OWASP Top 10 2025: what the new risk model means for IAM


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9079
Topic starter  

TL;DR: The OWASP Top 10 2025 release candidate shifts AppSec away from symptom-level labels toward root causes, with changes such as splitting supply chain failures, elevating misconfiguration, and reframing access control and integrity issues, according to Orca Security and OWASP project leaders. That shift matters because identity, configuration, and provenance controls now sit at the centre of application risk, not beside it.

NHIMG editorial — based on content published by Orca Security: the OWASP Top 10 2025 release candidate and what changed

Questions worth separating out

Q: What breaks when broken access control is treated as a purely application-layer issue?

A: Teams miss the service and token boundaries where authorization actually fails.

Q: Why do security misconfigurations keep creating major exposure in cloud environments?

A: Because configuration is now part of the runtime control plane, not a one-time setup task.

Q: What do security teams get wrong about software supply chain risk?

A: They often focus on known vulnerabilities inside dependencies and miss the trust path that delivers the software.

Practitioner guidance

  • Map appsec findings to identity and authorization boundaries: trace broken access control findings to the service, token, and API layers where trust is actually enforced.
  • Harden configuration control across cloud and runtime settings: automate baseline hardening, drift detection, and permission verification for cloud services, storage, and application runtimes.
  • Verify software provenance before deployment: require signed builds, controlled artifact promotion, and clear separation of duties in CI/CD.

What's in the full article

Orca Security's full article covers the operational detail this post intentionally leaves for the source:

  • The category-by-category OWASP 2025 breakdown with the specific CWE examples mapped to each risk area.
  • Orca Security's explanation of how its cloud platform traces findings from Cloud-to-Dev and labels them against OWASP categories.
  • The precise examples the article uses for misconfiguration, supply chain failure, cryptographic weakness, and logging gaps.
  • The implementation-oriented discussion of how the platform positions alerting, dashboards, and remediation workflows around the OWASP Top 10.

👉 Read Orca Security's analysis of the OWASP Top 10 2025 release candidate →

(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8508
 

OWASP Top 10 2025 is really an identity governance document in appsec clothing. The list now concentrates on access control, configuration, provenance, and integrity because those are the control planes where modern applications fail. That is why IAM, PAM, and NHI teams should read this update as a map of where application trust is breaking, not as a pure developer checklist.

A few things that frame the scale:

  • The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
  • Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap, according to The State of Secrets in AppSec.

A question worth separating out:

Q: How should organisations decide whether appsec, IAM, or platform teams own a control failure?

A: They should assign ownership based on where the trust decision is made, not where the symptom appears. If the issue is authorization, configuration, signing, or lifecycle of a secret, the fix spans appsec and identity governance. Shared control ownership is often the only realistic model for root-cause remediation.

👉 Read our full editorial: OWASP Top 10 2025 shifts appsec toward root causes
