Making the OWASP top ten in the vibe code era

The Stack Overflow Podcast

June 5, 2026

Ryan welcomes back Tanya Janca, now part of the OWASP Top 10 team, to discuss what changed in the latest OWASP Top 10 release, how the list shifted from “outdated components” to a broader software supply chain focus, and why they added memory safety and vibe-coding as awareness items.
Speakers: Ryan Donovan, Tanya Janca
**Ryan Donovan** (0:07)
Hello, everyone, and welcome to The Stack Overflow Podcast, a place to talk all things software and technology. I am your host, Ryan Donovan, and today we are talking about the OWASP Top 10, or Top 13, as it may be.
And my guest for that is a returning customer, Tanya Janca. Hello.

**Tanya Janca** (0:26)
Hi, Ryan. Thank you so much for having me back.

**Ryan Donovan** (0:29)
It's always a pleasure. So last we talked, you were doing your security work, but now you are part of OWASP's team. Can you tell us a little bit about how that came about?

**Tanya Janca** (0:39)
Yeah, absolutely. So I've run a chapter before, I've run a project before.
And basically OWASP was like, what are you going to do next for us? Because of course I'm going to do something. And there was a bunch of different projects that I met with to talk about joining which one. And then I don't know if you know Starr Brown, but she is head of projects at OWASP. So she's a staff member and she's pretty great. And she said the Top 10 team kind of needs to be dragged across the finish line. And you are like a person that gets things done. And you love OWASP, they love OWASP. Like what if I made an intro? So I met with Andrew van der Stock, who's the executive director, but also is on the Top 10 team. And he's like, Tanya, all of us have 400 things going on and we're a bunch of wild cats and we need some herding. Do you feel like herding cats? I'm like, upset cats, that sounds great. And so we met and we had one meeting. And basically, I took notes, these are your action items, this is what we're doing. We'll ask you next week. And then the next week, Neil's like, can we just tell you how much we love you?
Why did you not join our group like 10 years ago? I'm like, I don't know. I guess I was doing some other silly project. We get along so great.

**Ryan Donovan** (1:48)
Silly projects like the Canadian election security, right?

**Tanya Janca** (1:51)
Yeah, silly projects like that. Like trying to make the first secure coding law in Canada that I'm currently working on.

**Ryan Donovan** (1:56)
OWASP in general, when I found it, is an amazing resource for what is considered the vulnerabilities du jour, right? Every year you have the Top 10. This year, what's different? What's shifted for the Top 10?

**Tanya Janca** (2:10)
We actually only do the OWASP Top 10 every three years, which sucks. It's because it's so hard to get data.
Data aside, what changed? Two big things changed essentially.
One, we got to take some stuff off the list, which was great.
Cross-site scripting used to be its own item on the list. There was cross-site request forgery. Various individual vulnerabilities used to be on the list, and we did such a good job of promoting that it was an issue, that the industry responded and it fell off the list, which brings me great joy. But the two really big changes are we changed using outdated and vulnerable components to the entire software supply chain. Your IDE, your CI, your code repository, every single thing that you use to maintain or create a piece of software, all of that is part of your supply chain, and if it's being attacked, we're in trouble. So I was like, listen, I know we don't have the data to fully support this, so let's ask the community what they think. And across the board, 100 percent of them are like, this needs to be on the list. So we're like, we are correct if hundreds and hundreds of community members agree, then it's probably good. And then the other one is mishandling of exceptional conditions. So originally when we looked at it, poor code quality was, and I was like, no, poor code quality, that's all of them. That's everything. And I was like, let's be quite blunt. What is the remediation of poor code quality? What if you tried sucking less? Have you tried not sucking? That's completely unconstructive and totally unhelpful. So I was like, that is an unacceptable bucket. Now we're going to break things down further. What do we see? And so we had lack of application resilience. So your app does not know how to get back up or stay up versus mishandling of exceptional conditions, which means your error handling is not right. So something's happening and you are just doing a poor job of reacting and responding and or preventing it in the first place. And they tied. The numbers were almost exactly, I think it was off by two or something. It was so close when you have millions and millions of results.
And I was like, listen, if we resolve mishandling of exceptional conditions, we solve almost all of application resiliency. But if we just do application resiliency, it does nothing for mishandling of exceptional conditions. And when we were only allowed to put 10 things on the Top 10, I want to fight for the one that is going to solve two issues. And they're like, you know what? It's like a pretty reasonable answer.
