OWASP Top 10 Updated for 2025
11-24-2025 (Monday)
Hello, and welcome to The Intentional Brief - your weekly video update on the one big thing in cybersecurity for middle market companies, their investors, and executive teams.
I’m your host, Shay Colson, Managing Partner at Intentional Cybersecurity, and you can find us online at intentionalcyber.com.
Today is Monday, November 24, 2025, and it’s Thanksgiving week here in the US. Hopefully that gives you a bit of breathing room on your calendars later this week and that you’ve got plenty to be thankful for.
OWASP Top 10 Updated for 2025
The Open Web Application Security Project - better known as OWASP - has released the draft of its 2025 update, the 8th installment of its Top 10.
For those not familiar, this list outlines the Top 10 critical risks facing web applications, and it’s a great way to make sure you’re covering your bases with any software development projects or penetration testing that you’re undertaking.
There’s a new addition to this year’s Top 10 that is worth covering in a bit of depth here today, and that’s Software Supply Chain Failures (A03:2025).
In a lot of ways, it should come as no surprise to see this added to the list, and you can even make the case that it should’ve been added earlier, but given that the last update took place in 2021, you can cut the Foundation a bit of slack.
In their description, OWASP notes “Software supply chain failures are breakdowns or other compromises in the process of building, distributing, or updating software. They are often caused by vulnerabilities or malicious changes in third-party code, tools, or other dependencies that the system relies on.”
I appreciate their frank and direct way of speaking about this vulnerability, and they go on to say:
“You are likely vulnerable if:
If you do not carefully track the versions of all components that you use (both client-side and server-side). This includes components you directly use as well as nested (transitive) dependencies.
If the software is vulnerable, unsupported, or out of date. This includes the OS, web/application server, database management system (DBMS), applications, APIs and all components, runtime environments, and libraries.
If you do not scan for vulnerabilities regularly and subscribe to security bulletins related to the components you use.
If you do not have a change management process or tracking of changes within your supply chain, including tracking IDEs, IDE extensions and updates, changes to your organization’s code repository, sandboxes, image and library repositories, the way artifacts are created and stored, etc. Every part of your supply chain should be documented, especially changes.
If you have not hardened every part of your supply chain, with a special focus on access control and the application of least privilege.
If your supply chain systems do not have any separation of duty. No single person should be able to write code and promote it all the way to production without oversight from another human being.
If developers, DevOps, or infrastructure professionals are allowed to download and use components from untrusted sources, for use in production.
If you do not fix or upgrade the underlying platform, frameworks, and dependencies in a risk-based, timely fashion. This commonly happens in environments when patching is a monthly or quarterly task under change control, leaving organizations open to days or months of unnecessary exposure before fixing vulnerabilities.
If software developers do not test the compatibility of updated, upgraded, or patched libraries.
If you do not secure the configurations of every part of your system (see A02:2025-Security Misconfiguration).
If you have a complex CI/CD pipeline that uses many components but has weaker security than the rest of your application.”
The fix?
“There should be a patch management process in place to:
Know your Software Bill of Materials (SBOM) of your entire software and manage the SBOM-dictionary centrally.
Track not just your own dependencies, but their (transitive) dependencies, and so on.
Remove unused dependencies, unnecessary features, components, files, and documentation. Attack surface reduction.
Continuously inventory the versions of both client-side and server-side components (e.g., frameworks, libraries) and their dependencies using tools like versions, OWASP Dependency Check, retire.js, etc.
Continuously monitor sources like Common Vulnerability and Exposures (CVE) and National Vulnerability Database (NVD) for vulnerabilities in the components you use. Use software composition analysis, software supply chain, or security-focused SBOM tools to automate the process. Subscribe to email alerts for security vulnerabilities related to components you use.
Only obtain components from official (trusted) sources over secure links. Prefer signed packages to reduce the chance of including a modified, malicious component (see A08:2025-Software and Data Integrity Failures).
Deliberately choose which version of a dependency you use and upgrade only when there is need.
Monitor for libraries and components that are unmaintained or do not create security patches for older versions. If patching is not possible, consider deploying a virtual patch to monitor, detect, or protect against the discovered issue.
Update your CI/CD, IDE, and any other developer tooling regularly; and
Treat components in your CI/CD pipeline as part of this process; harden them, monitor them, and document changes accordingly.”
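To make several of those points concrete, here is a small Python check (an added example, not OWASP’s or the show’s code) that walks a CycloneDX-style SBOM: it separates direct from transitive dependencies, flags components nothing depends on, unpinned versions, components pulled from an index outside an approved list, and versions below the fix level in an advisory entry. The SBOM, the trusted-index set and the advisory record are constructed for the demo; a real run would load your generated SBOM and an NVD/OSV-style feed.

```python
from collections import deque
from urllib.parse import parse_qs
# Constructed CycloneDX-style SBOM (the shape of the parsed JSON); package names and versions are fictional.
SBOM = {
    "metadata": {"component": {"bom-ref": "app", "name": "billing-app", "version": "2.3.0"}},
    "components": [
        {"bom-ref": "pkg:pypi/webclient@2.31.0", "name": "webclient", "version": "2.31.0", "purl": "pkg:pypi/webclient@2.31.0"},
        {"bom-ref": "pkg:pypi/tlsutil@1.26.5", "name": "tlsutil", "version": "1.26.5", "purl": "pkg:pypi/tlsutil@1.26.5"},
        {"bom-ref": "pkg:pypi/leftpad-utils@0.9.1", "name": "leftpad-utils", "version": "0.9.1",
         "purl": "pkg:pypi/leftpad-utils@0.9.1?repository_url=http://mirror.example.internal/simple"},
        {"bom-ref": "pkg:pypi/oldreport", "name": "oldreport", "version": "", "purl": "pkg:pypi/oldreport"},
    ],
    "dependencies": [{"ref": "app", "dependsOn": ["pkg:pypi/webclient@2.31.0", "pkg:pypi/leftpad-utils@0.9.1"]},
                     {"ref": "pkg:pypi/webclient@2.31.0", "dependsOn": ["pkg:pypi/tlsutil@1.26.5"]}],
}
TRUSTED_REPOS = {"https://pypi.org/simple"}  # assumption: the only approved package index
ADVISORIES = [{"id": "ADV-EXAMPLE-0001", "name": "tlsutil", "fixed_in": "1.26.18"}]  # constructed feed entry

def vtuple(v):  # crude numeric version key, enough for the x.y.z strings used here
    return tuple(int(p) for p in v.split(".") if p.isdigit())

def reachable(sbom):  # {bom-ref: depth} walking from the app root; 1 = direct, >1 = transitive
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    root = sbom["metadata"]["component"]["bom-ref"]
    depth, queue = {root: 0}, deque([root])
    while queue:
        ref = queue.popleft()
        for child in edges.get(ref, []):
            if child not in depth:
                depth[child] = depth[ref] + 1
                queue.append(child)
    return depth

def audit(sbom, trusted=TRUSTED_REPOS, advisories=ADVISORIES):
    """Return (bom-ref, finding) pairs: unused, unpinned, untrusted source, known-vulnerable."""
    findings, depth = [], reachable(sbom)
    for c in sbom["components"]:
        ref, ver = c["bom-ref"], c.get("version", "")
        if ref not in depth:  # nothing depends on it: a candidate for removal
            findings.append((ref, "unused: not reachable from the application root"))
        if not ver or any(ch in ver for ch in "*^~"):  # floating version, not a deliberate choice
            findings.append((ref, "unpinned: version must be chosen deliberately"))
        repo = parse_qs(c.get("purl", "").partition("?")[2]).get("repository_url", ["https://pypi.org/simple"])[0]
        if repo not in trusted:  # purl qualifier names the index; absent means the ecosystem default (PyPI)
            findings.append((ref, f"untrusted source: {repo}"))
        for adv in advisories:
            if c["name"] == adv["name"] and ver and vtuple(ver) < vtuple(adv["fixed_in"]):
                findings.append((ref, f"{adv['id']}: fixed in {adv['fixed_in']} ({'direct' if depth.get(ref) == 1 else 'transitive'} dependency)"))
    return findings
```

Running `audit(SBOM)` reports the vulnerable library only reachable through webclient as a transitive dependency, the component fetched from the internal mirror, and the orphaned, unpinned oldreport entry, while the pinned, reachable webclient from the approved index produces nothing.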
Given that we talk so often about third-party risk management (TPRM) on this show, it’s no surprise to see it make its way into these lower-level efforts.
We should also be mindful of the other ways in which the risk can manifest in our organization - with two stories from last week highlighting this:
So, if your software supply chain isn’t where you want it to be, or your TPRM program hasn’t quite gotten off the ground, now’s the best time to make the investment in building some resilience for your critical applications - whether you’re developing them or buying them.
Fundraising
From a fundraising perspective, we saw quite a week in terms of numbers, with more than $35B in newly committed capital, including:
DigitalBridge, who raised $7.2b for its third digital infrastructure fund, plus $4.5 in co-investment commitments;
JPMorgan raised $1b for its second private equity co-investment fund;
Brookfield is launching a $100b AI infrastructure program with Nvidia and Kuwait Investment Authority, anchored by a $10b fund;
BVP Forge, a private equity group affiliated with Bessemer Venture Partners, raised $1b for its second fund; and
CapVest Partners, who secured around $3.8b for a single-asset CV focused on nuclear medicines company Curium.
A reminder that you can find links to all the articles we covered below, find back issues of these videos and the written transcripts at intentionalcyber.com, and now sign up for our monthly newsletter, the Intentional Dispatch.
We’ll see you next week for another edition of the Intentional Brief.
Links
https://owasp.org/Top10/2025/0x00_2025-Introduction/
https://owasp.org/Top10/2025/A03_2025-Software_Supply_Chain_Failures/
https://www.nytimes.com/2025/11/22/business/bank-data-hack.html