Your Web application is not just another Web site. It’s the backbone of your business operations: customer portals, API links, invoice flows and sensitive data. But how do you know if that application is secure enough? The OWASP Top 10 has provided the answer for more than two decades. The latest edition (officially the OWASP Top 10:2025, confirmed in January 2026) is based on the analysis of more than 175,000 vulnerabilities. In this article, we explain the 10 risks in plain language so that you, as a CTO or IT manager, know exactly where your attention should be focused in 2026.
What is the OWASP Top 10 and why should you know about it?
OWASP stands for Open Web Application Security Project, an independent nonprofit organization that sets the standard for application security worldwide. The OWASP Top 10 is their most well-known publication: a ranking of the 10 most critical Web application risks, compiled from real vulnerability data and input from thousands of security experts.
For Belgian companies, the OWASP Top 10 is more than an awareness document. The NIS2 Directive and the Cyber Resilience Act (CRA) explicitly refer to recognized security standards. An application pen test based on the OWASP Top 10 provides you with concrete evidence of digital resilience, something auditors and regulators want to see.
The ten risks at a glance
The OWASP Top 10:2025 contains some notable shifts from the previous 2021 edition. Two categories are new, one category has been merged with another, and the order has been shaken up considerably. Below is the full list with a brief explanation for each risk.
A01: Inadequate access control (Broken Access Control) remains in first place. This risk occurs when users can act outside their permissions, such as by modifying a client ID in the URL to view data from other clients. Server-Side Request Forgery (SSRF) has been merged with this category in this edition. In practice, we see some form of poor access control in almost every application tested.
A02: Insecure configuration (Security Misconfiguration) rises from position 5 to 2. Consider applications running in debug mode on production, open cloud storage or improperly set HTTP headers. With the speed at which DevOps teams roll out environments, security settings easily slip through.
A03: Software Supply Chain Failures is new in this edition. It is no longer just about obsolete libraries, but the entire chain: package repositories, build systems and CI/CD pipelines. One compromised component in a popular framework can affect thousands of applications at once. Maintaining a Software Bill of Materials (SBOM) is increasingly becoming a requirement under the CRA.
A04: Cryptographic Failures drops from position 2 to 4. This includes insufficient encryption of data in transit or at rest: no HTTPS, weak hashing algorithms or missing salting in password storage.
A05: Injection drops from position 3 to 5, but remains one of the most dangerous vulnerabilities. SQL injection is the best-known example: unvalidated user input manipulates database queries. Cross-Site Scripting (XSS) also falls into this category. Modern frameworks mitigate many of these risks by default, but custom and legacy systems remain vulnerable.
A06: Insecure Design is about design flaws rather than implementation flaws. Even perfectly written code can be insecure if the underlying logic is flawed. Threat modeling early in the development process prevents these types of structural vulnerabilities.
A07: Authentication problems (Authentication Failures) includes weak password recovery flows, missing multi-factor authentication and session hijacking. By 2026, relying on passwords alone is no longer acceptable for critical applications; FIDO2 and passkeys will become the standard.
A08: Software or Data Integrity Failures focuses on situations where code or data is trusted without verification, such as unsigned updates or insecure deserialization.
A09: Deficient logging and alerting (Logging & Alerting Failures) emphasizes that logging alone is not enough. If no alerting follows, you won’t notice an intrusion until weeks later. Under NIS2, this is especially relevant because of the strict incident reporting requirement.
A10: Mishandling of Exceptional Conditions is the second new category. Poorly handled errors can leak detailed stack traces that aid attackers, exhaust resources or leave systems in an insecure state. In short, your application must also fail securely.
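To make A01 and A10 concrete, here is an added example (not code from the original article or from Cyberplan) of a portal handler that looks up a client record by the client ID from the URL. The first version trusts the ID and raises on unknown input; the hardened version adds object-level authorization and fails securely. The CLIENTS table and user names are constructed sample data.

```python
import logging
from typing import Callable, Optional

# Constructed sample data standing in for the database behind a customer portal.
CLIENTS = {
    101: {"owner": "alice", "name": "Acme NV", "iban": "BE00 0000 0000 0000"},
    102: {"owner": "bob", "name": "Bravo BV", "iban": "BE11 1111 1111 1111"},
}
log = logging.getLogger("portal")
Backend = Callable[[int], Optional[dict]]


def get_client_vulnerable(session_user: str, client_id: int) -> tuple[int, dict]:
    """A01 pattern: client_id comes straight from the URL and the handler never
    checks that the logged-in user owns that record. An unknown id raises a
    KeyError which, in an app left in debug mode, reaches the caller as a
    full stack trace (A10)."""
    record = CLIENTS[client_id]
    return 200, record


def get_client_hardened(session_user: str, client_id: int,
                        backend: Backend = CLIENTS.get) -> tuple[int, dict]:
    """Same lookup with object-level authorization and fail-secure error handling.
    `backend` is a hypothetical injection point so a failing data store can be
    simulated; it defaults to the constructed in-memory table."""
    try:
        record = backend(client_id)
        # One 404 for both "no such client" and "not your client": the response
        # neither exposes another customer's data nor confirms which ids exist.
        if record is None or record["owner"] != session_user:
            log.warning("denied client %s for user %s", client_id, session_user)
            return 404, {"error": "not found"}
        return 200, record
    except Exception:
        # A10: keep the traceback in the server log (where alerting can pick
        # it up) and return a generic message so internals never reach the caller.
        log.exception("unexpected error serving client %s", client_id)
        return 500, {"error": "internal error"}
```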
Two new categories that deserve extra attention
The addition of supply chain failures at position 3 reflects a trend that directly affects Belgian companies. Research shows that more than a third of Belgian organizations have already been affected by supplier-based attacks. With the CRA requiring manufacturers to ensure the security of digital products throughout their lifecycle, managing your software dependencies becomes a compliance requirement.
The new category around exception handling may sound technical, but it boils down to a simple principle: your application must safely handle the unexpected. Fail-open logic, the leakage of sensitive information via error messages and the failure to properly release system resources after a crash are all problems that regularly surface during a pen test.
What does the OWASP Top 10 mean for your compliance?
For Belgian companies covered by NIS2, the OWASP Top 10 is a practical guide to meeting the requirement for “appropriate technical measures.” The CyberFundamentals levels Important and Essential require demonstrable application security. A pen test based on the OWASP Top 10 provides the concrete evidence that auditors expect.
In addition, the Cyber Resilience Act makes it mandatory for software companies to actively monitor and fix vulnerabilities. The OWASP Top 10 provides the most widely accepted frame of reference in the industry for this purpose.
From risk to action
The OWASP Top 10 is a starting point, not an end point. The real work starts with testing your specific applications for these risks. An application pen test by experienced security specialists uncovers vulnerabilities before attackers find them, and provides a concrete action plan that your development team can act on immediately.
At Cyberplan, our OSCP-certified ethical hackers conduct in-depth pen tests on Web applications and APIs, specifically targeting the OWASP Top 10. The result? A clear report in human language, with priorities that both your developers and your management understand. Via the KMO-portefeuille, as a small company you receive up to 45% subsidy on this investment, as a medium-sized company 35%.
Wondering how your applications score on the OWASP Top 10? Book a free consultation and find out where your quick wins lie.
Frequently asked questions about the OWASP Top 10
What exactly is the OWASP Top 10?
The OWASP Top 10 is an internationally recognized ranking of the ten most critical Web application security risks. The list is compiled by the OWASP Foundation based on vulnerability data and input from security experts worldwide.
When was the last OWASP Top 10 published?
The most recent edition is the OWASP Top 10:2025, confirmed in January 2026. The previous version was dated 2021. On average, updates are published every three to four years.
What are the new categories in the OWASP Top 10:2025?
There are two new categories: Software Supply Chain Failures (A03), focusing on risks in the software supply chain, and Mishandling of Exceptional Conditions (A10), focusing on unsafe error handling in applications.
Is the OWASP Top 10 mandatory under NIS2?
The OWASP Top 10 is not a legal requirement per se, but NIS2 requires “appropriate technical measures.” A pen test based on the OWASP Top 10 is widely accepted by auditors as proof that you meet this requirement.
How often should I test my applications for OWASP risks?
At least annually, and with every major change or release of your application. For companies under NIS2 or with sensitive customer data, a semi-annual pen test is recommended.
What does an application pen test cost based on the OWASP Top 10?
The costs depend on the complexity and size of your application. Via the KMO-portefeuille, you as a Flemish company receive up to 45% subsidy on this investment, which lowers the threshold considerably.