Quiz Entry - updated: 2026.07.14
How has the OWASP Top 10 evolved from 2017 to 2025?
Access Control climbed to #1, Injection slid from #1 (2017) to #3 (2021) to #5 (2025 RC), and each edition adds new categories — Insecure Design and SSRF in 2021, Software Supply Chain Failures and Mishandling of Exceptional Conditions in the 2025 release candidate.
* Key OWASP Top 10 movements 2017 → 2025 RC — Broken Access Control to #1, Injection falling, new design/supply-chain categories. *
The full lists side by side (the 2025 column is the Release Candidate, not yet final):
| # | 2017 | 2021 | 2025 RC |
|---|---|---|---|
| A01 | Injection | Broken Access Control | Broken Access Control |
| A02 | Broken Authentication | Cryptographic Failures | Security Misconfiguration |
| A03 | Sensitive Data Exposure | Injection | Software Supply Chain Failures (new) |
| A04 | XML External Entities (XXE) | Insecure Design | Cryptographic Failures |
| A05 | Broken Access Control | Security Misconfiguration | Injection |
| A06 | Security Misconfiguration | Vulnerable & Outdated Components | Insecure Design |
| A07 | Cross-Site Scripting (XSS) | Identification & Authentication Failures | Authentication Failures |
| A08 | Insecure Deserialization | Software & Data Integrity Failures | Software & Data Integrity Failures |
| A09 | Components with Known Vulnerabilities | Security Logging & Monitoring Failures | Logging & Alerting Failures |
| A10 | Insufficient Logging & Monitoring | Server-Side Request Forgery (SSRF) | Mishandling of Exceptional Conditions (new) |
Key moves to remember:
- Broken Access Control rose to #1 (was #5 in 2017) — the most common serious flaw.
- Injection keeps dropping (A01 → A03 → A05) as frameworks make parametrized queries the default. In 2017, XSS was its own category (A07); in 2021 it was folded into Injection.
- Insecure Design (2021) reflects a shift toward "shift-left" — flaws baked in before a line of code is written.
- The 2025 RC elevates Software Supply Chain Failures to A03 (broader than 2021's "Vulnerable Components") and adds Mishandling of Exceptional Conditions (A10) covering bad error/exception handling.
Note: "2025 RC" = Release Candidate; ordering and names can still change before OWASP finalizes the list.
Go deeper:
OWASP Top 10 — A01: Broken Access Control — the category that rose to #1.
OWASP Top 10 — A03: Injection — where Injection (and XSS, folded in) landed in 2021.