OWASP Top 10:2025

OWASP Top 10:2025 – What’s New and Why It Matters:

Your Helpful Guidance for More Secure and Resilient Apps

In early November 2025, OWASP released its latest Top 10 ranking, introducing two new categories – Software Supply Chain Failures (expanding on “Vulnerable and Outdated Components”) and Mishandling of Exceptional Conditions – while merging Server-Side Request Forgery (SSRF) into Broken Access Control. Additionally, Security Misconfiguration jumped from #5 to #2 due to increasingly complex app configurations and traditional risks like Cryptographic Failures, Injection, and Insecure Design each shifted down because secure-by-design practices have improved. This update reflects a broader shift from symptom-focused vulnerability spotting towards addressing systemic issues rooted in design, supply chains and error handling. Our December 2025 Newsletter offers useful guidance to help you build more secure and resilient applications.

Web Applications Security Risks are allegorically like a Market of Glass described hereafter.

In a seaside town, there stood a bustling market made entirely of glass houses. Each stall sold something essential: food, maps, letters, medicines, and tools. The market’s glass walls let sunlight in and made goods visible from faraway.

Traders loved the openness because customers could see exactly what they were buying. As time went by, newcomers built more glass stalls, connected by bridges and pipes that carried letters, coins and minutes of proceedings for secret meetings.

One dawn, a clever fox arrived. The shrewd fox learned how the market worked and how the glass could be used against the owners of the Market of Glass. Some stalls left doors unlocked for convenience. Some used cracked seals to whisper secrets. Some traded on rumor rather than checking the weight of coins.

The deceitful fox exploited all small mistakes and turned them into bigger problems. The townsfolk discovered that a beautiful, transparent market could be robbed not only by force but by subtle tricks, misread signs, and careless neighbors. The town’s elders gathered, discussed how to resolve such an issue and wrote rules: lock your doors, check the seals on your jars, avoid lending your master keys, and always test the strength of bridging pipes before trusting them with treasure.

They taught apprentices to design walls that could be mended from inside, to verify every coin and messenger, and to map the routes foxes liked to travel.

Slowly the Market of Glass grew wiser, trading securely while keeping the light that made it special.

Characters from the Market of Glass & What They Represent for Web Applications Security Risks

• Glass stalls: public-facing Web applications that show data and functionality to users.
• Doors left unlocked: weak authentication and poor session management create opportunities for impersonation. Unattended sessions and insufficient login validation allow cyber-attackers to exploit vulnerabilities and gain unauthorized access.
• Cracked seals on jars: cryptographic failures and sensitive data exposed through weak protection. Poor encryption or none exposes private goods.
• Whispering pipes: insecure communications and APIs that leak or accept dangerous inputs. Messages that are not validated corrupt the receiver.
• Bridges between stalls: broken access control that lets someone cross into places they should not. Users reach restricted stalls and take what they should not.
• Merchants trusting any type of coin: insufficient input validation and injection flaws that accept hostile payloads. Accepting unverified input undermines trust.
• Old tools and patched roofs: vulnerable and outdated components that become easy entry points. Outdated libraries let the fox crawl inside.
• Misplaced keys and shared master keys: privilege escalation and misconfiguration of secrets and credentials. Secrets stored where anyone can read them.
• Signs written in shifting languages: insecure design and inconsistent assumptions across services. Assumptions mismatch, creating hidden pathways for cyber-attackers. Public visibility of secrets and personal data.
• Cunning foxes: automated cyber-attackers, script kiddies, and persistent adversaries exploiting any weakness/vulnerability.
• Open ledgers on display → Sensitive data exposure: public visibility of secrets and personal data.
• Neighbors gossiping without checks → Insufficient logging and monitoring: cyber-attacks go unnoticed until too late.

Short Counselling from the Above Allegory

• Keep doors locked by enforcing strong authentication and session controls.
• Mend cracks with proper encryption and key management.
• Test every pipe and bridge with input validation and access control checks.
• Replace or patch old tools promptly and avoid lending master keys.
• Build designs that assume clever foxes exist and model how they might act.

Within the framework of the Open Worldwide Application Security Project (OWASP), Web Applications Security could be likened to a Market of Glass that can be altogether splendid and fragile. Web Applications Security is therefore the craft of making that allegorical Market of Glass resilient without losing the light that makes it valuable. In addition to the substantial contents published online by OWASP Foundation Website, the monographs cited in the Resources and References Section of this December 2025 Newsletter have also been consulted, abridged and customized for the writing of several parts of this manuscript.

