
The OWASP Top 10 2025 [1] reflects the most critical application security risks observed across industries. While the list remains application-centric by design, it increasingly exposes a broader enterprise challenge: many of these risks persist not because security controls are missing, but because identities, access, and third parties are insufficiently governed across complex ecosystems.
This article examines selected OWASP Top 10 2025 categories through an identity, governance, and enterprise risk lens and explains where Nexis, through the NEXIS Platform, contributes materially to reducing these risks.
Broken access control occurs when authorization is not enforced consistently, allowing users to access data or perform actions outside their intended permissions. OWASP states that 100% of the applications tested were found to have some form of broken access control.
Missing or inconsistent authorization checks
Excessive privileges and privilege escalation paths
Object-level and function-level access not validated
Failures often exploitable without advanced techniques
Broken access control remains the most prevalent application risk because enterprise authorization landscapes evolve continuously and often without sufficient governance. Access accumulates over time, ownership of entitlements becomes unclear, and changes in roles, responsibilities, or third-party relationships are not consistently reflected in effective permissions. The NEXIS Platform addresses this challenge by establishing structured and automated access reviews, enforcing Segregation of Duties (SoD) controls, and providing continuous transparency into who can do what across systems. By governing access decisions throughout their lifecycle, including internal and third-party access, authorization drift is reduced before it materializes as exploitable access control failures.
Security misconfiguration occurs when systems, applications, or components are deployed with insecure default settings, incomplete hardening, or inconsistent configuration, increasingly as security-relevant behavior is moved from code into configuration. OWASP states that 100% of the applications tested were found to have some form of misconfiguration.
Insecure default configurations
Incomplete or ad-hoc hardening
Configuration drift across environments
Overexposed services, roles, or permissions
Default accounts and their passwords are still enabled and unchanged
In modern enterprises, a significant share of security misconfiguration manifests at the identity and access layer rather than in infrastructure alone. IAM Governance Documentation, authorization and role definitions, attribute mappings, and third-party access rules represent configuration artifacts with direct security impact. The NEXIS Platform addresses this risk by continuously validating documented IAM governance structures against effective access, identifying deviations, and enforcing governance workflows when changes occur.
Building on this foundation, the NEXIS Platform combines identity analytics and Identity Security Posture Management (ISPM) to detect unused, excessive, or anomalous authorizations across systems. Capabilities such as the License Killer remove unnecessary access and privileges and allow organizations to identify associated unused features or services that no longer need to be active. This directly reduces the effective attack surface by eliminating functionality and access paths that should not exist.
On top of these capabilities, the NEXIS Platform will introduce the Evidence Collector, an AI-based evidence collection and verification service. The Evidence Collector closes a critical gap by performing end-to-end integrated checks that configurations and security-relevant settings within applications are implemented exactly as defined in IAM Governance Documentation. By automatically collecting, correlating, and validating evidence, the platform ensures that documented intent, technical configuration, and effective access remain continuously aligned. This significantly narrows the misconfiguration gap by moving from assumed compliance to verifiable and continuously monitored implementation.
Software supply chain failures occur when applications rely on compromised components, build processes, or external providers, implicitly trusting software artifacts and operational processes that are not sufficiently governed or verified.
Compromised third-party libraries or dependencies
Insecure or poorly governed CI/CD pipelines
Excessive trust in external components or providers
Limited visibility into who can change or deploy software
Software supply chains are no longer purely technical constructs. They are operated and influenced by identities, service accounts, and external parties that span organizational and contractual boundaries. The NEXIS Platform contributes to reducing supply chain risk by governing who is allowed to administer applications, pipelines, and integrations, and by enforcing least-privilege access across internal and third-party actors. Through its Third-Party Risk Management capabilities, the platform provides GRC functionality to assess, classify, and govern third parties, including structured assessments and risk scoring. This establishes a holistic governance layer that connects access, authorization, and risk context, ensuring that trust in suppliers and service providers is explicit, measurable, and continuously reviewed. While the platform does not replace dependency scanning or integrity verification, it mitigates a critical class of supply chain risk where insufficient governance of third parties and their access becomes the primary attack vector.
Insecure design refers to weaknesses that originate from missing or insufficient security controls at the design and architecture level, often due to absent threat modeling, flawed assumptions, or security being addressed too late in the lifecycle.
Missing or incomplete threat modeling
Weak or implicit trust boundaries
Security controls added only after incidents occur
Overreliance on reactive rather than preventive measures
In large enterprises, insecure design frequently manifests in access and authorization structures that were never deliberately designed but instead evolved organically over time. Authorizations, roles, and approval paths are introduced incrementally, often without a clear target model, consistent documentation, or alignment to risk and compliance requirements. The NEXIS Platform addresses this by enforcing structured IAM Governance Documentation during application onboarding and lifecycle changes, requiring explicit definition of authorizations, roles, access rules, Segregation of Duties constraints, and ownership.
This design discipline is complemented by the platform’s GRC capabilities, which define and enforce controls mapped to established standards such as ISO 27001, DORA, SOX, or HIPAA. By linking authorization structures to control objectives, risk classifications, and compliance requirements, the platform establishes a governance layer that makes access design intentional, reviewable, and auditable. Extending this approach to third-party integrations ensures that insecure design patterns are not reintroduced at ecosystem boundaries.
Authentication failures occur when authentication mechanisms are weak, misconfigured, or inconsistently enforced, enabling attackers to compromise accounts or gain unauthorized access.
Missing or weak multi-factor authentication
Poor credential handling and storage
Insecure session management
Reuse of compromised or shared credentials
Authentication failures in enterprise environments are rarely caused by authentication mechanisms alone. They are frequently amplified by poor identity hygiene, unclear ownership, and a lack of governance over identities and authentication-relevant configurations. Orphaned accounts, dormant users, shared identities, and unmanaged third-party accounts undermine even strong authentication controls.
The NEXIS Platform strengthens authentication posture by governing the full lifecycle of identities and access. Within IAM Governance Documentation, authentication-related configurations can be documented, assessed, and governed, including requirements for proper MFA settings, secure fallback mechanisms, and evidence that controls are implemented and effective. By combining structured access reviews, configuration evidence, continuous anomaly detection, and third-party governance, the platform reduces the risk that authentication controls are rendered ineffective by identities or configurations that should have been removed, restricted, or revalidated.
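As an added example (not code from the NEXIS Platform; the data set, field names and thresholds are constructed), the check below runs over a small entitlement inventory and flags the conditions described in the broken access control and authentication sections above: Segregation of Duties conflicts, dormant and orphaned accounts, and third-party access that has outlived its contract.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Constructed sample inventory; field names are assumptions, not a product schema.
@dataclass
class Identity:
    user_id: str
    owner: Optional[str]        # accountable person; None means orphaned account
    kind: str                   # "internal" or "third_party"
    last_login: date
    contract_end: Optional[date] = None
    entitlements: set = field(default_factory=set)

# SoD rules: pairs of entitlements a single identity must never hold together.
SOD_RULES = {frozenset({"ap.create_vendor", "ap.approve_payment"}),
             frozenset({"hr.change_salary", "hr.approve_payroll"})}

IDENTITIES = [
    Identity("alice", "cfo", "internal", date(2026, 1, 20),
             entitlements={"ap.create_vendor", "ap.approve_payment", "erp.read"}),
    Identity("bob", None, "internal", date(2025, 6, 1), entitlements={"erp.read"}),
    Identity("vendor-svc", "it-ops", "third_party", date(2026, 1, 25),
             contract_end=date(2025, 12, 31), entitlements={"ci.deploy"}),
    Identity("carol", "hr-lead", "internal", date(2026, 1, 28),
             entitlements={"hr.change_salary"}),
]

def sod_conflicts(identities):
    """(user_id, rule) for every identity holding both sides of an SoD rule."""
    return [(i.user_id, tuple(sorted(r))) for i in identities
            for r in SOD_RULES if r <= i.entitlements]

def dormant(identities, today, max_idle_days=90):
    """Accounts with no login within max_idle_days are access-review candidates."""
    return [i.user_id for i in identities
            if (today - i.last_login).days > max_idle_days]

def orphaned(identities):
    """Accounts without an accountable owner cannot be meaningfully reviewed."""
    return [i.user_id for i in identities if i.owner is None]

def expired_third_party(identities, today):
    """Third-party access that outlives its contract is ungoverned supply-chain exposure."""
    return [i.user_id for i in identities
            if i.kind == "third_party" and i.contract_end and i.contract_end < today]

def governance_findings(identities, today=date(2026, 2, 1)):
    """Bundle all checks into one report a review workflow could act on."""
    return {"sod": sod_conflicts(identities), "dormant": dormant(identities, today),
            "orphaned": orphaned(identities),
            "expired_third_party": expired_third_party(identities, today)}
```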
Security logging and alerting failures occur when security-relevant events are not sufficiently recorded, monitored, or acted upon, preventing timely detection, investigation, and response to attacks.
Missing or incomplete security logs
Alerts that are generated but not reviewed or acted upon
Delayed detection of security incidents
Insufficient evidence for forensic analysis and audits
In enterprise environments, logging and alerting failures are often not caused by missing technical telemetry, but by the absence of governance, context, and actionable intelligence around identity and access-related events. The NEXIS Platform addresses this gap through identity analytics and Identity Security Posture Management (ISPM), continuously analyzing identity, access, and authorization data to detect anomalies, deviations, and risk patterns.
As an Identity Visibility and Intelligence Platform (IVIP), the NEXIS Platform follows a clear principle: visibility must lead to intelligence, and intelligence must lead to action (cf. Gartner’s VIA model [2]). Detection of anomalies and deviations therefore triggers governance workflows, remediation measures, or enforced reviews to restore a secure and compliant posture. By embedding audit-ready traceability, analytics-driven detection, and remediation into IAM Governance Documentation and governance workflows, the platform closes the gap between detection and response and complements SIEM and SOC tooling with context-rich, actionable governance.
OWASP Top 10 2025 risks increasingly materialize through identity, access, and third-party complexity, not only through vulnerable code
Broken access control and misconfiguration remain universal problems because authorization and configuration drift are rarely governed continuously
Supply chain risk is inseparable from third-party access and identity governance
Insecure design often starts with undocumented or poorly governed authorization models and applications
Authentication controls fail when identity hygiene and governance are missing
Logging without context is insufficient; analytics, intelligence, and remediation are required to reduce risk sustainably
The NEXIS Platform provides a holistic identity, governance, and risk layer that complements application security controls and helps close the enterprise reality gap highlighted by OWASP
[1] OWASP Top 10: 2025, January 2026. Available at: https://owasp.org/Top10/2025/
[2] The Visibility, Intelligence, Action (VIA) Model, in: Gartner, Market Guide for Identity Governance and Administration, Steve Wessels, Paul Mezzera, Brian Guthrie, Rebecca Archambault, 2 October 2025, Document ID: G00836197. Available at: https://www.gartner.com/document-reader/document/7012098