Introduction
Web application security has never mattered more. Everything from banking to health records runs through web applications, which makes them a primary target for attackers, and we need frameworks that tell us which vulnerabilities to fix first. In 2025 there are two big players: the classic, 20-year-old OWASP Top 10 from the Open Worldwide Application Security Project, and the newer, data-driven AWASP Top 10 from the Actual Web Application Security Project, which is built strictly on real breach evidence.
This article is my take. I'm going to introduce both, compare them head-to-head, and figure out when you should use one over the other. My goal is to give security folks a clear plan.
OWASP
The Open Worldwide Application Security Project (OWASP), renamed in early 2023 from the Open Web Application Security Project, is a non-profit community launched in 2001 and incorporated in 2004. Its mission is to improve software security through open-source projects, tools, documentation, and events. OWASP's most recognised output is the OWASP Top 10, a standard awareness document listing the ten most critical web application security risks. The 8th edition, OWASP Top 10:2025, was released on November 6, 2025, superseding the 2021 edition. It is globally recognised as the foundational document for secure software development and is referenced by numerous compliance frameworks, training programs, and regulatory standards.
OWASP Top 10 — 2025 Categories
The current edition, released November 2025, includes the following ten categories. Compared to the 2021 edition, there are two new categories (A03 and A10), one consolidation (SSRF merged into A01), and several positional changes:
- A01:2025 - Broken Access Control
- A02:2025 - Security Misconfiguration
- A03:2025 - Software Supply Chain Failures
- A04:2025 - Cryptographic Failures
- A05:2025 - Injection
- A06:2025 - Insecure Design
- A07:2025 - Authentication Failures
- A08:2025 - Software or Data Integrity Failures
- A09:2025 - Security Logging and Alerting Failures
- A10:2025 - Mishandling of Exceptional Conditions
AWASP
The Actual Web Application Security Project (AWASP), founded by Chris Wallis (Intruder), is a new initiative responding to perceived limitations in OWASP. AWASP originated as a thought experiment to create a Top 10 list based solely on confirmed breach and exploitation data, not security scanner or penetration tester findings. AWASP is independent, unaffiliated with OWASP, and publishes an annual list based on primary data sources focusing on actual attacker activities.
AWASP Top 10 — 2025 Categories
The AWASP Top 10 is ranked by confirmed exploitation frequency across breach reports, incident response, and public CVE data. Unlike OWASP, which mainly covers custom application code, AWASP notes that most of its top ten involve vulnerabilities in web-accessible vendor software (e.g., SharePoint, SAP NetWeaver, Apache Tomcat, enterprise access tools). The following table lists the ten categories and their nearest OWASP 2021 equivalent.
| # | Vulnerability | OWASP Equivalent |
|---|---|---|
| 1 | Stolen Credentials & Credential Stuffing | A07:2021 |
| 2 | Broken Access Control & Authorisation Bypass | A01:2021 |
| 3 | Web Application Deserialisation & RCE | A08:2021 |
| 4 | Server-Side Injection (SQLi, OS Command, Code Injection) | A03:2021 |
| 5 | Web Skimming & Client-Side Supply Chain Attacks | No OWASP equivalent |
| 6 | Unauthenticated File Upload & Web Shell Deployment | A01:2021 |
| 7 | Third-Party & Supply Chain Compromise | A06:2021 |
| 8 | Cross-Site Scripting (XSS) | A03:2021 |
| 9 | API Security Misconfiguration & Excessive Data Exposure | A05:2021 |
| 10 | Path Traversal in Web Applications | A01:2021 |
The Importance of Each Framework
Why OWASP Matters
OWASP's biggest impact is the cultural and educational shift it drove by creating a universal vocabulary for web application security. Before OWASP, security risks lacked a common language, hindering communication between developers and security teams. Now, OWASP is foundational in university courses, developer training, and global compliance. Its practical importance is multi-dimensional:
- Compliance: OWASP is a mandatory reference in standards like PCI DSS, ISO 27001, and NIST SP 800-53, and is often required to pass audits.
- Shifting Left: It's written for developers, focusing on design and coding decisions (like the new emphasis on root causes), making it ideal for integrating security into the SDLC.
- Comprehensive Coverage: It addresses systemic weaknesses like Insecure Design (A06) and Mishandling of Exceptional Conditions (A10), providing a complete security framework.
- Ecosystem: OWASP supports a vast community and provides free tools (ZAP, Dependency-Check), checklists (ASVS, WSTG), and training (WebGoat).
- Shared Language: The phrase 'OWASP Top 10' offers immediate, shared understanding among all stakeholders, providing significant organisational value.
Why AWASP Matters
AWASP addresses the fundamental problem that the industry may be prioritising the wrong web threats. If common scanner findings don't match actual attacker exploitation, an OWASP-focused program may protect against theoretical risks while remaining exposed to current attack vectors.
AWASP matters because it provides:
- Threat-informed prioritisation: It anchors its list in breach data and exploitation evidence, guiding security teams to where attackers are actually focused.
- Credential abuse reality check: The 2025 Verizon DBIR showed 88% of web breaches involved stolen credentials. AWASP makes authentication controls and MFA the top priority, a focus OWASP's testing-derived data structurally cannot match.
- Vendor software blind spot: Most web breaches exploit CVEs in vendor products (e.g., Ivanti, Fortinet), not custom code. AWASP surfaces this reality, whereas OWASP, designed for custom development, only addresses vendor risk secondarily.
- Annual currency: Its annual refresh from live data sources keeps practitioners working with current intelligence, unlike OWASP's four-year cycle.
- Honest methodology: AWASP is transparent about the difficulty of tracking exploitation in bespoke custom applications, aiding practitioners in calibrating risk.
Addressing Framework Limitations
AWASP Addressing OWASP's Limitations
AWASP addresses key limitations of OWASP:
Exploitability vs. Discoverability
OWASP ranks by discoverability; AWASP ranks by exploitation (what attackers actually do), providing an exploitation-grounded threat model.
Identity-Based Attacks
OWASP groups credential theft under general authentication failures (A07). AWASP prioritises credential stuffing as a top identity security problem that requires MFA, breach monitoring, and account takeover (ATO) detection, not just a code fix.
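The controls named above (MFA, breach monitoring, ATO detection) are operational rather than code-level, but the detection side can be illustrated. The following Python is an added example, not code from AWASP or from this article: it runs two simple detectors over authentication logs, one for a single source trying many usernames (classic credential stuffing) and one for a single account attacked from many sources (distributed ATO). The log lines, the log format, and the thresholds are constructed assumptions that a real deployment would replace with its own data and tuning.

```python
"""Credential-stuffing / account-takeover (ATO) detection over authentication logs.

Added example; the log format, sample lines and thresholds are constructed
assumptions, not data from AWASP, OWASP or the article.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "timestamp source_ip username outcome" (not real data).
SAMPLE_LOG = """\
2025-11-10T08:00:01Z 203.0.113.7 alice FAIL
2025-11-10T08:00:02Z 203.0.113.7 bob FAIL
2025-11-10T08:00:02Z 203.0.113.7 carol FAIL
2025-11-10T08:00:03Z 203.0.113.7 dave FAIL
2025-11-10T08:00:03Z 203.0.113.7 erin FAIL
2025-11-10T08:00:04Z 203.0.113.7 frank SUCCESS
2025-11-10T08:00:05Z 203.0.113.7 grace FAIL
2025-11-10T08:01:00Z 198.51.100.2 alice FAIL
2025-11-10T08:01:30Z 198.51.100.2 alice SUCCESS
2025-11-10T08:02:00Z 192.0.2.10 victim FAIL
2025-11-10T08:02:01Z 192.0.2.11 victim FAIL
2025-11-10T08:02:02Z 192.0.2.12 victim FAIL
2025-11-10T08:02:03Z 192.0.2.13 victim FAIL
2025-11-10T08:02:04Z 192.0.2.14 victim SUCCESS
"""


def parse_log(text):
    """Parse the constructed format into (timestamp, ip, user, outcome) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome))
    return events


def _windows(sorted_events, window):
    """Yield every time-bounded slice ending at each event (sliding window)."""
    start = 0
    for end in range(len(sorted_events)):
        while sorted_events[end][0] - sorted_events[start][0] > window:
            start += 1
        yield sorted_events[start:end + 1]


def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_users=5, min_fail_ratio=0.6):
    """Flag source IPs that try many distinct usernames with a high failure ratio.

    Returns {ip: summary}. The summary reflects the widest qualifying window, so
    any successful logins inside the spray (likely compromised accounts) are listed.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, outcome in events:
        by_ip[ip].append((ts, user, outcome))
    alerts = {}
    for ip, evs in by_ip.items():
        for win in _windows(sorted(evs), window):
            users = {u for _, u, _ in win}
            fails = sum(1 for _, _, o in win if o == "FAIL")
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                alerts[ip] = {
                    "distinct_users": len(users),
                    "attempts": len(win),
                    "failures": fails,
                    "successes": sorted(u for _, u, o in win if o == "SUCCESS"),
                }
    return alerts


def detect_distributed_ato(events, window=timedelta(minutes=5), min_ips=4):
    """Flag accounts hit from many source IPs in a short window (distributed stuffing).

    Returns {user: summary}; "compromised" is True when a success follows the spray.
    """
    by_user = defaultdict(list)
    for ts, ip, user, outcome in events:
        by_user[user].append((ts, ip, outcome))
    alerts = {}
    for user, evs in by_user.items():
        for win in _windows(sorted(evs), window):
            ips = {ip for _, ip, _ in win}
            if len(ips) >= min_ips:
                alerts[user] = {
                    "distinct_ips": len(ips),
                    "compromised": any(o == "SUCCESS" for _, _, o in win),
                }
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("credential stuffing by source:", detect_credential_stuffing(evs))
    print("distributed ATO by account:", detect_distributed_ato(evs))
```

On the constructed sample, the first detector flags 203.0.113.7 (seven usernames in a few seconds, six failures, one success against `frank`), while 198.51.100.2 is ignored because a single user retrying is normal behaviour; the second detector flags `victim`, attacked from five addresses with a final success. In practice the successes are what matter operationally: they are the accounts to force a password reset and step-up authentication on, which is the breach-monitoring and MFA side of the controls listed above.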
Vendor/Third-Party Exploitation
OWASP focuses on custom code. AWASP, using the CISA Known Exploited Vulnerabilities (KEV) catalogue and Mandiant data, identifies vendor software exploitation (CVEs in enterprise products, CMS platforms, etc.) as the dominant real-world attack vector.
Data Refresh Cycle
OWASP's multi-year updates (e.g., 2025 update covering 2021–2024) cannot reflect current threats. AWASP commits to annual, live-data updates to respond to emerging attack patterns.
Ranking Evidence
OWASP uses community surveys for two categories where testing tools fail, introducing subjectivity. AWASP eliminates surveys, relying entirely on evidence and explicitly noting data gaps.
OWASP Addressing AWASP's Limitations
Custom Application and Design-Level Coverage
AWASP's data skews toward CVEs in vendor products, so it misses risks in bespoke custom applications. OWASP is more actionable for custom code because it addresses design patterns, coding practices, and architectural decisions that AWASP openly admits it cannot cover with hard data.
Preventive and Developmental Guidance
AWASP is purely diagnostic (what attackers exploit). OWASP is both diagnostic and prescriptive (how to build securely). OWASP's 2025 categories (Insecure Design, Integrity Failures, Mishandling of Exceptional Conditions) address systemic architectural weaknesses requiring developmental changes, a focus AWASP lacks.
Compliance and Regulatory Utility
AWASP is not referenced in any major 2025 compliance framework. OWASP is mandatory or embedded in PCI DSS, ISO 27001 guidance, and industry penetration testing requirements. For regulated environments, OWASP compliance is often a necessity.
Business Logic and Application-Specific Risk
AWASP acknowledges business logic flaws are significant but cannot quantify them publicly. OWASP's ASVS and broader ecosystem provide frameworks for identifying and testing these application-specific vulnerabilities, filling a gap AWASP cannot currently address.
Developer Education and Ecosystem
OWASP is the primary educational framework for secure coding, offering tools and training. AWASP provides a prioritisation framework but lacks training resources, code-level guidance, or developer documentation. OWASP is the foundational framework for building secure software development lifecycles.
Practical Guidance: How to Use Both
OWASP and AWASP are not competing frameworks — they answer different questions and are most powerful when used together. The following guidance reflects how practitioners can integrate both:
| When to use OWASP | When to use AWASP |
|---|---|
| Building or reviewing custom application code | Prioritising your vulnerability management and patching program |
| Training developers on secure coding practices | Scoping a threat-informed penetration test |
| Meeting compliance requirements (PCI DSS, ISO 27001) | Briefing leadership on where real-world attacks are landing |
| Establishing an application security testing program | Assessing your authentication and identity security posture |
| Conducting code reviews and threat modelling | Evaluating vendor product CVE exposure in your environment |
| Assessing supply chain and dependency risk (A03:2025) | Understanding which vulnerability classes feature in confirmed breach data annually |
Conclusion
OWASP and AWASP offer distinct, complementary views on web application security. OWASP, a global, developer-centric baseline (now with the 2025 update including supply chain failures), focuses on build-time security and compliance. AWASP, based on breach and exploitation data, provides crucial threat intelligence that OWASP lacks.
Neither framework is sufficient alone. OWASP helps build secure software by addressing frequent vulnerabilities found by scanners. AWASP helps prioritise defences against active exploitation vectors.
A mature security program will use both: OWASP for development and training, and AWASP for defence prioritisation and threat intelligence, providing a complete security picture.