OWASP Top 10 2025 Introduces Supply‑Chain Failures and Pushes Misconfiguration to #2
What Happened — The OWASP Foundation published its 2025 Top 10, adding “Software Supply Chain Failures” (A03) and “Mishandling of Exceptional Conditions” (A10) while elevating “Security Misconfiguration” from #5 to #2. The shift reflects attacks already seen in production and expands the scope of Broken Access Control to include API‑authorization failures.
Why It Matters for Compliance & Audit Readiness
- The new A03 and A10 categories map to SOC 2 CC3.1 (System Operations) and CC6.1 (Risk Management) controls that require documented, continuous evidence of secure configurations and vetted third‑party components.
- The rise of Misconfiguration to #2 underscores the necessity of continuous scanning and automated evidence collection to demonstrate an auditable configuration‑management process.
- Supply‑chain failures demand robust vendor‑risk assessments and third‑party attestations that can be presented as audit artifacts during a SOC 2 examination.
Who Is Affected — SaaS vendors, API providers, cloud‑native development teams, and any organization delivering web‑application services.
Recommended Actions —
- Map each OWASP 2025 category to the relevant SOC 2 criteria and update your control matrix.
- Deploy continuous scanning tools that feed configuration‑state evidence directly into your audit repository.
- Formalize a software‑supply‑chain risk program with documented third‑party assessments and ongoing monitoring.
Source: Qualys Blog
Technical Notes — The 2025 list is derived from analysis of >175 k CVE records and 589 CWE entries. A03 shows the highest incidence rate (5.19 %) but low CVE coverage, indicating many supply‑chain attacks evade signature‑based scanners.