live_tv
Livestream Starting Soon
00
Hours
:
00
Minutes
:
00
Seconds
Up next in 10
The 2025 OWASP Top 10 reveals a fundamental shift in application security, showing how threats have transformed from simple code flaws like buffer overflows to exploiting the systemic complexity of cloud-native and microservices architectures. This newest list confirms the continued dominance of Broken Access Control (A01) and spotlights the critical surge of Security Misconfiguration (A02) to the number two spot, reflecting that infrastructure has become the primary attack surface. We examine why Software Supply Chain Failures (A03) became the new perimeter—despite limited presence in collected data—and discuss how integrating DevSecOps practices is the only way to meet modern development velocity.
Sponsors:
https://cloudassess.vibehack.dev
https://vibehack.dev
https://airiskassess.com
https://compliance.airiskassess.com
https://devsecops.vibehack.dev
Show More Show Less View Video Transcript
0:00
Welcome back to the deep dive. Today
0:01
we're uh digging into something pretty
0:03
big. 22 years of app security history
0:06
basically mapped out by the AAS POP 10.
0:09
Yeah. And with the 2025 release
0:11
candidate out, it gives us a really
0:13
clear picture, doesn't it?
0:14
It does. We've got this datadriven story
0:16
of where things are heading, what
0:18
leaders really need to focus on. Now,
0:20
that's exactly it. You know, the top 10
0:22
isn't just a list. It's a narrative. It
0:25
tells the story of how everything
0:26
changed. We went from like monoliths and
0:29
simple code errors in 2003 to these
0:32
incredibly complex distributed
0:34
cloudnative systems we see today. The
0:36
whole mindset has to shift. Forget just
0:38
guarding the perimeter. Now it's about
0:40
securing the entire pipeline.
0:41
Exactly. And we know CISOs, security
0:43
teams, well, you're all dealing with
0:45
this complexity daily. So our mission
0:47
here, our deep dive goal is to boil this
0:49
down fast.
0:50
Get to the core.
0:51
Yep. Get you the three big strategic
0:53
shifts the 2025 list really hammers
0:55
home. One, infrastructure is the new
0:57
attack surface. Two, the supply chain.
1:00
That's your new perimeter. And three,
1:02
devs secops isn't some nice to have
1:03
anymore. It's it's mandatory. It's the
1:06
only way to operate at scale.
1:07
We'll definitely get into why things
1:08
like misconfiguration are just
1:10
skyrocketing and uh how these integrity
1:13
failures in the pipeline, they're
1:14
genuinely existential threats now.
1:16
And you know, getting up to speed
1:18
quickly, but really understanding the
1:19
stuff deeply, that's key to managing all
1:21
this complexity.
1:22
Absolutely essential. which is why we
1:24
really want to thank our sponsors for
1:25
backing this deep dive. devs
1:27
secops.vibehack.dev
1:29
cloudasses.vibehack.dev
1:32
and uh you can find the whole suite of
1:34
resources over at www.vibehack.dev.
1:38
Okay, let's jump back. 2003 the
1:40
beginning. What did things actually look
1:42
like then? Set the scene for us.
1:43
Right, so 2003 think physical servers in
1:46
Iraq somewhere. Big monolithic
1:49
applications, one code base pretty much.
1:51
And defense was simple. Build a strong
1:53
firewall, secure the network edge. The
1:55
perimeter is everything inside mostly
1:57
trusted
1:58
and the threats reflected that
1:59
totally very direct things. Unvalidated
2:01
parameters, command injection, remember
2:03
buffer overflows, especially in like C
2:05
and C++ code,
2:07
right?
2:07
Oh yeah, a classic
2:08
and security. It happened after
2:10
developers built the thing, then kind of
2:12
tossed it over the wall. Security tested
2:14
it later.
2:15
Very reactive. But those walls, they
2:17
started crumbling pretty quickly around
2:20
2010 maybe with cloud starting.
2:22
Yeah, that was the first big crack.
2:23
Cloud migration begins and suddenly that
2:26
safe inside assumption gone. Traditional
2:29
network controls, firewalls, they were
2:32
kind of useless against this new elastic
2:34
APIdriven infrastructure, you know, is
2:37
right.
2:38
And that's when security
2:39
misconfiguration really started climbing
2:40
the charts. People just didn't grasp the
2:43
shared responsibility model. thought the
2:45
cloud provider handled everything. Big
2:47
mistake.
