The OWASP Top 10 remains one of the most influential application security awareness documents in software engineering. The 2025 update is the eighth edition of the list, and its changes reflect how modern applications actually fail: not just where vulnerabilities appear, but why they appear.
For UK health-tech organisations operating in high-risk, highly regulated environments, understanding these changes is important. The new edition highlights risks that can directly affect electronic patient data, integrations, API ecosystems, medical device software, cloud systems and third-party suppliers.
This blog breaks down what’s new in OWASP Top 10:2025 and how health-tech organisations can respond with speed and quality.
The 2025 list introduces two new categories (Software Supply Chain Failures and Mishandling of Exceptional Conditions), one major consolidation (Server-Side Request Forgery folded into Broken Access Control) and several ranking shifts.
Broken Access Control stays at the top of the list. It remains the most consistently observed category across OWASP's dataset, reflecting systemic weaknesses in authorisation logic and role-based access: applications reliably establish who a user is, then fail to check what that user may see or do.
OWASP also confirms that Server-Side Request Forgery (SSRF) has been folded into this category. In 2021 SSRF was a standalone entry at #10; it is now treated as an access control problem, because an SSRF bug is the server reaching a destination it was never authorised to reach on a user's behalf.
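As an added illustration (this is example code, not code from the OWASP project or the original post), the following Python shows both halves of the merged category: an object-level authorisation check on patient records, and an outbound allowlist that treats SSRF as a question of where the server is permitted to send requests. The record data, the care-team table and the allowed hostnames are constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample data (not from a real system): patient records and the
# care team with a legitimate relationship to each patient.
RECORDS = {
    101: {"patient": "P-001", "summary": "sample record"},
    102: {"patient": "P-002", "summary": "sample record"},
}
CARE_TEAM = {
    "P-001": {"dr.ahmed", "nurse.chen"},
    "P-002": {"dr.bell"},
}

# Assumed allowlist of hosts the backend may call on a user's behalf
# (hypothetical names chosen for the example).
ALLOWED_OUTBOUND_HOSTS = {"fhir.example.nhs.uk", "labs.example.org"}


def fetch_record_insecure(user: str, record_id: int) -> dict:
    """Vulnerable: the caller is authenticated, but nobody asks whether *this*
    user may see *this* record, so any caller can walk record IDs (IDOR)."""
    return RECORDS[record_id]


def can_access(user: str, record_id: int) -> bool:
    """Per-object authorisation: the user must be on the care team of the
    patient the record belongs to. Unknown records are simply 'not allowed'."""
    record = RECORDS.get(record_id)
    if record is None:
        return False
    return user in CARE_TEAM.get(record["patient"], set())


def fetch_record(user: str, record_id: int) -> dict:
    """Hardened: the decision is made server-side for every request, and a
    missing record produces the same error as a forbidden one so record IDs
    cannot be enumerated by watching which error comes back."""
    if not can_access(user, record_id):
        raise PermissionError("access denied")
    return RECORDS[record_id]


def outbound_allowed(url: str) -> bool:
    """SSRF guard: only https to an allowlisted hostname passes. Bare IP
    literals are rejected outright, which covers loopback, link-local (cloud
    metadata at 169.254.169.254) and private ranges in one rule, and the
    parser is the same one the HTTP client would use, so 'user@host' tricks
    resolve to the host the request would really go to."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname is None:
        return False
    host = parts.hostname.lower()
    try:
        ipaddress.ip_address(host)
        return False          # IP literal: never allowed
    except ValueError:
        pass                  # a hostname: check the allowlist
    return host in ALLOWED_OUTBOUND_HOSTS


if __name__ == "__main__":
    print(fetch_record("dr.ahmed", 101))
    print(can_access("nurse.chen", 102))                        # False
    print(outbound_allowed("https://fhir.example.nhs.uk/Patient/1"))   # True
    print(outbound_allowed("https://fhir.example.nhs.uk@169.254.169.254/"))  # False
```

The allowlist is deliberately by hostname rather than by "is this IP private", because a denylist has to enumerate every range an attacker might reach. It does not, on its own, stop DNS rebinding or a redirect from an allowed host to an internal one; the HTTP client should resolve the name once, connect to that address, and follow no redirects.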
Security Misconfiguration, #5 in 2021, now takes second place. OWASP's data shows the category is widely prevalent and a root cause of many real-world incidents.
For cloud-first healthcare platforms, misconfigurations in storage buckets, identity providers, API gateways and container orchestration are both common and high-impact: a bucket left world-readable or an API route that bypasses the gateway's authentication exposes patient data without a single vulnerable line of application code.
Software Supply Chain Failures, new at #3, expands the narrower “Vulnerable and Out-of-Date Components” from 2021. OWASP now emphasises the entire software supply chain, including:
dependencies
build systems
package integrity
distribution channels
trust boundaries
This aligns strongly with national and global concerns about software supply-chain compromise.
Cryptographic Failures, #2 in 2021, drops two places to #4 but remains widespread. Failures include incorrectly implemented cryptography, weak or deprecated algorithms, poor key management and insecure configurations such as sensitive data stored or transmitted without encryption.
Injection drops from #3 to #5 but still represents a major risk. SQL, OS command and expression-language injection continue to feature heavily in real-world testing.
Insecure Design, introduced in 2021 at #4, drops to #6. OWASP continues to stress secure design principles before code is written, especially in complex or safety-critical systems, because a flaw in the design is not fixed by a perfect implementation of it.
Authentication Failures, renamed from “Identification and Authentication Failures” and unchanged at #7, covers issues such as MFA bypass, insecure password handling and broken session logic.
Software or Data Integrity Failures remains unchanged at #8. It focuses on integrity controls such as signed artefacts, verified update mechanisms, CI/CD pipelines that only consume trusted inputs, and tamper resistance.
Renamed from “Security Logging and Monitoring Failures” to “Security Logging and Alerting Failures” and unchanged at #9, this category highlights the importance of actionable alerting. Logging alone is insufficient without timely detection and response.
Mishandling of Exceptional Conditions is a completely new addition at #10, covering problems such as:
insecure error handling
fail-open behaviour
logic gaps during system faults
unsafe default states when systems are stressed
This is highly relevant to systems processing real-time health data or handling clinical workflows, where a component that fails open under load can expose or corrupt records at exactly the moment staff are least able to notice.
Health-tech organisations handle highly regulated, high-value data, including patient records, diagnostic outputs, medical device telemetry and clinical support information. A failure in access control, supply-chain integrity or error handling can directly affect care.
Many healthcare platforms depend on:
cloud-native services
API integrations
third-party apps
external identity providers
open-source libraries
This aligns closely with the issues highlighted in misconfiguration, supply-chain failures and integrity failures.
OWASP’s focus on design, configuration and supply-chain integrity matches the operational reality of UK health-tech platforms, where incidents often stem from underlying design choices rather than isolated code defects.
NHS England, MHRA and the ICO increasingly expect health-tech suppliers to demonstrate strong:
access control governance
supply-chain assurance
secure development practices
incident logging and response
data integrity controls
OWASP Top 10:2025 aligns closely with these requirements.
The OWASP Top 10:2025 is best used as a structured way to understand where your systems are genuinely exposed. Start with a risk-based assessment that maps each category to the parts of your platform that matter most. Look at how access is controlled, how features are designed, what’s configurable in your cloud environment, which third-party components you depend on, and how your software behaves under pressure. This helps you focus effort where clinical, operational or regulatory impact would be greatest.
A major priority should be cloud and API misconfigurations. The category's rise to #2 shows that attackers exploit configuration mistakes as readily as code flaws. Health-tech platforms rely heavily on cloud services, identity providers and interconnected APIs, so a single misconfiguration can expose sensitive data or interrupt clinical workflows. Reviewing these areas early removes high-risk weaknesses cheaply, because a configuration fix needs no code change or release cycle.
Supply-chain assurance has also become essential. With the expanded focus on software supply-chain failures, health-tech organisations must ensure the components they use, from open-source libraries to container images and build pipelines, are trustworthy. This means verifying package integrity, maintaining clear software bills of materials and treating vendor assurance as rigorously as internal security controls.
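The package-integrity step described above, and the signed-artefact controls of the Software or Data Integrity Failures category, come down to one mechanism: record a digest of the artefact you reviewed, and refuse anything that does not match it. The following Python is an added example (not the original post's code, and not a real package manager) that writes and checks pins in the `--hash=sha256:<hex>` style pip uses in requirements files. The artefacts are constructed byte strings standing in for downloaded wheels.

```python
import hashlib
import hmac

# Constructed artefacts standing in for downloaded packages (not real releases).
TRUSTED_ARTEFACT = b"example-lib 1.4.2 contents as reviewed and approved\n"
TAMPERED_ARTEFACT = b"example-lib 1.4.2 contents with an extra payload\n"


def pin(name: str, version: str, data: bytes) -> str:
    """Produce a lock-file line from an artefact that has been reviewed.
    This is the moment trust is established; everything after it is checking."""
    digest = hashlib.sha256(data).hexdigest()
    return f"{name}=={version} --hash=sha256:{digest}"


def parse_lock(lines) -> dict:
    """Map (name, version) -> set of acceptable sha256 digests.
    One package may legitimately have several pins (one per platform wheel)."""
    pins = {}
    for raw in lines:
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        spec, *opts = line.split()
        name, _, version = spec.partition("==")
        prefix = "--hash=sha256:"
        digests = {o[len(prefix):] for o in opts if o.startswith(prefix)}
        pins.setdefault((name.lower(), version), set()).update(digests)
    return pins


def verify(lock_lines, name: str, version: str, data: bytes) -> bool:
    """Accept an artefact only if its digest matches a pin for exactly this
    name and version. Anything unpinned fails closed: a package the lock file
    never approved, or a version it never saw, is rejected rather than warned about."""
    accepted = parse_lock(lock_lines).get((name.lower(), version))
    if not accepted:
        return False
    actual = hashlib.sha256(data).hexdigest()
    # compare_digest is not strictly needed for public digests, but it keeps the
    # comparison free of early-exit behaviour if this code is ever reused for MACs.
    return any(hmac.compare_digest(actual, d) for d in accepted)


if __name__ == "__main__":
    lock = [pin("example-lib", "1.4.2", TRUSTED_ARTEFACT)]
    print(lock[0])
    print(verify(lock, "example-lib", "1.4.2", TRUSTED_ARTEFACT))   # True
    print(verify(lock, "example-lib", "1.4.2", TAMPERED_ARTEFACT))  # False
```

A digest pin proves the artefact is the one you reviewed; it says nothing about who built it. Pair it with signature or provenance checks on the build pipeline side, and regenerate pins only through a reviewed change, since an attacker who can edit the lock file can pin their own payload.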
Another critical step is improving how systems handle exceptional conditions. Many applications behave securely under normal operation but break unexpectedly during load spikes, dependency failures or malformed input. In a clinical context this can be dangerous. Testing failure modes (what happens when the authorisation service times out, when a queue backs up, when a parser meets input it never expected) helps ensure systems default to secure behaviour, failing closed rather than open.
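The fail-open behaviour listed under Mishandling of Exceptional Conditions, and the "fail closed rather than open" advice above, are easiest to see in an authorisation check whose policy backend can go away. The Python below is an added example (not the original post's code) with a simulated policy service that can be taken down or made to time out; the policy table and the fault injection are constructed for the example.

```python
import logging

log = logging.getLogger("authz")


class PolicyBackendError(Exception):
    """Raised when the policy service is unreachable or returns garbage."""


# Constructed policy table; in a real platform this lives behind a network call.
POLICY = {("dr.ahmed", "P-001"): True, ("dr.ahmed", "P-002"): False}


def lookup_policy(user, patient, *, backend_up=True, delay_s=0.0, timeout_s=0.5):
    """Stand-in for a remote policy decision point. The keyword arguments
    inject faults: an outage, or a response slower than the client timeout.
    An unknown (user, patient) pair is an explicit deny, not a missing value."""
    if not backend_up:
        raise PolicyBackendError("policy service unreachable")
    if delay_s > timeout_s:
        raise TimeoutError("policy lookup exceeded timeout")
    return POLICY.get((user, patient), False)


def authorise_fail_open(user, patient, **fault):
    """Vulnerable: written so the application 'keeps working' during an
    outage. Any error is swallowed and the request is allowed, so the worst
    moment for the platform becomes the best moment for an attacker."""
    try:
        return lookup_policy(user, patient, **fault)
    except Exception:
        return True


def authorise_fail_closed(user, patient, **fault):
    """Hardened: an exception means no decision was made, and no decision is
    a deny. The failure is logged with the detail an alerting pipeline needs;
    the caller learns only that access was refused. Unexpected exception
    types are not caught, so they still surface as an error rather than a grant."""
    try:
        return lookup_policy(user, patient, **fault)
    except (PolicyBackendError, TimeoutError) as exc:
        log.error("authz backend failure user=%s patient=%s: %s", user, patient, exc)
        return False


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    print(authorise_fail_open("dr.ahmed", "P-002", backend_up=False))    # True: outage grants access
    print(authorise_fail_closed("dr.ahmed", "P-002", backend_up=False))  # False
    print(authorise_fail_closed("dr.ahmed", "P-001", delay_s=2.0))       # False: timeout denies
    print(authorise_fail_closed("dr.ahmed", "P-001"))                    # True: normal operation
```

The test for this behaviour belongs in the regular suite, not in a one-off chaos exercise: kill the policy dependency, or make it slow, and assert that every protected call is denied. A deny during an outage is an availability incident; an allow during an outage is a data breach.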
Finally, logging and alerting must move beyond passive collection. Effective security depends on timely, actionable alerts that highlight suspicious behaviour early. In environments connected to patient care, slow detection can have serious consequences. Mature monitoring turns logs into intelligence rather than clutter.
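Turning an audit log into an alert means deciding, in code, what pattern is worth a human's attention. The Python below is an added example (not the original post's code) that runs one such rule over constructed audit lines: a user who collects several access denials on distinct patient records within a short window is probably walking record IDs, which is exactly the Broken Access Control probing that a log-only setup would record and nobody would read. The log format and the threshold are assumptions for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed audit lines (not from a real system). dr.ahmed is denied on five
# different patients in five seconds; everyone else is behaving normally.
SAMPLE_LOG = """\
2025-11-12T09:00:00Z user=nurse.chen action=record.read patient=P-001 result=allow
2025-11-12T09:00:05Z user=nurse.chen action=record.read patient=P-001 result=allow
2025-11-12T09:00:10Z user=dr.ahmed action=record.read patient=P-001 result=allow
2025-11-12T09:00:11Z user=dr.ahmed action=record.read patient=P-002 result=deny
2025-11-12T09:00:12Z user=dr.ahmed action=record.read patient=P-003 result=deny
2025-11-12T09:00:13Z user=dr.ahmed action=record.read patient=P-004 result=deny
2025-11-12T09:00:14Z user=dr.ahmed action=record.read patient=P-005 result=deny
2025-11-12T09:00:15Z user=dr.ahmed action=record.read patient=P-006 result=deny
2025-11-12T09:30:00Z user=dr.bell action=record.read patient=P-002 result=allow
"""


def parse_line(line: str) -> dict:
    """Parse 'ISO-timestamp key=value key=value ...' into a dict with a tz-aware ts."""
    ts_text, *fields = line.split()
    event = {"ts": datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def detect_denied_enumeration(lines, threshold: int = 5, window_s: int = 60) -> list:
    """Alert when one user accumulates >= threshold 'deny' results on distinct
    patients within window_s seconds. A sliding window per user keeps only the
    recent denials, so a clinician who mistypes one ID a day never trips it.
    One alert is raised per user so the on-call queue is not flooded."""
    recent = defaultdict(deque)   # user -> deque of (ts, patient) for denials
    alerted = set()
    alerts = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        ev = parse_line(line)
        if ev.get("action") != "record.read" or ev.get("result") != "deny":
            continue
        window = recent[ev["user"]]
        window.append((ev["ts"], ev["patient"]))
        while window and (ev["ts"] - window[0][0]).total_seconds() > window_s:
            window.popleft()
        distinct = {patient for _, patient in window}
        if len(distinct) >= threshold and ev["user"] not in alerted:
            alerted.add(ev["user"])
            alerts.append({
                "user": ev["user"],
                "distinct_patients": len(distinct),
                "at": ev["ts"].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_denied_enumeration(SAMPLE_LOG.splitlines()):
        print(alert)   # one alert for dr.ahmed at 09:00:15
```

The rule keys on denials rather than on volume of allowed reads because a clinician on a busy ward legitimately opens many records; a run of refusals across many patients has no legitimate shape. The same loop, pointed at a log shipper instead of a string, is the difference between collecting logs and acting on them.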
The OWASP Top 10:2025 shifts attention from isolated vulnerabilities to deeper engineering weaknesses. For UK health-tech organisations, this reflects real-world challenges, from supply-chain complexity to cloud misconfigurations and resilience under clinical load. Addressing these areas with discipline strengthens trust, supports compliance and builds technology that stays secure as demands grow.
By aligning your security with the new OWASP priorities, you strengthen resilience, reduce regulatory exposure, and protect patients and clinicians who rely on your technology every day.
If you’d like support benchmarking your systems against OWASP Top 10:2025 or developing a proactive roadmap, Periculo is here to help.