Hands-On Overview of OWASP

Established in 2001 as a Computer Security Organization specialized in Web security, applications security and vulnerability assessment, and headquartered in Wilmington, Delaware (USA), OWASP stands for the Open Worldwide Application Security Project – a global nonprofit community that produces free resources, tools, industry standards, and conduct cybersecurity training, workshops and conferences to improve Web applications security throughout the world.

Useful Services Provided by OWASP

• Guides and standards: practical standards like the Application Security Verification Standard (ASVS) and the Software Assurance Maturity Model (SAMS) for assessing and maturing security practices.
• Top projects and lists: widely used resources such as the OWASP Top Ten (critical Web app risks) and domain projects like API Security and Automated Threats to Web Applications.
• Tools and learning platforms: open-source tools and intentionally vulnerable apps for testing and training, for example OWASP ZAP and WebGoat.
• Community and events: local chapters, conferences, training, and volunteer-driven initiatives around the world.

All of the above project types, learning platforms and related examples are researched, developed, designed, documented and maintained by the OWASP global community.

Why Does OWASP Matter for All Organizations Including SMEs?

• De facto computer science industry reference: many standards, compliance programs, and developers rely on OWASP outputs (for example the Top Ten) to prioritize and communicate Web apps security risks.
• Free and opens-source resources: resources are freely available so teams of any size can learn, test, apply and adopt better Web apps security practices.

In a Nutshell – OWASP Top 10 Web Applications Security Risks

Published every four years, the OWASP Top 10 is a community-driven list of the most critical Web applications security risks, used as a baseline for testing, applying, training, and prioritizing fixes.

Figure 1: Condensed Subject Matters of OWASP Top 10 Web Applications Security Risks and Key Mitigation Practices in Brief

Concrete Explanations of OWASP Top 10, Why They Matter for SMEs, Common Causes & Summarized Clarifications of Significant Mitigation Practices

Programmatic Steps to Reduce OWASP Top 10 Web Applications Risks

• Implement secure SDLC practices: threat modeling, security requirements, code review, and automated testing (SAST, DAST, SCA) integrated into CI/CD.
• Enforce strong runtime protections: centralized authorization, TLS everywhere, hardened configurations, and centralized logging and alerting.
• Maintain hygiene: Software Bill of Materials (SBOMs), dependency scanning, patch management, secrets management, and signed artifact pipelines.
• Invest in people and processes: develop training about secure patterns, regular penetration tests, incident response playbooks, and measuring detection and remediation SLAs.

Stacks Tailored Checklist or Prioritized Remediation Plan

Meticulously synopsized below is a checklist tailored to most common stacks or a prioritized remediation plan based on the most common exploitability and impact vectors for Web applications security risks.

Figure 2: Pragmatic Table of Recommended Approaches and Condensed Stacks Comparisons

General Prioritized Remediation Checklist: Applies to Any Stack

1. Inventory and visibility
   • Create an SBOM for all runtime and build-time dependencies.
   • Centralize asset inventory: apps, APIs, servers, ingress/egress points.
2. Authentication and session safety
   • Enforce MFA for all privileged and administrative accounts.
   • Use secure cookie flags: Secure, HttpOnly, SameSite.
   • Rotate and invalidate tokens on password changes and logout.
3. Authorization and least privilege
   • Centralize authorization logic; apply deny-by-default.
   • Validate object ownership on every access.
   • Minimize service roles and permissions for each component.
4. Data protection and cryptography
   • TLS everywhere with modern cipher suites and HSTS.
   • Hash passwords with Argon2/Bcrypt/PBKDF2 and salt them.
   • Manage keys in a vault and rotate regularly.
5. Dependency and supply-chain hygiene
   • Enable SCA in CI to block high/critical CVEs.
   • Pin dependency versions and verify checksums or signatures.
   • Limit third-party script execution and review transitive deps.
6. Input/output safety
   • Use parameterized queries and safe APIs; never concatenate SQL.
   • Escape/encode output for HTML, JS, CSS, URLs, and attributes.
   • Strict input validation with positive allow-lists and canonicalization.
7. Secure build and deployment
   • Sign and verify artifacts; restrict CI/CD permissions.
   • Use immutable builds and automated deployment (IaC).
   • Scan container images and minimize base images.
8. Configuration and hardening
   • Harden defaults; remove unused services and endpoints.
   • Automate configuration checks and drift detection.
   • Avoid storing secrets in code or repos; use secret stores.
9. Logging, monitoring, and response
   • Centralize logs and make them tamper-evident.
   • Log security events with sufficient context and redact secrets.
   • Create alerting thresholds and run incident playbook drills.
10. Runtime protections and network controls
    • Implement WAF and rate limiting for public endpoints.
    • Egress filtering and internal network segmentation.
    • Runtime integrity checks and host/agent-based EDR where appropriate.

