1. Home
  2. Blogs and news
  3. OWASP Top 10 2025: What we still see in real-world penetration tests

OWASP Top 10 (2025): What we still see in real-world penetration tests

What is OWASP Top 10

The OWASP Top 10 is one of the most widely used application security standards for developers, security teams, and penetration testers. In this article, we compare the OWASP Top 10 2025 risks with real-world findings from penetration testing engagements to show how closely the framework still reflects modern application security issues.

The recently released OWASP Top 10 (2025) once again highlights the most critical web application security risks. While the list evolves over time, one thing remains consistent: many of the same fundamental issues continue to dominate real-world security assessments.

At the Security Factory, we see this reflected clearly in our own penetration testing engagements. The vulnerabilities we most frequently identify during assessments closely align with the risks highlighted in the OWASP Top 10.

OWASP Top 10 patterns in real-world penetration tests

Across a wide range of projects (web applications, APIs, and mobile applications), we consistently encounter issues that fall directly within the OWASP categories. In particular, weaknesses such as broken access control, security misconfigurations, software supply chain failures and authentication failures continue to appear regularly.

These vulnerabilities are often the result of architectural decisions, missing authorization checks, or misconfigurations. Because they are deeply tied to modern application design and deployment practices (it’s more and more about configuring a framework), they tend to persist even in mature development environments.

70 – 80% of vulnerabilities we report map directly to OWASP Top 10 categories. In almost every engagement we still find at least one broken access control issue, often in places teams do not expect. The overall trend is consistent across all project types.

Looking at our recent assessment results, a clear pattern emerges:

  • Broken access control remains one of the most persistent issues we encounter
  • Security misconfigurations frequently appear in modern frameworks (I’m looking at you CORS)
  • Software Supply Chain Failures continue to be a high risk factor in production environments
  • Authentication failures are still regularly observed in production systems

While the exact distribution varies per engagement, the overall trend is consistent: the majority of real-world findings still fall within the OWASP Top 10 risk areas.

Following are cases that we encountered (and encounter regularly) at clients and map directly to the before mentioned categories.

Why the OWASP Top 10 still matters for Application Security

The OWASP Top 10 remains valuable not because it introduces completely new classes of vulnerabilities, but because it accurately reflects what security professionals encounter in practice. It provides organizations with a practical prioritization of the risks that are most likely to affect their applications.

Our findings at the Security Factory reinforce this perspective. Even as technologies change (whether through microservices, modern frameworks, or cloud-native deployments), the underlying security challenges often remain the same.

Not sure where your app stands?

We run OWASP-aligned assessments for web apps, APIs, and mobile, and show you exactly what we find.

AI-assisted development and OWASP Top 10 2025 risks

We also see an increasing use of AI-assisted coding and code review tools within development teams. While these tools improve productivity, they have not changed the nature of the vulnerabilities we encounter in practice. Even in AI-assisted environments, we continue to identify the same OWASP Top 10 issues, such as broken access control, security misconfigurations, authentication failures, and vulnerable dependencies. This shows that although AI helps generate and review code, it does not replace secure design decisions or architecture-level security controls, reaffirming the continued relevance of the OWASP Top 10.

What can you do with this?

Audit your access control layer: check whether your API enforces authorisation at the object level, not just the route level. Run a quick test: can an authenticated user access another user’s resource by changing an ID?

Review every CORS configuration in production: make sure your CORS settings do not allow arbitrary origins by implementing an explicit allowlist of allowed origins

Run a dependency audit today: execute npm audit or pip-audit on your main projects. Prioritise server-side libraries that process untrusted input: sanitisers, parsers, and template engines first.

Add security criteria to your AI coding prompts: when using AI code generation, explicitly ask for authorisation checks, input validation, and rate limiting. Do not assume the model will include them by default.

Schedule a pentest if you have not had one in the past year. Our assessments are aligned with the OWASP Top 10 2025 and give you a precise picture of where your application stands, not a theoretical one.

The takeaway

For organizations looking to improve their application security posture, the OWASP Top 10 continues to serve as a reliable starting point. Focusing on these core risk areas can significantly reduce the likelihood of exploitable vulnerabilities in production systems.

Based on our experience performing security assessments, addressing these foundational issues would eliminate a large portion of the vulnerabilities we encounter in the field. To resolve these issues, it is advisable to have a pentest carried out on a regular basis.

The message is simple: the OWASP Top 10 reflects reality and our findings confirm it.

More about our services

Penetration Testing

Penetration testing is the most effective method for assessing and improving your security level in terms of price and quality. The output of our pentest is to list your vulnerabilities, the risks they may pose to your application or network. With our online reporting platform you can follow findings in real time.

Red Team Exercise

Test physical, cyber, and social defences all at once. A Red Team exercise is more sophisticated than a standard penetration test. It mimics the same process that a persistent hacker would follow to map out an organization’s infrastructure, and then test the physical, cyber, and social defences in a creative and combined approach.

Don’t wait until it is too late. Elevate your security posture and explore the benefits of continuous penetration testing today!
Contact us at hello@thesecurityfactory.be
Menu