OWASP Top 10 2025 RC1 was released on November 6th! 🎉
The big star of this edition? A03: Software Supply Chain Failures 📦 which climbs from A06 in 2021 all the way to the podium.
Attackers love poisoning our dependencies, so let’s understand what changed!
🎯 OWASP Top 10 - Introduction
On November 6, 2025, OWASP published the Release Candidate 1 of the Top 10 2025 📝.
This edition is based on the analysis of:
- 2.8 million applications tested 🔬
- 589 CWEs (Common Weakness Enumerations) mapped
- 175,000 CVE records analyzed
- 12 contributing organizations (including Veracode, Snyk, HackerOne…)
💡 Fun fact: The OWASP Top 10 is NOT a simple frequency ranking. It’s a “data-informed, not data-driven” approach that blends field data AND community concerns. Like a good wine! 🍷
📊 Comparison Table 2021 vs 2025
Here’s what changed between the two editions:
| 2025 Position | 2025 Category | 2021 Position | 2021 Category | Evolution |
|---|---|---|---|---|
| A01 | 🔐 Broken Access Control (includes A10-2021 - Server-Side Request Forgery (SSRF)) | A01 | 🔐 Broken Access Control + Server-Side Request Forgery (SSRF) | ➡️ Stable #1 |
| A02 | ⚙️ Security Misconfiguration | A05 | ⚙️ Security Misconfiguration | ⬆️ +3 |
| A03 | 📦 Software Supply Chain Failures | A06 | 🧩 Vulnerable & Outdated Components | ⬆️ +3 🔥 |
| A04 | 🔑 Cryptographic Failures | A02 | 🔑 Cryptographic Failures | ⬇️ -2 |
| A05 | 💉 Injection | A03 | 💉 Injection | ⬇️ -2 |
| A06 | 🎨 Insecure Design | A04 | 🎨 Insecure Design | ⬇️ -2 |
| A07 | 👤 Authentication Failures | A07 | 🆔 Identification & Authentication Failures | ➡️ Stable (renamed) |
| A08 | ✅ Software & Data Integrity Failures | A08 | ✅ Software & Data Integrity Failures | ➡️ Stable |
| A09 | 📝 Logging & Alerting Failures | A09 | 📋 Security Logging & Monitoring Failures | ➡️ Stable (renamed) |
| A10 | ⚠️ Mishandling of Exceptional Conditions | — | — | 🆕 New |
🎪 Key Changes
📌 Key Takeaways:
- A03 (Supply Chain): Major expansion from A06:2021 → Recognition of the growing threat (I’ve been talking about supply chain for a long time - it’s not just outdated dependencies, but the entire delivery chain!)
- A02 (Misconfiguration): Rises from #5 to #2 → Fast DevOps = frequent configuration errors
- A10 (Exceptional Conditions): New entry → Error handling = forgotten attack vector
- A01 (Access Control): Still #1 → Classic never goes out of style (3.73% prevalence)
🔥 Focus: A03 - Software Supply Chain Failures
🎭 From “Vulnerable Components” to “Supply Chain Failure”
In 2021, A06 was about “Vulnerable and Outdated Components” 🧩.
In 2025, A03 expands the scope to the entire software supply chain 📦.
Why this change?
- SolarWinds (2020): Build compromise → 18,000 infected customers 😱
- Log4Shell (2021): Critical vulnerability in an ultra-popular dependency
- XZ Utils (2024): Backdoor hidden in a Linux compression library
- Shai-Hulud Worm (September 2025): Self-replicating worm on npm infecting 187+ packages
💡 What changed:
OWASP now recognizes that the problem is NOT limited to:
- ✅ Keeping your dependencies up to date
- ✅ Scanning for known CVEs
But ALSO includes:
- 🔍 Code provenance (where does it come from?)
- 🛡️ Artifact integrity (has it been modified?)
- 🔐 CI/CD pipeline security (who can touch the build?)
- 🕵️ Transitive dependencies (what’s hiding in my dep’s dep?)
💣 Recent Verified SCA Attack Examples
🪱 September 2025: Shai-Hulud Worm on npm (Source: KrebsOnSecurity)
The worm that dreamed of going viral 🐛
- Vector: Self-replicating JavaScript worm via npm
- Targets: 187+ infected packages (including 25 CrowdStrike packages temporarily)
- Mechanism:
  - 🔑 Steals npm tokens from the developer’s environment
  - 📦 Automatically modifies the 20 most popular accessible packages
  - 🔄 Copies itself into newly published versions
  - 🚀 Publishes stolen credentials in public GitHub repos named “Shai-Hulud”
- Special feature: Uses the open-source tool TruffleHog to search for secrets 🕵️
- Impact: Exponential propagation, difficult to contain once launched
🎬 Fun fact: The name “Shai-Hulud” comes from the giant sandworms in Frank Herbert’s Dune.
Attackers are also sci-fi fans! 🪐
🎨 2024: XZ Utils Backdoor (Source: Multiple CVE databases)
The most sophisticated attack ever seen 🏆
- CVE: CVE-2024-3094 (CVSS 10.0 - CRITICAL)
- Vector: Long-term compromise of a Linux library maintainer
- Technique: Backdoor hidden in test files (!!) activatable via SSH
- Detection: By accident, thanks to a Microsoft developer who noticed a weird SSH delay
- Potential impact: Almost every Linux system in the world 🌍
⏰ Attacker’s patience timeline:
- 2022: First contact with legitimate maintainer
- 2023: Benign contributions to gain trust
- February 2024: Backdoor injection in versions 5.6.0 and 5.6.1
- March 2024: Fortuitous discovery before massive distribution
Moral: Attackers play the long game. So should we. ♟️
🛡️ How to Protect Against Supply Chain Attacks?
📋 1. SBOM (Software Bill of Materials)
Generate a complete inventory of your dependencies:
```bash
# npm (npm 10+; `npm sbom` writes the SBOM to stdout, there is no --output flag)
npm sbom --sbom-format cyclonedx > sbom.json

# Python (pip-audit can emit a CycloneDX SBOM for the current environment)
pip-audit --format cyclonedx-json --output sbom.json

# .NET (JSON inventory of direct and transitive packages)
dotnet list package --include-transitive --format json > sbom.json
```
Why? You can’t protect what you don’t know! 🕵️
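Once the SBOM exists, the question raised earlier (“what’s hiding in my dep’s dep?”) becomes a graph walk. The following is an added example, not code from the original post or from any SBOM tool: it loads a constructed CycloneDX 1.5 document shaped like `npm sbom --sbom-format cyclonedx` output (package names and hashes are made up), walks the `dependencies` graph from the application’s root `bom-ref`, and separates direct from transitive dependencies, flags components that are listed but unreachable from the application, and flags components that carry no hash and therefore cannot be matched against what was actually installed.

```python
import json
from collections import deque

# Constructed CycloneDX 1.5 JSON SBOM for the example; the package names, versions
# and hash values are made up and do not refer to real packages.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {"component": {"type": "application", "name": "my-app",
                             "version": "1.0.0", "bom-ref": "my-app@1.0.0"}},
  "components": [
    {"type": "library", "name": "web-framework", "version": "4.2.0", "bom-ref": "web-framework@4.2.0",
     "purl": "pkg:npm/web-framework@4.2.0", "hashes": [{"alg": "SHA-512", "content": "aa"}]},
    {"type": "library", "name": "json-tools", "version": "2.1.3", "bom-ref": "json-tools@2.1.3",
     "purl": "pkg:npm/json-tools@2.1.3", "hashes": [{"alg": "SHA-512", "content": "bb"}]},
    {"type": "library", "name": "tiny-util", "version": "0.0.9", "bom-ref": "tiny-util@0.0.9",
     "purl": "pkg:npm/tiny-util@0.0.9"},
    {"type": "library", "name": "left-unused", "version": "1.0.0", "bom-ref": "left-unused@1.0.0",
     "purl": "pkg:npm/left-unused@1.0.0", "hashes": [{"alg": "SHA-512", "content": "cc"}]}
  ],
  "dependencies": [
    {"ref": "my-app@1.0.0", "dependsOn": ["web-framework@4.2.0"]},
    {"ref": "web-framework@4.2.0", "dependsOn": ["json-tools@2.1.3"]},
    {"ref": "json-tools@2.1.3", "dependsOn": ["tiny-util@0.0.9"]},
    {"ref": "tiny-util@0.0.9", "dependsOn": []},
    {"ref": "left-unused@1.0.0", "dependsOn": []}
  ]
}
"""


def load_sbom(text):
    """Parse a CycloneDX JSON SBOM into (root ref, components by ref, dependency graph)."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX SBOM")
    components = {c["bom-ref"]: c for c in bom.get("components", [])}
    graph = {d["ref"]: list(d.get("dependsOn", [])) for d in bom.get("dependencies", [])}
    root = bom["metadata"]["component"]["bom-ref"]
    return root, components, graph


def reachable(graph, root):
    """Breadth-first walk from root: every reachable ref with its depth (1 = direct dependency).
    The visited check also makes the walk safe on dependency cycles."""
    depth = {}
    queue = deque((child, 1) for child in graph.get(root, []))
    while queue:
        ref, d = queue.popleft()
        if ref in depth:
            continue
        depth[ref] = d
        for child in graph.get(ref, []):
            queue.append((child, d + 1))
    return depth


def analyze(text):
    root, components, graph = load_sbom(text)
    depth = reachable(graph, root)
    direct = sorted(r for r, d in depth.items() if d == 1)
    transitive = sorted(r for r, d in depth.items() if d > 1)
    # Listed in the BOM but not reachable from the application: stale or orphaned entries.
    orphans = sorted(set(components) - set(depth))
    # No hash recorded: the entry cannot be matched against the artifact actually installed.
    unhashed = sorted(r for r in depth if not components.get(r, {}).get("hashes"))
    return {"direct": direct, "transitive": transitive, "orphans": orphans,
            "unhashed": unhashed, "max_depth": max(depth.values(), default=0)}


if __name__ == "__main__":
    print(json.dumps(analyze(SBOM_JSON), indent=2))
```

Run it against a real `sbom.json` by replacing `SBOM_JSON` with the file contents; the `unhashed` and `orphans` lists are the ones worth acting on first, since an unhashed transitive dependency is exactly the kind of component a scanner keyed on known CVEs never questions.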
🔐 2. SLSA Framework (Supply-chain Levels for Software Artifacts)
Implement trust levels in your pipelines:
| SLSA Level | Protection | Example |
|---|---|---|
| SLSA 1 | 📝 Provenance documentation | README with build process |
| SLSA 2 | 🔒 Signed builds | GPG signature of artifacts |
| SLSA 3 | 🏗️ Isolated and auditable builds | Hermetic CI/CD, immutable logs |
| SLSA 4 | ✅ Mandatory human review | 2-person rule for merges |
👉 Aim for at least SLSA 2 for your critical projects 🎯
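The “provenance” that SLSA builds on is a statement, signed by the builder, that ties an artifact digest to the builder and the source it was built from. The block below is an added example, not part of the original post and not the code of any SLSA tool: it constructs an artifact and an in-toto Statement v1 / SLSA Provenance v1 style document and applies the content checks a consumer performs after the envelope signature has been validated (digest of the downloaded artifact appears in `subject`, builder id is in an allow-list, source URI matches the expected repository). The builder id, build type and source URI are `example.invalid` placeholders, the placement of the source under `externalParameters.source` is assumed for the example (real build types define their own parameter layout), and the DSSE signature check itself is assumed to be done by your verifier before this step.

```python
import hashlib

# Constructed artifact standing in for a release tarball.
ARTIFACT = b"example release tarball bytes -- constructed for this example\n"
ARTIFACT_SHA256 = hashlib.sha256(ARTIFACT).hexdigest()

# Constructed provenance statement in the in-toto Statement v1 + SLSA Provenance v1 layout.
# All URIs are placeholders; `externalParameters.source` is an assumed field placement.
PROVENANCE = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "my-app-1.0.0.tgz", "digest": {"sha256": ARTIFACT_SHA256}}],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {
        "buildDefinition": {
            "buildType": "https://example.invalid/build-types/ci-workflow/v1",
            "externalParameters": {
                "source": {"uri": "git+https://example.invalid/org/my-app@refs/tags/v1.0.0"}
            },
        },
        "runDetails": {"builder": {"id": "https://example.invalid/builders/hosted-ci/v1"}},
    },
}

# Consumer-side policy: which builders we trust and where the source must come from.
POLICY = {
    "trusted_builders": {"https://example.invalid/builders/hosted-ci/v1"},
    "expected_source_prefix": "git+https://example.invalid/org/my-app@",
}


def verify_provenance(statement, artifact_bytes, policy):
    """Return (ok, reasons). Assumes the DSSE envelope signature over `statement`
    was already verified; these are the content checks that follow that step."""
    reasons = []
    if statement.get("_type") != "https://in-toto.io/Statement/v1":
        reasons.append("unexpected statement type")
    if statement.get("predicateType") != "https://slsa.dev/provenance/v1":
        reasons.append("unexpected predicate type")

    # 1. The artifact we downloaded must be one of the statement's subjects.
    actual = hashlib.sha256(artifact_bytes).hexdigest()
    subjects = statement.get("subject", [])
    if not any(s.get("digest", {}).get("sha256", "").lower() == actual for s in subjects):
        reasons.append("artifact digest not listed in provenance subject")

    # 2. Only builders we trust may vouch for the artifact.
    predicate = statement.get("predicate", {})
    builder = predicate.get("runDetails", {}).get("builder", {}).get("id")
    if builder not in policy["trusted_builders"]:
        reasons.append(f"untrusted builder: {builder}")

    # 3. The build must have been fed from the repository we expect.
    source = (predicate.get("buildDefinition", {}).get("externalParameters", {})
              .get("source", {}).get("uri", ""))
    if not source.startswith(policy["expected_source_prefix"]):
        reasons.append(f"unexpected source: {source}")

    return (not reasons, reasons)


if __name__ == "__main__":
    print(verify_provenance(PROVENANCE, ARTIFACT, POLICY))
    print(verify_provenance(PROVENANCE, ARTIFACT + b"tampered", POLICY))
```

Without the signature step the statement is just JSON anyone could write, which is why the builder allow-list only means something once the signing identity has been checked; the content checks shown here are what turn a valid signature into an actual decision about the artifact.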
🔍 3. Continuous Verification Tools
🛠️ My Anti-Supply-Chain Toolbox:
- OWASP Dependency-Track 📊: Continuous SBOM monitoring with real-time CVE alerts
- Snyk 🔍: Vulnerability scanning in dependencies + fix suggestions
- Scorecard (OSSF) 📈: Security health assessment of open-source dependencies
🚦 4. Defensive Strategies
A. Installation Verification
B. Build Environment Isolation
C. Transitive Dependency Monitoring
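For strategies A and C, the lockfile is the first control you already have: every entry in a `package-lock.json` carries a `resolved` URL and an `integrity` field (a Subresource-Integrity `sha512-…` value) that the installer compares against the tarball it downloads. The block below is an added example, not code from the original post or from npm: it checks a constructed lockfileVersion 3 document against constructed tarball bytes, reports entries that resolve outside an allow-listed registry host, entries whose hash no longer matches, and entries with no pin at all, and separately lists the install-time lifecycle scripts declared in a constructed package.json, since scripts that run automatically at install time are what an install-time review should look at. Package names, hosts and script contents are made up for the example.

```python
import base64
import hashlib
from urllib.parse import urlparse

# Registry hosts we accept tarballs from (allow-list for this example).
TRUSTED_REGISTRY_HOSTS = {"registry.npmjs.org"}
# npm lifecycle scripts that run automatically during install.
INSTALL_SCRIPTS = {"preinstall", "install", "postinstall", "prepare"}

# Constructed tarball contents standing in for what the registry would serve.
TARBALLS = {
    "node_modules/good-lib": b"good-lib 1.0.0 contents (constructed)",
    "node_modules/odd-lib": b"odd-lib 2.0.0 contents (constructed)",
}


def sri_sha512(data):
    """Subresource-Integrity string in the form used by package-lock.json `integrity` fields."""
    return "sha512-" + base64.b64encode(hashlib.sha512(data).digest()).decode()


# Constructed package-lock.json (lockfileVersion 3 layout). odd-lib is deliberately wrong in
# two ways for the example: its hash does not match and it resolves to an unlisted host.
LOCKFILE = {
    "name": "my-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "my-app", "version": "1.0.0"},
        "node_modules/good-lib": {
            "version": "1.0.0",
            "resolved": "https://registry.npmjs.org/good-lib/-/good-lib-1.0.0.tgz",
            "integrity": sri_sha512(TARBALLS["node_modules/good-lib"]),
        },
        "node_modules/odd-lib": {
            "version": "2.0.0",
            "resolved": "https://mirror.example.invalid/odd-lib/-/odd-lib-2.0.0.tgz",
            "integrity": sri_sha512(b"something else entirely"),
        },
        "node_modules/no-lock-data": {"version": "0.1.0"},
    },
}

# Constructed package.json of one installed dependency, declaring an install-time script.
ODD_LIB_PACKAGE_JSON = {"name": "odd-lib", "version": "2.0.0",
                        "scripts": {"postinstall": "node setup.js", "test": "jest"}}


def check_lockfile(lock, tarballs):
    """Return a list of (package path, finding) for entries that fail the pinning checks."""
    findings = []
    for path, entry in lock["packages"].items():
        if path == "":
            continue  # the root project itself
        resolved, integrity = entry.get("resolved"), entry.get("integrity")
        if not resolved or not integrity:
            findings.append((path, "missing resolved/integrity: install cannot be pinned"))
            continue
        host = urlparse(resolved).hostname
        if host not in TRUSTED_REGISTRY_HOSTS:
            findings.append((path, f"resolved from untrusted host {host}"))
        data = tarballs.get(path)
        if data is not None and sri_sha512(data) != integrity:
            findings.append((path, "integrity mismatch: tarball differs from lockfile"))
    return findings


def install_scripts(package_json):
    """Lifecycle scripts in a package.json that would run automatically at install time."""
    return sorted(set(package_json.get("scripts", {})) & INSTALL_SCRIPTS)


if __name__ == "__main__":
    for path, msg in check_lockfile(LOCKFILE, TARBALLS):
        print(f"{path}: {msg}")
    print("odd-lib install-time scripts:", install_scripts(ODD_LIB_PACKAGE_JSON))
```

In a real pipeline the tarball bytes come from the download cache rather than a dict, and `npm ci` already refuses a tarball whose hash differs from the lockfile; the value of running the check yourself is the registry-host allow-list and the list of unpinned entries, which `npm ci` does not enforce. Installing with `npm ci --ignore-scripts` and then reviewing the scripts this function lists, before re-enabling them for the packages that genuinely need them, keeps install-time execution a deliberate choice.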
📚 Resources and References
🔗 Official Documentation
- 📄 OWASP Top 10 2025 RC1 - Introduction
- 📋 OWASP Top 10 2021 (Archive)
- 🏆 SLSA Framework
- 📦 SBOM Best Practices (CISA)
🛠️ Tools and Frameworks
📰 Reference Articles
- 🪱 Shai-Hulud Worm - KrebsOnSecurity
- 🎨 XZ Utils Backdoor Analysis
- 🏗️ SolarWinds Attack Timeline - FireEye
- 📊 State of Supply Chain Security 2025 - Sonatype
🎬 Conclusion: The Supply Chain, New Battlefield?
The rise of A03: Software Supply Chain Failures to the Top 10 podium is NOT an accident. 🎯
The numbers speak for themselves:
- 📈 +742% supply chain attacks between 2019 and 2024 (Sonatype)
- 🎯 3 malicious npm packages published per day on average (Socket.dev)
- ⏱️ Median time to detection: 83 days (Veracode)
💡 The Moral of the Story:
Our modern applications are like Kinder Surprises 🥚:
- You see the chocolate (your code)
- You hope for the toy (the features)
- But you ignore what’s hidden inside each component…
And sometimes, the “toy” is a self-replicating worm that steals your tokens 🪱
Action Items for 2025:
- ✅ Generate your SBOMs and keep them up to date
- 🔐 Aim for SLSA Level 2+ for your critical builds
- 🔍 Audit your CI/CD pipelines like you audit your code
- 📊 Continuously monitor with tools like Dependency-Track
- 🎓 Train your teams on supply chain risks
“In the modern world, your application’s security depends as much on the quality of YOUR dependencies as on YOUR code.”
– PandaHack (2021)
Stay vigilant, and may your dependencies always be verified! 🛡️
— SPoint42, malicious package hunter by day, sandworm dreamer by night 🪐
Tags: #OWASP #Top10 #SupplyChain #SCA #npm #PyPI #SBOM #SLSA #DevSecOps #SoftwareSecurity