Stack-Specific Checklists for Any Type of Organization

Node.js / Express

• Dependency management: enable npm audit/Snyk/GitHub Dependabot; pin package.json; make use of package-lock.json.
• Runtime safety: avoid eval, Function, and untrusted template engines; use helmet for headers.
• Database: use parameterized queries or ORM prepared statements.
• APIs: validate JSON schemas; limit request body size and rate.
• Build: sign artifacts; CI runs SAST and SCA; container images minimal.

Java / Spring

• Dependencies: use a SBOM; run OWASP dependency-check; upgrade Spring components promptly.
• Deserialization: disable default Java deserialization; use safe serializers.
• Endpoint security: centralize with Spring Security; enforce CSRF protection for state-changing ops.
• Config: externalize secrets to a vault; avoid exposing actuator endpoints to public.
• Monitoring: enable structured logs and correlate with trace IDs.

.NET / ASP.NET Core

• Authentication: use ASP.NET Identity or Azure AD; require MFA for admin roles.
• Cookies and sessions: enforce SameSite=Lax/Strict where appropriate.
• File uploads: validate type, scan for malware, store outside Webroot.
• Dependencies: run NuGet audits; keep runtime patched.
• Host: enable Kestrel TLS, disable debug endpoints in production.

Python / Django / Flask

• Templates: rely on auto-escaping; avoid unsafe template features.
• ORM use: use query parameters and ORM query APIs rather than raw SQL.
• Virtual environments: pin requirements.txt and use pip-audit/Safety.
• Secrets: use environment variables with a vault; avoid committing to .env.
• WSGI: run behind a hardened reverse proxy; limit exposed server headers.

PHP / Laravel / Symfony

• Framework features: use built-in CSRF, auth, and validation features.
• Composer: run composer audit and lock versions in composer.lock.
• Output encoding: use blade/twig escaping by default; escape raw outputs.
• Uploads: enforce strict MIME and extension checks; store outside public path.
• Configuration: disable debug mode in production; secure .env file permissions.

Fast First 7-Day Remediation Plan for Stack-Specific Checklists

Day 1–2

• Inventory and high-risk scanning
• Generate SBOM; run SCA and quick DAST against public endpoints.

Day 3–4

• Authentication and access controls
• Enforce MFA for admins; audit roles and revoke excessive permissions.

Day 5

• Patch and dependency actions
• Patch critical/high CVEs; pin and test dependency upgrades.

Day 6

• Logging and detection
• Centralize logs; create at least three alerts for auth failures, privilege changes, and high error rates.

Day 7

• Deploy mitigations
• Add WAF rules, rate limits, and enable TLS hardening; validate with smoke tests.

How Can Canadian SMEs Further Reduce OWASP Top 10 Web Applications Security Risks?

Canadian SMEs can additionally reduce OWASP Top 10 Web applications security risks by adopting lightweight, scalable security practices that focus on secure defaults, automation, and staff awareness—without needing enterprise-level resources. Shortened below is a practical breakdown tailored for SMEs doing business throughout Canada:

1. Start with Secure Defaults

• Use frameworks and platforms that enforce secure-by-default settings (e.g.: secure cookies, CSRF protection).
• Disable unused features, verbose errors, and debug endpoints in production.

2. Automate Security Checks

• Integrate static and dynamic analysis tools into CI/CD pipelines (e.g.: Snyk, OWASP ZAP, SonarQube).
• Use dependency scanners to catch vulnerable packages early.

3. Prioritize Access Control and Authentication

• Implement role-based access control (RBAC) and test for privilege escalation.
• Use phishing-resistant MFA (e.g.: FIDO2) and secure session management.

4. Harden Configuration and Infrastructure

• Apply CIS Benchmarks for servers, containers, and cloud services.
• Use Infrastructure-as-Code (IaC) tools like Terraform with security modules.

