SheHacksPurple: November 2025

The new OWASP Top Ten

Tanya Janca
November 11, 2025

^{_{The SheHacksPurple Nerd-a-licious Newsletter}}

💜_{Hit ‘reply’ to send me a message! I read every response and love hearing from you.}💜

Hello Everyone!

I have a few announcements, and then I wanted to talk (in the ‘Article’ section below) about security of software dependencies because a very nice subscriber named Nate asked me about it (great question!) and also it’s a topic that’s on my mind lately. I’ve included the entire blog article in the newsletter, rather than just the start and a link to the rest. Please let me know if you like that format (or not).

OWASP Global AppSec was spectacular! We (Andrew van der Stock, Brian Glas, Neil Smithline, Torsten Gigler and me) managed to get the new OWASP Top Ten ready just in time for my presentation of it with Neil Smithline (he’s SO FUNNY, what a great presenter!) and also for Brian Glas who presented the next day about how we made the list and that’s a talk you need to see as well, sort of a ‘behind the scenes’. I also got to see wonderful friends, sign books, and received many hugs! Plus, I received very positive feedback on the API Security training I gave! Win, win, win!

I have tons of photos! On the top left is Vandana Verma and I, and in the middle is Neil Smithline and me! Sorry to the guy in-between us, I didn’t mean for you to be in the pic!

Announcements: The new Top Ten is out, and I hope to create some free content about it soon. My trip to the UK was cancelled and so was the local OWASP Victoria meeting. I was on Darknet Diaries and it was amazing. Lastly, I am very excited to announce that I am the keynote for the 2026 SnowFroc conference in April!!!!! Plus DevOpsDays Lima (Peru)! Next year is going to be amazing. ❤️

PS Note: my trip to the UK in December has been canceled. I apologize to anyone who this has inconvenienced. :-(

Neil told stories on stage, including having North Koreans in his network. He explained “It did not end well. For US, not the North Koreans.” Lol! I bet! And there’s me with Smithy founders Spyros and Pavlos (behind us)! We gave away books for an entire hour!

Secure Your AI Stack – From Code to Cloud

As generative AI systems become central to enterprises, so do the risks. Our new interactive page maps the OWASP Top 10 for LLMs to real threats, explains how AI attacks unfold, and shows how Cortex Cloud AI-SPM can protect every layer—from training data and models to plugins, endpoints, and agents. Explore how to defend your AI assets with full visibility, context, and control.

New Content!

I was on Darknet Diaries with Jack Rhysider! On YouTube or any podcast platform.
We released the NEW OWASP Top Ten 2025 last week at OWASP Global AppSec
Why we need to start giving significantly more specific security advice - a blog post I wrote
Podcast episode: Who is agile: Saying no with Tanya Janca
Self-propagating worm found in marketplaces for Visual Studio Code extensions - Article by Howard Solomon, but with lots of quotes from me!
Malicious packages in npm evade dependency detection through invisible URL links: Report - Article by Howard Solomon, but with several quotes from me!
Software Supply Chain: Bigger (and Scarier) Than We Realize - See below

Events!

Nov 12, 1:00 PM - 3:30 PM EST, DevSecOps Summit with Harness! Free and online. I’m doing a fireside chat to open the event with Adam Arellano about AI security in software development. Virtual
Nov 12, 8:30 to 9:30 am PST: Metrics, Models & Mindsets: The Future of Application Security, with myself, Spyros Gasteratos of Smithy and Aram Hovsepyan of Codific. Tune in for a ‘post OWASP Global AppSec’ panel about what we think the future of AppSec will be! Virtual
November 27, 2025, evening, in person OWASP Victoria Meetup! Event cancelled.
Note: my trip to the UK in December has been canceled. I apologize to anyone who this has inconvenienced. :-(
December 1-2, Training Session at NDC Manchester, AI & Security Secure Coding & API Hardening: Hands-On Secure Design, Development, and Threat Modelling - in person
December 3-4, NDC Manchester, AI & Security, Manchester, UK, I will be giving TWO talks! in person
December 5th - OWASP London, Virtual! Free! (Changed from in person to virtual appearance)
Feb 10-13, 2026 - Wild West Hackin’ Fest - Mile High, I will be giving training and also a talk! In person!
April 16 & 16 (note the date change), 2026 - SnowFroc in Denver, CO, USA, I’m the opening keynote so please don’t sleep in! In person
July 2026: Keynote for DevOpsDays Lima in Peru! That’s right folks, I’m going back to South America! In person

