OWASP Top 10:2025
The OWASP Top 10 is the standard awareness document for web application security. It represents a broad consensus about the most critical security risks to web applications. The 2025 edition includes two new categories: Software Supply Chain Failures (A03) and Mishandling of Exceptional Conditions (A10), with significant reorganization from the 2021 edition.
Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.
OWASP content is used under the Creative Commons Attribution-ShareAlike 4.0 International License (CC BY-SA 4.0). Original material © OWASP Foundation. See owasp.org for the authoritative source.
Framework Domains (10)
Access Control
| Code | Title |
|---|---|
| OWASPTOP10-1 | A01:2025 Broken Access Control |
Authentication
| Code | Title |
|---|---|
| OWASPTOP10-7 | A07:2025 Identification and Authentication Failures |
Component Security
| Code | Title |
|---|---|
| OWASPTOP10-6 | A06:2025 Vulnerable and Outdated Components |
Configuration and Hardening
| Code | Title |
|---|---|
| OWASPTOP10-5 | A05:2025 Security Misconfiguration |
Cryptography
| Code | Title |
|---|---|
| OWASPTOP10-2 | A02:2025 Cryptographic Failures and Secret Management |
Injection
| Code | Title |
|---|---|
| OWASPTOP10-3 | A03:2025 Injection Including Cross-Site Scripting |
Integrity
| Code | Title |
|---|---|
| OWASPTOP10-8 | A08:2025 Software and Data Integrity Failures |
Logging and Monitoring
| Code | Title |
|---|---|
| OWASPTOP10-9 | A09:2025 Security Logging and Monitoring Failures |
SSRF
| Code | Title |
|---|---|
| OWASPTOP10-10 | A10:2025 Server-Side Request Forgery (SSRF) |
Secure Design
| Code | Title |
|---|---|
| OWASPTOP10-4 | A04:2025 Insecure Design and Business Logic (incl. A11 API Abuse) |
Your Compliance Coverage
If you comply with OWASP Top 10:2025, you already cover:
NIST SP 800-82 Revision 3: Guide to Industrial Control Systems (ICS) Security
80%
8 controls mapped
Compare →NIST SP 800-171A - Assessing Security Requirements for Controlled Unclassified Information (CUI)
70%
7 controls mapped
Compare →ISO/IEC 27400:2022
70%
7 controls mapped
Compare →+ 190 more: FedRAMP Rev 5 (70%), NIS2 Directive Implementing Acts (70%)
See all 193 mapped frameworks ↓Maps to 193 other frameworks
Frequently Asked Questions
What is OWASP Top 10:2025?
OWASP Top 10:2025 is a compliance framework from International with 10 domains and 10 controls. The OWASP Top 10 is the standard awareness document for web application security. It represents a broad consensus about the most critical security risks to web applications. The 2025 edition includes two new categories: Software Supply Chain Failures (A03) and Mishandling of Exceptional Conditions (A10), with significant reorganization from the 2021 edition. It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.
How many controls does OWASP Top 10:2025 have?
OWASP Top 10:2025 has 10 controls organised across 10 domains. The largest domains are Access Control (1 controls), Authentication (1 controls), Component Security (1 controls). Each control defines specific requirements that organisations must implement to achieve compliance.
What frameworks does OWASP Top 10:2025 map to?
OWASP Top 10:2025 maps to 193 other compliance frameworks. The top mapping partners are NIST SP 800-82 Revision 3: Guide to Industrial Control Systems (ICS) Security (80% coverage), NIST SP 800-171A - Assessing Security Requirements for Controlled Unclassified Information (CUI) (70% coverage), ISO/IEC 27400:2022 (70% coverage). Use our comparison tool to explore control-level mappings between frameworks.
How do I get started with OWASP Top 10:2025 compliance?
Start your OWASP Top 10:2025 compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about OWASP Top 10:2025 requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 10 controls and track your progress.
Start Your Compliance Journey
Create a free account to run self-assessments, get AI advisory, and track your compliance progress across 723 frameworks.
Get Started Free →Free forever — no credit card required