5. Manage Software Supply Chain Risks

• Maintain a Software Bill of Materials (SBOM) for all projects.
• Use trusted registries and verify package signatures.
• Regularly audit third-party components and vendors.

6. Secure Design and Threat Modeling

• Use OWASP Threat Dragon or similar tools for lightweight threat modeling.
• Define security requirements early in the development lifecycle.

7. Improve Logging and Monitoring

• Centralize logs using tools like ELK stack or cloud-native logging.
• Set up alerts for suspicious behavior (e.g.: failed logins, privilege changes).

8. Handle Errors Safely

• Sanitize error messages to avoid leaking internal logic.
• Implement structured exception handling and graceful degradation.

9. Train and Empower Staff

• Provide OWASP Top 10 training for developers and testers.
• Encourage a security-first culture with regular awareness sessions.

10. Conduct Regular Security Reviews

• Schedule periodic audits and penetration tests (even lightweight ones).
• Use OWASP ASVS or MASVS as a checklist for secure development.

Figure 3: Hands-On Tools for Canadian SMEs to Alleviate OWASP Top 10

Feasible Approaches: OWASP Top 10 Mitigations for Canadian SMEs Working with European Union Clients under GDPR or European Union Cyber Resilience Act

The approaches below align Canadian SMEs working with GDPR or European Union Cyber Resilience Act (CRA) 2024/2847 expectations and legal requirements while addressing OWASP Top 10 cyber-risks.

1. Access Control & Authentication

• Enforce role-based access control (RBAC) with multi-tenant isolation.
• Implement phishing-resistant MFA (e.g.: FIDO2).
• Secure session management (short lifetimes, rotation, invalidation).

2. Configuration & Infrastructure

• Apply CIS Benchmarks to servers, containers, and cloud services.
• Automate secure configuration baselines (IaC tools like Terraform).
• Disable unused features, verbose errors, and debug endpoints.

3. Software Supply Chain

• Maintain SBOMs for all deployed applications.
• Scan dependencies for vulnerabilities and license risks.
• Use trusted registries and verify package signatures.

4. Cryptography & Data Integrity

• Enforce TLS 1.2+ with strong cipher suites.
• Use modern crypto libraries (e.g.: libsodium).
• Sign code, containers, and updates.

5. Input Validation & Injection Prevention

• Use parameterized queries and ORM frameworks.
• Validate and sanitize all user inputs contextually.
• Apply least privilege to backend systems.

6. Secure Design & Threat Modeling

• Conduct lightweight threat modeling (e.g.: OWASP Threat Dragon).
• Define security requirements early in SDLC.
• Use secure design patterns and reference architectures.

7. Logging & Monitoring

• Centralize logs with secure transport and storage.
• Monitor for anomalies and trigger actionable alerts.
• Test incident response playbooks regularly.

8. Error Handling & Exceptional Conditions

• Sanitize error messages to avoid leaking internal logic.
• Implement structured exception handling and graceful degradation.
• Fail securely and log all abnormal conditions.

Cheap, High-Impact Cross-Cutting Controls for SMEs

• Automate scans in CI: SAST for code smells, SCA for dependencies, and simple DAST for public endpoints; fail builds on critical issues.
• Use managed services for auth (Auth0, Azure AD B2C) and secrets (AWS Secrets Manager, Azure Key Vault) to offload hard problems.
• Deploy a basic WAF and rate-limiting rules for public endpoints; enable TLS and HSTS via managed load balancers.
• Run quarterly external scans and at least one yearly penetration test or targeted audit for critical Web applications.

Minimal Roadmap (30/60/90 Days)

• 0–30 days: Inventory (SBOM, assets), enable TLS, enforce MFA for admins, enable dependency alerts in repo.
• 31–60 days: Add CI scans (SAST + SCA), centralize logs and three core alerts, fix critical/high CVEs.
• 61–90 days: Threat modeling on core flows, deploy WAF rules, sign artifacts and harden CI/CD permissions.

Low-Cost Tools & Resources for SMEs

• Dependency scanners: Dependabot (GitHub), GitLab SCA, npm audit, pip-audit, Trivy for containers.
• SAST/DAST options: free tiers of open-source tools and community editions (e.g.: OWASP ZAP for DAST).
• Secrets & auth: use cloud-managed secrets stores and identity providers rather than home-grown solutions.
• Training: short targeted developer training (1–2 hours) on injection, auth, and access control pays immediate dividends.

