TL;DR: The OWASP Top 10 2025 release candidate shifts AppSec away from symptom-level labels toward root causes: supply chain failures are broken out as a category of their own, security misconfiguration moves up the list, and access control and integrity failures are reframed, according to Orca Security and the OWASP project leaders. The shift matters because identity, configuration, and provenance controls now sit at the centre of application risk, not beside it.
NHIMG editorial — based on content published by Orca Security: the OWASP Top 10 2025 release candidate and what changed
Questions worth separating out
Q: What breaks when broken access control is treated as a purely application-layer issue?
A: Teams miss the service and token boundaries where authorization actually fails.
Q: Why do security misconfigurations keep creating major exposure in cloud environments?
A: Because configuration is now part of the runtime control plane, not a one-time setup task.
Q: What do security teams get wrong about software supply chain risk?
A: They often focus on known vulnerabilities inside dependencies and miss the trust path that delivers the software.
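The first question above, worked as an added example that is not from the Orca Security article or from NHIMG: a Go service that verifies an HMAC-signed bearer token at its boundary and then handles the same invoice request two ways. The token format, the claim names, the `billing-api` audience, the invoice table and the signing key are all constructed for this example; a real deployment would verify an issuer-signed JWT or an mTLS identity in the same position.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"slices"
	"strings"
)

// Claims carried by a token from the (hypothetical) identity provider.
type Claims struct {
	Sub   string   `json:"sub"`
	Aud   string   `json:"aud"`
	Scope []string `json:"scope"`
}

// invoiceOwner maps an invoice to the only subject allowed to read it (constructed data).
var invoiceOwner = map[string]string{"inv-100": "alice", "inv-200": "bob"}

const thisService = "billing-api" // the audience this service accepts

var (
	ErrBadToken = errors.New("token signature invalid")
	ErrAudience = errors.New("token not issued for this service")
	ErrScope    = errors.New("missing invoices:read scope")
	ErrNotOwner = errors.New("caller is not the invoice owner")
)

func mac(key []byte, body string) string {
	h := hmac.New(sha256.New, key)
	h.Write([]byte(body))
	return base64.RawURLEncoding.EncodeToString(h.Sum(nil))
}

// MintToken builds "base64(claims).base64(hmac)" and stands in for the issuer.
func MintToken(key []byte, c Claims) string {
	payload, _ := json.Marshal(c)
	body := base64.RawURLEncoding.EncodeToString(payload)
	return body + "." + mac(key, body)
}

// VerifyToken is the token boundary: forged tokens and tokens minted for a
// different audience are rejected before any business logic runs.
func VerifyToken(key []byte, token string) (Claims, error) {
	parts := strings.SplitN(token, ".", 2)
	if len(parts) != 2 || !hmac.Equal([]byte(mac(key, parts[0])), []byte(parts[1])) {
		return Claims{}, ErrBadToken
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[0])
	var c Claims
	if err != nil || json.Unmarshal(raw, &c) != nil {
		return Claims{}, ErrBadToken
	}
	if c.Aud != thisService {
		return Claims{}, ErrAudience
	}
	return c, nil
}

// ReadInvoiceVulnerable verifies the token, then trusts the caller's owner
// parameter instead of the verified subject: bob's token plus owner=alice reads
// alice's invoice. The ownership check exists; identity just never reached it.
func ReadInvoiceVulnerable(key []byte, token, invoiceID, owner string) error {
	if _, err := VerifyToken(key, token); err != nil {
		return err
	}
	if actual, ok := invoiceOwner[invoiceID]; !ok || actual != owner {
		return ErrNotOwner
	}
	return nil
}

// ReadInvoiceHardened derives identity only from the verified claims and checks
// both the scope and the object's owner against it.
func ReadInvoiceHardened(key []byte, token, invoiceID string) error {
	c, err := VerifyToken(key, token)
	if err != nil {
		return err
	}
	if !slices.Contains(c.Scope, "invoices:read") {
		return ErrScope
	}
	if actual, ok := invoiceOwner[invoiceID]; !ok || actual != c.Sub {
		return ErrNotOwner
	}
	return nil
}

func main() {
	key := []byte("demo-key-do-not-reuse") // constructed test key shared by issuer and service
	bob := MintToken(key, Claims{Sub: "bob", Aud: thisService, Scope: []string{"invoices:read"}})
	fmt.Println("vulnerable, bob with owner=alice:", ReadInvoiceVulnerable(key, bob, "inv-100", "alice"))
	fmt.Println("hardened, bob reads inv-100:", ReadInvoiceHardened(key, bob, "inv-100"))
}
```

A scanner reports the vulnerable handler as a broken access control finding in application code, but the fix lives at the token boundary: the subject has to come from the verified claims, and the object check has to use that subject rather than anything the caller supplied.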
Practitioner guidance
- Map appsec findings to identity and authorization boundaries: trace broken access control findings to the service, token, and API layers where trust is actually enforced.
- Harden configuration control across cloud and runtime settings: automate baseline hardening, drift detection, and permission verification for cloud services, storage, and application runtimes.
- Verify software provenance before deployment: require signed builds, controlled artifact promotion, and clear separation of duties in CI/CD.
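The third guidance item, as an added example that is not from the Orca Security article or from NHIMG: a Go deployer gate that accepts an artifact only when a signed provenance statement verifies under the release key, names the digest of these exact bytes, and comes from an approved builder and repository. The `Provenance` structure, the builder IDs, the repository name and the keys are assumptions made for this example; in practice the statement would be a SLSA-style provenance attestation verified with a tool such as cosign or an in-toto verifier rather than this hand-rolled format, but the checks the gate performs are the same.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Provenance is a deliberately small attestation, an assumption of this example
// loosely shaped like SLSA provenance: what was built, by whom, from which source.
type Provenance struct {
	ArtifactSHA256 string `json:"artifact_sha256"`
	BuilderID      string `json:"builder_id"`
	SourceRepo     string `json:"source_repo"`
	SourceCommit   string `json:"source_commit"`
}

// SignedProvenance is the statement plus an Ed25519 signature over its JSON form.
type SignedProvenance struct {
	Statement Provenance
	Signature []byte
}

// DeployPolicy is what the deployer trusts: the release-signing public key,
// the builders allowed to produce deployable artifacts, and their source repos.
type DeployPolicy struct {
	TrustedKey      ed25519.PublicKey
	AllowedBuilders map[string]bool
	AllowedRepos    map[string]bool
}

var (
	ErrSignature = errors.New("provenance signature does not verify under the release key")
	ErrDigest    = errors.New("artifact digest does not match the attested digest")
	ErrBuilder   = errors.New("builder is not an approved release builder")
	ErrRepo      = errors.New("artifact was not built from an approved repository")
)

// canonical serialises the statement; struct field order is fixed, so the
// signed bytes are reproducible on both the builder and the deployer side.
func canonical(p Provenance) []byte {
	b, _ := json.Marshal(p)
	return b
}

// Sign is the build system's step. Only the release builder holds the private
// key; the deployer never does, which is the separation of duties in practice.
func Sign(priv ed25519.PrivateKey, p Provenance) SignedProvenance {
	return SignedProvenance{Statement: p, Signature: ed25519.Sign(priv, canonical(p))}
}

// VerifyForDeploy is the deployer's gate. A valid signature alone is not
// enough: the signed statement must describe these exact bytes, and the
// builder and source repository must be on the allowlist.
func VerifyForDeploy(pol DeployPolicy, artifact []byte, sp SignedProvenance) error {
	if !ed25519.Verify(pol.TrustedKey, canonical(sp.Statement), sp.Signature) {
		return ErrSignature
	}
	sum := sha256.Sum256(artifact)
	if hex.EncodeToString(sum[:]) != sp.Statement.ArtifactSHA256 {
		return ErrDigest
	}
	if !pol.AllowedBuilders[sp.Statement.BuilderID] {
		return ErrBuilder
	}
	if !pol.AllowedRepos[sp.Statement.SourceRepo] {
		return ErrRepo
	}
	return nil
}

// DemoKeys generates a throwaway key pair for the example; real release keys
// live in the build system's signer, never on the deployer.
func DemoKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Attest hashes the artifact and signs a statement about it (builder side).
func Attest(priv ed25519.PrivateKey, artifact []byte, builder, repo, commit string) SignedProvenance {
	sum := sha256.Sum256(artifact)
	return Sign(priv, Provenance{ArtifactSHA256: hex.EncodeToString(sum[:]),
		BuilderID: builder, SourceRepo: repo, SourceCommit: commit})
}

func main() {
	pub, priv := DemoKeys()
	pol := DeployPolicy{TrustedKey: pub,
		AllowedBuilders: map[string]bool{"ci://release-builder": true},
		AllowedRepos:    map[string]bool{"git@example.com:acme/app.git": true}}
	artifact := []byte("constructed artifact bytes standing in for an image or package")
	good := Attest(priv, artifact, "ci://release-builder", "git@example.com:acme/app.git", "abc123")
	fmt.Println("release build:", VerifyForDeploy(pol, artifact, good))
	tampered := append(append([]byte{}, artifact...), '!')
	fmt.Println("tampered bytes:", VerifyForDeploy(pol, tampered, good))
	dev := Attest(priv, artifact, "laptop://dev", "git@example.com:acme/app.git", "abc123")
	fmt.Println("signed on a laptop:", VerifyForDeploy(pol, artifact, dev))
}
```

The order of checks is deliberate: the signature is verified before any field of the statement is read, so an attacker who can edit the statement but not sign it gets no further than the first check, and the digest comparison ties the statement to the bytes actually being promoted rather than to a name or tag.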
What's in the full article
Orca Security's full article covers the operational detail this post intentionally leaves for the source:
- The category-by-category OWASP 2025 breakdown with the specific CWE examples mapped to each risk area.
- Orca Security's explanation of how its cloud platform traces findings from Cloud-to-Dev and labels them against OWASP categories.
- The precise examples the article uses for misconfiguration, supply chain failure, cryptographic weakness, and logging gaps.
- The implementation-oriented discussion of how the platform positions alerting, dashboards, and remediation workflows around the OWASP Top 10.
👉 Read Orca Security's analysis of the OWASP Top 10 2025 release candidate →
OWASP Top 10 2025: what the new risk model means for IAM?