Airlock and the OWASP Top 10 Web Application Security Risks 2025
This site describes the OWASP Top 10 Web Application Security Risks for 2025 and how Airlock addresses them. Airlock Gateway and Airlock Microgateway deliver WAF and WAAP capabilities – Gateway as an appliance, Microgatway as a container-native solution for Kubernetes envirnonments. Airlock IAM enforces strong authentication and centralised identity and access management across applications and APIs.
Table of contents
- A01:2025 Broken Access Control
- A02:2025 Security Misconfiguration
- A03:2025 Software Supply Chain Failures
- A04:2025 Cryptographic Failures
- A05:2025 Injection
- A06:2025 Insecure Design
- A07:2025 Authentication Failures
- A08:2025 Software or Data Integrity Failures
- A09:2025 Security Logging and Alerting Failures
- A10:2025 Mishandling of Exceptional Conditions
A01:2025 Broken Access Control
Broken Access Control refers to failures in enforcing authorisation rules, allowing users to access data or functionality beyond their privileges. Common examples include insecure direct object references (IDOR), missing server-side access checks, privilege escalation, and server-side request forgery (SSRF).
A02:2025 Security Misconfiguration
Applications are exposed to attack when insecure defaults, incomplete configurations, misconfigured security headers, or improper error handling are legt unaddressed.
A03:2025 Software Supply Chain Failures
When third-party components, build pipelines, or update mechanisms are compromised, vulnerabilities or malicious code can be intriduced into an application undetected.
A04:2025 Cryptographic Failures
Sensitive data is exposed when encryption is absent, weak cryptographic algorithms are used, or key management is handled insecurely.
A05:2025 Injection
Malicious input is interpreted as commands or queries when user-supplied data is not properly validated or sanitised, enabling attacks such as SQL injection, command injection, and cross-site scripting (XSS).
A06:2025 Insecure Design
When security controls are missing or ineffective at the architectural level, exploitable weaknesses emerge that cannot be remediated through implementation fixes alone, but require fundamental design changes.
A07:2025 Authentication Failures
Weak or incorrectly implemented authentication and session management allows attackers to impersonate users or bypass login mechanisms, including through missing MFA, weak credential recovery, or lack of protection against automated attacks such as credential stuffing and brute force.
A08:2025 Software or Data Integrity Failures
Untrusted or modified code and data are processed as trusted when integrity checks are absent, enabling attacks such as insecure deserialisiation or the injection of malicious updates.
A09:2025 Security Logging and Alerting Failures
When logging and alerting are insufficient or misconfigured, security incidents go undetected or unaddressed for longer, giving attackers more time to cause damage.
A10:2025 Mishandling of Exceptional Conditions
When unusual or unexpected conditions are not properly handled, systems may crash, leak sensitive information, or become unavailable due to denial of service.
Capabilites marked [IAM] are provided by Airlock IAM. All other capabilities are part of Airlock Gateway/Microgateway. Some capabilities apply to both products.
About OWASP
The Open Worldwide Application Security Project (OWASP) is a global, open community focused on improving software security. It provides free resources such as tools, documentation and standards to support organisations in building and operating secure aplications. More information: www.owasp.org
OWASP Top 10 Web Application Security Risks
The OWASP Top 10 for Web Application Security is published every three to four years and serves as a key reference for application security awareness. It highlights the most critical risks. OWASP also publishes separate Top 10 lists for APIs and non-human identities – each targeting a distinct attack surface. Airlock addresses all these threats across the full HTTP stack, combining WAF/WAAP-based request protection and authorisation enforcement with Airlock IAM for strong authentication.
