Scanning for what matters most: OWASP Top 10 2025

F5 ADSP | March 27, 2026

The OWASP Top 10 has long been the gold standard for understanding the most critical security risks to web applications. When OWASP released its 2025 edition, security teams around the world took notice. Today, we’re excited to announce that F5 Distributed Cloud Web App Scanning now provides comprehensive support for the OWASP Top 10 2025, helping organizations identify and remediate the vulnerabilities that matter most.

F5 Distributed Cloud Web App Scanning delivers coverage across all 10 categories of OWASP Top 10 2025 critical web app vulnerabilities.

What’s new in the OWASP Top 10 2025?

The 2025 update to the OWASP Top 10 analyzed data from over 2.8 million applications contributed by leading vendors in the web app security space, mapping 248 Common Weakness Enumerations (CWEs) across the 10 categories—a significant expansion from previous editions.

The 2025 update introduces two entirely new categories and consolidates others, reflecting the evolving threat landscape. OWASP has worked to focus on root causes over symptoms wherever possible, making the guidance more actionable for development teams.

Following is the complete OWASP Top 10 2025:

  • A01:2025 - Broken Access Control maintains its position at #1 as the most serious application security risk. On average, 3.73% of applications tested had one or more of the 40 CWEs in this category. Notably, Server-Side Request Forgery (SSRF), previously a standalone category at #10 in 2021, has been consolidated here.
  • A02:2025 - Security Misconfiguration climbed from #5 in 2021 to #2. Misconfigurations are increasingly prevalent as modern software engineering relies more heavily on configuration-driven behavior. According to OWASP, 3.00% of applications tested had vulnerabilities in this category.
  • A03:2025 - Software Supply Chain Failures is a new category expanding on the previous “Vulnerable and Outdated Components” group of risks. It encompasses compromises across the entire ecosystem of software dependencies, build systems, and distribution infrastructure. While it has the fewest occurrences in testing data, it carries the highest average exploit and impact scores.
  • A04:2025 - Cryptographic Failures dropped from #2 to #4. Despite the ranking change, 3.80% of applications still exhibit cryptographic weaknesses that can lead to sensitive data exposure or system compromise.
  • A05:2025 - Injection fell from #3 to #5, though it remains one of the most tested categories with the greatest number of associated CVEs. This category spans everything from Cross-site Scripting to SQL Injection.
  • A06:2025 - Insecure Design dropped from #4 to #6. Introduced in 2021, this category has seen noticeable improvement as the industry embraces threat modeling and secure design practices.
  • A07:2025 - Authentication Failures maintains its position with a slight name change from “Identification and Authentication Failures.” Increased adoption of standardized authentication frameworks appears to be reducing occurrences.
  • A08:2025 - Software or Data Integrity Failures continues at #8, focusing on failures to maintain trust boundaries and verify the integrity of software, code, and data artifacts.
  • A09:2025 - Security Logging & Alerting Failures retains its position with a name change to emphasize alerting. As OWASP notes: great logging with no alerting provides minimal value in identifying security incidents.
  • A10:2025 - Mishandling of Exceptional Conditions is a new category containing 24 CWEs focused on improper error handling, logical errors, failing open, and other scenarios stemming from abnormal conditions.
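The "failing open" pattern that A10:2025 calls out is easiest to see beside its fix. The following is an added illustration, not OWASP's or F5's code: a constructed policy lookup stands in for a remote authorization service, and `backend_up=False` simulates that service being unreachable. The vulnerable caller turns the outage into an allow (CWE-636, "Not Failing Securely"); the hardened caller treats the exceptional path as a third outcome that maps to 503 rather than to a verdict.

```python
"""Mishandling of Exceptional Conditions (A10:2025): failing open versus failing closed.

Added illustration, not OWASP's or F5's code. The policy lookup is a constructed
stand-in for a remote authorization service; `backend_up=False` simulates its outage.
"""
import enum
import logging

log = logging.getLogger("authz")


class PolicyUnavailable(Exception):
    """The authorization backend could not answer (timeout, malformed reply, ...)."""


class Decision(enum.Enum):
    ALLOW = "allow"
    DENY = "deny"
    ERROR = "error"   # no decision was reached; must never be treated as ALLOW


# Constructed policy table: (user, document) -> may read?
_POLICY = {("alice", "doc-1"): True, ("bob", "doc-1"): False}


def lookup_policy(user: str, doc: str, *, backend_up: bool = True) -> bool:
    """Stand-in for the remote policy call (assumption: it raises on any failure)."""
    if not backend_up:
        raise PolicyUnavailable("policy service timed out")
    return _POLICY.get((user, doc), False)


def can_read_fail_open(user: str, doc: str, backend_up: bool = True) -> bool:
    """VULNERABLE: CWE-636 'Not Failing Securely'. An outage becomes an 'allow'."""
    try:
        return lookup_policy(user, doc, backend_up=backend_up)
    except Exception:                      # broad catch hides *why* it failed ...
        log.warning("policy lookup failed; continuing")
        return True                        # ... and the exceptional path grants access


def authorize(user: str, doc: str, backend_up: bool = True) -> Decision:
    """HARDENED: the exceptional path is a third outcome, never an implicit allow.

    Returning ERROR rather than DENY lets the HTTP layer answer 503 (retry later)
    instead of 403, and gives the logging/alerting pipeline (A09) a distinct event
    for the outage instead of a flood of ordinary denials.
    """
    try:
        allowed = lookup_policy(user, doc, backend_up=backend_up)
    except PolicyUnavailable as exc:       # catch only what we know how to handle
        log.error("authz backend unavailable user=%s doc=%s err=%s", user, doc, exc)
        return Decision.ERROR
    return Decision.ALLOW if allowed else Decision.DENY


def http_status(decision: Decision) -> int:
    """Map a decision to a response code; ERROR is an outage, not a policy verdict."""
    return {Decision.ALLOW: 200, Decision.DENY: 403, Decision.ERROR: 503}[decision]


if __name__ == "__main__":
    for backend_up in (True, False):
        print(f"backend_up={backend_up}: fail-open bob -> "
              f"{can_read_fail_open('bob', 'doc-1', backend_up)}, "
              f"hardened bob -> {authorize('bob', 'doc-1', backend_up).value}")
```

Run with the backend "down" and the vulnerable function answers `True` for a user the policy denies; the hardened one answers `ERROR`, which the HTTP layer surfaces as 503. The narrow `except PolicyUnavailable` also matters: a broad `except Exception` would swallow programming errors in the same branch and make them look like outages.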

How F5 Distributed Cloud Web App Scanning addresses the OWASP Top 10 2025

Distributed Cloud Web App Scanning delivers coverage across all 10 categories, with 50 test classes mapped to the new framework.

For the core categories, which include Broken Access Control, Security Misconfiguration, Cryptographic Failures, Injection, Insecure Design, Authentication Failures, and Software or Data Integrity Failures, our scanner provides comprehensive detection capabilities.

These categories benefit from mature test suites refined over years of real-world scanning, and we’ve added new tests to reflect how the scope of each category has evolved with the latest edition. For example, Broken Access Control now encompasses Server-Side Request Forgery (SSRF), which was previously a standalone category, and Security Misconfiguration has expanded to address the growing complexity of configuration-driven environments.
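SSRF sits under Broken Access Control because the server becomes a confused deputy: it reaches a network location the caller was never authorized to reach. The check below is an added example of the server-side guard a scanner probes for, not F5's or OWASP's code. It validates the *resolved* address rather than the hostname string, rejects URL userinfo tricks and IPv4-mapped IPv6 literals, and returns a pinned IP for the client to connect to. The `resolve` callable is injectable; the default uses `socket.getaddrinfo`, and the constructed `FAKE_DNS` table (not real records) lets the example run offline.

```python
"""SSRF as an access-control failure (A01:2025): validate the *resolved* target, then pin it.

Added illustration, not F5's or OWASP's code. `resolve` is injectable; the default uses
socket.getaddrinfo, and the constructed table below lets the example run offline.
"""
from __future__ import annotations

import ipaddress
import socket
from typing import Callable, Iterable
from urllib.parse import urlsplit

Resolver = Callable[[str], Iterable[str]]
ALLOWED_SCHEMES = {"http", "https"}


class SsrfRejected(ValueError):
    pass


def system_resolver(host: str) -> list[str]:
    """Real DNS lookup; returns every A/AAAA answer so a mixed answer cannot slip through."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def _is_public(addr: ipaddress.IPv4Address | ipaddress.IPv6Address) -> bool:
    # Unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1) so the IPv4 rules apply to it.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    # is_global already excludes loopback, link-local (incl. 169.254.169.254), RFC 1918,
    # unique-local, CGNAT and reserved ranges; the explicit terms make the intent readable.
    return addr.is_global and not (addr.is_loopback or addr.is_link_local or addr.is_private
                                   or addr.is_multicast or addr.is_unspecified or addr.is_reserved)


def pin_outbound_target(url: str, resolve: Resolver = system_resolver) -> tuple[str, int, str]:
    """Return (ip, port, host) the client must connect to, or raise SsrfRejected.

    The caller must open the socket to `ip` (sending `host` in Host/SNI) and must not
    re-resolve the name: re-resolving reopens the DNS-rebinding window closed here.
    Redirect targets must go through this function again before being followed.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise SsrfRejected(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise SsrfRejected("userinfo in URL")   # http://trusted@evil/ fools naive string checks
    host = parts.hostname
    if not host:
        raise SsrfRejected("missing host")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    try:
        candidates = [ipaddress.ip_address(host)]          # literal IP: nothing to resolve
    except ValueError:
        candidates = [ipaddress.ip_address(a) for a in resolve(host)]
    if not candidates:
        raise SsrfRejected(f"unresolvable host: {host}")
    for addr in candidates:                                 # one bad answer rejects the lot
        if not _is_public(addr):
            raise SsrfRejected(f"{host} resolves to non-public {addr}")
    return str(candidates[0]), port, host


# Constructed DNS answers so the example runs offline (not real records).
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "metadata.internal": ["169.254.169.254"],
    "rebind.attacker.test": ["1.1.1.1", "127.0.0.1"],      # mixed answer -> rejected
}


def fake_resolver(host: str) -> list[str]:
    return FAKE_DNS.get(host, [])


def check(url: str) -> str:
    """Wrapper returning 'ALLOW ip:port' or 'REJECT reason' for the demo and tests."""
    try:
        ip, port, _ = pin_outbound_target(url, fake_resolver)
        return f"ALLOW {ip}:{port}"
    except SsrfRejected as exc:
        return f"REJECT {exc}"


if __name__ == "__main__":
    for u in ["https://example.com/report", "http://metadata.internal/latest/meta-data/",
              "http://169.254.169.254/", "http://[::ffff:127.0.0.1]:8080/", "file:///etc/passwd",
              "http://example.com@127.0.0.1/", "http://rebind.attacker.test/"]:
        print(f"{u:45} {check(u)}")
```

Two caveats a practitioner will want: the guard is only complete if the HTTP client actually connects to the pinned IP and re-runs the check on every redirect, and it complements rather than replaces network-level egress filtering from the application tier to metadata endpoints and internal ranges.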

Some new and expanded categories, such as Software Supply Chain Failures (A03:2025), reach beyond our existing vulnerable-dependency detection. For A03 we have added tests for unpatched systems and misconfigured components that attackers frequently exploit in supply chain attacks. As with any DAST, these tests observe the deployed application from the outside; build pipelines, lock files and package registries remain the province of software composition analysis and SBOM tooling, which the scanner complements rather than replaces.

Logging & Alerting Failures (A09:2025) is a renamed category that now emphasizes alerting alongside logging. Our new tests help identify gaps in security event monitoring that could delay incident detection.
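OWASP's point that logging without alerting adds little is concrete once you see the same log lines with and without a rule over them. The following is an added example, not F5's or OWASP's code: a constructed authentication log (the line format is an assumption) and a detection rule for a password spray, the pattern that per-user lockout logs record but never raise, because each user sees only one failure. The rule keys on source IP and flags the success that follows a spray, which is the event an analyst most wants to see.

```python
"""Logging without alerting (A09:2025): the same log lines, with a detection rule over them.

Added illustration, not F5's or OWASP's code. The log lines are constructed and the
line format is an assumption.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed auth log: ISO timestamp, outcome, user, source IP (format is an assumption).
SAMPLE_LOG = """\
2026-03-27T09:00:01Z auth=fail user=alice src=198.51.100.7
2026-03-27T09:00:03Z auth=fail user=alice src=198.51.100.7
2026-03-27T09:00:04Z auth=fail user=bob src=198.51.100.7
2026-03-27T09:00:06Z auth=fail user=carol src=198.51.100.7
2026-03-27T09:00:09Z auth=fail user=dave src=198.51.100.7
2026-03-27T09:00:12Z auth=ok user=dave src=198.51.100.7
2026-03-27T09:20:00Z auth=fail user=erin src=203.0.113.9
2026-03-27T09:21:00Z auth=ok user=erin src=203.0.113.9
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) auth=(?P<outcome>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse(log_text: str):
    """Yield (timestamp, outcome, user, src) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), m["outcome"], m["user"], m["src"])


def password_spray_alerts(log_text: str, threshold: int = 4, window: timedelta = timedelta(minutes=5)) -> list[str]:
    """Alert when one source IP fails against >= `threshold` *distinct* users inside `window`.

    Per-user lockout rules miss this pattern (each user sees a single failure), so the
    rule keys on source IP. Once a source is flagged, any later success from it is
    reported as well: that is the credential the attacker actually got.
    """
    recent = defaultdict(deque)   # src -> deque of (ts, user) failures inside the window
    alerted = set()
    alerts = []
    for ts, outcome, user, src in parse(log_text):
        if outcome == "fail":
            q = recent[src]
            q.append((ts, user))
            while q and ts - q[0][0] > window:   # slide the window forward
                q.popleft()
            users = {u for _, u in q}
            if len(users) >= threshold and src not in alerted:
                alerted.add(src)
                alerts.append(f"{ts.isoformat()} spray src={src} users={len(users)}")
        elif src in alerted:
            alerts.append(f"{ts.isoformat()} success-after-spray src={src} user={user}")
    return alerts


if __name__ == "__main__":
    for a in password_spray_alerts(SAMPLE_LOG):
        print(a)
```

Every line in `SAMPLE_LOG` would already be "logged"; only the rule turns the fourth distinct failure from `198.51.100.7` and the `dave` success that follows into something a responder is paged for. Raise `threshold` above the number of users sprayed and the same log produces no alert at all, which is the gap the renamed category is about.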

For the new category, Mishandling of Exceptional Conditions (A10:2025), we’ve introduced tests for sensitive data exposure in error messages, missing custom error pages, and improper handling of unexpected parameters—all common ways applications inadvertently reveal information to attackers.
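The three symptoms named above (sensitive data in error messages, missing custom error pages, mishandled unexpected parameters) are what a DAST recognises in the response body after it sends a malformed request. The block below is an added illustration of that kind of check, not F5's scanner code: a small signature set for leaked stack traces, database errors, framework debug pages and filesystem paths, a heuristic for "the application never took over 5xx rendering", and a hypothetical set of parameter mutations a scanner would send. The sample responses are constructed, not captured from any real system, and real scanners carry far larger signature sets.

```python
"""Spotting A10:2025 symptoms in HTTP responses: leaked traces, SQL errors, debug/default pages.

Added illustration of the kind of check a DAST runs, not F5's scanner code. Signatures and
the sample responses below are constructed; real scanners carry far larger signature sets.
"""
import re

# Each signature: (finding name, compiled pattern). Line-anchored patterns use re.M.
SIGNATURES = [
    ("stack-trace:python",  re.compile(r"Traceback \(most recent call last\)")),
    ("stack-trace:java",    re.compile(r"^\s*at [\w$.]+\([\w$]+\.java:\d+\)", re.M)),
    ("stack-trace:dotnet",  re.compile(r"Server Error in '.*' Application|^\s*at System\.", re.M)),
    ("stack-trace:node",    re.compile(r"^\s*at .+ \(.+\.[cm]?js:\d+:\d+\)", re.M)),
    ("stack-trace:php",     re.compile(r"(?:Fatal error|Warning|Notice): .+ in .+ on line \d+")),
    ("sql-error:mysql",     re.compile(r"You have an error in your SQL syntax")),
    ("sql-error:postgres",  re.compile(r"syntax error at or near|pg_query\(\)|PG::")),
    ("sql-error:oracle",    re.compile(r"\bORA-\d{5}\b")),
    ("sql-error:mssql",     re.compile(r"Unclosed quotation mark after the character string")),
    ("debug-page:django",   re.compile(r"DEBUG\s*=\s*True")),
    ("debug-page:werkzeug", re.compile(r"Werkzeug Debugger")),
    ("default-page:tomcat", re.compile(r"Apache Tomcat/\d")),
    ("path-disclosure",     re.compile(r"/(?:home|var|srv|opt|usr)/[\w./-]+|[A-Z]:\\[\w\\.-]+")),
]


def analyze(status: int, body: str) -> list[str]:
    """Return the findings a response triggers; an empty list means nothing leaked."""
    findings = [name for name, pat in SIGNATURES if pat.search(body)]
    # A 5xx whose body is framework-generated (trace, debug or default page) is the
    # 'missing custom error page' case: the application never took over error rendering.
    if status >= 500 and any(f.split(":")[0] in ("stack-trace", "debug-page", "default-page")
                             for f in findings):
        findings.append("missing-custom-error-page")
    return findings


def probe_variants(param: str, value: str) -> list[tuple[str, str]]:
    """Hypothetical probe set: mutations sent to see how a handler copes with a parameter
    shaped differently from what it expects (array, index, empty, oversized, quote, null, NUL)."""
    return [(f"{param}[]", value), (f"{param}[0]", value), (param, ""), (param, "x" * 8192),
            (param, value + "'"), (param, "null"), (param + "%00", value)]


# Constructed sample responses (not captured from any real system).
JAVA_TRACE = """java.lang.NullPointerException: Cannot invoke "String.length()"
\tat com.example.billing.InvoiceService.total(InvoiceService.java:87)
\tat com.example.web.InvoiceController.get(InvoiceController.java:41)
"""
DJANGO_DEBUG = """<title>ValueError at /api/orders/</title>
<h1>ValueError at /api/orders/</h1>
<pre>Traceback (most recent call last):
  File "/srv/app/orders/views.py", line 22, in order_detail
    order_id = int(request.GET["id"])
ValueError: invalid literal for int() with base 10: 'abc'</pre>
<p>You're seeing this error because you have <code>DEBUG = True</code> in your Django settings file.</p>
"""
MYSQL_JSON = ('{"error": "You have an error in your SQL syntax; check the manual that corresponds '
              "to your MySQL server version for the right syntax to use near ''' at line 1\"}")
CLEAN_500 = "<h1>Something went wrong</h1><p>Please retry. Reference: 8f2c1a</p>"

if __name__ == "__main__":
    for label, status, body in [("java", 500, JAVA_TRACE), ("django", 500, DJANGO_DEBUG),
                                ("mysql", 200, MYSQL_JSON), ("clean", 500, CLEAN_500)]:
        print(f"{label:7} {status} -> {analyze(status, body) or 'no leak'}")
```

Note the MySQL sample: it comes back with a 200 and a JSON body, so status-code checks alone would pass it. The clean page is what a correct handler returns: a generic message plus a reference that lets the operator find the full exception in server-side logs, where it belongs.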

Why this matters for your security program

Compliance frameworks, penetration testing standards, and security assessments frequently reference the OWASP Top 10. With our updated scanner, organizations can more easily stay aligned with the current edition. Security reports now map findings to the 2025 categories, making it simpler to communicate risks to stakeholders and demonstrate compliance with frameworks that reference OWASP.

Organizations can also prioritize risk remediation more effectively. The OWASP Top 10 reflects real-world attack patterns derived from testing millions of applications. By focusing remediation efforts on these categories, teams address the vulnerabilities most likely to be exploited.

It’s also important that organizations address emerging risks proactively, before criminals act. New categories like Software Supply Chain Failures highlight attack vectors that have grown significantly in recent years. Despite limited testing data, supply chain vulnerabilities carry the highest exploit and impact scores; our scanner helps uncover these risks before attackers do.

Getting started

Existing Distributed Cloud Web App Scanning customers will automatically benefit from the updated OWASP Top 10 2025 mappings in their scan results. No configuration changes are required—simply run your scans as usual and review findings categorized under the new framework.

For organizations running on-premises deployments, updated Docker images are available that include the full OWASP Top 10 2025 test suite.

If you’re new to Distributed Cloud Web App Scanning, this is an excellent time to evaluate how dynamic application security testing can strengthen your security posture. Our scanner combines comprehensive vulnerability detection with the simplicity of a fully managed SaaS platform, helping security teams protect their applications without the operational overhead of traditional Dynamic Application Security Testing (DAST) tools.

To learn more about F5 Distributed Cloud Web App Scanning and its OWASP Top 10 2025 capabilities, visit our product page or contact our team to schedule a demo.

About the Author

Sebastian Brandes, Senior Principal Product Manager | F5
