What's new in the OWASP Top Ten 2025
6 Labs
5 Case Studies
Platform
Linux, Web, Windows
Audience
Managers and developers working on web application development projects
Preparedness
General development
Standards and references
OWASP, SEI CERT, CWE and Fortify Taxonomy
Group size
Plenary, 30 participants
Outline
- AppSec: The weakest link in cybersecurity
- The Open Worldwide Application Security Project
- Overview of some key updates and notable changes
- Then Next Steps - beyond the Top Ten
- Wrap up
What you will learn
- Managing vulnerabilities in third party components
- Understanding Web application security issues
- Detailed analysis of the OWASP Top Ten elements
- Going beyond the low hanging fruits
Description
This workshop provides a focused, practical exploration of the OWASP Top Ten 2025, explaining how the project is structured, how the Top Ten is created, and how it has evolved since 2021. You’ll examine the methodology behind the list, understand why it is not a formal standard, and review key updates such as the expanded scope of Software Supply Chain Failures (A03) and the introduction of a new category, Mishandling of Exceptional Conditions (A10).
Through deep dives, case studies, and demonstrations, the course translates theory into practice. Topics include secure configuration and secrets management, protecting sensitive data in memory, supply chain security and SBOMs, vulnerability management and CVSS scoring, as well as robust error and exception handling. The final section looks ahead to emerging risks, and tackles inappropriate trust in AI-generated code (“vibe coding”), exploring how generative AI and agentic development pose new security challenges.
By the end of the course, learners will have a clear understanding of the most important changes in OWASP Top Ten 2025 and practical guidance for applying these insights in modern development and DevSecOps environments.
Note:
Note: This course presents a concise overview of key changes and emerging trends in the OWASP Top Ten 2025
It is recommended as an update to those development groups who already attended any of our web application security courses earlier.
Table of contents
- AppSec: The weakest link in cybersecurity
- The Open Worldwide Application Security Project
- OWASP and the Top Ten
- Is it a standard?
- Methodology
- The OWASP Top Ten 2025
- OWASP Top Ten 2021 to 2025 mapping
- Expanded scope: A03 – Software Supply Chain Failures
- New element: A10 – Mishandling of Exceptional Conditions
- Beyond the Top Ten – From eleven to infinity
- Overview of some key updates and notable changes
- A02 – Security Misconfiguration
- Secrets management
- Hard coded passwords
- Best practices
- Lab – Hardcoded password
- Protecting sensitive information in memory
- Challenges in protecting memory
- Case study – Microsoft secret key theft via dump files
- Storing sensitive data in memory
- Lab – Using secret-handling classes
- Secrets management
- A03 – Software Supply Chain Failures
- Using vulnerable components
- Assessing the environment
- Hardening
- Untrusted functionality import
- Supply chain security and the Software Bill of Materials (SBOM)
- SBOM examples
- Case study – The Polyfill.io supply chain attack
- Vulnerability management
- Patch management
- Vulnerability databases
- Vulnerability rating – CVSS
- CVSS – Base Metric Group
- CVSS – Supplemental Metric Group
- CVSS – Threat Metric Group
- CVSS – Environmental Metric Group
- Lab – Finding vulnerabilities in third-party components
- Bug bounty programs
- DevOps, the CI / CD build process and Software Composition Analysis
- Dependency checking
- Lab – Detecting vulnerable components
- A10 – Mishandling of Exceptional Conditions
- Error and exception handling principles
- Error handling
- Returning a misleading status code
- Reachable assertion
- Information exposure through error reporting
- Information leakage via error pages
- Case study – Information leakage via errors in Apache Superset
- Exception handling
- In the catch block. And now what?
- Catching NullPointerException
- Empty catch block
- Lab – Exception handling mess
- Control flow
- Incorrect block delimitation
- Dead code
- Using if-then-else and switch defensively
- A02 – Security Misconfiguration
- Then Next Steps – beyond the Top Ten
- X03 – Inappropriate Trust in AI-Generated Code (‘Vibe Coding’)
- The dark side of AI code generation
- Automated programming: from punch cards to GenAI
- What is responsible AI?
- XAI: what’s happening in the code-generating black box?
- Security, privacy and safety: how strong is that black box?
