Application Penetration Testing in Dubai — Methodology, Cost and Why Your Business Needs It

Everything Dubai businesses need to know about application penetration testing — methodology, realistic costs, choosing a provider, and testing frequency.

The OWASP Top 10 is the most widely referenced standard for web application security risks worldwide. When the OWASP Foundation updates this list, it sends ripples through development teams, security auditors, and compliance frameworks globally. The 2025 update brings significant shifts that every Indian organization building or maintaining web applications needs to understand.

This is not just an academic exercise. CERT-In compliance audits, RBI cybersecurity frameworks, and SEBI guidelines all reference OWASP as a baseline. When the Top 10 changes, your security testing scope and remediation priorities must change with it.

Quick Comparison: OWASP Top 10 — 2021 vs 2025

Before diving into details, here is the high-level mapping of how the categories have shifted:

  • A01:2021 Broken Access Control — Remains critical in 2025, with expanded emphasis on API-level access control failures
  • A02:2021 Cryptographic Failures — Updated to reflect modern encryption requirements and post-quantum considerations
  • A03:2021 Injection — Broadened to include prompt injection and NoSQL injection patterns emerging from AI-integrated applications
  • A04:2021 Insecure Design — Strengthened with threat modeling requirements and secure-by-default architecture patterns
  • A05:2021 Security Misconfiguration — Expanded to cover cloud-native misconfigurations, Kubernetes security, and Infrastructure as Code
  • A06:2021 Vulnerable and Outdated Components — Elevated focus on software supply chain security and SBOM (Software Bill of Materials) requirements
  • A07:2021 Identification and Authentication Failures — Updated for passkey adoption, MFA bypass techniques, and session management in distributed systems
  • A08:2021 Software and Data Integrity Failures — Greater emphasis on CI/CD pipeline security and build process integrity
  • A09:2021 Security Logging and Monitoring Failures — Aligned with CERT-In six-hour incident reporting requirements
  • A10:2021 Server-Side Request Forgery (SSRF) — Expanded to cover cloud metadata exploitation and internal service abuse in microservices architectures

Deep Dive: What Changed and Why It Matters for Indian Organizations

Broken Access Control Remains the Top Risk

Access control failures continued to dominate vulnerability data between 2021 and 2025. For Indian organizations, this is particularly relevant because:

  • The DPDP Act 2023 imposes penalties for unauthorized data access, making access control failures both a security and a legal risk
  • Indian banking applications frequently implement complex role hierarchies (maker-checker workflows) where access control bugs can have direct financial impact
  • API-first architectures adopted by Indian fintech companies create new access control surfaces that traditional testing may miss

The 2025 update specifically calls out BOLA (Broken Object Level Authorization) and BFLA (Broken Function Level Authorization) patterns that align with the OWASP API Security Top 10. If your penetration testing provider is not testing APIs separately from web interfaces, you have a coverage gap.
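The BOLA and BFLA patterns named above, as an added example that is not code from the original article: each appears as a vulnerable handler beside its hardened form over a constructed in-memory store, and all identifiers are hypothetical.

```python
# Added example, not code from the original article: the BOLA and BFLA
# patterns the text names, each as a vulnerable handler beside a hardened
# one over a constructed in-memory store. All names are hypothetical.
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the caller may not perform the requested operation."""


@dataclass(frozen=True)
class User:
    user_id: str
    role: str  # "customer" or "admin"


# Constructed sample data: invoice id -> owner and amount.
INVOICES = {
    "inv-100": {"owner": "u-1", "amount": 1200},
    "inv-200": {"owner": "u-2", "amount": 5400},
}


def get_invoice_bola(user: User, invoice_id: str) -> dict:
    """Vulnerable (BOLA): the object is looked up by id alone, so any
    authenticated caller can read any invoice whose id they know."""
    return INVOICES[invoice_id]


def get_invoice(user: User, invoice_id: str) -> dict:
    """Hardened: ownership is part of the lookup, so another user's id
    behaves exactly like a non-existent one and leaks nothing."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None or (user.role != "admin" and invoice["owner"] != user.user_id):
        raise Forbidden("invoice not accessible")
    return invoice


def delete_invoice_bfla(user: User, invoice_id: str) -> bool:
    """Vulnerable (BFLA): an admin-only function that any authenticated
    user can call because the role is never checked."""
    return INVOICES.pop(invoice_id, None) is not None


def delete_invoice(user: User, invoice_id: str) -> bool:
    """Hardened: the function-level role check runs before any work."""
    if user.role != "admin":
        raise Forbidden("admin role required")
    return INVOICES.pop(invoice_id, None) is not None
```

A test that exercises both the object-level and the function-level check is what a provider testing "APIs separately from web interfaces" should be producing for every object type and privileged operation.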

Injection Evolves Beyond SQL

The injection category has always been about untrusted data being sent to an interpreter. The 2025 update reflects the reality that modern applications interact with many more interpreters than traditional SQL databases:

  • Prompt Injection: As Indian enterprises integrate large language models (LLMs) into customer-facing applications, prompt injection becomes a real threat vector. Chatbots, automated support systems, and AI-powered search features all introduce this risk.
  • NoSQL Injection: MongoDB and other NoSQL databases are widely used in Indian startups and e-commerce platforms. The injection patterns differ from SQL but are equally dangerous.
  • Template Injection: Server-side template injection (SSTI) affects the Python, Java, and Node.js templating frameworks used across Indian development shops.
  • LDAP Injection: Still relevant for enterprises using Active Directory for authentication.
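The NoSQL injection pattern from the list above, as an added example that is not code from the original article: a vulnerable MongoDB-style login filter builder beside a hardened parser. Only filter construction is shown, no database is involved, and the function names are hypothetical.

```python
# Added example, not code from the original article: the NoSQL injection
# pattern the text mentions, as a vulnerable login-filter builder beside a
# hardened one. Only filter construction is shown; no database is involved,
# and all function names are hypothetical.
import json


class BadRequest(ValueError):
    """Raised when the request body is not the shape the endpoint expects."""


def build_login_filter_unsafe(body: bytes) -> dict:
    """Vulnerable: JSON values go straight into the query document, so a
    value that is an operator object (e.g. {"$ne": ""}) instead of a string
    turns the equality check into one that matches almost any document."""
    data = json.loads(body)
    return {"username": data["username"], "password": data["password"]}


def contains_operator(value) -> bool:
    """Recursively detect operator keys ($gt, $ne, $where, ...) anywhere in
    untrusted JSON; useful for endpoints that legitimately accept objects."""
    if isinstance(value, dict):
        return any(k.startswith("$") or contains_operator(v) for k, v in value.items())
    if isinstance(value, list):
        return any(contains_operator(v) for v in value)
    return False


def parse_login(body: bytes) -> tuple:
    """Hardened: both fields must be non-empty strings of bounded length.
    Returns (query_filter, password): the filter selects on username only;
    the password is verified against the stored hash in application code,
    never by the database query."""
    data = json.loads(body)
    if not isinstance(data, dict) or contains_operator(data):
        raise BadRequest("malformed login request")
    values = {}
    for name in ("username", "password"):
        value = data.get(name)
        if not isinstance(value, str) or not 0 < len(value) <= 256:
            raise BadRequest(f"{name} must be a non-empty string")
        values[name] = value
    return {"username": values["username"]}, values["password"]
```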

Supply Chain Security Gets Serious Attention

The 2025 update significantly elevates software supply chain security. This matters enormously for the Indian IT services industry because:

  • Indian development teams extensively use open-source components from npm, PyPI, and Maven repositories
  • The Log4Shell incident demonstrated how a single vulnerable dependency can compromise thousands of applications
  • CERT-In has begun emphasizing SBOM requirements for critical infrastructure organizations
  • Many Indian organizations lack visibility into their transitive dependency chains

Practical steps include implementing dependency scanning in CI/CD pipelines, maintaining a Software Bill of Materials, and establishing a process for responding to newly disclosed vulnerabilities in dependencies.
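The transitive-dependency blind spot described above, as an added example that is not code from the original article: given a lock-file-like dependency graph and an advisory list, it reports every path from the application to a vulnerable package and which direct dependency is responsible. The graph, the package names and the advisory set are constructed sample data, not real packages.

```python
# Added example, not code from the original article: a minimal check for the
# transitive-dependency blind spot the text describes. The graph, package
# names and advisory set are constructed sample data, not real packages.

# Constructed lock-file-like graph: package -> its direct dependencies.
DEPENDENCY_GRAPH = {
    "app": ["web-framework", "report-builder"],
    "web-framework": ["http-core", "template-engine"],
    "report-builder": ["pdf-lib", "logging-lib"],
    "pdf-lib": ["image-codec", "logging-lib"],
    "logging-lib": ["jndi-lookup"],  # the kind of deep pull-in Log4Shell exposed
    "http-core": [],
    "template-engine": [],
    "image-codec": [],
    "jndi-lookup": [],
}

# Constructed advisory list: package names with a newly disclosed vulnerability.
ADVISORIES = {"jndi-lookup"}


def dependency_paths(graph: dict, root: str, target: str) -> list:
    """Return every path from root to target through the dependency graph,
    sorted for stable output. Each path shows how the vulnerable package is
    reached, which is what an SBOM review needs in order to act."""
    paths = []
    stack = [(root, [root])]
    while stack:
        node, path = stack.pop()
        if node == target:
            paths.append(path)
            continue
        for child in graph.get(node, []):
            if child not in path:  # guard against cyclic dependency graphs
                stack.append((child, path + [child]))
    return sorted(paths)


def affected_direct_dependencies(graph: dict, root: str, advisories: set) -> dict:
    """Map each vulnerable package to the direct dependencies of root that
    pull it in transitively: the actionable output (what to upgrade or
    replace) rather than just a list of vulnerable names."""
    result = {}
    for pkg in sorted(advisories):
        directs = {p[1] for p in dependency_paths(graph, root, pkg) if len(p) > 1}
        if directs:
            result[pkg] = sorted(directs)
    return result
```

Real SBOM tooling does the same walk over a CycloneDX or SPDX document with versions attached; the point here is that a vulnerable package two or three levels down is only fixable once you know which direct dependency carries it.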

Cloud Misconfigurations Now Explicitly Addressed

The 2021 Security Misconfiguration category primarily focused on traditional server and application misconfigurations. The 2025 update explicitly addresses cloud-native environments:

  • S3 bucket misconfigurations and public cloud storage exposure
  • Overpermissive IAM policies in AWS, Azure, and GCP
  • Kubernetes RBAC misconfigurations and container security
  • Infrastructure as Code (Terraform, CloudFormation) security scanning
  • Serverless function permission models
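The overpermissive IAM policy item from the list above, as an added example that is not code from the original article: a small checker that flags wildcard grants in a policy document, run against a constructed weak policy and a constructed scoped one. The documents follow the AWS policy-document shape; the checker itself is hypothetical and not an AWS or third-party tool.

```python
# Added example, not code from the original article: a small checker for
# the overpermissive IAM policy pattern the text lists. The two policy
# documents are constructed samples in AWS policy-document shape, and the
# checker itself is hypothetical, not an AWS or third-party tool.


def _as_list(value):
    """IAM accepts a single string or a list in most fields; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def overpermissive_statements(policy: dict) -> list:
    """Flag Allow statements that grant every action, a whole service, an
    unconditioned Resource '*', or use NotAction/NotResource (which grant
    everything not listed). Returns human-readable findings."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        if "*" in actions or "*:*" in actions:
            findings.append(f"statement {i}: Action allows every API call")
        else:
            for a in actions:
                if a.endswith(":*"):
                    findings.append(f"statement {i}: service-wide wildcard {a}")
        if "*" in _as_list(stmt.get("Resource")) and "Condition" not in stmt:
            findings.append(f"statement {i}: Resource '*' with no Condition")
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {i}: NotAction/NotResource used")
    return findings


# Constructed weak policy: the classic allow-everything grant.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed scoped policy: named actions on one bucket prefix only.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::example-bucket/uploads/*",
    }],
}
```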

For Indian organizations migrating to cloud under government initiatives like MeghRaj and Digital India, this expanded scope is directly relevant. Cloud adoption without cloud security expertise creates significant exposure.

Logging and Monitoring Aligned with Indian Compliance

The updated logging and monitoring category now emphasizes real-time detection and rapid response capabilities. This aligns directly with CERT-In directives requiring:

  • Six-hour incident reporting timeline
  • Synchronized NTP logging across all systems
  • Log retention for 180 days within Indian jurisdiction
  • Centralized log management and SIEM capabilities

Organizations that treated logging as an afterthought now face regulatory pressure to implement comprehensive monitoring. The 2025 OWASP update validates this as a critical security concern, not just a compliance checkbox.

Impact on Your Security Testing Program

Update Your Testing Scope

If your annual VAPT engagement references the OWASP Top 10 as its testing standard (and most do), you need to ensure your penetration testing provider has updated their methodology. Key questions to ask:

  • Does the testing scope include API security testing aligned with OWASP API Security Top 10?
  • Are cloud configurations assessed as part of the engagement?
  • Is supply chain security (dependency analysis) included?
  • Does the methodology address AI/LLM-specific vulnerabilities if your application uses these technologies?

Revisit Your Secure Development Lifecycle

The 2025 update reinforces that security must be built in, not bolted on. Indian development teams should:

  • Integrate SAST (Static Application Security Testing) into CI/CD pipelines
  • Implement dependency scanning with tools like Snyk, Dependabot, or OWASP Dependency-Check
  • Conduct threat modeling during design phases, not just testing during deployment
  • Train developers on the updated Top 10 with specific examples relevant to their technology stack

Update Compliance Documentation

If your organization references OWASP Top 10 in security policies, compliance documentation, or vendor assessment questionnaires, these documents need updating. This includes:

  • Information security policies referencing OWASP standards
  • Vendor security assessment criteria
  • RFP requirements for security testing services
  • Developer security training curricula

What This Means for eShield Consulting Clients

At eShield Consulting, we continuously update our penetration testing methodology to reflect the latest OWASP standards. Our assessment scope already covers API security testing, cloud configuration review, and supply chain analysis alongside traditional web application testing. We help Indian organizations not just test against the updated Top 10, but build development practices that prevent these vulnerabilities from reaching production.

Frequently Asked Questions

When was the OWASP Top 10 2025 officially released?

OWASP periodically updates the Top 10 based on collected vulnerability data from hundreds of organizations worldwide. The 2025 update reflects vulnerability trends and attack patterns observed since the 2021 release, incorporating data from application security testing firms, bug bounty programs, and incident response teams globally.

Do Indian compliance frameworks reference specific OWASP versions?

Most Indian regulatory frameworks reference the OWASP Top 10 generically without specifying a version. However, auditors typically expect organizations to test against the most current version. Using the outdated 2021 list when the 2025 update is available would be noted as a gap during compliance assessments.

How does the OWASP Top 10 2025 affect CERT-In audit requirements?

CERT-In empanelled auditors are expected to follow current security standards. The 2025 update expands the expected scope of web application security assessments. Organizations preparing for CERT-In audits should ensure their security testing covers the expanded categories, particularly cloud security, API security, and supply chain risks.

Should we test against both the 2021 and 2025 OWASP Top 10?

No. The 2025 update supersedes the 2021 version. All vulnerability categories from 2021 are either retained or absorbed into updated 2025 categories. Testing against the 2025 list provides comprehensive coverage that includes all 2021 risks.

Is the OWASP Top 10 sufficient for complete web application security?

The OWASP Top 10 represents the most critical risks but is not exhaustive. Comprehensive security testing should also reference the OWASP Application Security Verification Standard (ASVS), OWASP Testing Guide, and industry-specific requirements. The Top 10 is a minimum baseline, not a maximum standard.
