Skip to content
All posts

Mapping findings to the OWASP Top 10 2025

1 min readowasp · owasp-2025 · mapping · product

The OWASP Top 10 got a 2025 refresh, and the renumbering trips people up. Cryptographic Failures moved, Injection moved, Vulnerable and Outdated Components became part of Software Supply Chain Failures, and SSRF folded into Broken Access Control. If your tooling still maps to 2021 numbers, a finding can land under the wrong category.

The 2025 categories we map to

A weak-TLS or missing-HSTS finding maps to A04 Cryptographic Failures. A missing security header or exposed admin path maps to A02 Security Misconfiguration. SQL injection, command injection, and XSS map to A05 Injection. A dependency CVE maps to A03 Software Supply Chain Failures. An authorization gap or SSRF surface maps to A01 Broken Access Control. Auth-flow weaknesses map to A07 Authentication Failures.

Consistency is the whole point

The trap is having three different mappings: one in the worker, one on the dashboard, and one in the exported report. The same finding then shows up under different categories depending on where you look, and an auditor who notices stops trusting all of it. NANOTESTING uses one mapping end to end, so a finding tagged A05 Injection in the scan is A05 Injection on the dashboard and A05 Injection in the PDF.

What it is for

The OWASP mapping is a shared language, not a compliance certificate. It lets a developer, a security reviewer, and an auditor talk about the same finding using categories they all recognise. That is its job, and doing that job accurately, with the current numbering, is worth more than an impressive-looking but stale list.

Related posts