Ultimate Recommendations for Integrating OWASP Top 10 into SDLC & Compliance Strategy

Start with visibility (inventory + automated dependency checks), lock down authentication and access control, centralize logging/alerting, then expand to automated code and runtime checks; iterate remediation in short cycles to reduce the highest cyber-risks quickly. Summarized below is a tailored roadmap to help SMEs across Canada integrate the OWASP Top 10:2025 into their Software Development Life Cycle (SDLC) and interconnected compliance strategy. This is especially relevant for Canadian SMEs working with European clients under regulatory frameworks like the GDPR or the European Union Cyber Resilience Act (CRA) 2024/2847.

PHASE 1: Foundation & Awareness

Goal: Establish a shared understanding of OWASP Top 10 and its relevance to your business operations and regulatory obligations.

• Conduct OWASP Top 10 training for software developers, QA, and product teams.
• Map OWASP risks to CRA 2024/2847 essential requirements and GDPR cybersecurity principles.
• Adopt OWASP ASVS as a baseline for secure software coding and testing.
• Define security roles and responsibilities across the SDLC.

PHASE 2: Design & Architecture

Goal: Embed security early through secure design and threat modeling.

• Integrate A06: Insecure Design into architecture reviews.
• Use OWASP Threat Dragon or STRIDE for lightweight threat modeling.
• Define security requirements for each feature (e.g.: access control, logging, cryptography).

PHASE 3: Development & Build

Goal: Prevent vulnerabilities through secure coding, dependency hygiene, and automation.

• Enforce secure coding standards aligned with OWASP Top 10.
• Scan for A03: Software Supply Chain Failures using tools like Snyk/Dependabot or OWASP Dependency-Check.
• Implement secure authentication (A07), input validation (A05), and error handling (A10).
• Maintain SBOMs and verify component integrity.

PHASE 4: Testing & Verification

Goal: Detect OWASP Top 10 risks before deployment.

• Integrate static (SAST), dynamic (DAST), and interactive (IAST) testing tools.
• Perform fuzzing and abuse-case testing for A10: Exceptional Conditions.
• Use OWASP ZAP or Burp Suite to test for A01–A05 vulnerabilities.
• Validate logging, alerting, and telemetry coverage (A09).

PHASE 5: Deployment & Operations

Goal: Ensure secure configuration, observability, and incident readiness.

• Harden environments against A02: Security Misconfiguration using CIS Benchmarks.
• Monitor for anomalies and enforce log integrity (A09).
• Implement runtime integrity checks for A08: Software/Data Integrity Failures.
• Prepare breach notification workflows aligned with GDPR Article 33.

PHASE 6: Continuous Improvement

Goal: Sustain security maturity and regulatory alignment.

• Conduct regular security reviews and OWASP Top 10 gap assessments.
• Update threat models and SBOMs with each release.
• Stay current with OWASP projects (e.g.: API Top 10, MASVS, CycloneDX).
• Align with evolving CRA 2024/2847 guidance and ENISA recommendations.

Conclusion

The OWASP Top 10:2025 Web Applications Security Risks will remain the primary, consensus-driven snapshot of critical Web-app risks while evolving to reflect new technologies, cyber-attacker methods, and software delivery practices. The future editions of the list will emphasize root causes, system complexities, and IT ecosystem risks rather than only individual exploit types.

The OWASP Top 10:2025 signals a significant shift toward systemic resilience, secure design, and supply chain integrity—trends that will shape future AppSec priorities, tooling, and compliance frameworks. Abridged hereunder is a look at the emerging I-Trends and II-Prospects based on the OWASP Top 10:2025 release and expert predictions.

I – Major Trends Shaping the Content of Future OWASP Top 10

1. Root-Cause Focus Over Symptom-Based Fixes

• OWASP is moving away from isolated vulnerabilities toward underlying architectural flaws.
• Categories like Insecure Design and Mishandling of Exceptional Conditions emphasize secure-by-default behavior, not just patching.

2. Supply Chain Security as a Core Concern

• Software Supply Chain Failures (A03:2025) reflects growing threats from compromised dependencies, build pipelines, and third-party integrations.
• Expect increased adoption of SBOMs, dependency attestation, and runtime integrity checks.

