A04:2025 - Cryptographic Failures - Reconsider Placement - Should be higher considering known PQC & Cryptographic Agility Gaps

[TimDWilliams-ProteQC-CTO]

TLDR;
This Issue argues, based on cited evidence, that it would be wrong for OWASP to reduce the priority of Cryptographic Failures by 2 places between the OWASP Top 10:2021 and the OWASP Top 10:2025 and that Cryptographic Failures need, for the reasons provided, to be ranked 1 in the OWASP Top 10:2025.

Per the release candidate text for A04:2025 (https://owasp.org/Top10/2025/0x00_2025-Introduction/) "The contributed data indicates that, on average, 3.80% of applications have one or more of the 32 CWEs in this category" while the release candidate text for A01:2025 states "the contributed data indicates that on average, 3.73% of applications tested had one or more of the 40 Common Weakness Enumerations (CWEs) in this category".

Clearly prevalence in historic data is only one of many factors which must be considered in determining the OWASP Top 10 descending priority order.

However, the proposed "demotion" of cryptographic failures from "A02:2021" to "A04:2025" signals the very opposite of the upwards global trend in the significance of cryptographic vulnerabilities at the time of publication of this current release of the OWASP Top 10 which can only be expected to rise over the coming three to four years until the next OWASP Top 10 is published.

Not only did NIST publish the first 3 approved royalty-free Post Quantum Cryptography (PQC) algorithms (https://en.wikipedia.org/wiki/Post-quantum_cryptography) in August 2024 (https://www.nist.gov/news-events/news/2024/08/nist-releases-first-3-finalized-post-quantum-encryption-standards) which now need to be rolled-out globally and not only did OpenSSL release v3.5 with PQC support in April 2025 (https://openssl-foundation.org/post/2025-04-22-pqc/), but multiple governments and security agencies have issued advisories alerting stakeholders of the importance of starting comprehensive cryptographic discovery and inventory work without delay and migrating significant systems to PQC algorithms by 2030 (https://digital-strategy.ec.europa.eu/en/library/coordinated-implementation-roadmap-transition-post-quantum-cryptography, https://www.ncsc.gov.uk/guidance/pqc-migration-timelines, https://www.cyber.gov.au/sites/default/files/2025-09/Planning%20for%20post-quantum%20cryptography%20%28September%202025%29.pdf, https://www.fsisac.com/hubfs/Knowledge/PQC/PQC%20Timelines.pdf?hsLang=en).

The Global Risk Institute has been publishing Quantum Threat Timeline reports annually since 2019 (most recently in 2024 https://globalriskinstitute.org/publication/2024-quantum-threat-timeline-report/) warning of the need to update cryptographic algorithms.

The EU Digital Operational Resilience Act (DORA) which came into force on 12th January 2025 requires 22,000 regulated financial entities to manage cryptographic risks including "threats from quantum advancements" (Ref: Regulatory Technical Standard for ICT Risk Management Recital 9 (https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202401774#rct_9) and needing to be able to "change or replace cryptographic mechanisms in response to developments in cryptographic analysis (Ref: Regulatory Technical Standard for ICT Risk Management Article 6.4 (https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202401774#art_6).

Moreover the United Nations declared Quantum 2025 (https://quantum2025.org) and this year multiple vendors have announced breakthroughs in Quantum Computing QuBit capacity signalling that the famous 1994 factorisation algorithm of Peter Shor (https://en.wikipedia.org/wiki/Shor%27s_algorithm) and the famous 1996 search algorithm of Lov Grover (https://en.wikipedia.org/wiki/Grover%27s_algorithm) are likely to become practical possibilities sooner than expected.

Furthermore there are also very significant extended supply chain issues associated with PQC migrations (https://www.etsi.org/deliver/etsi_tr/103600_103699/103619/01.01.01_60/tr_103619v010101p.pdf, https://media.defense.gov/2023/Aug/21/2003284212/-1/-1/0/CSI-QUANTUM-READINESS.PDF) meaning in the context of the OWASP Taxonomy (which of course cannot avoid overlaps) there is a tension between raising the rank order of supply chain vulnerabilities and reducing the rank order of cryptographic vulnerabilities. Arguably the best way to resolve this would be by a strong 1, 2 ordering of Cryptographic Vulnerabilities (with forward signposting of supply chain aspects) followed by Supply Chain vulnerabilities (with backward signposting of Cryptographic aspects) resulting in a very clear and coherent opening to the OWASP Top 10 narrative flow.

