Across a wide range of projects (web applications, APIs, and mobile applications), we consistently encounter issues that fall directly within the OWASP categories. In particular, weaknesses such as broken access control, security misconfigurations, software supply chain failures and authentication failures continue to appear regularly.
These vulnerabilities are often the result of architectural decisions, missing authorization checks, or misconfigurations. Because they are deeply tied to modern application design and deployment practices (it’s more and more about configuring a framework), they tend to persist even in mature development environments.
While the exact distribution varies per engagement, the overall trend is consistent: the majority of real-world findings still fall within the OWASP Top 10 risk areas.
Following are cases that we encountered (and encounter regularly) at clients and map directly to the before mentioned categories.
The OWASP Top 10 remains valuable not because it introduces completely new classes of vulnerabilities, but because it accurately reflects what security professionals encounter in practice. It provides organizations with a practical prioritization of the risks that are most likely to affect their applications.
Our findings at the Security Factory reinforce this perspective. Even as technologies change (whether through microservices, modern frameworks, or cloud-native deployments), the underlying security challenges often remain the same.
We also see an increasing use of AI-assisted coding and code review tools within development teams. While these tools improve productivity, they have not changed the nature of the vulnerabilities we encounter in practice. Even in AI-assisted environments, we continue to identify the same OWASP Top 10 issues, such as broken access control, security misconfigurations, authentication failures, and vulnerable dependencies. This shows that although AI helps generate and review code, it does not replace secure design decisions or architecture-level security controls, reaffirming the continued relevance of the OWASP Top 10.
For organizations looking to improve their application security posture, the OWASP Top 10 continues to serve as a reliable starting point. Focusing on these core risk areas can significantly reduce the likelihood of exploitable vulnerabilities in production systems.
Based on our experience performing security assessments, addressing these foundational issues would eliminate a large portion of the vulnerabilities we encounter in the field. To resolve these issues, it is advisable to have a pentest carried out on a regular basis.
The message is simple: the OWASP Top 10 reflects reality and our findings confirm it.