Published: January 30, 2024 · Last reviewed: May 1, 2026
Updated December 29, 2025
The OWASP Top 10:2025 identifies the most critical application security risks and is highly relevant for medical devices that integrate with web applications, APIs, and cloud services. It helps MedTech teams prioritize security efforts to protect patient data and device integrity across the entire connected ecosystem. By addressing these risks, manufacturers can reduce common vulnerabilities and produce defensible cybersecurity evidence for regulatory bodies like the FDA.
If your medical device connects to anything-cloud services, APIs, a clinician portal, a mobile companion app, remote support tooling-your cybersecurity risk isn’t “just the device.” It’s the entire ecosystem.
That ecosystem is exactly where the OWASP Top 10:2025 shows up. Not as theory. As real findings: broken access control, cloud misconfigurations, weak authentication workflows, supply chain gaps, and “we didn’t expect that error condition” failures.
This guide translates the OWASP Top 10:2025 into a medical device cybersecurity reality, where the risks appear, what to test first, and how to turn the work into evidence that can actually be defended.
Key Takeaways
- OWASP Top 10 applies to connected medical device ecosystems.
- Focus on OWASP Top 10:2025 for apps and APIs, not just firmware.
- Prioritize A01, A02, A03, A07 for maximum impact.
- Integrate OWASP into a repeatable SDLC process.
- Defensible evidence links risks, requirements, and test results.
- Consider OWASP API Security Top 10 for API-heavy devices.
Table of Contents
- Key Takeaways
- Quick takeaways (if you only read one section)
- What the OWASP Top 10 is (and why MedTech teams should care)
- The OWASP Top 10:2025 list (in plain English)
- OWASP Top 10:2025 mapped to connected medical device ecosystems
- A practical way to use OWASP in a medical device SDLC (without slowing engineering)
- Don’t stop at web apps: OWASP + API Security for connected devices
- How to turn OWASP work into FDA-ready evidence (without writing a novel)
- Bottom line
- OWASP Top Ten FAQs
Why this matters
The FDA's Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions (Feb 3, 2026 final guidance) made cybersecurity documentation a gating criterion for clearance under Section 524B of the FD&C Act. Reviewers now apply this guidance to owasp top 10 the same way they apply software lifecycle expectations from IEC 62304 and security risk-management expectations from AAMI TIR57 and ANSI/AAMI SW96:2023.
Gaps in this area are the single most common driver of first-cycle cybersecurity Additional Information (AI) requests. The FDA's FY2024 CDRH performance reports show cybersecurity is among the top deficiency categories cited in 510(k) and PMA AI letters, behind only software documentation and clinical evidence. Treating it as a checklist exercise rather than a design-controlled engineering artifact is what creates the gap.
Quick takeaways (if you only read one section)
- OWASP is most valuable when it becomes a system: design rules + testing habits + release gates-not a once-a-year checklist.
- Connected device ecosystems are API-heavy. Pair OWASP Top 10 with the OWASP API Security Top 10 for better coverage.
- For MedTech teams, the win isn’t “no findings.” The win is repeatable controls + clean evidence across design, build, test, and postmarket response.
What the OWASP Top 10 is (and why MedTech teams should care)
The OWASP Top 10 is a widely used set of categories that describe the most common and impactful application security risks. It’s not a compliance standard-and it won’t replace device-specific security engineering-but it’s one of the fastest ways to reduce the exact vulnerability patterns attackers exploit in:
- clinician portals (web apps)
- patient mobile apps
- cloud backends and APIs
- update/provisioning services
- remote support paths
- identity and access management configurations
If you only test firmware but ignore the portal/API that controls workflows and data, you’re leaving a door wide open.
