LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

How has the OWASP Top 10 evolved from 2017 to 2025?

Access Control climbed to #1, Injection slid from #1 (2017) to #3 (2021) to #5 (2025 RC), and each edition adds new categories — Insecure Design and SSRF in 2021, Software Supply Chain Failures and Mishandling of Exceptional Conditions in the 2025 release candidate.

Three risks tracked across 2017/2021/2025-RC: Broken Access Control rises to #1, Injection drops, new categories appear.

* Key OWASP Top 10 movements 2017 → 2025 RC — Broken Access Control to #1, Injection falling, new design/supply-chain categories. *

The full lists side by side (the 2025 column is the Release Candidate, not yet final):

# 2017 2021 2025 RC
A01 Injection Broken Access Control Broken Access Control
A02 Broken Authentication Cryptographic Failures Security Misconfiguration
A03 Sensitive Data Exposure Injection Software Supply Chain Failures (new)
A04 XML External Entities (XXE) Insecure Design Cryptographic Failures
A05 Broken Access Control Security Misconfiguration Injection
A06 Security Misconfiguration Vulnerable & Outdated Components Insecure Design
A07 Cross-Site Scripting (XSS) Identification & Authentication Failures Authentication Failures
A08 Insecure Deserialization Software & Data Integrity Failures Software & Data Integrity Failures
A09 Components with Known Vulnerabilities Security Logging & Monitoring Failures Logging & Alerting Failures
A10 Insufficient Logging & Monitoring Server-Side Request Forgery (SSRF) Mishandling of Exceptional Conditions (new)

Key moves to remember:

  • Broken Access Control rose to #1 (was #5 in 2017) — the most common serious flaw.
  • Injection keeps dropping (A01 → A03 → A05) as frameworks make parametrized queries the default. In 2017, XSS was its own category (A07); in 2021 it was folded into Injection.
  • Insecure Design (2021) reflects a shift toward "shift-left" — flaws baked in before a line of code is written.
  • The 2025 RC elevates Software Supply Chain Failures to A03 (broader than 2021's "Vulnerable Components") and adds Mishandling of Exceptional Conditions (A10) covering bad error/exception handling.

Note: "2025 RC" = Release Candidate; ordering and names can still change before OWASP finalizes the list.

Go deeper:

From Quiz: SPRG / OWASP Top 10 | Updated: Jul 14, 2026