For OWASP to signal in the final 2025 version of OWASP Top 10 that cryptographic vulnerabilities are decreasing in importance just as the most significant challenges in deploying new cryptographic algorithms to have been necessary over the last 25 years since the TLS 1.0 spec was approved in 1999 and the RSA algorithm went out of patent in 2000 would send misleading messages to OWASPs global reliance community and likely be harmful to OWASP's long term reputation and influence because it would become increasingly obvious over the period of this release that the demotion of cryptographic weaknesses was not justified.

I would therefore advocate strongly for Cryptographic failures not to be demoted from priority rank order 2 and to be increased to priority rank order 1. At the very least Cryptographic failures should not be ranked lower by OWASP in 2025 than they were in 2021.

Now I need at this point to declare a potential conflict of interest, so that this argument can be considered on its merits and the preponderance of evidence not because of who wrote this issue or why I, my colleagues and other vendors working in the competitive global PQC supply chain might benefit from OWASP ranking Cryptographic Failures higher rather than lower. For full transparency I am the CTO of a recently-formed UK start-up called ProteQC.com (currently not yet fully launched) which is seeking to provide expert, vendor-neutral consultancy mainly in the financial services sector to organisations that need assistance with migrating to PQC algorithms and implementing cryptographic agility quickly, efficiently, accurately and at reasonable cost.

Finally I need to clarify that this issue is submitted with the greatest respect to all of the expert contributors who have completed all the great and necessary detailed data analysis and CWE mapping work to make this release of the OWASP Top 10 possible. These arguments are only about the high level presentation and sequencing, not about the underlying extremely rigorous and data-driven analysis.

[drwetter]

Hi,
it seems to me that rank is appropriate, if not too high. The exploitablity of weak crypto at least in transit is often overestimated as one needs to have access to a network (nation states, network operator, admins, open wifi networks, ..) and then breaking weak crypto is not as easy.

You're right, we need to prepare now for PQC, that is common sense. And actually the wording needs improvement. But to my knowledge high risk systems are supposed to be qc safe within the next 5 years and other systems until 2035 -- that's what the regulations say.

I don't have a CoI but if you did a shameless plug here (to put it this way), pls allow me to do the same and point to a great FOSS tool which checks for server side TLS configuration which I also checks whether the server side supports quantum key exchange algorithms . ;-)

[drwetter]

some fast improvements #850 . More maybe later...

[TimDWilliams-ProteQC-CTO]

Hi, it seems to me that rank is appropriate, if not too high. The exploitablity of weak crypto at least in transit is often overestimated as one needs to have access to a network (nation states, network operator, admins, open wifi networks, ..) and then breaking weak crypto is not as easy.

You're right, we need to prepare now for PQC, that is common sense. And actually the wording needs improvement. But to my knowledge high risk systems are supposed to be qc safe within the next 5 years and other systems until 2035 -- that's what the regulations say.

I don't have a CoI but if you did a shameless plug here (to put it this way), pls allow me to do the same and point to a great FOSS tool which checks for server side TLS configuration which I also checks whether the server side supports quantum key exchange algorithms . ;-)

@drwetter https://testssl.sh is truly a great Open Source resource and I applaud your publicising it. We are 100% proponents of Open Source and work actively to promote economic commons.

However, I think I've failed adequately to communicate why it is so important to OWASP as the world's leading trusted source of software vulnerability information to signal clearly that a once in a generation shift is occurring in cryptographic requirements, necessitating an exceptional re-allocation of resources and attention. As the late great Dr Ross Anderson explicated in his seminal 2001 Security Economics paper "Why Information Security is Hard" (https://www.acsac.org/2001/papers/110.pdf), the underlying causes of insecurities are primarily economic rather than technical. For the last 25 years almost all organisations have treated asymmetric cryptography as an economic externality requiring no investments in maintenance. Ross's argument that microeconomic factors (network externalities, asymmetric information, moral hazard, adverse selection, liability dumping and the tragedy of the commons) provide better explanations of persistent security weaknesses than technical explanations rings true, particularly when it comes to the failure of almost all organisations to budget for and plan for cryptographic upgrades, let alone cryptographic agility. Ask any group of CISOs (let alone any group of CFOs) if they have regular annual budgets for cryptographic upgrades and it soon becomes clear that cryptographic failures have been economically neglected for years.

