HomeIntelligenceBrief
BREACH BRIEF⚪ Informational Advisory

OWASP Top 10 2025 Adds Supply‑Chain Failures and Elevates Misconfiguration – Implications for SOC 2 Controls

The OWASP Foundation released its 2025 Top 10, introducing Software Supply Chain Failures and moving Security Misconfiguration to #2. The changes expose control gaps that SOC 2 audit programs must now evidence through continuous monitoring and vendor‑risk documentation.

LiveThreat™ Intelligence · 📅 June 15, 2026· 📰 blog.qualys.com
Severity
Informational
AD
Type
Advisory
🎯
Confidence
High
🏢
Affected
3 sector(s)
Actions
3 recommended
📰
Source
blog.qualys.com

OWASP Top 10 2025 Introduces Supply‑Chain Failures and Pushes Misconfiguration to #2

What Happened — The OWASP Foundation published its 2025 Top 10, adding “Software Supply Chain Failures” (A03) and “Mishandling of Exceptional Conditions” (A10) while elevating “Security Misconfiguration” from #5 to #2. The shift reflects attacks already seen in production and expands the scope of Broken Access Control to include API‑authorization failures.

Why It Matters for Compliance & Audit Readiness

  • The new A03 and A10 categories map to SOC 2 CC3.1 (System Operations) and CC6.1 (Risk Management) controls that require documented, continuous evidence of secure configurations and vetted third‑party components.
  • The rise of Misconfiguration to #2 underscores the necessity of continuous scanning and automated evidence collection to demonstrate an auditable configuration‑management process.
  • Supply‑chain failures demand robust vendor‑risk assessments and third‑party attestations that can be presented as audit artifacts during a SOC 2 examination.

Who Is Affected — SaaS vendors, API providers, cloud‑native development teams, and any organization delivering web‑application services.

Recommended Actions

  • Map each OWASP 2025 category to the relevant SOC 2 criteria and update your control matrix.
  • Deploy continuous scanning tools that feed configuration‑state evidence directly into your audit repository.
  • Formalize a software‑supply‑chain risk program with documented third‑party assessments and ongoing monitoring.

Source: Qualys Blog

Technical Notes — The 2025 list is derived from analysis of >175 k CVE records and 589 CWE entries. A03 shows the highest incidence rate (5.19 %) but low CVE coverage, indicating many supply‑chain attacks evade signature‑based scanners.

📰 Original Source
https://blog.qualys.com/qualys-insights/2026/06/15/what-changed-in-owasp-top-10-2025-and-recommendations-for-each-category

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Trust Operations

Misconfigurations are control gaps in disguise.

Verisq AI Trust Operations turns findings like this into mapped controls with continuous evidence, keeping your audit readiness current instead of point-in-time.

Map your controls with Verisq AI Trust Operations →