- The two sides of the coin
- What is GenAI (not) good for?
- Dependency hallucination via generative AI
- Case study – A history of GitHub Copilot weaknesses (up to mid 2025)
- Demonstration – GitHub Copilot code security
- Pitfalls of AI agent-driven vibe coding
- “Vibe coding” and its implications
- Security concerns of agentic development
- MCP’s effect on the attack surface
- MCP-specific attack vectors
- Case study – Database leakage via Supabase MCP
- Hallucinations and ‘agentic death spirals’
- The dark side of AI code generation
- X03 – Inappropriate Trust in AI-Generated Code (‘Vibe Coding’)
- Wrap up
- Secure coding principles
- Principles of robust programming by Matt Bishop
- Secure design principles of Saltzer and Schroeder
- And now what?
- Software security sources and further reading
- Resources
- Generative AI – Resources and additional guidance
- Secure coding principles
Pricing
1 day Session Price
750 EUR / person
- Live, instructor led classroom training
- Discussion and insight into the hacker’s mindset
- Hands-on practice using case studies based on high-profile hacks and live lab exercises
Customized course
Tailor a course to your preferences
- Send us a brief description of your business’s training needs
- Include your contact information
- One of our colleagues will be in touch to schedule a free consultation about training requirements
Inquiry
Interested in the trainings but still have some questions? Curious about how you can customize a training for your team? Send us a message and a team member will be in touch within 24 hours.
Related Courses
Web application security in Java
CYDJvWeb3d
3 days
>
Audience
Java developers working on Web applications
Group size
12 participants
Labs
Hands-on
Description
Your Web application written in Java works as intended, so you are done, right? But did you consider feeding in incorrect values? 16Gbs of data? A null? An apostrophe? Negative numbers, or specifically -1 or -2^31? Because that’s what the bad guys will do – and the list is far from complete.
Handling security needs a healthy level of paranoia, and this is what this course provides: a strong emotional engagement by lots of hands-on labs and stories from real life, all to substantially improve code hygiene. Mistakes, consequences, and best practices are our blood, sweat and tears.
The curriculum goes through the common Web application security issues following the OWASP Top Ten but goes far beyond it both in coverage and the details.All this is put in the context of Java, and extended by core programming issues, discussing security pitfalls of the Java language and the runtime environment.
So that you are prepared for the forces of the dark side.
So that nothing unexpected happens.
Nothing.
Outline
- Cyber security basics
- The OWASP Top Ten 2025
- Wrap up
What you will learn
- Getting familiar with essential cyber security concepts
- Managing vulnerabilities in third party components
- Understanding Web application security issues
- Detailed analysis of the OWASP Top Ten elements
- Putting Web application security in the context of Java
- Going beyond the low hanging fruits
- Understanding how cryptography supports security
- Learning how to use cryptographic APIs correctly in Java
- Input validation approaches and principles
Web application security in C#
CYDCsWeb3d
3 days
>
Audience
C# developers working on Web applications
Group size
12 participants
Labs
Hands-on
Description
Your Web application written in C# works as intended, so you are done, right? But did you consider feeding in incorrect values? 16Gbs of data? A null? An apostrophe? Negative numbers, or specifically -1 or -2^31? Because that’s what the bad guys will do – and the list is far from complete.
Handling security needs a healthy level of paranoia, and this is what this course provides: a strong emotional engagement by lots of hands-on labs and stories from real life, all to substantially improve code hygiene. Mistakes, consequences, and best practices are our blood, sweat and tears.
The curriculum goes through the common Web application security issues following the OWASP Top Ten but goes far beyond it both in coverage and the details.All this is put in the context of C#, and extended by core programming issues, discussing security pitfalls of the C# language and ASP.NET.
So that you are prepared for the forces of the dark side.
So that nothing unexpected happens.
Nothing.