Article

Software Supply Chain: Bigger (and Scarier) Than We Realize

When we talk about the software supply chain security, most people think only of dependencies (open-source libraries and frameworks). But the supply chain is so much more than just that. It’s everything we use to build, test, and release our software: our IDE (and all those wonderful extensions), our CI/CD pipelines (including every script, config, and build step), our source repositories, our frameworks, and even our package registries. And every single part of it needs to be hardened, monitored, access-controlled, and all the other things we need to do to keep it safe. Right now, I see many of us only concerned with the 3rd party dependencies, forgetting the rest of this extremely powerful and far-reaching chain.

I do wonder… if I built a course on securing the entire software supply chain, from IDE to release pipeline, would anyone sign up? Because I think maybe we’re going to need it. 😉

I’ve seen this one, with different images, over and over. It’s always correct.

The Threats to Dependencies Are Changing

Not long ago, dependency management was fairly simple: a library was either outdated or vulnerable, and tools told you so. That was helpful. But it was also full of false positives. I used to look at reports and think, “Sure, there’s a CVE in here, but if it’s never called in my code, do I need to do anything about it?” Many a developer and I have had this conversation, and it’s hard to press for big changes when we’re not even sure if it’s actually dangerous or not…

Some good news: modern SCA tools are getting smarter. Some can now tell whether a vulnerable function is reachable (your code calls the function that has the vulnerability in it), or even exploitable (not only can an attacker reach it through your app, but there is a proven way that it can be exploited). I haven’t tested any of the products claiming exploitability yet, but if it works… That would be huge! Then we could finally prioritize what matters instead of adding to the constantly expanding backlog that no one wants to talk about.

The New Threats

Unfortunately…While tools were improving, the attackers have been hard at work as well. :-/ New attacks include:

Malicious actors joining open-source projects to sneak bad code into legit libraries.
Look-alike packages published under almost the same name as trusted ones.
AI tools generating imaginary dependencies and then attackers registering those names… With malicious code inside.
Even the maintainers themselves are being compromised, leading to malicious “official” updates.

It’s a total mess! Especially since the current industry toolset can only spot known vulnerabilities (ones already reported). Everything else has the potential to slip through the cracks.

So… What Do We Do About It?

Here are some ideas for you. At the end I’m going to ask for your ideas. Hit reply and email them to me!

1. Harden your entire supply chain.
Create a lightweight but consistent process for hardening your dev environment (from IDE to CI/CD). And try to create a change-management process that’s not too painful. Then teach your devs why it matters, so they’re less tempted to bypass it. Because they can do anything they want, let’s not kid ourselves. Make it matter to them, so they do the right thing.

2. Get an SCA tool that can prove reachability or exploitability.
Ask peers which ones work well (I don’t recommend specific products publicly, generally), and refuse to settle for ones that just shout every CVE they find as though that is helpful. Devs don’t have time for hundreds of false positives, they have work to do. Then fix the ones that introduce real business risk.

3, Push for industry-level change.
We need an official framework for managing open-source dependencies. Something that maintainers, companies, and governments can all work with and within. Imagine if we had:

A shared set of release/security standards, that we all followed
Government support for secure maintenance, that was enforced with legislation
Private industry funding open-source security (financial donations or dev time), because they are using it and it has value. We pay for things that have value, and this applies to software!

What do you think? If you have ideas, email me. I’d love to gather your thoughts and maybe turn them into a follow-up blog post or add to this one on my blog. We need to figure this out together… Before the bad guys do. 💜

Maybe this is just a dream right now… but maybe it’s one worth dreaming together?

We end with a meme.

I couldn’t decide between memes so you get two this month!