{"id":54272,"date":"2025-11-30T18:02:18","date_gmt":"2025-11-30T18:02:18","guid":{"rendered":"https:\/\/www.devopsschool.com\/blog\/?p=54272"},"modified":"2026-02-21T08:29:27","modified_gmt":"2026-02-21T08:29:27","slug":"what-is-owasp-top-10-for-2025","status":"publish","type":"post","link":"https:\/\/www.devopsschool.com\/blog\/what-is-owasp-top-10-for-2025\/","title":{"rendered":"What is OWASP Top 10 for 2025"},"content":{"rendered":"\n<p>OWASP Top 10:2025 \u2013 Release Candidate 1 (RC1) is the <strong>new draft version<\/strong> of the OWASP Top 10, published on <strong>6 November 2025<\/strong> as the <strong>8th edition<\/strong> of the project. It\u2019s \u201calmost final\u201d but still open for community feedback and minor adjustments before the final release; until then, OWASP Top 10:2021 remains the current stable list. (<a href=\"https:\/\/owasp.org\/Top10\/2025\/0x00_2025-Introduction\/\" target=\"_blank\" rel=\"noopener\">OWASP Foundation<\/a>)<\/p>\n\n\n\n<p>Below is a structured \u201ccomplete details\u201d view you can reuse in training.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\">1. What is OWASP Top 10:2025 RC1?<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>It\u2019s the <strong>2025 update<\/strong> of the OWASP Top Ten \u2013 the list of the <strong>10 most critical web application security risks<\/strong>.<\/li>\n\n\n\n<li>Status: <strong>Release Candidate 1 (RC1)<\/strong> \u2013 i.e. a near-final draft open for comments and issues on GitHub. 
(<a href=\"https:\/\/owasp.org\/Top10\/2025\/0x00_2025-Introduction\/\" target=\"_blank\" rel=\"noopener\">OWASP Foundation<\/a>)<\/li>\n\n\n\n<li>It keeps the same spirit as 2021 (data-informed + community survey + expert review) but:\n<ul class=\"wp-block-list\">\n<li>Adds <strong>two new categories<\/strong><\/li>\n\n\n\n<li><strong>Expands<\/strong> the supply-chain risk area<\/li>\n\n\n\n<li><strong>Consolidates<\/strong> SSRF into Broken Access Control<\/li>\n\n\n\n<li>Focuses more explicitly on <strong>root causes<\/strong> rather than symptoms. (<a href=\"https:\/\/owasp.org\/Top10\/2025\/0x00_2025-Introduction\/\" target=\"_blank\" rel=\"noopener\">OWASP Foundation<\/a>)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\">2. The OWASP Top 10:2025 RC1 List<\/h2>\n\n\n\n<p>From the official OWASP introduction page: (<a href=\"https:\/\/owasp.org\/Top10\/2025\/0x00_2025-Introduction\/\" target=\"_blank\" rel=\"noopener\">OWASP Foundation<\/a>)<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>A01:2025 \u2013 Broken Access Control<\/strong><\/li>\n\n\n\n<li><strong>A02:2025 \u2013 Security Misconfiguration<\/strong><\/li>\n\n\n\n<li><strong>A03:2025 \u2013 Software Supply Chain Failures<\/strong> \u2b50 (new \/ expanded)<\/li>\n\n\n\n<li><strong>A04:2025 \u2013 Cryptographic Failures<\/strong><\/li>\n\n\n\n<li><strong>A05:2025 \u2013 Injection<\/strong><\/li>\n\n\n\n<li><strong>A06:2025 \u2013 Insecure Design<\/strong><\/li>\n\n\n\n<li><strong>A07:2025 \u2013 Authentication Failures<\/strong> (renamed)<\/li>\n\n\n\n<li><strong>A08:2025 \u2013 Software or Data Integrity Failures<\/strong><\/li>\n\n\n\n<li><strong>A09:2025 \u2013 Logging &amp; Alerting Failures<\/strong> (renamed)<\/li>\n\n\n\n<li><strong>A10:2025 \u2013 Mishandling of Exceptional Conditions<\/strong> \u2b50 (new)<\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 
class=\"wp-block-heading\">3. High-level Overview of Each Category<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">A01:2025 \u2013 Broken Access Control<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What:<\/strong> Users can access data or functions they shouldn\u2019t (horizontal\/vertical privilege escalation, IDOR, forced browsing, and now SSRF).<\/li>\n\n\n\n<li><strong>Change vs 2021:<\/strong> Still the <strong>#1<\/strong> risk. Now explicitly <strong>includes SSRF<\/strong>, which was a separate A10 in 2021. (<a href=\"https:\/\/owasp.org\/Top10\/2025\/0x00_2025-Introduction\/\" target=\"_blank\" rel=\"noopener\">OWASP Foundation<\/a>)<\/li>\n\n\n\n<li><strong>Examples:<\/strong>\n<ul class=\"wp-block-list\">\n<li>Regular user accessing <code>\/admin<\/code> functions<\/li>\n\n\n\n<li>Modifying IDs in URLs to see other users\u2019 data<\/li>\n\n\n\n<li>SSRF: the server is induced to fetch an attacker-chosen URL and so reaches internal endpoints the user could not reach directly (now treated as an access control failure)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h3 class=\"wp-block-heading\">A02:2025 \u2013 Security Misconfiguration<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What:<\/strong> Failures in securely configuring applications, frameworks, servers, cloud services, or containers.<\/li>\n\n\n\n<li><strong>Change vs 2021:<\/strong> Moves from <strong>#5 (2021)<\/strong> up to <strong>#2 (2025)<\/strong>, reflecting how often misconfigurations appeared in the contributed test data. 
(<a href=\"https:\/\/owasp.org\/Top10\/2025\/0x00_2025-Introduction\/\" target=\"_blank\" rel=\"noopener\">OWASP Foundation<\/a>)<\/li>\n\n\n\n<li><strong>Examples:<\/strong>\n<ul class=\"wp-block-list\">\n<li>Default credentials or sample apps left enabled<\/li>\n\n\n\n<li>Open S3 buckets \/ public storage<\/li>\n\n\n\n<li>Missing security headers<\/li>\n\n\n\n<li>Unnecessary services \/ verbose error messages<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h3 class=\"wp-block-heading\">A03:2025 \u2013 Software Supply Chain Failures \u2b50<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What:<\/strong> Compromises in <strong>dependencies, build pipelines, repositories, or distribution channels<\/strong> \u2013 not just \u201cusing outdated components\u201d.<\/li>\n\n\n\n<li><strong>Change vs 2021:<\/strong> This is a <strong>major expansion<\/strong> of 2021\u2019s \u201cVulnerable and Outdated Components\u201d, extended to the <strong>full supply chain<\/strong> (malicious packages, compromised maintainers, tampered build artifacts). (<a href=\"https:\/\/owasp.org\/Top10\/2025\/0x00_2025-Introduction\/\" target=\"_blank\" rel=\"noopener\">OWASP Foundation<\/a>)<\/li>\n\n\n\n<li><strong>Examples:<\/strong>\n<ul class=\"wp-block-list\">\n<li>Installing a malicious npm\/NuGet\/PyPI package<\/li>\n\n\n\n<li>Compromised CI\/CD pipeline injecting backdoors<\/li>\n\n\n\n<li>Tampered container base images<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h3 class=\"wp-block-heading\">A04:2025 \u2013 Cryptographic Failures<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What:<\/strong> Incorrect, weak, or missing use of cryptography; poor key management; broken protocols.<\/li>\n\n\n\n<li><strong>Change vs 2021:<\/strong> Same category, now <strong>#4 instead of #2<\/strong>. 
Still very prevalent (3.8% of applications in the data set had one or more CWEs mapped to this category). (<a href=\"https:\/\/owasp.org\/Top10\/2025\/0x00_2025-Introduction\/\" target=\"_blank\" rel=\"noopener\">OWASP Foundation<\/a>)<\/li>\n\n\n\n<li><strong>Examples:<\/strong>\n<ul class=\"wp-block-list\">\n<li>Using broken or unsuitable algorithms (MD5 or SHA-1 for integrity, a fast unsalted hash for passwords)<\/li>\n\n\n\n<li>No encryption for sensitive data in transit or at rest<\/li>\n\n\n\n<li>Hardcoded encryption keys<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h3 class=\"wp-block-heading\">A05:2025 \u2013 Injection<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What:<\/strong> Untrusted input interpreted as code\/commands (SQL, NoSQL, OS, LDAP, Expression Language, XSS, etc.).<\/li>\n\n\n\n<li><strong>Change vs 2021:<\/strong> Still present; drops from <strong>#3 to #5<\/strong> but remains one of the <strong>most tested categories<\/strong>, with many associated CVEs and CWEs. (<a href=\"https:\/\/owasp.org\/Top10\/2025\/0x00_2025-Introduction\/\" target=\"_blank\" rel=\"noopener\">OWASP Foundation<\/a>)<\/li>\n\n\n\n<li><strong>Examples:<\/strong>\n<ul class=\"wp-block-list\">\n<li>SQL injection via query string concatenation<\/li>\n\n\n\n<li>OS command injection in shell calls<\/li>\n\n\n\n<li>XSS in templating or HTML output<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h3 class=\"wp-block-heading\">A06:2025 \u2013 Insecure Design<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What:<\/strong> Flaws at the <strong>architectural \/ design level<\/strong>, independent of any specific implementation bug.<\/li>\n\n\n\n<li><strong>Change vs 2021:<\/strong> Introduced in 2021 and now slides from <strong>#4 to #6<\/strong> because misconfiguration and supply-chain risks moved ahead of it. 
(<a href=\"https:\/\/owasp.org\/Top10\/2025\/0x00_2025-Introduction\/\" target=\"_blank\" rel=\"noopener\">OWASP Foundation<\/a>)<\/li>\n\n\n\n<li><strong>Examples:<\/strong>\n<ul class=\"wp-block-list\">\n<li>No threat modeling or misuse-case scenarios<\/li>\n\n\n\n<li>Flows that allow money transfer without strong verification<\/li>\n\n\n\n<li>Relying solely on client-side controls<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h3 class=\"wp-block-heading\">A07:2025 \u2013 Authentication Failures<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What:<\/strong> Problems with authentication mechanisms \u2013 login, session management, password reset, MFA flows, etc.<\/li>\n\n\n\n<li><strong>Change vs 2021:<\/strong> Same position (<strong>#7<\/strong>), but <strong>renamed<\/strong> from \u201cIdentification and Authentication Failures\u201d to simply <strong>\u201cAuthentication Failures\u201d<\/strong> to better reflect the mapped CWEs. (<a href=\"https:\/\/owasp.org\/Top10\/2025\/0x00_2025-Introduction\/\" target=\"_blank\" rel=\"noopener\">OWASP Foundation<\/a>)<\/li>\n\n\n\n<li><strong>Examples:<\/strong>\n<ul class=\"wp-block-list\">\n<li>Weak password policies or no rate limiting on login attempts<\/li>\n\n\n\n<li>Session IDs exposed in URLs<\/li>\n\n\n\n<li>Broken \u201cremember me\u201d or token handling<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h3 class=\"wp-block-heading\">A08:2025 \u2013 Software or Data Integrity Failures<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What:<\/strong> Failures to verify the <strong>integrity &amp; authenticity<\/strong> of code, configuration, or data that the application itself consumes at run time (updates, plugins, serialized objects, CI\/CD configuration). A03 covers the ecosystem the application is built from; A08 covers what the running application trusts without checking. 
(<a href=\"https:\/\/owasp.org\/Top10\/2025\/0x00_2025-Introduction\/\" target=\"_blank\" rel=\"noopener\">OWASP Foundation<\/a>)<\/li>\n\n\n\n<li><strong>Change vs 2021:<\/strong> Same category, same ranking (<strong>#8<\/strong>); now clearly positioned as complementing A03.<\/li>\n\n\n\n<li><strong>Examples:<\/strong>\n<ul class=\"wp-block-list\">\n<li>Unsigned or unverified updates<\/li>\n\n\n\n<li>Insecure deserialization<\/li>\n\n\n\n<li>Trusting data from sources whose integrity has not been verified<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h3 class=\"wp-block-heading\">A09:2025 \u2013 Logging &amp; Alerting Failures<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What:<\/strong> Missing, incomplete, or un-actionable logging; lack of alerting on important security events.<\/li>\n\n\n\n<li><strong>Change vs 2021:<\/strong> Renamed from \u201cSecurity Logging and Monitoring Failures\u201d to <strong>\u201cLogging &amp; Alerting Failures\u201d<\/strong> to emphasize that <strong>alerting on logged events<\/strong> is critical: a log nobody reacts to does not shorten an attacker\u2019s dwell time. Still at <strong>#9<\/strong>. (<a href=\"https:\/\/owasp.org\/Top10\/2025\/0x00_2025-Introduction\/\" target=\"_blank\" rel=\"noopener\">OWASP Foundation<\/a>)<\/li>\n\n\n\n<li><strong>Examples:<\/strong>\n<ul class=\"wp-block-list\">\n<li>No logs for auth failures or permission violations<\/li>\n\n\n\n<li>Logs exist, but no alerts \/ correlation \/ monitoring<\/li>\n\n\n\n<li>Logs stored in a way that can be easily tampered with<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h3 class=\"wp-block-heading\">A10:2025 \u2013 Mishandling of Exceptional Conditions \u2b50<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What:<\/strong> Issues stemming from <strong>poor error and exception handling<\/strong>: failing open, swallowing errors, or incorrect logic around abnormal system states. 
(<a href=\"https:\/\/owasp.org\/Top10\/2025\/0x00_2025-Introduction\/\" target=\"_blank\" rel=\"noopener\">OWASP Foundation<\/a>)<\/li>\n\n\n\n<li><strong>Change vs 2021:<\/strong> <strong>Brand-new category<\/strong> introduced in 2025.<\/li>\n\n\n\n<li><strong>Examples:<\/strong>\n<ul class=\"wp-block-list\">\n<li>Catching all exceptions and returning success<\/li>\n\n\n\n<li>Suppressing security-related errors (e.g., signature verification failures)<\/li>\n\n\n\n<li>Removing or bypassing validation logic in \u201cerror\u201d paths<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<p>This category formalizes a class of bugs that were previously spread across other categories (e.g., injection, authentication issues) but share the theme of <strong>bad behavior when things go wrong<\/strong>.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\">4. What\u2019s Changed vs OWASP Top 10:2021 (Summary)<\/h2>\n\n\n\n<p>From OWASP\u2019s own \u201cWhat\u2019s changed\u201d section: (<a href=\"https:\/\/owasp.org\/Top10\/2025\/0x00_2025-Introduction\/\" target=\"_blank\" rel=\"noopener\">OWASP Foundation<\/a>)<\/p>\n\n\n\n<p><strong>1. Two new categories:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>A03 \u2013 Software Supply Chain Failures<\/strong><\/li>\n\n\n\n<li><strong>A10 \u2013 Mishandling of Exceptional Conditions<\/strong><\/li>\n<\/ul>\n\n\n\n<p><strong>2. One consolidation:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>SSRF<\/strong> is no longer its own item; it\u2019s <strong>rolled into A01 (Broken Access Control)<\/strong> as one way of improperly exposing internal resources.<\/li>\n<\/ul>\n\n\n\n<p><strong>3. 
Renames \/ re-framing:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>A07<\/strong> renamed to \u201cAuthentication Failures\u201d<\/li>\n\n\n\n<li><strong>A09<\/strong> renamed to \u201cLogging &amp; Alerting Failures\u201d<\/li>\n\n\n\n<li>Emphasis on <strong>root causes<\/strong> (misconfiguration, cryptographic failures, supply chain) rather than symptoms.<\/li>\n<\/ul>\n\n\n\n<p><strong>4. Ranking shifts:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Security Misconfiguration<\/strong> jumps from #5 to #2<\/li>\n\n\n\n<li><strong>Software Supply Chain Failures<\/strong> debuts at #3<\/li>\n\n\n\n<li><strong>Insecure Design, Cryptographic Failures, Injection<\/strong> each move down two places but remain core risks.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\">5. How OWASP Built the 2025 RC<\/h2>\n\n\n\n<p>OWASP describes its methodology clearly: (<a href=\"https:\/\/owasp.org\/Top10\/2025\/0x00_2025-Introduction\/\" target=\"_blank\" rel=\"noopener\">OWASP Foundation<\/a>)<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Massive data set<\/strong>\n<ul class=\"wp-block-list\">\n<li>Over <strong>2.8 million applications<\/strong> analysed, contributed by multiple vendors and organizations. (<a href=\"https:\/\/owasp.org\/Top10\/2025\/0x00_2025-Introduction\/\" target=\"_blank\" rel=\"noopener\">OWASP Foundation<\/a>)<\/li>\n\n\n\n<li><strong>589 CWEs<\/strong> considered in the raw data, with <strong>248 CWEs<\/strong> ultimately mapped into the 10 categories. (<a href=\"https:\/\/owasp.org\/Top10\/2025\/0x00_2025-Introduction\/\" target=\"_blank\" rel=\"noopener\">OWASP Foundation<\/a>)<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>CWE + CVE + CVSS analysis<\/strong>\n<ul class=\"wp-block-list\">\n<li>Used OWASP Dependency-Check data to associate CVEs with CWEs. 
(<a href=\"https:\/\/owasp.org\/Top10\/2025\/0x00_2025-Introduction\/\" target=\"_blank\" rel=\"noopener\">OWASP Foundation<\/a>)<\/li>\n\n\n\n<li>Calculated average <strong>Exploitability<\/strong> and <strong>Technical Impact<\/strong> scores per category using a combination of CVSS v2 and v3 scores. (<a href=\"https:\/\/owasp.org\/Top10\/2025\/0x00_2025-Introduction\/\" target=\"_blank\" rel=\"noopener\">OWASP Foundation<\/a>)<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Prevalence calculation<\/strong>\n<ul class=\"wp-block-list\">\n<li>For each CWE, they looked at the <strong>percentage of applications<\/strong> with at least one instance, not the raw count of findings (an application with fifty instances of one CWE counts once, so the measure is an incidence rate rather than a volume). (<a href=\"https:\/\/owasp.org\/Top10\/2025\/0x00_2025-Introduction\/\" target=\"_blank\" rel=\"noopener\">OWASP Foundation<\/a>)<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Root-cause focus<\/strong>\n<ul class=\"wp-block-list\">\n<li>Categories deliberately focus on <strong>root causes<\/strong> (e.g., \u201cSoftware Supply Chain Failures\u201d) instead of just symptoms. (<a href=\"https:\/\/owasp.org\/Top10\/2025\/0x00_2025-Introduction\/\" target=\"_blank\" rel=\"noopener\">OWASP Foundation<\/a>)<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Community survey<\/strong>\n<ul class=\"wp-block-list\">\n<li>Only <strong>8 of the 10 categories<\/strong> strictly come from data; <strong>2 are promoted<\/strong> by the global community survey, so that risks practitioners see in the field but that automated testing data under-represents are not missed. (<a href=\"https:\/\/owasp.org\/Top10\/2025\/0x00_2025-Introduction\/\" target=\"_blank\" rel=\"noopener\">OWASP Foundation<\/a>)<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Release Candidate &amp; feedback loop<\/strong>\n<ul class=\"wp-block-list\">\n<li>RC1 published 6 November 2025, with a public comment period via GitHub issues and feedback forms. 
(<a href=\"https:\/\/owasp.org\/Top10\/2025\/0x00_2025-Introduction\/\" target=\"_blank\" rel=\"noopener\">OWASP Foundation<\/a>)<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n\n\n\n<h2 class=\"wp-block-heading\">6. What Does the 2025 RC Mean for You (Practically)?<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">For training and slides<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>You can now <strong>teach both<\/strong>:\n<ul class=\"wp-block-list\">\n<li><strong>OWASP Top 10:2021<\/strong> \u2013 still the <strong>current \u201cofficial\u201d stable<\/strong> list until the 2025 final is published<\/li>\n\n\n\n<li><strong>OWASP Top 10:2025 RC1<\/strong> \u2013 the <strong>upcoming version<\/strong>, showing where the industry is heading.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Emphasize <strong>supply chain risk<\/strong> and <strong>exception-handling issues<\/strong>, since these are the standout additions.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">For secure SDLC \/ DevSecOps<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Strengthen:\n<ul class=\"wp-block-list\">\n<li><strong>SBOMs and SCA<\/strong> (software composition analysis) for Software Supply Chain Failures<\/li>\n\n\n\n<li><strong>CI\/CD hardening, artifact signing, package provenance and hash-pinned dependencies<\/strong><\/li>\n\n\n\n<li><strong>Error\/exception-handling patterns<\/strong>, especially \u201cfail-closed\u201d behavior: an unexpected error in a security decision must result in denial, never in success<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Update your:\n<ul class=\"wp-block-list\">\n<li>Threat modeling checklists<\/li>\n\n\n\n<li>Secure coding standards<\/li>\n\n\n\n<li>Test cases and pipelines (e.g., scanning dependencies &amp; images)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">For your future OWASP course<\/h3>\n\n\n\n<p>A suggested structure:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Have <strong>one module on 2021<\/strong> (because many compliance documents still reference it).<\/li>\n\n\n\n<li>Have a <strong>\u201cNew in 2025\u201d module<\/strong> that:\n<ul 
class=\"wp-block-list\">\n<li>Explains A03 and A10 in depth<\/li>\n\n\n\n<li>Shows how A06:2021 (Vulnerable and Outdated Components) \u2192 A03:2025 (Software Supply Chain Failures) evolved<\/li>\n\n\n\n<li>Highlights SSRF\u2019s consolidation into A01<\/li>\n\n\n\n<li>Links the 2025 categories to ASVS (Application Security Verification Standard), WSTG (Web Security Testing Guide), and SAMM (Software Assurance Maturity Model).<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\">\n","protected":false},"excerpt":{"rendered":"<p>OWASP Top 10:2025 \u2013 Release Candidate 1 (RC1) is the new draft version of the OWASP Top 10, published on 6 November 2025 as the 8th edition of the project. It\u2019s&#8230; <\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"_joinchat":[],"footnotes":""},"categories":[11138],"tags":[],"class_list":["post-54272","post","type-post","status-publish","format-standard","hentry","category-best-tools"],"_links":{"self":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/54272","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/comments?post=54272"}],"version-history":[{"count":2,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/54272\/revisions"}],"predecessor-version":[{"id":59901,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/54272\/revisions\/59901"}],"wp:attachment":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/media?parent=54272"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/categories?post=54272"},{"taxonomy":"post_tag","embe
ddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/tags?post=54272"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
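Worked example for A01 (Broken Access Control) and A05 (Injection) from section 3 above. This is an added illustration, not code from the original post or from OWASP. It uses an in-memory SQLite database with constructed users and invoices; the table names, the `demo-pass` style passwords and the function names are invented for the demo. The two "vulnerable" functions keep the flaws the section describes (string-concatenated SQL, and an object lookup with no ownership check) so that the fixed versions beside them can be compared on the same data.

```python
import sqlite3

# Constructed demo data: two tenants, each owning one invoice. Not from any real system.
USERS = [(1, "alice", "alice-pass"), (2, "bob", "bob-pass")]
INVOICES = [(100, 1, "Alice's invoice"), (200, 2, "Bob's invoice")]


def build_db() -> sqlite3.Connection:
    """Create an in-memory database seeded with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    conn.execute("CREATE TABLE invoices (id INTEGER PRIMARY KEY, owner_id INTEGER, body TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    conn.executemany("INSERT INTO invoices VALUES (?, ?, ?)", INVOICES)
    return conn


# --- A05 Injection: authentication query built by string concatenation -------------

def login_vulnerable(conn, name: str, password: str):
    """Vulnerable: user input is spliced into the SQL text, so it can change the query."""
    sql = ("SELECT id, name FROM users WHERE name = '" + name
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()


def login_fixed(conn, name: str, password: str):
    """Fixed: parameters are bound by the driver and can never become SQL syntax.
    (Plaintext password comparison is kept only to keep the injection point visible;
    real code compares against a salted password hash, see A04.)"""
    sql = "SELECT id, name FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone()


# --- A01 Broken Access Control: insecure direct object reference (IDOR) ----------

def get_invoice_vulnerable(conn, invoice_id: int):
    """Vulnerable: any authenticated user can read any invoice by guessing its id.
    The query is parameterized (no injection) yet the access control is still broken."""
    return conn.execute("SELECT id, owner_id, body FROM invoices WHERE id = ?",
                        (invoice_id,)).fetchone()


def get_invoice_fixed(conn, current_user_id: int, invoice_id: int):
    """Fixed: the ownership check is part of the query, so a foreign id yields nothing.
    current_user_id must come from the server-side session, never from the request."""
    return conn.execute(
        "SELECT id, owner_id, body FROM invoices WHERE id = ? AND owner_id = ?",
        (invoice_id, current_user_id)).fetchone()


def demo() -> dict:
    """Run both attack paths against both versions and report what each returned."""
    conn = build_db()
    bypass = "' OR '1'='1"  # classic tautology payload, constructed for the demo
    return {
        "sqli_vulnerable": login_vulnerable(conn, "alice", bypass),   # logs in as alice
        "sqli_fixed": login_fixed(conn, "alice", bypass),             # None
        "idor_vulnerable": get_invoice_vulnerable(conn, 200),         # bob's invoice
        "idor_fixed": get_invoice_fixed(conn, 1, 200),                # alice asks for bob's: None
        "idor_fixed_own": get_invoice_fixed(conn, 1, 100),            # alice asks for hers
    }


if __name__ == "__main__":
    for case, row in demo().items():
        print(f"{case:16s} -> {row}")
```

With the payload the concatenated query becomes `... WHERE name = 'alice' AND password = '' OR '1'='1'`, which is true for every row; the bound-parameter version treats the same string as a password value and returns nothing. Note that the IDOR function is already free of injection: parameterization fixes A05, not A01, and the two checks are independent.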
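Worked example for A03 (Software Supply Chain Failures) and A08 (Software or Data Integrity Failures) from section 3 above, and for the "hash-pinned dependencies" item in section 6: a verifier that accepts a downloaded package only if its digest matches a pin in a lock-file. This is an added illustration, not code from the post or from OWASP or pip. The lock-file syntax follows pip's `--hash=sha256:...` requirement lines, but the package names, artifact bytes and hashes are constructed for the demo, and `parse_pins` / `verify_artifact` are invented names. Unpinned or unknown packages are rejected, mirroring the behaviour of `pip install --require-hashes`.

```python
import hashlib
import re
from dataclasses import dataclass, field

# Constructed demo artifacts standing in for downloaded wheels/sdists. Real ones come
# from the package index; the point is only that their bytes are hashed and compared.
GOOD_WHEEL = b"demo-wheel-contents-v1.2.3"
TAMPERED_WHEEL = b"demo-wheel-contents-v1.2.3-with-backdoor"

HASH_RE = re.compile(r"--hash=(?P<algo>[a-z0-9]+):(?P<hex>[0-9a-fA-F]+)")
REQ_RE = re.compile(r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<version>[^\s\\]+)")


@dataclass
class Pin:
    version: str
    hashes: dict = field(default_factory=dict)  # algo -> set of accepted hex digests


def parse_pins(text: str) -> dict:
    """Parse a requirements file in pip's --require-hashes style.

    Handles backslash line continuations and several --hash= values per requirement.
    A requirement without any --hash= is recorded with no digests and rejected later:
    a lock-file with one unpinned entry is a lock-file with a hole in it.
    """
    pins = {}
    logical = text.replace("\\\n", " ")          # join continued lines
    for line in logical.splitlines():
        line = line.split("#", 1)[0].strip()     # drop comments
        if not line:
            continue
        m = REQ_RE.match(line)
        if not m:
            raise ValueError(f"unsupported requirement line: {line!r}")
        pin = Pin(version=m.group("version"))
        for h in HASH_RE.finditer(line):
            pin.hashes.setdefault(h.group("algo"), set()).add(h.group("hex").lower())
        pins[m.group("name").lower().replace("_", "-")] = pin   # normalized name
    return pins


def verify_artifact(pins: dict, name: str, version: str, data: bytes) -> tuple:
    """Return (accepted, reason). Every failure path is a rejection (fail closed)."""
    pin = pins.get(name.lower().replace("_", "-"))
    if pin is None:
        return False, "not in lock-file"
    if pin.version != version:
        return False, f"version {version} differs from pinned {pin.version}"
    accepted = pin.hashes.get("sha256")
    if not accepted:
        return False, "no sha256 pin recorded"
    digest = hashlib.sha256(data).hexdigest()
    if digest not in accepted:
        return False, "sha256 mismatch"
    return True, "ok"


def demo() -> dict:
    """Build a lock-file from the constructed good artifact and exercise each decision path."""
    good_sha = hashlib.sha256(GOOD_WHEEL).hexdigest()
    lockfile = (
        "# constructed lock-file for the demo\n"
        f"demo-pkg==1.2.3 \\\n    --hash=sha256:{good_sha}\n"
        "unpinned-pkg==0.1.0\n"
    )
    pins = parse_pins(lockfile)
    return {
        "good": verify_artifact(pins, "demo_pkg", "1.2.3", GOOD_WHEEL),
        "tampered": verify_artifact(pins, "demo-pkg", "1.2.3", TAMPERED_WHEEL),
        "wrong_version": verify_artifact(pins, "demo-pkg", "1.2.4", GOOD_WHEEL),
        "unpinned": verify_artifact(pins, "unpinned-pkg", "0.1.0", b"anything"),
        "unknown": verify_artifact(pins, "left-pad", "1.0.0", b"anything"),
    }


if __name__ == "__main__":
    for case, (ok, why) in demo().items():
        print(f"{case:14s} accepted={str(ok):5s} {why}")
```

A hash pin proves the bytes you build with are the bytes you reviewed; it does not prove the maintainer who published them was not compromised. That is why the section pairs it with signing and provenance (build attestations) rather than treating either control alone as sufficient.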
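Worked example for A04 (Cryptographic Failures) from section 3 above, covering the "outdated algorithms" and "hashing passwords with a fast, unsalted digest" failure. This is an added illustration, not code from the post or from OWASP. It contrasts unsalted MD5 with scrypt from the Python standard library using a random per-user salt, stored cost parameters and a constant-time comparison; the record format `scrypt$n$r$p$salt$key` and the function names are invented for the demo, and the cost parameters are a starting point to be raised as hardware allows.

```python
import hashlib
import hmac
import os
from typing import Optional

# --- A04 anti-pattern: fast, unsalted digest ------------------------------------

def hash_password_weak(password: str) -> str:
    """Weak: MD5 with no salt. Identical passwords produce identical hashes, and a
    leaked table can be attacked with precomputed tables at billions of guesses/s."""
    return hashlib.md5(password.encode()).hexdigest()


# --- A04 fix: memory-hard KDF, random per-user salt, constant-time compare --------

SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1)  # 16 MiB per hash; raise n as hardware allows
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'scrypt$<n>$<r>$<p>$<salt-hex>$<key-hex>'. The parameters travel with the
    record so they can be raised later without invalidating existing hashes."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    key = hashlib.scrypt(password.encode(), salt=salt, dklen=32, **SCRYPT_PARAMS)
    n, r, p = SCRYPT_PARAMS["n"], SCRYPT_PARAMS["r"], SCRYPT_PARAMS["p"]
    return f"scrypt${n}${r}${p}${salt.hex()}${key.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time.
    A malformed record is treated as a failed login, never as a pass (see A10)."""
    try:
        algo, n, r, p, salt_hex, key_hex = stored.split("$")
        if algo != "scrypt":
            return False
        stored_key = bytes.fromhex(key_hex)
        candidate = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                                   n=int(n), r=int(r), p=int(p), dklen=32)
    except (ValueError, TypeError):
        return False
    return hmac.compare_digest(candidate, stored_key)


def demo() -> dict:
    """Two users choose the same password: the weak scheme reveals it, scrypt does not."""
    weak_a = hash_password_weak("correct horse")
    weak_b = hash_password_weak("correct horse")
    strong_a = hash_password("correct horse")
    strong_b = hash_password("correct horse")
    return {
        "weak_hashes_collide": weak_a == weak_b,                        # True: same input, same hash
        "strong_hashes_differ": strong_a != strong_b,                   # True: different salts
        "strong_verifies": verify_password("correct horse", strong_a),
        "wrong_password_rejected": verify_password("correct hose", strong_a),
        "garbage_record_rejected": verify_password("correct horse", "md5$deadbeef"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:24s} {result}")
```

The salt defeats precomputation and hides which users share a password; the memory-hard KDF makes each guess expensive for an attacker with a leaked table; `hmac.compare_digest` keeps the comparison time independent of how many leading bytes match. MD5 and SHA-1 are the wrong tool here not because they are "old" but because they are fast and, for these uses, were never designed for password storage.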
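Worked example for A09 (Logging &amp; Alerting Failures) from section 3 above, addressing the "logs exist, but no alerts / correlation" item: detection logic run over sample log lines. This is an added illustration, not code from the post or from OWASP. The log format (`<timestamp> <event> key=value ...`), every log line, the thresholds and the function names are constructed for the demo; a real deployment would feed the same two rules from its SIEM or log pipeline. Rule 1 correlates authentication failures per source address in a sliding window (password spraying across several accounts from one IP); rule 2 fires on any authorization denial against an admin path, which ties A09 to the A01 vertical-privilege probes described earlier.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed log lines, not from a real system. Format: <ISO timestamp> <event> key=value ...
SAMPLE_LOG = """\
2025-11-30T18:00:00Z auth result=ok user=alice src=192.0.2.10
2025-11-30T18:00:01Z auth result=fail user=alice src=203.0.113.7
2025-11-30T18:00:03Z auth result=fail user=bob src=203.0.113.7
2025-11-30T18:00:05Z auth result=fail user=carol src=203.0.113.7
2025-11-30T18:00:06Z auth result=fail user=dave src=203.0.113.7
2025-11-30T18:00:09Z auth result=fail user=erin src=203.0.113.7
2025-11-30T18:00:12Z authz result=deny user=alice path=/admin/users src=192.0.2.10
2025-11-30T18:03:00Z auth result=fail user=alice src=198.51.100.9
2025-11-30T18:05:00Z auth result=fail user=alice src=198.51.100.9
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>\S+) (?P<rest>.*)$")
FAIL_THRESHOLD = 5      # this many auth failures from one source ...
WINDOW_SECONDS = 60     # ... within this many seconds raises an alert


def parse_line(line: str) -> dict:
    """Split one log line into a dict with a timezone-aware 'ts', 'event' and the k=v fields."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    fields = dict(kv.split("=", 1) for kv in m.group("rest").split())
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "event": m.group("event"), **fields}


def detect(log_text: str) -> list:
    """Return alerts as (kind, subject, timestamp) tuples, in log order.

    Rule 1: >= FAIL_THRESHOLD auth failures from one src inside a sliding WINDOW_SECONDS
            window (brute force or password spraying). Fires once per burst.
    Rule 2: any authz denial on an /admin path (a user probing for vertical privilege).
    """
    alerts = []
    recent = defaultdict(deque)     # src -> timestamps of failures still inside the window
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev["event"] == "auth" and ev.get("result") == "fail":
            q = recent[ev["src"]]
            q.append(ev["ts"])
            while (ev["ts"] - q[0]).total_seconds() > WINDOW_SECONDS:
                q.popleft()          # age out failures older than the window
            if len(q) >= FAIL_THRESHOLD:
                alerts.append(("auth_bruteforce", ev["src"], ev["ts"]))
                q.clear()            # one burst yields one alert, not one per extra failure
        elif (ev["event"] == "authz" and ev.get("result") == "deny"
              and ev.get("path", "").startswith("/admin")):
            alerts.append(("admin_probe", ev["user"], ev["ts"]))
    return alerts


if __name__ == "__main__":
    for kind, subject, ts in detect(SAMPLE_LOG):
        print(f"{ts.isoformat()} ALERT {kind} {subject}")
```

On the sample data the five failures from 203.0.113.7 arrive within eight seconds and produce one alert; the two failures from 198.51.100.9 are two minutes apart, so the window empties between them and nothing fires. The lesson the section draws is that the first burst is invisible unless something correlates the lines, even though every one of them was logged.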
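Worked example for A10 (Mishandling of Exceptional Conditions) from section 3 above, covering two of its listed patterns: "catching all exceptions and returning success" and "suppressing security-related errors (e.g., signature verification failures)". This is an added illustration, not code from the post or from OWASP. The HMAC key, the message, the policy table and the function names are constructed for the demo. The fail-open verifier keeps the bug the section describes so that its fixed counterpart can be run on the same inputs; `deny_on_error` then generalizes the fix to any boolean security decision.

```python
import functools
import hashlib
import hmac
import logging

log = logging.getLogger("a10-demo")

# Constructed demo key; in production it comes from a secret store, never from source code.
DEMO_KEY = b"demo-key-not-for-production"


def sign(key: bytes, message: bytes) -> str:
    """HMAC-SHA256 over the message, hex encoded (the format the verifiers expect)."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_fail_open(key: bytes, message: bytes, signature_hex) -> bool:
    """A10 anti-pattern: the catch-all handler turns *any* failure into success.
    A non-hex or missing signature never reaches compare_digest, so it is accepted."""
    try:
        provided = bytes.fromhex(signature_hex)          # raises on garbage or None
        expected = hmac.new(key, message, hashlib.sha256).digest()
        return hmac.compare_digest(expected, provided)
    except Exception:
        log.warning("signature check failed, continuing")   # error swallowed ...
        return True                                         # ... and reported as success


def verify_fail_closed(key: bytes, message: bytes, signature_hex) -> bool:
    """Fixed: malformed input is a rejection, and only the expected error is caught.
    Anything else propagates to the caller, which must not turn it into a success."""
    if not isinstance(signature_hex, str):
        return False
    try:
        provided = bytes.fromhex(signature_hex)
    except ValueError:
        return False
    expected = hmac.new(key, message, hashlib.sha256).digest()
    return hmac.compare_digest(expected, provided)


def deny_on_error(check):
    """General form of the fix for any boolean security decision: an unexpected
    exception inside the decision is logged and reported as denied, never as allowed."""
    @functools.wraps(check)
    def wrapper(*args, **kwargs):
        try:
            return bool(check(*args, **kwargs))
        except Exception:
            log.exception("security decision %s raised; denying", check.__name__)
            return False
    return wrapper


# Constructed policy table: user -> set of permitted actions.
POLICY = {"alice": {"read"}, "admin": {"read", "write"}}


@deny_on_error
def is_allowed(user: str, action: str) -> bool:
    """Lookup that raises KeyError for an unknown user; the decorator makes that a denial."""
    return action in POLICY[user]


def demo() -> dict:
    """Exercise each verifier on valid, tampered, malformed and missing signatures."""
    msg = b'{"amount": 10}'
    good = sign(DEMO_KEY, msg)
    return {
        "open_accepts_garbage": verify_fail_open(DEMO_KEY, msg, "not-hex"),       # True (bug)
        "open_accepts_none": verify_fail_open(DEMO_KEY, msg, None),               # True (bug)
        "closed_rejects_garbage": verify_fail_closed(DEMO_KEY, msg, "not-hex"),   # False
        "closed_rejects_none": verify_fail_closed(DEMO_KEY, msg, None),           # False
        "closed_accepts_valid": verify_fail_closed(DEMO_KEY, msg, good),          # True
        "closed_rejects_tampered": verify_fail_closed(DEMO_KEY, b'{"amount": 10000}', good),
        "unknown_user_denied": is_allowed("mallory", "write"),                    # False
        "known_user_allowed": is_allowed("alice", "read"),                        # True
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:24s} {result}")
```

The fail-open verifier rejects a properly formed but wrong signature just like the fixed one does, which is why the bug survives ordinary testing: only an input that raises (an unexpected type, a malformed encoding, a dependency that is down) reveals it. The check a practitioner wants is therefore not "does a bad signature fail" but "does every exceptional path end in denial".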