The OWASP Top 10:2025 list (in plain English)
Here are the OWASP Top 10:2025 categories, followed by a MedTech translation and what to test first:
- A01: Broken Access Control
- A02: Security Misconfiguration
- A03: Software Supply Chain Failures
- A04: Cryptographic Failures
- A05: Injection
- A06: Insecure Design
- A07: Authentication Failures
- A08: Software or Data Integrity Failures
- A09: Security Logging and Alerting Failures
- A10: Mishandling of Exceptional Conditions
OWASP Top 10:2025 mapped to connected medical device ecosystems
| OWASP 2025 category | Where it shows up in MedTech ecosystems | What to test first |
|---|---|---|
| A01 Broken Access Control | Portal roles, admin actions, support accounts, patient/clinician record access, API object access | Role/permission tests, object-level access (BOLA/IDOR), privilege escalation checks |
| A02 Security Misconfiguration | Cloud storage exposure, permissive CORS, debug settings, weak headers, open admin interfaces | Cloud posture review, hardening baselines, configuration scanning, least-privilege IAM review |
| A03 Software Supply Chain Failures | Dependencies, third-party SDKs, CI/CD pipeline, build artifacts, container images | SBOM/dependency review, artifact signing, pipeline access controls, provenance checks |
| A04 Cryptographic Failures | Tokens and secrets, TLS mistakes, sensitive exports, weak key handling | TLS validation, secret storage review, crypto misuse checks, key management review |
| A05 Injection | API parameters, portal forms, search/log fields, report exports | Input validation, parameterized queries, API fuzzing, output encoding checks |
| A06 Insecure Design | Unsafe workflows, “trusted network” assumptions, missing abuse cases, weak requirements | Threat modeling, abuse-case testing, security requirements + traceability review |
| A07 Authentication Failures | Weak password policy, broken sessions, insecure recovery, inconsistent MFA enforcement | Auth flow tests, MFA enforcement (especially privileged), session/recovery testing |
| A08 Software/Data Integrity Failures | Unsigned updates, tampered configs, untrusted data feeds, weak validation of “trusted” inputs | Signed updates, integrity checks, artifact verification, secure update workflow review |
| A09 Logging/Alerting Failures | Postmarket blind spots: no usable audit trail for admin actions or suspicious API behavior | Auth/admin event logging, alert tuning, retention checks, “can we investigate?” drills |
| A10 Mishandling of Exceptional Conditions | Fail-open logic, unsafe error handling, resource exhaustion, crashes in edge cases | Error-handling review, edge-case tests, resilience checks, safe failure validation |
A practical way to use OWASP in a medical device SDLC (without slowing engineering)
The fastest path to “kickass cybersecurity” is not a bigger checklist-it’s repeatability. Here’s a workflow that keeps OWASP from becoming shelfware:
1) Start with your real attack surfaces
Write down what matters (most teams forget half of it):
- Portal (web app)
- Mobile app
- APIs and cloud services
- Update/provisioning services
- Remote support path
- Identity provider + admin consoles
2) Pick “high-risk workflows” before you pick tools
Examples that tend to produce the biggest findings:
- Login + session handling + token refresh
- Role changes, admin actions, and support access
- Patient/clinician data lookup by ID (classic object-level authorization failures)
- Device pairing/onboarding
- Remote commands and configuration changes
- Update delivery and validation
3) Threat model those workflows (lightweight is fine)
You don’t need a 60-page diagram set. You need clarity on:
- Trust boundaries (where assumptions end)
- What happens when credentials are stolen
- How data flows and where it can leak
- How updates/artifacts are protected end-to-end
4) Test in layers (automate what’s cheap, focus manual effort where it matters)
- Automated: SAST, dependency scanning, IaC/config checks, baseline DAST
- Targeted manual testing: A01, A07, A02, A08 (these are where real-world pain lives)
- Release gates: “no criticals open,” and consistent rules for highs (fix or document time-bound rationale)
5) Fix root cause, not symptoms
If you only patch individual findings, they will come back in the next sprint. Instead, build “paved roads”:
- Reusable auth patterns and server-side authorization checks
- Secure defaults (no debug, no open storage, no permissive CORS)
- Standard secrets handling and token storage
- Artifact signing and verification are baked into CI/CD
Don’t stop at web apps: OWASP + API Security for connected devices
Most connected device ecosystems are API-first. Even if users only interact with a portal, the portal is usually calling APIs-just like your device and mobile app are.
Recommendation: keep OWASP Top 10 for web/portal work, and also apply the OWASP API Security Top 10 for device/mobile/cloud traffic. That’s where object-level authorization issues, token misuse, and API-specific failure modes are most evident.
How to turn OWASP work into FDA-ready evidence (without writing a novel)
In regulated environments, the question isn’t only “did you test?” It’s “can you demonstrate a repeatable process, and can you show what you did with the results?”
A clean, defensible evidence set often includes:
See also: GET vs POST for Medical Device APIs: Security Best Practices, The FHIR Medical Device Protocol, and Key Exchange in Medical Device Cybersecurity.
- Threat model (even lightweight) tied to your highest-risk workflows
- Security requirements tied to risks (especially A01/A07/A02/A08)
- Test plan + results (mapped to risks/categories)
- Remediation log: what changed, how it was verified, what was deferred (and why)
- Supply chain controls: SBOM + dependency policy + pipeline protections
- Postmarket process: how you monitor, triage, and respond to vulnerabilities
If you need assistance with packaging this information cleanly, Blue Goat Cyber supports MedTech teams with pre-market and post-market cybersecurity services, threat modeling, SBOM programs, and application/API penetration testing.
- FDA Premarket Cybersecurity Services
- FDA Postmarket Cybersecurity Services
- Medical Device Penetration Testing Services
- SBOM Services for MedTech
Bottom line
The OWASP Top 10:2025 is most potent when it becomes a repeatable system-not a checklist. For medical device teams, that means fewer recurring vulnerability patterns, fewer release surprises, and a stronger, more defensible cybersecurity story across the device ecosystem.
Want help applying OWASP to your specific device ecosystem (portal + APIs + cloud + app)? Blue Goat Cyber can help you prioritize the right tests, fix the right patterns, and package the evidence in a way that’s clear and defensible.
