TL;DR: OWASP’s latest Top 10 is still led by broken access controls and security misconfigurations, with the current edition based on data from over 2.8 million apps and 3.73% affected in the top flaw category, according to Swarmnetics. The message for practitioners is that secure-by-design progress has not displaced foundational control failures, especially where cloud and application boundaries blur.
NHIMG editorial — based on content published by Swarmnetics: Update of OWASP Top 10 Sees Same Old Problems Topping the List
By the numbers:
- The current OWASP Top 10 is based on data for over 2.8 million apps donated by a variety of large cybersecurity firms, along with a survey circulated to security professionals.
- The report finds 3.73% of the analyzed apps impacted by the #1 category of flaws.
Questions worth separating out
Q: What breaks when broken access control is treated as a purely application-layer issue?
A: Teams miss the service and token boundaries where authorization actually fails.
Q: Why do security misconfigurations keep creating major exposure in cloud environments?
A: Because configuration is now part of the runtime control plane, not a one-time setup task.
Q: How do security teams know whether secure-by-design is actually improving app risk?
A: Look for fewer repeat findings in authorization, configuration, and dependency trust tests, not just fewer policy exceptions.
Practitioner guidance
- Map authorization checks to business-critical app functions Identify the application actions that expose data, administrative capability, or privileged workflows, then verify that each one is enforced server-side with explicit authorization logic rather than client-side assumptions.
- Bind cloud configuration baselines to access policy Treat misconfiguration as an access issue by pairing infrastructure baselines with identity and role constraints for storage, APIs, and administrative endpoints.
- Test dependency trust and error paths before release Add build-time and pre-production checks for dependency provenance, fallback handling, and error-state behaviour, because attackers often exploit the paths that teams do not consider part of the main workflow.
What's in the full analysis
Swarmnetics' full article covers the category-by-category movement and interpretation this post intentionally leaves for the source:
- Its breakdown of how category mergers changed the apparent ranking movement in the 2025 OWASP Top 10.
- Its discussion of the pre-cloud bias in the list and why that matters for cloud-hosted systems.
- Its examples of specific flaw types such as URL guessing, user ID enumeration, and exception handling failures.
- Its commentary on how threat modelling and secure-by-design practices are influencing category movement.
👉 Read Swarmnetics' analysis of the latest OWASP Top 10 findings →
OWASP Top 10: what the unchanged risk leaders mean for app teams?
Explore further
Broken access control is still the most durable application security failure because identity decisions are too often assumed instead of enforced. The article’s reminder that URL guessing, identifier enumeration, and missing authorization checks still appear in modern apps shows how frequently access logic is treated as a thin layer instead of a control boundary. For IAM and PAM teams, the lesson is that entitlement design and app enforcement must be aligned, or the application becomes the weakest authorization layer in the stack.
A few things that frame the scale:
- 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months, according to The State of Non-Human Identity Security.
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.
A question worth separating out:
Q: Who should own access control and configuration failures in modern application estates?
A: Ownership should sit with the teams that can change the control in production: application engineering for authorization logic, cloud platform teams for baseline configuration, and identity teams for privileged access and trust policy. If ownership is split without a clear runtime test, gaps persist because no one is accountable for the control working end to end.
👉 Read our full editorial: OWASP Top 10 still points to access control and misconfig gaps