Guest: Steve Winterfeld (LinkedIn)
Company: Akamai
Show Name: Secure By Design
Topic: Security
OWASP’s Top 10 lists aren’t static documents. They evolve as attack patterns shift, new technologies emerge, and practitioners refine threat categories. For security leaders who treat OWASP lists as one-time compliance checklists, this creates a dangerous gap: your defenses are calibrated to last year’s threats while adversaries exploit this year’s attack surface.
Steve Winterfeld, Advisory CISO at Akamai, has tracked OWASP evolution across web applications, large language models, mobile, and APIs. In a recent conversation with TFiR, he outlined the critical changes security teams need to understand—and why the newest list, Agentic AI Top 10, signals a fundamental shift in how enterprises must approach autonomous system security.
Web Application Top 10: Two New Threats Enter
The most widely adopted OWASP list—Web Application Top 10—changed twice in two years after remaining stable for four years. This year’s update introduced two new risk categories: software supply chain failures and mishandling of exceptional conditions.
“You want to make sure that you’re now adding those two to the ones you focus on fixing,” Winterfeld explains. “I wouldn’t drop the two that fell off because they’re now 11 and 12, probably, but I would make sure that I had updated my security processes and strategy.”
The inclusion of software supply chain failures reflects the post-SolarWinds reality: enterprises don’t just secure the code they write, they secure the dependencies, libraries, build pipelines, and third-party components that attackers increasingly target. Mishandling of exceptional conditions, meanwhile, covers the error paths where an application fails insecurely: a swallowed exception that lets an authorization check fall through to “allow”, a stack trace that leaks internals to the caller, or a half-completed operation that leaves the system in an exploitable state.
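The two new categories are easier to reason about in code than in prose. The block below is an added example written for this page, not code from Akamai, OWASP, or the interview. The first half fails closed on dependencies: it parses a constructed, pip-style lockfile and refuses any artifact that is not pinned to a version and a sha256 hash, or whose bytes do not match. The second half shows the exceptional-conditions problem as a pair: an authorization check whose broad `except` swallows a backend error and falls through to “allowed”, beside the hardened version that treats the error as a denial and logs it. The artifact bytes, lockfile, permission store, and the user `eve` whose lookup trips the error are all constructed for illustration.

```python
import hashlib
import logging
import re

log = logging.getLogger("appsec-example")

# ---- Software supply chain: only install what is pinned by version AND hash ----

# Constructed artifact and lockfile (pip's `--hash=` / `--require-hashes` style).
GOOD_ARTIFACT = b"constructed wheel bytes for requests 2.32.3"
GOOD_HASH = hashlib.sha256(GOOD_ARTIFACT).hexdigest()
LOCKFILE = f"""\
# constructed lockfile
requests==2.32.3 --hash=sha256:{GOOD_HASH}
leftpad==1.0.0
"""


def parse_lockfile(text):
    """Return {name: {"version": str, "hashes": set}} from a requirements-style lockfile."""
    pins = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name_ver, *opts = line.split()
        m = re.fullmatch(r"([A-Za-z0-9_.-]+)==([A-Za-z0-9_.+-]+)", name_ver)
        if m is None:
            raise ValueError(f"unpinned or malformed requirement: {line!r}")
        hashes = {o.split("=", 1)[1] for o in opts if o.startswith("--hash=")}
        pins[m.group(1).lower()] = {"version": m.group(2), "hashes": hashes}
    return pins


def verify_artifact(name, version, data, pins):
    """Fail closed: refuse unless the artifact is pinned and its sha256 is in the pin."""
    pin = pins.get(name.lower())
    if pin is None or pin["version"] != version:
        return False, "not pinned to this version"
    if not pin["hashes"]:
        return False, "no hash pinned"
    digest = "sha256:" + hashlib.sha256(data).hexdigest()
    if digest not in pin["hashes"]:
        return False, "hash mismatch"
    return True, "ok"


# ---- Exceptional conditions: an error inside an authorization check must deny ----

PERMISSIONS = {"alice": {"read"}, "bob": {"read", "admin"}}  # constructed store


class PermissionStoreError(RuntimeError):
    """Constructed stand-in for a backend failure (timeout, bad reply)."""


def lookup_roles(user):
    if user == "eve":  # constructed: lookups for this user trip a backend error
        raise PermissionStoreError("permission store timeout")
    return PERMISSIONS.get(user, set())


def is_admin_fail_open(user):
    """Vulnerable: the broad except swallows the error and control falls through
    to the 'allowed' return, so anyone who can provoke the error is an admin."""
    try:
        roles = lookup_roles(user)
        if "admin" not in roles:
            return False
    except Exception:
        log.warning("permission lookup failed for %s", user)
    return True


def is_admin_fail_closed(user):
    """Hardened: a failure in the check is a denial, logged with context; the
    exception detail stays server-side instead of leaking to the caller."""
    try:
        roles = lookup_roles(user)
    except PermissionStoreError:
        log.error("permission lookup failed for %s; denying", user)
        return False
    return "admin" in roles
```

The two halves share a design rule: the default outcome of any unexpected condition is refusal. A lockfile entry without a hash is rejected rather than trusted, and a permission lookup that errors is a denial rather than a pass. The fail-open version is the kind of bug that scanners rarely flag, because every line is syntactically fine; it is the control flow on the error path that is wrong.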
Notably, DDoS dropped off the top 10. “It’s still a threat. It’s still something we need to pay attention to, but they didn’t consider it to be critical enough to be in the top 10,” Winterfeld notes. OWASP lists prioritize return on investment—the vulnerabilities most likely to be exploited and cause material damage.
Large Language Model Top 10: Rapid Evolution
The LLM Top 10 launched in 2023 and updated just one year later—a reflection of how quickly AI attack patterns are maturing. The update included four new threats and renamed or recategorized three existing ones.
“What we see is an evolution in two things. One, practitioners say we didn’t get that right. People are confused. Let’s rename it. Let’s get a more crisp, better name around that,” Winterfeld says.
This rapid iteration mirrors the pace of LLM adoption itself. As enterprises deployed GPT-4, Claude, and proprietary models into production, attackers developed prompt injection techniques, model extraction methods, and training data poisoning attacks faster than standards bodies could document them. OWASP’s willingness to update the list annually—rather than waiting for multi-year stability—signals that AI security is still in active discovery mode.
Mobile and API Updates: Maturing Attack Surfaces
The Mobile Top 10, which had been stable for eight years, received a major update last year—primarily restructuring threat categories rather than introducing fundamentally new risks. For APIs, the list is relatively recent, reflecting the explosion of API-first architectures and the corresponding surge in API abuse, broken authentication, and excessive data exposure.
Winterfeld’s key insight: different attack surfaces require different tooling. “I’m protecting my web apps with tool A, I’m protecting APIs with tool B, my large language model with tool C,” he explains. Security programs can’t rely on a single platform—each OWASP list implies a distinct technology stack and operational process.
Agentic AI Top 10: The New Frontier
The most significant development is the brand new Agentic AI Top 10—a list that didn’t exist six months ago. Unlike traditional LLMs that respond to prompts, agentic AI systems are autonomous: they plan multi-step workflows, interface directly with customers, and make consequential decisions like loan approvals or medical diagnoses.
“These are fairly powerful. They go across multiple environments and now I’m trying to abuse the business logic. I’m trying to get it to make bad decisions,” Winterfeld says.
Attackers aren’t just exploiting individual prompts—they’re manipulating chain reactions, amplifying failures across interconnected systems, and exploiting the autonomy that makes these agents valuable in the first place. “These hackers are going in and changing chain reactions. They’re amplifying failures beyond a single prompt,” Winterfeld warns.
The challenge for security teams is that agentic AI security isn’t well-defined yet. “This one is going to be interesting to see if it’s more of a tool or more processes,” Winterfeld notes. Traditional application security tools won’t catch business logic abuse or multi-step manipulation. Enterprises need visibility into agent decision-making, audit trails for autonomous actions, and remediation processes that can intervene before cascading failures occur.
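What “visibility into agent decision-making, audit trails, and remediation that intervenes before cascading failures” can look like in practice is shown below. This is an added example written for this page, not an Akamai product, an OWASP reference implementation, or anything the interview describes. It wraps an agent’s planned tool calls in three controls: a policy gate that lets read-only tools run autonomously but holds a consequential action (here a loan approval above a cap) for a human; a hash-chained audit trail where each entry commits to the previous one, so a deleted or altered step is detectable; and a circuit breaker that halts the run after repeated tool failures instead of letting the agent keep acting on a broken chain. The tools, policy, cap, and the plan (an agent that retries a dead dependency and then tries to approve a large loan anyway) are all constructed.

```python
import hashlib
import json


# Constructed tool backends; a real agent would call services here.
def lookup_applicant(args):
    return {"applicant": args["id"], "income": 54_000}


def credit_bureau(args):
    # Constructed failure: this dependency is down for the whole run.
    raise TimeoutError("bureau unreachable")


def approve_loan(args):
    return {"approved": True, "amount": args["amount"]}


TOOLS = {"lookup_applicant": lookup_applicant,
         "credit_bureau": credit_bureau,
         "approve_loan": approve_loan}

# Constructed policy: read-only tools run autonomously; the consequential one
# runs on its own only under a cap and otherwise waits for a human.
POLICY = {
    "lookup_applicant": {"autonomous": True},
    "credit_bureau": {"autonomous": True},
    "approve_loan": {"autonomous": False, "auto_cap": 5_000},
}


class GatedAgentRunner:
    """Runs planned tool calls through a policy gate, a hash-chained audit
    trail, and a circuit breaker that halts the run after repeated failures."""

    def __init__(self, policy, tools, max_consecutive_failures=2):
        self.policy, self.tools = policy, tools
        self.max_failures = max_consecutive_failures
        self.failures = 0
        self.halted = False
        self.audit = []

    def _gate(self, tool, args):
        rule = self.policy.get(tool)
        if rule is None:
            return "deny", "tool not in policy"
        if rule["autonomous"]:
            return "allow", "autonomous tool"
        cap = rule.get("auto_cap")
        if cap is not None and args.get("amount", 0) <= cap:
            return "allow", "consequential action under autonomous cap"
        return "needs_human", "consequential action above cap; queued for approval"

    def _record(self, entry):
        # Each entry commits to the previous hash, so tampering is detectable.
        entry["prev_hash"] = self.audit[-1]["hash"] if self.audit else "0" * 64
        entry["hash"] = hashlib.sha256(
            json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.audit.append(entry)

    def call(self, step, tool, args):
        """Execute one planned step; returns the tool result, or None if not run."""
        if self.halted:
            decision, reason = "halted", "circuit breaker open"
        else:
            decision, reason = self._gate(tool, args)
        result = error = None
        if decision == "allow":
            try:
                result = self.tools[tool](args)
                self.failures = 0
            except Exception as exc:  # count the failure; never let it cascade silently
                error = f"{type(exc).__name__}: {exc}"
                self.failures += 1
                if self.failures >= self.max_failures:
                    self.halted = True
                    reason = "tool failed; circuit breaker now open"
        self._record({"step": step, "tool": tool, "args": args, "decision": decision,
                      "reason": reason, "result": result, "error": error})
        return result

    def run_plan(self, plan):
        return [self.call(i, tool, args) for i, (tool, args) in enumerate(plan, 1)]


def verify_audit(audit):
    """Recompute the hash chain; False if any entry was altered or removed."""
    prev = "0" * 64
    for entry in audit:
        body = {k: v for k, v in entry.items() if k != "hash"}
        if body["prev_hash"] != prev:
            return False
        if entry["hash"] != hashlib.sha256(
                json.dumps(body, sort_keys=True).encode()).hexdigest():
            return False
        prev = entry["hash"]
    return True


# Constructed plan from a confused or manipulated agent.
PLAN = [
    ("lookup_applicant", {"id": "A-1"}),
    ("approve_loan", {"id": "A-1", "amount": 3_000}),   # under cap: runs
    ("approve_loan", {"id": "A-1", "amount": 50_000}),  # over cap: held for a human
    ("credit_bureau", {"id": "A-1"}),                   # fails
    ("credit_bureau", {"id": "A-1"}),                   # fails again: breaker opens
    ("lookup_applicant", {"id": "A-1"}),                # not executed
]


def demo():
    runner = GatedAgentRunner(POLICY, TOOLS)
    runner.run_plan(PLAN)
    return runner
```

The point of the chained audit log is that the record of what the agent decided, and why, is itself something an attacker who has manipulated the agent would want to rewrite; `verify_audit` is the cheap check that it has not been. The breaker is deliberately crude (two consecutive failures), because the goal at this step is to stop the chain reaction and hand control to a person, not to be clever about retries.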
The Strategic Imperative: Update Your Defenses, Not Just Your Checklists
Winterfeld’s message is clear: OWASP lists are living documents. When the Web Application Top 10 changes, your scanning tools, secure coding training, and vulnerability prioritization need to change too. When a new list like Agentic AI launches, it’s a signal that your existing security stack has a blind spot.
For CISOs facing board-level AI adoption mandates, the Agentic AI Top 10 is especially urgent. Autonomous systems are already in production—approving loans, diagnosing patients, managing supply chains. If your security program doesn’t have visibility into how those agents make decisions or how attackers might manipulate them, you’re securing yesterday’s architecture while deploying tomorrow’s risks.