2:47
And then came speed. DevOps. 2013ish,
2:50
suddenly we're talking hundreds of
2:52
deployments a day.
2:53
Exactly. That velocity just broke the
2:55
old security model. Manual testing, no
2:57
way to keep up. But the really critical
2:59
thing in 2013 wasn't just speed.
3:01
What was it?
3:01
It was trust or uh lack of it in new
3:05
places. The list added using components
3:07
with known vulnerabilities. That was
3:09
huge. It signal a shift. We weren't just
3:12
worrying about the code he wrote
3:13
anymore. Ah, right. It was about all the
3:15
third party stuff we were pulling in.
3:17
Precisely. The software supply chain
3:19
risk was officially born. We started
3:22
depending on code we didn't write and
3:24
frankly didn't always understand.
3:26
Which leads us straight to 2017.
3:28
Microservices, containers, Kubernetes,
3:32
the application itself just kind of
3:34
exploded in pieces.
3:35
Yeah, fragmented is the word. We weren't
3:37
securing a single house anymore. We were
3:39
trying to secure a whole distributed
3:41
city. Complexity went through the roof.
3:42
And the list reflected that complexity.
3:44
Absolutely. Broken access control
3:46
surged. Why? Because now you had to
3:48
manage authorization across maybe dozens
3:51
of tiny separate services, APIs
3:54
everywhere, lots of places for things to
3:56
go wrong.
3:57
And we also finally started waking up to
3:58
the risks in the environment itself.
4:00
Vulnerable containerbased images,
4:02
misconfigured Kubernetes, the stuff
4:04
running the application became a prime
4:06
target.
4:06
Okay. So, if 2017 was about
4:08
fragmentation, creating complexity, it
4:10
feels like the 2025 list is saying,
4:12
"Okay, we haven't really mastered
4:14
securing that complexity yet."
4:16
That's a good way to put it. The 2025
4:18
candidate definitely focuses more on
4:19
root causes, these big architectural
4:21
issues, rather than just symptoms. Take
4:23
AO1, broken access control, still number
4:27
one.
4:27
Still a king. It just won't go away,
4:29
will it?
4:30
Nope. It held the top spot in 2021, and
4:33
it's still there in 25.
4:34
Mhm. affecting what 3.73% of tested
4:37
apps. The reason it persists is that
4:39
share complexity we talked about. Every
4:42
micros service, every API, another
4:44
potential failure point for who gets
4:46
access to what.
4:47
And it's evolved too, right? With SSRF
4:49
being included now,
4:50
right? That's a key update in the 2025
4:52
list, including serverside request
4:54
forgery under AO1 acknowledges that
4:57
access control isn't just usertos server
4:58
anymore. It's also server to server,
5:00
preventing attackers from making the
5:02
server itself reach out and attack other
5:03
internal systems. lateral movement.
5:05
And this idea of agentic AI
5:07
amplification, that sounds like a whole
5:09
new level of scary for access control.
5:11
How is that different? Isn't it just
5:12
another way authorization can fail?
5:14
Well, yes and no. The failure might look
5:17
similar. Bad permissions, but the actor
5:19
is different. And that changes the game.
5:22
Before it was a human mistake exploited
5:25
by a human attacker. Now,
5:26
an AI agent.
5:28
Exactly. Imagine an autonomous AI agent.
5:30
If it has bad permissions, a broken
5:32
access control, it could potentially
5:34
start pulling massive amounts of data or
5:36
changing critical systems on its own. No
5:38
human needed to drive the attack second
5:40
by second.
5:41
Wow. The speed and scale
5:42
exponentially higher. A human needs time
5:45
to poke around, figure things out. An AI
5:47
agent working autonomously, it could do
5:49
immense damage almost instantly. That's
5:51
the amplification risk.
5:53
Okay, that definitely sets a worrying
5:54
stage for the next big mover you
5:56
mentioned, AO2 security
5:57
misconfiguration. jump from number five
5:59
all the way to number two. That's the
6:00
biggest leap on the list.
6:01
It is and it's the clearest signal that
6:03
infrastructure is the attack surface
6:05
now. 3% of tested applications affected.
6:08
It's just the sheer volume of settings
6:10
in cloud environments, especially
6:12
multicloud, it's overwhelming.
6:13
And infrastructure as code makes it
6:15
worse.
6:15
It can. Yeah, IA is powerful, but a
6:18
mistake in one template, boom, it gets
6:20
replicated across potentially thousands
6:22
of resources instantly. And Kubernetes
6:25
misconfigs. Yeah,
6:27
they're a gold mine for attackers, often
6:29
leading to complete cluster takeover.
