Hello and welcome to the Thursday, November 13th,

2025 edition of the Sands Internet Storm Center's Stormcast.

My name is Johannes Ulrich, recording today from Jacksonville, Florida.

And this episode is brought you by the sands.edu graduate certificate program in

cybersecurity engineering. Earlier this week, the OASP Foundation did release a release candidate

for its 2025 edition of its top 10 weblication vulnerability list. This is of course always important given that there are some compliance programs

that refer to the OSP top 10, but also a lot of application security programs use them

sort of as a guideline.

There are, well, in some ways, sadly not a lot of changes.

So really a lot of the old vulnerabilities are still important, like, you know, the good old

things like injection and cryptographic failure, insecure design, broken access control.

They changed the order a little bit, but they're still part of the old WASP top 10.

Now, they did merge server-side request forgery into broken access control, which makes perfect sense because, well, server-side request

for jury really takes advantage of some of the insufficient access control that sort of built

around some of the trust relationships between internal applications.

There is also a new one, well, sort of a new one that was added, and that's software supply chain

failures that used to be called vulnerable and outdated components. However, it's really

more than just components, the supply chain.

And that's really what they're acknowledging here with that change in naming that it's

outright malicious components, for example, that weren't really covered, at least in the

title of the old item.

And also, things like developer tools and such are often talk about that can lead

...