OWASP Top 10 2025: Software Supply Chain Failures
With the much-anticipated arrival of the 2025 OWASP Top Ten, enterprises have a couple of new threats to be extra wary of, including one that lurks near the top of the list. Software Supply Chain Failures, which debuts as a new category but isn’t entirely new, sits at No. 3 on the Open Web Application Security Project’s quadrennial list of the most serious risks to web application security. It’s a risk that enterprises need to take very seriously, if they aren’t already.
Software Supply Chain Failures grew out of a category in the previous list from 2021, Vulnerable and Outdated Components, and now it includes a broader range of compromises across the software ecosystem of dependencies, build systems and distribution infrastructure. And its appearance on the list should come as no particular surprise, given the damage caused by high-profile supply chain attacks such as SolarWinds in 2019, the Bybit hack earlier this year, and the ongoing Shai-Hulud campaign, a particularly nasty, self-replicating npm worm wreaking havoc on exposed developer environments.
The OWASP Top Ten has generally been consistent, which befits a list that appears every four years, albeit with updates in between. There usually is some shuffling within the list—Injection, a longtime resident, drops from No. 3 to No. 5, for instance, and Insecure Design drops two places to No. 6, while Security Misconfiguration jumps from No. 5 to No. 2. Broken Access Control continues to stake out the top position. The 2025 edition has two new entries, the aforementioned Software Supply Chain Failures and Mishandling of Exceptional Conditions, which enters the list at No. 10. Here, we take a close look at the new supply chain vulnerabilities entry.
Vulnerabilities Can Crop Up Almost Anywhere
Software Supply Chain Failures is a somewhat unusual category on the list in that, among the 10 entries, it has the fewest occurrences in OWASP’s research data, but it also had the highest average exploit and impact scores resulting from the five Common Weakness Enumerations (CWEs) in the category. OWASP said it suspects the category’s limited presence is due to current challenges in testing for it, which could eventually improve. Regardless, survey respondents overwhelmingly named Software Supply Chain Failures as a top concern.
Most supply chain vulnerabilities grow out of the interconnected nature of doing business, involving upstream and downstream partners and third parties. Every interaction involves software whose components (also known as dependencies or libraries) could be unprotected. An enterprise can be vulnerable if it doesn’t track the versions of all of its components (client side, server side or nested) and of their transitive dependencies (libraries pulled in by other libraries), and confirm that none of them is vulnerable, unsupported or out of date. Components typically run with the same privileges as the application, so a compromised component, whether it comes from a third party or an open-source repository, can have a far-reaching impact. Timely patching and updates are essential: even regular monthly or quarterly patch schedules can leave an enterprise exposed for days or months.
Likewise, the lack of a change management process with your supply chain can create vulnerabilities if you are not tracking Integrated Development Environments (IDEs) or changes to your code repository, image and library repositories, or other parts of the supply chain. An organization needs to harden the supply chain by applying access control and least-privilege policies, ensuring that no individual can create code and deploy it to production without supervision, and that no one can download components from untrusted sources.
Supply chain attacks can take many forms. The notorious SolarWinds attack began when Russian attackers injected malware into an update to the company’s popular network management software. It affected about 18,000 customers. Although the number of enterprises actually impacted was closer to 100, that list included major corporations and government agencies. The $1.5 billion Bybit hack, traced to North Korea, involved compromised cryptocurrency apps. The recent Glass Worm supply chain attack involved invisible, self-replicating code that infected the Open VSX Marketplace.
Preventing Supply Chain Exploits
Because supply chain attacks involve the interdependency of systems, defending against them involves an all-encompassing approach. OWASP offers tips for preventing attacks, including having patch management processes in place to:
- Know your Software Bill of Materials (SBOM) for all software and manage the SBOM centrally. It’s best to generate SBOMs during the build, rather than later, using standard formats, such as SPDX or CycloneDX, and to publish at least one machine-readable SBOM per release.
- Track all of your dependencies, including transitive ones, and remove unused dependencies as well as unnecessary features, components, files and documentation.
- Continuously inventory both client-side and server-side components and their dependencies using tools, such as OWASP Dependency Check or retire.js.
- Stay up to date on vulnerabilities, continuously monitoring sources such as the Common Vulnerabilities and Exposures (CVE) website and the National Vulnerability Database (NVD) and subscribe to email alerts for security vulnerabilities related to the components you use.
- Use components obtained only from trusted sources over secure links. A trustworthy provider, for instance, would be willing to work with a researcher to disclose a CVE the researcher discovered in a component.
- Deliberately choose which version of a dependency you will use and upgrade only when you need to. Work with third-party libraries that have had their vulnerabilities published in a well-known source such as NVD.
- Monitor for unmaintained or unsupported libraries and components. If patching is not possible, consider deploying a virtual patch to monitor, detect or protect against the discovered issue.
- Regularly update developer tooling.
- Treat components in your CI/CD pipeline as part of this process, hardening and monitoring them while documenting changes.
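The SBOM and dependency-tracking advice above (and the earlier point about transitive dependencies carrying the application's privileges) is easiest to see against a concrete bill of materials. The following script is an added example, not code from OWASP or Secure Code Warrior: it walks a constructed CycloneDX-style SBOM from the application root, reports each component's depth (direct vs. transitive), flags components that are listed but unreachable (candidates for removal), flags components with no recorded version (not deliberately pinned), and matches reachable components against a constructed advisory feed. The SBOM contents, package versions and advisory identifiers are all made up for the example; the advisory feed stands in for whatever CVE/NVD source you actually monitor.

```python
"""Audit a CycloneDX-style SBOM for transitive exposure, unused and unpinned
components, and matches against an advisory feed. Added example; all data
below is constructed and does not describe real advisories."""
import json
from collections import deque

# Constructed SBOM (CycloneDX JSON shape, trimmed to the fields used here).
SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": "app", "name": "order-service", "version": "2.4.0"}},
    "components": [
        {"bom-ref": "pkg:pypi/requests@2.31.0", "name": "requests", "version": "2.31.0"},
        {"bom-ref": "pkg:pypi/urllib3@1.26.5", "name": "urllib3", "version": "1.26.5"},
        {"bom-ref": "pkg:pypi/certifi@2024.2.2", "name": "certifi", "version": "2024.2.2"},
        {"bom-ref": "pkg:pypi/leftover-lib@0.3.1", "name": "leftover-lib", "version": "0.3.1"},
        {"bom-ref": "pkg:pypi/pyyaml", "name": "pyyaml"},  # no version recorded
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["pkg:pypi/requests@2.31.0", "pkg:pypi/pyyaml"]},
        {"ref": "pkg:pypi/requests@2.31.0",
         "dependsOn": ["pkg:pypi/urllib3@1.26.5", "pkg:pypi/certifi@2024.2.2"]},
        {"ref": "pkg:pypi/urllib3@1.26.5", "dependsOn": []},
        {"ref": "pkg:pypi/leftover-lib@0.3.1", "dependsOn": []},
    ],
}

# Constructed advisory feed: placeholder ids, not real CVE entries.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "name": "urllib3", "fixed_in": "1.26.18"},
    {"id": "EXAMPLE-ADV-0002", "name": "certifi", "fixed_in": "2023.7.22"},
]


def load_sbom(path):
    """Load a real CycloneDX JSON SBOM from disk (same shape as SBOM above)."""
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)


def reachable(sbom):
    """Breadth-first walk from the root component; returns {bom-ref: depth}.
    Depth 1 is a direct dependency, anything deeper is transitive."""
    root = sbom["metadata"]["component"]["bom-ref"]
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    depth = {}
    queue = deque((child, 1) for child in graph.get(root, []))
    while queue:
        ref, d = queue.popleft()
        if ref in depth:          # BFS: first visit is the shortest path
            continue
        depth[ref] = d
        for child in graph.get(ref, []):
            queue.append((child, d + 1))
    return depth


def unused_components(sbom):
    """Components present in the SBOM but not reachable from the root."""
    listed = {c["bom-ref"] for c in sbom["components"]}
    return sorted(listed - set(reachable(sbom)))


def unpinned_components(sbom):
    """Components whose version was never recorded, i.e. not deliberately chosen."""
    return sorted(c["name"] for c in sbom["components"] if not c.get("version"))


def parse_version(text):
    """Dotted numeric version -> comparable tuple (padded to 3 parts).
    Non-numeric suffixes are dropped; good enough for the sample data."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def vulnerable_components(sbom, advisories):
    """Reachable components older than an advisory's fixed_in version,
    ordered so direct dependencies come first."""
    depth = reachable(sbom)
    by_ref = {c["bom-ref"]: c for c in sbom["components"]}
    findings = []
    for ref, d in depth.items():
        comp = by_ref.get(ref)
        if comp is None or not comp.get("version"):
            continue  # unpinned components are reported separately
        for adv in advisories:
            if adv["name"] == comp["name"] and \
                    parse_version(comp["version"]) < parse_version(adv["fixed_in"]):
                findings.append({"name": comp["name"], "version": comp["version"],
                                 "advisory": adv["id"], "fixed_in": adv["fixed_in"],
                                 "depth": d})
    return sorted(findings, key=lambda f: (f["depth"], f["name"]))


if __name__ == "__main__":
    for ref, d in sorted(reachable(SBOM).items(), key=lambda kv: kv[1]):
        print(f"depth {d}: {ref}")
    print("unused (remove?):", unused_components(SBOM))
    print("unpinned (no version):", unpinned_components(SBOM))
    for f in vulnerable_components(SBOM, ADVISORIES):
        print(f"VULNERABLE {f['name']} {f['version']} < {f['fixed_in']} "
              f"({f['advisory']}, depth {f['depth']})")
```

In the sample, urllib3 is only reachable through requests, so a scan limited to direct dependencies would miss it; that is the transitive case the text warns about.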
Change management or a tracking process should also apply to your CI/CD settings, code repositories, sandboxes, integrated developer environments (IDEs), SBOM tooling, created artifacts, logging systems and logs, third-party integrations such as SaaS, your artifact repository and your container registry. You also need to harden systems, from developer workstations to the CI/CD pipeline. Be sure to also enable multi-factor authentication while enforcing strong identity and access management policies.
Protecting against software supply chain failures is a multi-faceted, ongoing endeavor in the face of our highly interconnected world. Organizations must employ strong defensive measures for the entire lifecycle of their applications and components in order to defend against this rapidly evolving, modern threat.
Note to SCW Trust Score™ Users:
As we update our Learning Platform content to align with the OWASP Top 10 2025 standard, you may observe minor adjustments in the Trust Score for your Full Stack developers. Please reach out to your Customer Success representative if you have any questions or require support.
This article was written by Secure Code Warrior's team of industry experts, committed to empowering developers with the knowledge and skills to build secure software from the start, drawing on deep expertise in secure coding practices, industry trends, and real-world insights.