6:31
The numbers are pretty stark, too.
6:33
Something like 83% of orgs had a cloud
6:35
incident in 2024, and misconfigurations
6:38
were involved in almost a quarter of
6:39
them.
6:39
That sounds right. And the cost, what
6:41
was it? Over $4 million average per
6:44
misconfiguration incident.
6:46
$4.24 million. Yeah, that's staggering.
6:49
It really is. 4 million bucks. It just
6:50
screams that doing this manually
6:52
checking configs by hand, it's just not
6:54
viable anymore. the speed, the
6:56
complexity, the risk, you need
6:59
automation, continuous checking,
7:00
which brings us neatly to managing that
7:02
risk. It's clear you need that automated
7:04
posture management. And we should thank
7:05
our sponsor cloudassis.viphack.dev
7:08
here because that's exactly what they
7:09
help teams do. Assess and fix these
7:11
cloud configuration risks continuously
7:13
before they turn into that multi-million
7:15
dollar headache.
7:16
Absolutely critical tooling for AO2,
7:19
which then leads us to AO3, software
7:21
supply chain failures. It's basically
7:23
the new perimeter. Wouldn't you say? It
7:24
really feels like it. It's not just
7:26
about checking your dependencies
7:27
anymore, is it?
7:28
Oh, not even close. It's the whole life
7:29
cycle now. Compromised build pipelines,
7:32
malicious packages snuck into public
7:34
repos like npm or Pippi, those tricky
7:37
dependency confusion attacks.
7:39
But it's a much broader threat landscape
7:41
and the attacks are increasing,
7:42
doubled in 2024 according to the
7:44
sources. And the projected cost is
7:46
insane. Something like 138 billion
7:49
annually by 2031. Wow, that XZ utils
7:53
near miss really drove home how
7:54
sophisticated these can be,
7:56
didn't it? Just that was a patient
7:58
multi-year social engineering attack
8:00
targeting foundational Linux code. It
8:03
really highlights the leverage attackers
8:04
have. Think about it. The average app
8:06
pulls in what? Over 200 third party
8:08
libraries.
8:09
2003. Yeah.
8:10
Right. So one single compromised
8:12
dependency upstream. It can ripple
8:14
outwards and compromise thousands maybe
8:16
millions of systems downstream. your
8:18
security is literally only as strong as
8:20
your weakest link in that chain.
8:22
Okay, so if the pipeline is the
8:23
perimeter and we're deploying
8:25
constantly, that brings us right back to
8:27
DevSec Ops. You can't have manual
8:30
security reviews blocking thousands of
8:32
deploys a day.
8:33
No way. It just doesn't scale. It
8:35
becomes a bottleneck and uh frankly
8:37
developers will find ways around it if
8:39
it slows them down too much. The sources
8:41
point to a couple of categories that
8:42
really show how security needs to shift
8:46
left become part of the foundation
8:48
like AO6 insecure design.
8:50
Exactly. This shows a kind of maturity
8:53
actually. We're moving beyond just
8:55
fixing code bugs to preventing flaws at
8:57
the design stage threat modeling
8:59
defining security requirements before
9:01
you even write line one of code that
9:03
tackles the root cause.
9:04
So it's about architecting security in
9:06
from the start. Precisely. The fact AO6
9:09
is actually dropping a bit relatively
9:11
might even be good news. Maybe secure
9:12
design thinking is slowly becoming more
9:14
standard.
9:14
And then there's AO8 software and data
9:16
integrity failures. That sounds like it
9:18
targets the build process itself.
9:20
Yes, AO8 is fundamental. It covers
9:22
things like insecure deserialization.
9:25
But crucially, it calls out CI/CD
9:28
pipeline security and integrity checks.
9:31
If you can't trust the process that
9:32
builds and deploys your software,
9:34
then nothing else matters. Pretty much
9:36
your whole security posture is built on
9:37
sand. Verifying the integrity of your
9:40
artifacts, your pipeline steps. That's
9:42
non-negotiable in this cloudnative
9:44
world.
9:44
Okay, we've traced the history, the
9:46
shifts, the current crisis points in the
9:48
2025 list. Let's get practical for you
9:50
listening. What are the big impact
9:52
controls? The things that give the most
9:54
risk reduction bang for the buck against
9:56
these top threats.