For OWASP as institution, there are 3 compelling reasons for prioritising cryptographic failures in the Top 10 2025:

1. Semiotics - OWASP's impact on the world is primarily symbolic through generating and publicising readily understandable abstract representations of complex underlying sociotechnical phenomena in such a manner as to impact software cultures globally and effect beneficial changes. OWASP acts most effectively as an instrument of change when it understands its own agency and reflects deeply on what would be the most effective symbols to promote until the next Top 10 release.

2. Synthesis - the value of OWASP's deep multi-disciplinary and multi-stakeholder global analysis of historic software vulnerability data and recent trends is that it results in informed, expert views which integrate both objective empirical observations and the subjective knowledge of expert professionals to create new and valuable knowledge. At this point during the final review of the OWASP Top 10 Release Candidate the opportunities for synthesis are immense. It would be a great shame if there were to be any "closing of ranks" or "group think" around the idea that a consensus has been building within OWASP that cryptographic failures should be down-ranked from 2 to 4 just at the point in history when external leading indictors are signalling that the cryptographic failures are about to become existential threats in multiple industry sectors. In particular Harvest Now Decrypt Later (HDNL)/Store Now Decrypt Later (SNDL) attacks are not currently detectable/provable (so outside OWASP's traditional evidence base) but OWASP needs to be aware of it's own limits of knowledge (known unknowns) and adjust for them when synthesising its known data inputs to create knowledge. As Dr Michele Mosca has stated, it's OK to be a day early with PQC transitions but not a day late. If OWASP were to "kick into touch" any signalling that cryptographic failures need to move up priority lists not down until the next OWASP Top 10 then (assuming that an emergency fix to the OWASP Top 10 were not to be rolled-out in 2026 to fix the downgrading of cryptography) OWASP would risk its reputation as a trustworthy source of reliable software vulnerability data because the next release of the OWASP Top 10 would come long after when organisations need to start focusing on cryptographic upgrades, given the long time periods involved. Taking as an example of why it is so important to take account of lead times, the first proven attack on the SHA-1 hash algorithm occurred in 2005 but it was not formally deprecated by NIST until 2011 and it is not due to be fully retired until 2030 (https://csrc.nist.gov/news/2022/nist-transitioning-away-from-sha-1-for-all-apps), 25 years after first being broken and 19 years after first being deprecated.

3. Ethics - considering all 3 leading ethical theories (utilitarianism, virtue ethics and deontology) OWASP's mission to improve software security through Open Source initiatives and community education are best served by promoting economic commons in software, which in the context of the likely 70% of the world's population threatened by the failure of asymmetric algorithms and the long timescales needed to prepare, translates into needing to provide maximum clarity both about the relative importance of cryptographic failures, about the urgency of starting to transition now and about how specifically to prepare. Providing this clarity in the OWASP Top 10:2025 fulfils OWASPs mission and established ways of working (deontologically ethical), maximises the value of OWASP's publications to the greatest number of people and in the highest impact technology domain (since effective cryptography is the only technical mechanism by which data can be reliably and provably secured when it is outside one's physical possession) thereby satisfying utilitarian ethics and also satisfies virtue ethics because many (if not all of) the people people involved in researching, developing and implementing Open Source and royalty free PQC solutions (including ourselves and I am sure including all OWASP volunteers working in the cryptographic domain) are motivated primarily not by commercial considerations but by ensuring that people around the world continue to be able to communicate securely and trust software not to allow undetected interception of their private communications.

Trusting that these further arguments help better to explain why 2025 is not the year that Cryptographic Failures should be going down in the OWASP Top 10 rank order. Hopefully, if OWASP ranks them higher this year then by the time the next OWASP Top 10 is published in 2028/29/30 so much will have been achieved that Cryptographic Failures can then drop out of the Top 10 entirely!

[shehackspurple]

Hello all. @infosecdad might want to weigh in on this some more, but the data we received, and the feedback from the community, put Cryptographic failures at that spot. Without data (submitted to us) and without consistent community feedback that show that it needs to be higher, I can't see us changing it. I will let others comment though.