The Open Web Application Security Project (OWASP) has long been one of the most trusted names in application security. Its most famous project, the OWASP Top 10, has been a go-to resource for developers and security teams alike, offering a standardised list of the most critical web application vulnerabilities.
Since its introduction, it’s been marketed as a starting point for secure coding practices. But with the next update expected shortly, we must now ask a difficult question: Has the OWASP Top 10 failed us, or have we simply failed to act upon it?
Same List, Same Problems
Let’s be clear: the OWASP Top 10 has value. It brings awareness to critical issues. But when we examine its impact over time, the evidence is troubling. Many of the vulnerabilities first highlighted in early versions of the list (injection flaws, cross-site scripting (XSS), broken authentication and security misconfiguration) continue to appear, in one form or another, in every subsequent edition. XSS, for instance, did not disappear in 2021; it was folded into the Injection category.
This isn’t just disappointing; it suggests that, despite widespread awareness, we’re not solving the underlying problems. In fact, the total number of software vulnerabilities continues to climb. The CVE list grows every year. What should have been resolved by now has instead become normalised. So, why aren’t we making more progress?
Why the OWASP Top 10 Isn’t Driving Change
In my experience, there are three core reasons the OWASP Top 10 isn’t delivering the transformation we hoped for: lack of context, lack of education, and lack of actionability.
1. Developers Lack Context
Modern developers are often handed user stories, tasked with building specific features, and measured against functional requirements, not security ones. Rarely do they have visibility into how their code will be used in the real world. Is it going into a healthcare platform? A consumer-facing mobile app? A component in a critical infrastructure system?
That kind of context matters. If a developer doesn’t understand the operational environment, how can they effectively prioritise security? Assumptions take the place of understanding, and those assumptions can introduce serious risk. What’s more, the industry often treats developer capabilities as interchangeable: junior developers should all know X, senior developers should all know Y, but not all developers have the same training or exposure. This inconsistency becomes more dangerous in a world where AI-generated code is gaining traction. If models are trained on insecure practices, or if developers don’t know what to watch for, the problems will only compound.
And before you say “how can a developer working for company X not know what their code goes into”, think about this – how many companies have grown by acquisition, or how many companies create SDKs or APIs, or how much of your code is from open-source libraries? The moment your code is used by someone else, that’s when context starts to get lost. The greater the separation, the harder it is for a developer to account for user requirements in their testing.
2. Security Education Is Declining
We assume that awareness translates into knowledge, but that’s not how education works.
The Building Security in Maturity Model (BSIMM) Report tracks how real-world organisations implement software security initiatives. In its 15th edition, released in January 2025, one of the most striking findings was that security awareness training has dropped nearly 50% since 2008. That’s despite an ever-growing attack surface, increases in cyber-attack complexity, and increasing regulatory pressure. It’s not enough to circulate a PDF or hold an annual security talk. Developers need to be actively trained, not just on what to avoid, but on how to write secure code for the specific environments and technologies they use. Without that, the OWASP Top 10 becomes little more than a checklist for compliance rather than a driver of change.
3. The List Lacks Actionability
Let’s face it, awareness without empowerment is performative. The OWASP Top 10 tells you what the most common risks are, but it doesn’t help organisations operationalise that knowledge. There’s no built-in guidance for remediation, no framework for prioritisation, and no accountability for fixing the issues once they’re known. As a result, many developers and even AppSec teams view the list as someone else’s problem. A static document can’t drive dynamic change unless the surrounding ecosystem is built to act on it.
Web Apps vs the Wider World: What CWEs Tell Us
Another major shortcoming of the OWASP Top 10 is its narrow scope. It’s designed specifically for web applications, but today’s software landscape is far broader. API-driven services, cloud-native platforms, embedded systems, and mobile apps all play significant roles in enterprise ecosystems.
The OWASP Top 10 itself doesn’t address the risks these platforms face. (OWASP does maintain separate API Security and Mobile Top 10 lists, but they are not what most teams mean when they say “the Top 10”.) To get a more complete picture, we must look beyond OWASP. The MITRE CWE Top 25, for example, offers a platform-agnostic view of the most dangerous software weaknesses, ranked by how often each weakness appears in recent CVE records and how severe those CVEs are.
Here’s the shocking bit: 40% of the weaknesses in the 2024 CWE Top 25 aren’t even mentioned in the OWASP Top 10. One of the most common software weaknesses, CWE-787: Out-of-bounds Write (ranked second in the 2024 list), is entirely absent from OWASP’s list. Why? Because OWASP is focused on web applications, and CWE is focused on software security at large. This divergence is dangerous: it reinforces a fragmented view of risk, one that leaves organisations blind to issues that lie outside the web app domain.
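To make the gap concrete, here is an added example (not code from the article or from OWASP/MITRE) of the weakness the OWASP Top 10 says nothing about. It parses a constructed, length-prefixed frame of the kind an SDK or embedded device might receive: one length byte followed by that many payload bytes, copied into a fixed 16-byte record. The first parser trusts the length byte and is a textbook CWE-787; the second checks the declared length against both the destination capacity and the bytes actually present. The frame format, function names and return codes are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed frame layout (not from the article): [len:1 byte][payload:len bytes].
 * Records are fixed at 16 bytes, as is common in native and embedded code. */
#define RECORD_LEN 16

struct record {
    uint8_t data[RECORD_LEN];
    size_t  len;
};

/* Vulnerable pattern (CWE-787, Out-of-bounds Write): the length byte comes
 * from the frame, i.e. from the attacker, and is used unchecked as the copy
 * size. Any frame whose first byte exceeds 16 writes past data[].
 * Shown only to make the shape of the bug visible; never feed it untrusted input. */
int parse_frame_unchecked(struct record *out, const uint8_t *frame, size_t frame_len)
{
    (void)frame_len;                   /* the bug: the real size is ignored */
    size_t len = frame[0];
    memcpy(out->data, frame + 1, len); /* no bound check on len */
    out->len = len;
    return 0;
}

/* Hardened version: every size that influences a write is validated first.
 * Returns 0 on success, or a negative code identifying what was rejected. */
int parse_frame_checked(struct record *out, const uint8_t *frame, size_t frame_len)
{
    if (out == NULL || frame == NULL || frame_len < 1)
        return -1;                     /* no length byte present */
    size_t len = frame[0];
    if (len > RECORD_LEN)
        return -2;                     /* would overflow data[] (CWE-787) */
    if (len > frame_len - 1)
        return -3;                     /* frame shorter than it claims: would over-read (CWE-125) */
    memcpy(out->data, frame + 1, len);
    out->len = len;
    return 0;
}

int main(void)
{
    struct record r;

    /* Constructed well-formed frame: declares 4 bytes and carries "ABCD". */
    const uint8_t good[] = {4, 'A', 'B', 'C', 'D'};
    /* Constructed hostile frame: declares 200 bytes; the record holds 16. */
    uint8_t hostile[201];
    memset(hostile, 'X', sizeof hostile);
    hostile[0] = 200;
    /* Constructed truncated frame: declares 8 bytes but only 2 follow. */
    const uint8_t truncated[] = {8, 'A', 'B'};

    printf("good frame:      %d\n", parse_frame_checked(&r, good, sizeof good));
    printf("hostile frame:   %d\n", parse_frame_checked(&r, hostile, sizeof hostile));
    printf("truncated frame: %d\n", parse_frame_checked(&r, truncated, sizeof truncated));
    return 0;
}
```

The point for the argument above: nothing in the OWASP Top 10 would lead a reviewer to look for the missing check in `parse_frame_unchecked`, yet it is exactly the kind of defect that dominates the CWE Top 25 and the CVE list for native code. A team whose security education stops at the OWASP list has no vocabulary for it.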
Accountability Is Coming
For years, security was about raising awareness, but now we’re entering a new era of accountability. Consider the Digital Operational Resilience Act (DORA), which has applied across the EU since January 2025. It requires financial institutions to meet strict security requirements, from incident reporting to third-party risk management, and non-compliance is no longer an option. Even more sweeping is the Cyber Resilience Act (CRA), which entered into force in December 2024 and whose main obligations apply from December 2027. It mandates security requirements for all hardware and software products with digital elements placed on the EU market, backed by fines large enough to make company boards take notice.
These laws mark a profound shift from guidelines to governance. Sure, it’s important to understand the risks, but if organisations aren’t implementing proactive security strategies, then they’ll become a relic, untrusted by customers and obsolete in the eyes of the market.
What You Can Do Today
So how do we move forward? First, treat the OWASP Top 10 as a baseline and not a benchmark of success. It’s a good place to start, but by no means a complete solution – particularly if your app isn’t a web app. Expand your visibility by incorporating the MITRE CWE Top 25, which offers a more comprehensive, real-world view of dangerous weaknesses across all types of software, including the memory-safety issues that never appear in web-focused lists.
Second, empower developers, not just with knowledge, but with tools and authority. Integrate secure coding practices into your CI/CD pipelines. Use security tooling that provides feedback in real time, not just in postmortems. And most importantly, make security part of the definition of “done” and not a side process.
Third, invest in contextual training. Developers shouldn’t just learn what to avoid but also understand why it matters in the environments they build for. Generic training won’t cut it. Tailor your education programmes to your domain, your risk profile and your tech stack.
Fourth, benchmark your practices against real-world data. Resources like the BSIMM Report give insights into what some of the most mature security programmes are doing. Use it to identify gaps and plan improvements, not in theory, but in how your team actually works.
And finally, build accountability into processes. Track key security metrics. Make them part of quarterly reviews. Tie them to incentives and governance. Because when security stops being bolted on to products and becomes everyone’s responsibility, that’s when real change happens.
Final Thought
Fifteen years. That’s how long we’ve been cycling through the same vulnerabilities in the OWASP Top 10. In that time, we’ve built space-grade cloud platforms, invented AI copilots and redefined how we work and live. And yet, we’re still being taken down by injection flaws and broken authentication.
So maybe the question isn’t just whether the OWASP Top 10 has failed us. Maybe the real question is: Why haven’t we done more with what we already know?