9:56
Yeah, the sources are quite clear on
9:58
this. There are basically four core
9:59
controls that deliver maybe 80 90% of
10:03
the value. the good enough solution, if
10:05
you will,
10:05
right? Core control number one,
10:06
access and authentication. Simple but
10:09
powerful. Enforce multiffactor
10:11
authentication everywhere ruthlessly.
10:14
The data suggests this alone cuts risk
10:16
by something like 40%.
10:18
40%. Wow.
10:19
Yeah. It's the single biggest impact
10:20
control. Hits A1 AO7. If a SASO does
10:24
only one thing tomorrow, it should be
10:26
universal MFA. Seriously.
10:28
Okay. Number two,
10:29
configuration management. This is your
10:31
AO2 defense. Deploy cloud security
10:34
posture management CSPM tools. Automate
10:36
finding those misconfigurations. That
10:38
gives you at least another 10% risk
10:40
reduction across the board.
10:42
Number three got to be the supply chain.
10:44
You got it. Supply chain defense.
10:45
Implement software composition analysis
10:47
sea tools generate software bills and
10:49
materials. SBMS. You need to know what's
10:52
in those 203 dependencies to handle AO3.
10:56
Transparency
10:57
makes sense. And number four,
10:58
detection and response. You need
11:00
visibility, centralized logging feeding
11:03
into assigned security information and
11:05
event management system. Why? To slash
11:07
detection time,
11:08
right? Because breaches happen, but
11:09
finding them fast matters
11:11
hugely. Good logging and seam can take
11:13
detection time down from like months.
11:15
The average used to be over 200 days
11:17
down to hours or days that minimizes the
11:19
damage from things like A9 and A10.
11:21
So these controls, MFA, CSPM, SCA, SIM,
11:24
automating them seems key. Embedding
11:26
them right into the workflow. That
11:28
sounds like DevSec Ops orchestration.
11:30
It absolutely is. You can't bolt these
11:32
on effectively at modern scale.
11:34
They have to be integrated. That's the
11:36
only way.
11:36
And that integration, that automation,
11:39
that's where our sponsor dev
11:41
seccops.vipac.dev
11:42
comes in providing platforms to actually
11:45
enable that security automation and
11:47
orchestration. It really is central to
11:49
making dev sec ops work in practice.
11:51
Definitely, which kind of brings us full
11:53
circle, doesn't it? Appsc is this
11:54
journey of constant adaptation. The 2025
11:57
OASP list isn't just shuffling
11:59
categories. It's reflecting a
12:01
fundamental shift away from isolated
12:03
code books
12:04
towards systemic architectural risks.
12:06
The perimeter's gone. The pipeline's the
12:08
new battleground. Security has to be
12:09
baked in foundational, not sprinkled on
12:12
top.
12:12
Couldn't said it better. Yeah. And you
12:14
know, looking even further ahead, what
12:16
might the 2028 list look like?
12:17
Yeah. What's the next frontier?
12:19
Well, the elephant in the room across
12:21
almost all these categories now is AI.
12:23
The AI security dimension. We're already
12:25
seeing prompt injection. People are
12:27
calling it the SQL injection for AI.
12:29
Basically tricking large language
12:31
models.
12:31
That's getting a lot of attention, but
12:33
it's bigger than just prompt injection,
12:34
isn't it?
12:35
Oh, yeah. Think about AI model
12:37
poisoning. That's essentially a new very
12:40
sophisticated type of supply chain
12:43
attack, tampering with the models
12:45
themselves or the data they're trained
12:46
on.
12:48
So, the provocative thought for you
12:49
listening is, how are you treating your
12:52
AI models today? m
12:54
the ones you're building or using. Are
12:56
you applying the same security rigor,
12:58
integrity checks, access controls,
13:01
monitoring as you do to your critical
13:03
application code? Because that that
13:06
feels like the next great security
13:07
challenge.
13:08
That's a really potent question to end
13:10
on, especially with AI adoption moving
13:12
so fast. Excellent point.
13:13
Definitely something to think about.
13:15
Absolutely. Well, huge thanks again to
13:17
our sponsors for helping us make this
13:19
deep dive happen. debcops.vibehack.dev
13:22
dev cloudasses.viphack.dev
13:24
and find all their resources at
13:26
www.vibehack.dev.
13:28
We really appreciate their support.
13:30
Thanks everyone
13:30
and thank you for tuning in. We'll catch
13:32
you on the next deep dive.