Outline
- Cyber security basics
- The OWASP Top Ten 2025
- Wrap up
What you will learn
- Getting familiar with essential cyber security concepts
- Managing vulnerabilities in third party components
- Understanding Web application security issues
- Detailed analysis of the OWASP Top Ten elements
- Putting Web application security in the context of C#
- Going beyond the low hanging fruits
- Understanding how cryptography supports security
- Learning how to use cryptographic APIs correctly in C#
- Input validation approaches and principles
Web application security in Python
CYDPyWeb3d
3 days
>
Audience
Python developers working on Web applications
Group size
12 participants
Labs
Hands-on
Description
Your Web application written in Python works as intended, so you are done, right? But did you consider feeding in incorrect values? 16Gbs of data? A null? An apostrophe? Negative numbers, or specifically -1 or -2^31? Because that’s what the bad guys will do – and the list is far from complete.
Handling security needs a healthy level of paranoia, and this is what this course provides: a strong emotional engagement by lots of hands-on labs and stories from real life, all to substantially improve code hygiene. Mistakes, consequences, and best practices are our blood, sweat and tears.
The curriculum goes through the common Web application security issues following the OWASP Top Ten but goes far beyond it both in coverage and the details.All this is put in the context of Python, and extended by core programming issues, discussing security pitfalls of the programming language.
So that you are prepared for the forces of the dark side.
So that nothing unexpected happens.
Nothing.
Outline
- Cyber security basics
- The OWASP Top Ten 2025
- Wrap up
What you will learn
- Getting familiar with essential cyber security concepts
- Managing vulnerabilities in third party components
- Understanding Web application security issues
- Detailed analysis of the OWASP Top Ten elements
- Putting Web application security in the context of Python
- Going beyond the low hanging fruits
- Understanding how cryptography supports security
- Learning how to use cryptographic APIs correctly in Python
- Input validation approaches and principles
Node.js web application security
CYDNdWeb3d
3 days
>
Audience
Node developers working on Web applications
Group size
12 participants
Labs
Hands-on
Description
Your Web application written in JS/TS works as intended, so you are done, right? But did you consider feeding in incorrect values? 16Gbs of data? A null? An apostrophe? Negative numbers, or specifically -1 or -2^31? Because that’s what the bad guys will do – and the list is far from complete.
Handling security needs a healthy level of paranoia, and this is what this course provides: a strong emotional engagement by lots of hands-on labs and stories from real life, all to substantially improve code hygiene. Mistakes, consequences, and best practices are our blood, sweat and tears.
The curriculum goes through the common Web application security issues following the OWASP Top Ten but goes far beyond it both in coverage and the details.All this is put in the context of Node, and extended by core programming issues, discussing security pitfalls of the JS and TS language.
So that you are prepared for the forces of the dark side.
So that nothing unexpected happens.
Nothing.
Outline
- Cyber security basics
- The OWASP Top Ten 2025
- Wrap up
What you will learn
- Getting familiar with essential cyber security concepts
- Managing vulnerabilities in third party components
- Understanding Web application security issues
- Detailed analysis of the OWASP Top Ten elements
- Putting Web application security in the context of JS/TS
- Going beyond the low hanging fruits
- Understanding how cryptography supports security
- Learning how to use cryptographic APIs correctly in JS/TS
- Input validation approaches and principles
Web application security in Go
CYDGoWeb3d
3 days
>
Audience
Go developers working on Web applications
Group size
12 participants
Labs
Hands-on
Description
Your Web application written in Go works as intended, so you are done, right? But did you consider feeding in incorrect values? 16Gbs of data? A null? An apostrophe? Negative numbers, or specifically -1 or -2^31? Because that’s what the bad guys will do – and the list is far from complete.
Handling security needs a healthy level of paranoia, and this is what this course provides: a strong emotional engagement by lots of hands-on labs and stories from real life, all to substantially improve code hygiene. Mistakes, consequences, and best practices are our blood, sweat and tears.
The curriculum goes through the common Web application security issues following the OWASP Top Ten but goes far beyond it both in coverage and the details.
So that you are prepared for the forces of the dark side.
So that nothing unexpected happens.
Nothing.
Outline
- Cyber security basics
- The OWASP Top Ten 2025
- Wrap up
What you will learn
- Getting familiar with essential cyber security concepts
- Managing vulnerabilities in third party components
- Understanding Web application security issues
- Detailed analysis of the OWASP Top Ten elements
- Putting Web application security in the context of Go
- Going beyond the low hanging fruits
- Understanding how cryptography supports security
- Learning how to use cryptographic APIs correctly in Go
- Input validation approaches and principles