
Conquering the 2025 OWASP Top 10 with IAST + RASP

The OWASP Top 10:2025 (Release Candidate) has been published, and it reflects the challenges developers and security teams face today. The list confirms that securing applications is a two-front effort.

Teams have to “shift-left” to find flaws early in development, but must also “shield-right” to protect live, running applications from exploits—especially zero-days.

Relying only on testing tools that cannot see how the running application actually handles data, such as SAST or DAST, leaves whatever they missed exposed in production. Relying only on protection (a WAF, for example) is like posting a guard outside a building whose doors are unlocked: the flaws are still there, and the guard only sees the street. Teams need a platform that bridges this gap.

The Unified Solution: IAST for Testing, RASP for Protection

That is where a unified IAST (Interactive Application Security Testing) and RASP (Runtime Application Self-Protection) strategy, like the one Waratek offers, changes the picture. Think of it as a “1-2 punch” for application security:

  1. Waratek IAST (Shift-Left): This is the developer’s ally. Operating in the QA/testing phase, IAST instruments the running application. As the team runs its normal unit or functional tests, the IAST agent observes the code from the inside in real time. Because it watches actual data flows rather than inferring them, its findings are contextual and carry few false positives, so developers can find and fix complex flaws such as injection and data leaks before they ever reach production.
  2. Waratek RASP (Shield-Right): This is the production guardian. RASP runs inside the live application’s runtime (e.g., the JVM). It does not guess at attacks by looking at HTTP traffic; it uses patented data-flow tracing to see exactly what the application is doing. When it detects an attack, such as untrusted data attempting to alter the structure of an SQL query, it neutralizes the threat at the vulnerable instruction, applying a fix in memory (a virtual patch). No code changes, no restarts, and far fewer false positives than traffic-based inspection can achieve.

How Waratek’s IAST + RASP Address the 2025 Top 10

Two categories are new, A03: Software Supply Chain Failures and A10: Mishandling of Exceptional Conditions, and Server-Side Request Forgery (SSRF), a standalone category in 2021, has been folded into A01: Broken Access Control.

A03: Software Supply Chain Failures

This new category expands “Vulnerable and Outdated Components” to cover the entire tech stack. With its introduction, OWASP makes explicit that security risks are not limited to the code you write: they live in your dependencies, build systems, delivery pipelines and third-party artefacts as well. This is where RASP earns its place.

When a zero-day vulnerability (Log4Shell, CVE-2021-44228, for example) is announced in a third-party library, your organization is in a race against time. The traditional “scan, find, patch, test, redeploy” cycle can take weeks.

Waratek RASP can deploy a virtual patch in minutes. The RASP rule blocks the specific exploit path at the runtime level, so production systems are protected against exploitation of the CVE immediately. That gives development teams the breathing room to update, test and deploy the fixed library properly instead of in a fire drill; the virtual patch is a stop-gap, not a replacement for the upstream fix.

A05 (Injection) & A01 (Broken Access Control)

Injection remains a top threat, and A01 is still number one, now including SSRF.

  • During Development and Testing (IAST): As automated tests run, IAST sensors trace data flow from user input to the “sink” (e.g., a database query or a file system call). It identifies SQL injection, command injection and SSRF with pinpoint accuracy, showing the developer the exact line of code to fix.
  • In Production (RASP): If an injection flaw is missed, RASP provides the safety net. Its tainting engine tracks untrusted data as it flows through the application. The moment that data is used in a dangerous way, RASP blocks the individual instruction from executing. It does not reject the whole request, only the malicious operation, which keeps false positives low and legitimate users unaffected.
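To make the “untrusted data altering the structure of a query” idea concrete, here is an added example (not Waratek code) of a taint-aware SQL sink check in Python. It is deliberately simplified: a real IAST/RASP engine tracks taint through the whole program, whereas here the query template tells us which fragments came from untrusted input. The rule is the classic one: the query built with the real values must have the same token structure as the same query built with a harmless placeholder, so untrusted data may only ever occupy a single literal position. Template strings, inputs and the regex tokenizer are all constructed for this example.

```python
import re

# Added example (not Waratek code): a simplified, taint-aware SQL sink check.
# A real IAST/RASP engine tracks taint through the program; here the template
# tells us which query fragments came from untrusted input.

TOKEN_RE = re.compile(r"""
    (?P<string>'(?:[^']|'')*')          # single-quoted literal; '' escapes a quote
  | (?P<comment>--[^\n]*|/\*.*?\*/)     # line or block comment
  | (?P<number>\b\d+(?:\.\d+)?\b)
  | (?P<word>[A-Za-z_][A-Za-z0-9_]*)    # keyword or identifier
  | (?P<op>[^\s])                       # any other single character
""", re.VERBOSE | re.DOTALL)


def shape(sql):
    """Reduce a query to its syntactic shape: literals collapse to <lit>,
    comments to <comment>; keywords, identifiers and operators are kept."""
    out = []
    for m in TOKEN_RE.finditer(sql):
        kind = m.lastgroup
        if kind in ("string", "number"):
            out.append("<lit>")
        elif kind == "comment":
            out.append("<comment>")
        else:
            out.append(m.group().upper())
    return out


class InjectionBlocked(Exception):
    """Raised at the sink when untrusted data changed the query's structure."""


def checked_query(template, **tainted):
    """Build the query exactly as vulnerable string concatenation would, then
    refuse it if the untrusted values altered its structure.

    The baseline shape uses a harmless '0' for every tainted value, so
    untrusted data is only ever allowed to fill a single literal position."""
    baseline = shape(template.format(**{k: "0" for k in tainted}))
    query = template.format(**tainted)
    if shape(query) != baseline:
        raise InjectionBlocked(f"untrusted data altered query structure: {query!r}")
    return query


def is_safe(template, **tainted):
    """True when the sink would let the query through, False when it blocks it."""
    try:
        checked_query(template, **tainted)
        return True
    except InjectionBlocked:
        return False


if __name__ == "__main__":
    # Constructed inputs: the same vulnerable concatenation pattern with a benign
    # value, a properly escaped apostrophe, and three injection attempts.
    by_name = "SELECT id FROM users WHERE name = '{name}'"
    by_id = "SELECT id FROM users WHERE id = {id}"
    for tmpl, kw in [
        (by_name, {"name": "alice"}),           # allowed
        (by_name, {"name": "O''Brien"}),        # allowed: still one literal
        (by_name, {"name": "' OR '1'='1"}),     # blocked: adds OR ... = ...
        (by_name, {"name": "admin'--"}),        # blocked: introduces a comment
        (by_id, {"id": "1 OR 1=1"}),            # blocked: tautology
    ]:
        print("ALLOW" if is_safe(tmpl, **kw) else "BLOCK", tmpl.format(**kw))
```

Note what the structural check gives you that a traffic filter cannot: the decision is made on the query the application is actually about to execute, so an unescaped apostrophe (`O'Brien` without the `''` escape) is flagged as a structure change, which is exactly the application bug that makes injection possible, while the correctly escaped value passes untouched.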

A08 (Software or Data Integrity Failures) & A10 (Mishandling of Exceptional Conditions)

These categories cover complex runtime issues like insecure deserialization (A08) and “fail-open” errors (A10).

  • A08: Waratek’s RASP is well placed to stop insecure deserialization attacks. By monitoring the JVM, it can identify and block gadget chains as the object graph is being rebuilt, before the chain reaches a method that executes code (Remote Code Execution, RCE).
  • A10: This new category is about improper error handling. Because Waratek’s RASP operates inside the runtime, it can control application execution and prevent “failing open.” It catches unexpected errors and handles them securely, so they neither leak sensitive stack traces to the client nor turn into a Denial-of-Service condition.
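The two items above fit naturally in one added example (not Waratek code, and written in Python rather than on the JVM): a deserialization sink that admits only an allowlist of classes, so a gadget chain is refused before any of its objects are built (A08), wrapped in a request handler that fails closed and returns an opaque reference instead of a stack trace when anything on the untrusted path goes wrong (A10). The `Order` type, the `Gadget` payload, the endpoint shape and the status codes are all constructed for this example; Java’s `ObjectInputFilter` plays the role of `RestrictedUnpickler.find_class` in a JVM application.

```python
import io
import logging
import os
import pickle
import uuid

# Added example (not Waratek code): a deserialization sink that admits only an
# allowlist of classes, wrapped in a request handler that fails closed.

log = logging.getLogger("rasp-demo")


class Order:
    """The one application type this endpoint legitimately accepts."""
    def __init__(self, item, qty):
        self.item, self.qty = item, qty


class Gadget:
    """Constructed attacker payload: a naive pickle.loads would call os.system.
    It is only ever fed to the restricted loader below, which refuses it."""
    def __reduce__(self):
        return (os.system, ("echo pwned",))


class DeserializationBlocked(Exception):
    pass


# Anything not listed here (os.system, subprocess.Popen, ...) is refused before
# the object graph is built, so the gadget never reaches a callable.
ALLOWED_GLOBALS = {(Order.__module__, "Order")}


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if (module, name) not in ALLOWED_GLOBALS:
            raise DeserializationBlocked(f"{module}.{name} is not an allowed class")
        return super().find_class(module, name)


def safe_loads(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def order_payload(item, qty):
    """Constructed benign request body."""
    return pickle.dumps(Order(item, qty))


def gadget_payload():
    """Constructed malicious request body (serialising it executes nothing)."""
    return pickle.dumps(Gadget())


def handle_request(body):
    """Fail-closed endpoint: every failure on the untrusted path denies the
    request and returns an opaque reference instead of a stack trace."""
    try:
        order = safe_loads(body)
        if not isinstance(order, Order):
            raise DeserializationBlocked(f"unexpected type {type(order).__name__}")
        return {"status": 200, "body": {"item": order.item, "qty": order.qty}}
    except DeserializationBlocked as exc:
        ref = uuid.uuid4().hex[:8]
        log.warning("blocked deserialization ref=%s reason=%s", ref, exc)
        return {"status": 400, "body": {"error": "request rejected", "ref": ref}}
    except Exception:
        # The fail-open variants are letting the exception propagate (stack trace
        # to the client) or swallowing it and continuing as if the request were
        # valid. Instead: deny, and keep the full trace in the server log only.
        ref = uuid.uuid4().hex[:8]
        log.exception("unexpected failure ref=%s", ref)
        return {"status": 500, "body": {"error": "internal error", "ref": ref}}


if __name__ == "__main__":
    print(handle_request(order_payload("widget", 3)))  # 200, normal order
    print(handle_request(gadget_payload()))            # 400, os.system never called
    print(handle_request(b""))                         # 500, no trace in the response
```

The `ref` value is what the client sees; the same value is written to the server log next to the full detail, so an operator can correlate a user report with the event without the response ever carrying a stack trace.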

A02 (Security Misconfiguration) & A04 (Cryptographic Failures)

These are often issues of policy and standards.

  • During Testing (IAST): IAST monitors and analyzes all data flows and identifies weak or missing encryption, deprecated cryptographic algorithms, improper key usage or insecure protocols during runtime. Additionally, IAST detects vulnerabilities resulting from security misconfiguration or dangerous defaults. For example, IAST has the application context required to identify insecure endpoints, lack of session timeout or cookies without the secure flag.
  • In Production (RASP): Waratek’s RASP can act as a runtime policy engine, enforcing secure configuration and policy even where the deployed application or its defaults deviate from it.
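As an added example of the kind of configuration check described above (not Waratek code), the following Python audits `Set-Cookie` headers for the weak defaults the text names: a missing `Secure` or `HttpOnly` flag, a `SameSite` value that does not restrict cross-site requests, and a session cookie with an over-long lifetime. The header values and the eight-hour session policy are constructed assumptions; note that a cookie with no `Max-Age` at all is a browser-session cookie, so the server-side idle timeout still has to be checked separately.

```python
# Added example (not Waratek code): audit Set-Cookie headers for common
# misconfigurations. The policy threshold below is an assumption.

MAX_SESSION_AGE = 8 * 3600  # assumed policy: session cookies live at most 8 hours


def parse_set_cookie(header):
    """Split 'name=value; Attr; Attr=val' into (name, value, {attr: val}).
    Attribute names are lower-cased; flag attributes map to ''."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_set_cookie(header, session_cookie_names=("session", "jsessionid")):
    """Return the list of findings for one Set-Cookie header; empty means OK."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: cookie may be sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable by script, stealable via XSS")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict: sent on cross-site requests")
    if name.lower() in session_cookie_names:
        max_age = attrs.get("max-age", "")
        if max_age.isdigit() and int(max_age) > MAX_SESSION_AGE:
            findings.append(f"Max-Age {max_age}s exceeds {MAX_SESSION_AGE}s session policy")
    return findings


if __name__ == "__main__":
    # Constructed headers: the dangerous default beside the corrected form.
    weak = "JSESSIONID=abc123; Path=/"
    fixed = "JSESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax; Max-Age=3600"
    for header in (weak, fixed):
        print(header)
        for finding in audit_set_cookie(header) or ["no findings"]:
            print("  -", finding)
```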

A09: Security Logging and Alerting Failures

A WAF log lacks application context and is often noisy; runtime security logs are clear, contextual and actionable. This OWASP item is not just about having logs, it is about having alerts someone can act on. When Waratek RASP blocks an attack, it produces a contextual alert that includes:

  • The exact line of code that was targeted.
  • The full payload of the attack.
  • The backend SQL query or command that was attempted.
  • The user and session information.

This isn’t just logging; it’s instant, real-time, actionable threat intelligence that your SOC and dev teams can actually use.

Final Thoughts

The 2025 OWASP Top 10 makes it clear that security is needed at every stage of the SDLC. A unified IAST/RASP platform is no longer a “nice to have”—it’s the most logical and effective way to secure apps as they are built (IAST) and protect them as they run (RASP).

By finding flaws early with IAST and neutralizing exploits (including zero-days) in production with RASP, the loop between development, security, and operations is finally closed.

To learn more about how to get this “shift-left” and “shield-right” protection, ask for a demo today.