3. Operational Resilience and Observability

• Logging & Alerting Failures (A09:2025) highlights the need for telemetry, anomaly detection, and incident readiness.
• Future tooling will prioritize forensics, alert fidelity, and response automation.

4. Secure Design and Threat Modeling

• Insecure Design (A06:2025) encourages early-stage security practices like abuse-case analysis, secure architecture patterns, and design-time controls.
• Threat modeling tools (e.g.: OWASP Threat Dragon) will become more integrated into SDLC pipelines.

5. Cloud-Native and API-Centric Risks

• Though not a standalone category, cloud and API misconfigurations are embedded in Security Misconfiguration and Broken Access Control.
• Future OWASP guidance may include API-specific Top 10, container security, and multi-cloud posture management.

6. AI and Automation in AppSec

• As AI-generated code and AI-powered testing grow, OWASP may evolve to address AI model exposure, prompt injection, and automated vulnerability exploit detection.
• Expect future OWASP projects to explore AI-specific risks and secure ML pipelines.

II – Prospects for OWASP Top 10 Adoption and Influence

• Regulatory alignment: OWASP Top 10:2025 will be increasingly referenced in frameworks like GDPR, CRA 2024/2847, PCI DSS, and ISO/IEC 27001.
• Training and certification: OWASP categories shape developer education, secure coding standards, and AppSec certifications.
• Tooling integration: Security scanners, CI/CD platforms, and cloud security posture tools are embedding OWASP checks natively.

Final Factual Observations

OWASP Top 10 will continue to be the canonical, evolving pulse of Web applications security risks, moving from individual vulnerability classes towards systemic, architecture- and supply-chain-centered risks driven by cloud computing, APIs, and automation. Organizations that adopt threat-focused design, continuous dependency governance, and runtime observability will be best positioned to avoid exposures from the future release of OWASP Top 10 Web Applications Security Risks.

