The OWASP Top 10 2025 is the latest update to the most widely referenced standard for web application security. If you're building or maintaining web applications, this is the benchmark your security posture is measured against.
Here's what changed from 2021 to 2025, and how Ship Safe's 18 agents map to every category.
The 2025 Top 10
| Rank | Category | What's New |
|---|---|---|
| A01 | Broken Access Control | Still #1. Now includes BOLA and mass assignment |
| A02 | Cryptographic Failures | Expanded to cover weak JWT secrets and missing TLS |
| A03 | Injection | Now includes template injection and prompt injection |
| A04 | Insecure Design | Architecture-level flaws, not just implementation bugs |
| A05 | Security Misconfiguration | Docker, K8s, CORS, CSP, and cloud misconfigs |
| A06 | Vulnerable Components | Supply chain attacks now explicitly included |
| A07 | Authentication Failures | Rate limiting, MFA bypass, session fixation |
| A08 | Data Integrity Failures | Insecure deserialization, unsigned updates |
| A09 | Logging & Monitoring | Expanded to include missing audit trails |
| A10 | Server-Side Request Forgery | SSRF promoted from sub-category to its own entry |
What Changed from 2021
Injection (A03) now includes prompt injection. This is the biggest shift. With LLMs embedded in production applications, prompt injection is now an OWASP-recognized web vulnerability, not just an AI concern.
Supply chain attacks are now explicit in A06. Typosquatting, dependency confusion, and malicious packages are no longer edge cases. They're mainstream attack vectors.
SSRF got its own category (A10). Previously a sub-item, SSRF is now important enough to stand alone, driven by cloud metadata attacks and internal service exploitation.
How Ship Safe Covers OWASP 2025
Ship Safe's 18 agents map to every OWASP 2025 category:
| OWASP 2025 | Ship Safe Agents |
|---|---|
| A01: Broken Access Control | AuthBypassAgent, APIFuzzer |
| A02: Cryptographic Failures | AuthBypassAgent (JWT), Scanner (secrets) |
| A03: Injection | InjectionTester, LLMRedTeam (prompt injection) |
| A04: Insecure Design | VibeCodingAgent, AgenticSecurityAgent |
| A05: Security Misconfiguration | ConfigAuditor, CICDScanner |
| A06: Vulnerable Components | SupplyChainAudit, dependency audit |
| A07: Authentication Failures | AuthBypassAgent, APIFuzzer |
| A08: Data Integrity Failures | SupplyChainAudit, InjectionTester |
| A09: Logging & Monitoring | ExceptionHandlerAgent |
| A10: SSRF | SSRFProber |
Beyond the standard Top 10, Ship Safe also covers:
- OWASP LLM Top 10 2025 via LLMRedTeam, MCPSecurityAgent, RAGSecurityAgent
- OWASP Agentic AI Top 10 via AgenticSecurityAgent
- OWASP Mobile Top 10 2024 via MobileScanner
- OWASP CI/CD Top 10 via CICDScanner
Scan Your Project Against OWASP 2025
```shell
npx ship-safe audit .
```

Every finding includes its OWASP category, CWE identifier, and a prioritized fix. The scoring engine weights findings by OWASP 2025 severity to produce a 0-100 score.
For compliance reporting, Ship Safe maps findings to SOC 2 Type II, ISO 27001:2022, and NIST AI RMF controls.
Ship fast. Ship safe.