Episode #303 w/ Brian Glas

An insider peek into the 2025 OWASP Top 10.

This week on Absolute AppSec, Seth (@sethlaw) and Ken (@cktricky) welcome Professor Brian Glas to the show to discuss the recently released OWASP Top 10 2025 Release Candidate. The OWASP Top 10 project has spanned over 22 years and is now on its eighth iteration, and Prof. Glas has been involved with the project since late 2016 for the 2017, 2021, and now the 2025 releases. The core team collectively has extensive AppSec experience, averaging over 20 years per member. The latest Top 10 release candidate was unveiled on the Thursday prior to the episode at the Global AppSec conference, with Glas participating in the release and other talks related to the project methodology. At its core, the Top 10’s primary purpose is to serve as an awareness document, aiming to raise the baseline for secure development across the entire industry. To view this episode or to find even more of our thoughts on the updated Top 10, go to https://www.youtube.com/@AbsoluteAppSec, or find us wherever you get your podcasts.

While Brian’s day job is being an Assistant Professor in Computer Science and Cybersecurity at Union University, that is not where the grind stops. He built FedEx’s AppSec team, worked on the Trustworthy Computing team at Microsoft, and was a contributor to the RABET-V Pilot Program for election-related technology. You can also find him consulting on software security projects, contributing to SAMM v1.1-2.0+, and, of course, working on the upcoming OWASP Top 10 report.

“One of the chief purposes of the Top 10 is to […] define things that we need to address and then bring attention to them, because the Top 10 has ridiculous weight.”

Brian

While the Top 10 list itself is considered set for the RC1 release, the methodology thrives on community feedback, especially via GitHub PRs, to ensure the accompanying details are accurate, relevant, and up to date. The core team, even with their decades of combined expertise, still relies on external data because they don’t know everything. Compiling that data brings several challenges: the team wants contributors who sample from diverse perspectives, there is no consensus on how findings should be mapped to CWEs, and the CWEs themselves overlap and can carry bias that creeps into the results.

There are also questions of how to categorize and organize the flaws. The Top 10 methodology prioritizes incidence rate (the share of tested applications with at least one instance of a flaw) over frequency (the total number of findings). Glas explained that frequency would heavily favor tool vendors, because tools report every endpoint susceptible to a vulnerability (e.g., 5,000 instances of XSS), whereas human testers typically report a pervasive issue once. Incidence rate reconciles that disparity between tool and human reporting and is less easily skewed by false positives, which makes it a more reliable metric for the Top 10. The definition of what constitutes an “application” in modern development is also harder to pin down, especially with continuous testing, microservices, serverless functions, and source code repositories being used as the unit of reporting.
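To make the incidence-versus-frequency point concrete, here is an added example (not from the episode or the OWASP project) that computes both metrics over a small constructed dataset. The data is invented to mirror Brian's scenario: one scanner-tested app reporting XSS at thousands of endpoints, and several pentested apps reporting a pervasive issue once. The CWE numbers are real identifiers but their placement in the dataset is illustrative.

```python
from collections import defaultdict

# Constructed dataset (assumption, not contributed Top 10 data): one entry per
# tested application, mapping CWE -> number of findings reported for that app.
# "app-1" is a scanner result reporting every reflected endpoint; the others
# mimic human testers who note a pervasive issue once.
DATASET = {
    "app-1": {"CWE-79": 5000},                # XSS at 5,000 endpoints (tool)
    "app-2": {"CWE-79": 1, "CWE-89": 3},      # XSS once, SQLi three times (human)
    "app-3": {"CWE-89": 1, "CWE-862": 2},     # missing authorization twice
    "app-4": {"CWE-862": 1},
    "app-5": {"CWE-862": 1},
    "app-6": {},                              # tested, nothing found
}


def frequency(dataset):
    """Total findings per CWE across all apps (the metric the Top 10 avoids)."""
    totals = defaultdict(int)
    for findings in dataset.values():
        for cwe, count in findings.items():
            totals[cwe] += count
    return dict(totals)


def incidence_rate(dataset):
    """Fraction of tested apps with at least one instance of each CWE.

    An app contributes at most 1 per CWE no matter how many instances a tool
    reported, so a single noisy scan cannot dominate the ranking.
    """
    apps_tested = len(dataset)
    apps_with = defaultdict(set)
    for app, findings in dataset.items():
        for cwe, count in findings.items():
            if count > 0:
                apps_with[cwe].add(app)
    return {cwe: len(apps) / apps_tested for cwe, apps in apps_with.items()}


def rank(metric):
    """CWEs ordered from most to least severe under the given metric."""
    return sorted(metric, key=lambda cwe: metric[cwe], reverse=True)


if __name__ == "__main__":
    freq = frequency(DATASET)
    inc = incidence_rate(DATASET)
    print("by frequency:     ", [(c, freq[c]) for c in rank(freq)])
    print("by incidence rate:", [(c, round(inc[c], 2)) for c in rank(inc)])
```

Under frequency, CWE-79 wins by a mile (5,001 findings) purely because one scan enumerated every endpoint; under incidence rate, CWE-862 tops the list because it appears in half of the tested applications, while CWE-79 and CWE-89 tie at a third. That is exactly the skew the methodology is designed to remove.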

“My goal is one day that things can fall off this list because we don’t have to deal with them anymore. That would be phenomenal.”

Brian

The discussion also highlighted the importance of the Top 10 in directing industry focus. Glas said the project aims to identify things that need attention. Seth, Ken, and Brian then discussed the new and shifted categories of the 2025 update.

  • Software Supply Chain Failures (New & Shifting): The most surprising change for Brian was the shifting of Software Supply Chain Failures, given how the community resonated with it despite the raw data for related CWEs barely placing it in the Top 10. While the 2017 Top 10 included “Vulnerable Components” and the 2021 release shifted to “Vulnerable and Outdated Components,” the new Software Supply Chain Failures category recognizes that the risk extends beyond mere component vulnerabilities to include poor management of CI/CD pipelines, which now present exposed endpoints and attack surfaces.

  • Mishandling of Exceptional Conditions (New): This category emerged from the breaking of the broad “code quality” grouping. It acts as a superset, addressing logic flaws, missing try-catch blocks, and error messages that expose sensitive data, which were deemed more beneficial to address than a category focused solely on resilience.

  • Broken Logging and Alerting Failures (Previously Logging and Monitoring Failures): Despite initial pushback from those who argued these are not true vulnerabilities, this category consistently placed high on the community survey because people recognize it as a critical problem that is hard to test for and essential for knowing when a security issue occurs. Seth confirmed this category’s positive effect, noting that since its introduction in 2021, his consulting work has seen an increase in requests for purple team engagements specifically to test logging and alerting infrastructure.

  • Injection (Shifting): Since the 2021 edition of the list, Cross-Site Scripting has no longer been a top-line category; it is instead part of Injection, which has dropped to number five, a direction Glas sees as a good sign of industry progress in dealing with the range of injection vulnerabilities (SQLi, XSS, etc.) that used to make security engineers’ blood run cold.

  • SSRF (Shifting): Server-Side Request Forgery was a standalone category in 2021 to bring attention to a pervasive issue that lacked weight. It has since been folded into Broken Access Control, which Glas argues is where it logically belongs because its root cause is related to the “Confused Deputy” pattern—a form of access control issue—where the system is confused about who it’s acting on behalf of. Seth and Ken both felt that SSRF could also be classified under Injection or even Insecure Design, highlighting the difficulty in precise classification, but ultimately agreeing with the Confused Deputy argument.
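The Mishandling of Exceptional Conditions bullet above names two concrete patterns: a missing try/except that lets an exception escape, and an error response that echoes sensitive detail. The following is an added example (not code from the episode or OWASP) showing the unhandled form, the leaky form, and a hardened form side by side. The data-access function, the DSN it embeds, and the correlation-id scheme are assumptions invented for the illustration.

```python
import logging
import traceback
import uuid

log = logging.getLogger("orders")

# Constructed secret for the example; real drivers do sometimes echo the
# connection string in their exception text, which is what makes the leak plausible.
DB_DSN = "postgres://svc:s3cret@db.internal:5432/orders"


def load_order(order_id):
    """Hypothetical data-access call that always fails with a detailed message."""
    raise ConnectionError(f"could not connect to {DB_DSN} (order {order_id})")


def handler_no_catch(order_id):
    """Missing try/except: the exception propagates to the framework, which in
    debug configurations renders a full stack trace to the client."""
    return 200, load_order(order_id)


def handler_leaky(order_id):
    """Caught, but the response body carries the exception text and traceback,
    exposing the DSN (credentials, internal hostname) and code structure."""
    try:
        return 200, load_order(order_id)
    except Exception as exc:
        return 500, f"{exc}\n{traceback.format_exc()}"


def handler_hardened(order_id):
    """Caught; full detail goes to the server-side log under a short correlation
    id, and the client receives only a generic message plus that id so support
    staff can find the log entry without the client learning anything internal."""
    try:
        return 200, load_order(order_id)
    except Exception:
        ref = uuid.uuid4().hex[:8]
        log.exception("unhandled error ref=%s order_id=%r", ref, order_id)
        return 500, f"internal error (ref {ref})"


def body_is_safe(body):
    """Check used below: a response must not contain the DSN's secret parts."""
    return "s3cret" not in body and "db.internal" not in body and "Traceback" not in body


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    for handler in (handler_leaky, handler_hardened):
        status, body = handler("o-1")
        print(handler.__name__, status, "safe" if body_is_safe(body) else "LEAKS", repr(body[:60]))
```

The hardened handler still logs everything, which is the other half of the story: the detail has to land somewhere defenders can see it, which is what the Logging and Alerting category is about.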

This episode is sponsored by DryRun Security. Authorization flaws are some of the trickiest security gaps—permissions get messy, logic gets overlooked, and suddenly users have access they shouldn't. DryRun Security helps you catch these risks early with Natural Language Code Policy (NLCP). Their latest blog post, written by James Wickett, is titled “Beyond Reachability: The Exploitability Advantage in AppSec.”

Are you shivering? Are your ears displaying unexpectedly pink or red hues? Well, the Absolute AppSec merch store might just have what you’re looking for. Pick out a hoodie or beanie to keep your core temperatures nice and toasty.

You’ve made it to beanie season! Get the appropriate weather-wear in the Absolute AppSec store!

And, if you have thoughts on this year’s Top 10, join the discussion on our Slack. Show topics often originate as discussion points with the Slack audience, and the newsletter incorporates that discussion as well. So, join in there to offer ideas for what you’d like the podcast to cover, as well as pick the brains of a number of industry experts.

Stay Secure,

Seth & Ken

https://www.youtube.com/watch?v=YTIof-RiiKk - Episode #75 - Brian Glas - Brian has been helping with the OWASP Top 10 project for a fair number of years. Check out this earlier episode with him to learn more about the decision-making process for the project.

https://www.youtube.com/watch?v=LH2hiAGN70A - Episode #122 - Brian Glas - Brian came back to explain the Top Ten 2021 edition with details on where the earlier classes of vulnerabilities moved and how the naming decisions took place.

https://www.youtube.com/watch?v=IxpD5GbHMWY - Episode #76 - Guy Podjarny - Brian’s discussion of the broader Software Supply Chain Failures category, and of how CVE volume within vulnerability classes influenced the new Top Ten list, brought this earlier episode with Snyk’s Guy Podjarny to mind.

Absolute AppSec Happenings

https://simonwillison.net/2025/Jun/16/the-lethal-trifecta/ - Simon Willison’s deep dive into the “lethal trifecta”: an AI agent that has access to private data, is exposed to untrusted content, and can communicate externally. What is the real risk when all three are combined?

https://oneusefulthing.org/p/three-years-from-gpt-3-to-gemini - It’s been almost three years since the release of ChatGPT, and the entire tech world has dramatically changed. Ethan Mollick’s post explores the journey from GPT-3 all the way to the new Gemini 3 model that has blown everything around it out of the water.

Upcoming Events

Where in the world are Seth and Ken?

December 8-11, 2025 - Next-Gen Secure Code Review: Black Hat Edition - Seth and Ken are bringing a four-day exclusive course to Black Hat Europe in London, UK. This is a great opportunity to get a truly in-depth understanding of secure code review and how it can be empowered through LLM tooling. Seth and Ken have built industry-leading trainings on both topics, so this four-day course promises a lot of valuable insight.

April 7-8, 2026 - Harnessing LLMs for Application Security - IN PERSON at Kernel Con. Come join Seth and Ken in Omaha for the Harnessing LLMs course!