RESOURCES AND REFERENCES

1. Open Worldwide Application Security Project – OWASP Foundation Multilayered Website. OWASP Top 10:2025 – Web Applications Security Risks: Release Candidate One (RC1) Dated the 6^th of November 2025. Multidimensional cybersecurity knowledge and content published online. OWASP Headquarters – Wilmington, Delaware, USA. Hyperlink 1: Introduction – OWASP Top 10:2025 RC1 Hyperlink 2: OWASP Foundation, the Open Source Foundation for Application Security | OWASP Foundation
2. Jinfeng Li and Haorong Li. “Evolution of Application Security based on OWASP Top 10 and CWE/SANS Top 25 with Predictions for the 2025 OWASP Top 10” in the compilation selection of the 2025 International Conference on Inventive Computation Technologies (ICICT) – Kirtipur, Nepal – 23^rd to 25^th April 2025. Published by IEEE Xplore Digital Library on 23^rd May 2025. Evolution of Application Security based on OWASP Top 10 and CWE/SANS Top 25 with Predictions for the 2025 OWASP Top 10 | IEEE Conference Publication | IEEE Xplore
3. Min, N.M., Visoottiviseth, V., Teerakanok, S. and Yamai, N. in the compilation selection of the 24^th International Conference on Advanced Communication Technology (ICACT), published by Scientific Research Open Access – An Academic Publisher: Pyeongchang, South Korea, 13^th to 16^th February 2023, pp. 317-322. Min, N.M., Visoottiviseth, V., Teerakanok, S. and Yamai, N. (2022) OWASP IoT Top 10 Based Attack Dataset for Machine Learning. 2022 24th International Conference on Advanced Communication Technology (ICACT), PyeongChang Kwangwoon_Do, 13-16 February 2022, 317-322. – References – Scientific Research Publishing
4. Davide Fucci, Emil Alégroth, Michael Felderer and Christoffer Johannesson. “Evaluating Software Security Maturity Using OWASP SAMM: Different Approaches and Stakeholders Perceptions” in The Journal of Systems and Software, Volume 214 – August 2024, Series 112062, published by ScienceDirect – Elsevier, Amsterdam, The Netherlands. Open Access Article published under a Creative Commons License – Evaluating software security maturity using OWASP SAMM: Different approaches and stakeholders perceptions – ScienceDirect
5. Shao-Fang Wen and Basel Katt. “A Quantitative Security Evaluation and Analysis Model for Web Applications Based on OWASP Application Security Verification Standard” in Computers and Security Journal, Volume 135 – December 2023, Series 103532, published by ScienceDirect – Elsevier, Amsterdam, The Netherlands. Open Access Article published under a Creative Commons License – A quantitative security evaluation and analysis model for Web applications based on OWASP application security verification standard – ScienceDirect
6. Rob Botwright et al. OWASP Top Ten Vulnerabilities: Beginner’s Guide to Web Application Security Risks, 4 Books in 1 Stack, Paperback 2^nd Edition, Morden, London, England (UK): jointly published by Google Books and Pastor Publishing Co. Ltd., 11^th January 2024, 392 pages. Hyperlink 1: OWASP Top 10 Vulnerabilities: Beginner’s Guide To Web Application Security Risks – Rob Botwright – Google Books Hyperlink 2: OWASP Top 10 Vulnerabilities: Beginner’s Guide To Web Application Security Risks: Botwright, Rob: 9781839386299: Books – Amazon.ca
7. Landen Howe. Practical OWASP Security Testing: Hands-On Strategies for Detecting and Mitigating Web Vulnerabilities in the Age of AI, 1^st Paperback Edition, Large Print and e-Book Formats. Seattle, Washington, USA: Amazon Publishing USA, 18^th of July 2025, 165 pages, ISBN: 979-8293086450. Practical OWASP Security Testing: Hands-On Strategies for Detecting and Mitigating Web Vulnerabilities in the Age of AI: Howe, Landen: 9798293086450: Books – Amazon.ca
8. Rajesh Dangi. OWASP for Secure Web Applications, Computer Science and Information Technology Series, Paperback 1^st Edition, Chennai, Tamil Nadu, India: Notion Press Print Media, 1^st August 2024, 178 pages. Hyperlink 1: OWASP for Secure Web Applications Hyperlink 2: OWASP for Secure Web Applications: Rajesh Dangi: 9798895194348: Books – Amazon.ca
9. Bryan Schroeder. OWASP Application Security Practitioner Exam Prep: 500 Practice Questions with Detailed Explanations, 1^st Paperback Edition, Large Print and e-Book Formats. Seattle, Washington, USA: Amazon Publishing USA, 11^th August 2025, 309 pages, ISBN: ‎979-8297491144. OWASP Application Security Practitioner Exam Prep: 500 Practice Questions with Detailed Explanations: Schroeder, Bryan: 9798297491144: Books – Amazon.ca
10. Daniel Finnian. Cyber Security for Developers with OWASP and Security Headers: A Programmer’s Blueprint for Fortifying Web Services Against Critical Vulnerabilities, 1^st Paperback Edition, Large Print and e-Book Formats. Seattle, Washington, USA: Amazon Publishing USA, 2^nd September 2025, 186 pages, ISBN: ‎979-8263575267. Cyber Security For Developers With OWASP And Security Headers: A programmer’s Blueprint For Fortifying Web Services Against Critical Vulnerabilities: Finnian, Daniel: 9798263575267: Books – Amazon.ca
11. Taylor Chadwick. End-to-End Web App Protection with OWASP ASVS: Step-by-Step Methods to Harden Authentication, Access Control, Encryption, and Serverless Deployments, 1^st Paperback Edition, Large Print and e-Book Formats. Seattle, Washington, USA: Amazon Publishing USA, 29^th July 2025, 291 pages, ISBN: ‎979-8294673376. End-to-End Web App Protection with OWASP ASVS: Step-by-Step Methods to Harden Authentication, Access Control, Encryption, and Serverless Deployments: Chadwick, Taylor: 9798294673376: Books – Amazon.ca

Contributions

Special thanks for the financial support of the National Research Council Canada (NRC) and its Industrial Research Assistance Program (IRAP) benefitting innovative SMEs throughout the 10 provinces and 3 territories of Canada.

Newsletter Executive Editor:

Alan Bernardi, SSCP, PMP, Lead Auditor for ISO 27001, ISO 27701 and ISO 42001
B.Sc. Computer Science & Mathematics, McGill University, Canada
Graduate Diploma in Management, McGill University, Canada

Author-Amazon USA, Computer Scientist, Certified Professional Writer & Translator:

Ravi Jay Gunnoo, C.P.W. ISO 24495-1:2023 & C.P.T. ISO 17100:2015
B.Sc. Computer Science & Cybersecurity, McGill University, Canada
B.Sc. & M.A. Professional Translation, University of Montreal, Canada

This content is published under a Creative Commons Attribution (CC BY-NC) license.