OWASP Top Ten FAQs
Does OWASP Top 10 apply to SaMD?
Yes. SaMD often is the app, API, or cloud service. OWASP is a strong baseline for prioritizing secure design and testing.
Why is the OWASP Top 10 important for medical device cybersecurity?
Medical devices often include web applications or APIs as part of their ecosystem. Understanding and mitigating the OWASP Top 10 risks helps manufacturers protect sensitive patient data, ensure device integrity, and meet regulatory cybersecurity expectations.
Which OWASP categories matter most for connected medical devices?
In practice, the biggest recurring issues are Broken Access Control (A01), Security Misconfiguration (A02), Supply Chain Failures (A03), and Authentication Failures (A07)-because connected ecosystems lean heavily on cloud, APIs, and identities.
What’s the most common OWASP mistake you see?
Treating OWASP as a one-time pen test instead of building repeatable guardrails into design, development, CI/CD, and release gates.
How do we show OWASP coverage without claiming “OWASP compliance”?
Don’t claim compliance. Show traceability: risk → requirement → test → fix → verification. That story holds up far better than a buzzword.
Is compliance with the OWASP Top 10 required by regulations?
While not a formal regulation, many cybersecurity frameworks and regulatory bodies (including the FDA, ISO standards, and GDPR) reference OWASP Top 10 concepts. Demonstrating alignment can help meet cybersecurity due diligence expectations.
How does the OWASP Top 10 relate to DevSecOps practices?
The OWASP Top 10 fits seamlessly into DevSecOps by providing clear targets for automated scanning, manual code reviews, secure architecture design, and ongoing vulnerability management throughout the software development lifecycle.
Are APIs and mobile apps covered by the OWASP Top 10?
The main OWASP Top 10 focuses on web applications, but OWASP also maintains separate Top 10 lists for API Security and Mobile Security. These complementary guides are critical for connected medical devices and healthcare apps.
How often is the OWASP Top 10 updated?
Typically, the OWASP Top 10 is updated every three to four years to reflect the evolving threat landscape, real-world breach data, and changes in application development practices.
What is the most common mistake organizations make regarding the OWASP Top 10?
Many organizations treat it as a checklist rather than integrating its principles into broader risk management and secure development practices. Real security comes from building a culture of cybersecurity, not just checking boxes.
Do we really need API-specific testing?
If your device/mobile app/portal talks to APIs (it does), then yes. APIs are where object-level authorization failures and data exposure issues love to hide.
How Blue Goat approaches this
Blue Goat Cyber's medical device practice is led by engineers with CISSP, OSCP, and prior military red-team backgrounds. We treat cybersecurity documentation as design-controlled engineering output, not a submission template, every artifact (threat model, SBOM, security risk assessment, penetration test, labeling) traces back to a controlled requirement and a verified result.
Our engagements deliver the full Feb 3, 2026 guidance documentation set scoped to the device's risk profile, integrated with the existing IEC 62304 software lifecycle and ISO 14971 risk file. See our medical device cybersecurity services for the full scope. If the FDA raises cybersecurity deficiencies after our submission, we resolve them at no additional cost.
FAQ
Does the OWASP Top 10 apply to SaMD?
Yes. SaMD often is the app, API, or cloud service. OWASP is a strong baseline for prioritizing secure design and testing.
Why is the OWASP Top 10 important for medical device cybersecurity?
Medical devices often include web applications or APIs as part of their ecosystem. Understanding and mitigating the OWASP Top 10 risks helps manufacturers protect sensitive patient data, ensure device integrity, and meet regulatory cybersecurity expectations.
Which OWASP categories matter most for connected medical devices?
In practice, the biggest recurring issues are Broken Access Control (A01), Security Misconfiguration (A02), Software Supply Chain Failures (A03), and Authentication Failures (A07) because connected ecosystems lean heavily on cloud, APIs, and identities.
How do we show OWASP coverage without claiming "OWASP compliance"?
Do not claim compliance. Show traceability: risk -> requirement -> test -> fix -> verification. That story holds up far better than a buzzword.
Is compliance with the OWASP Top 10 required by regulations?
While not a formal regulation, many cybersecurity frameworks and regulatory bodies (including the FDA, ISO standards, and GDPR) reference OWASP Top 10 concepts. Demonstrating alignment can help meet cybersecurity due diligence expectations.
Are APIs and mobile apps covered by the OWASP Top 10?
The main OWASP Top 10 focuses on web applications, but OWASP also maintains separate Top 10 lists for API Security and Mobile Security. These complementary guides are critical for connected medical devices and healthcare apps.
About the author
Christian Espinosa, CISSP, Founder, Blue Goat Cyber. Christian leads a team focused exclusively on medical device cybersecurity for FDA premarket submissions and postmarket compliance. Read more about Christian.
Sources & references
Primary sources cited in this article. Links open in a new tab.
- OWASP API Security Top 10- OWASP