- The Rapid Rise of APIs - a business no longer needs to specialize in all aspects of creating software; instead, functionality is shared with (and consumed from) other companies.
- A Major Gap in Security - security techniques of the past were not effective at detecting API-related vulnerabilities.
- A New Leading Attack Vector - APIs often bypassed all of the security measures that businesses had built up over the past decade.
- API1:2023 Broken Object Level Authorization (BOLA)
- API2:2023 Broken Authentication
- API3:2023 Broken Object Property Level Authorization (BOPLA)
- API4:2023 Unrestricted Resource Consumption
- API5:2023 Broken Function Level Authorization (BFLA)
- API6:2023 Unrestricted Access to Sensitive Business Flows
- API7:2023 Server Side Request Forgery
- API8:2023 Security Misconfiguration
- API9:2023 Improper Inventory Management
- API10:2023 Unsafe Consumption of APIs
Note: BOPLA combines the former Excessive Data Exposure and Mass Assignment categories.
Risk is likelihood multiplied by impact.
For the risk score, the OWASP API Security project team has left impact as a relative value to be determined by the business.
Note that the likelihood of these risks is not taken into account in these scores (see API Security Risks).
The values represent overall exploitability (attack complexity/exploitability, weakness prevalence, weakness detectability, and technical impact).
What are the primary factors that drove the creation of the OWASP API Security Top 10?
- The rapid adoption of web APIs
- A major gap in security and the prevalence of APIs as a leading attack vector
- The ease with which an attacker can exploit a vulnerable API
In the absence of community data contribution, how was the 2023 OWASP API Security Top 10 list compiled?
- Based on internal research using publicly available data such as bug bounty platforms and news
What is the purpose of mapping the OWASP API Security Top 10 risks to external sources like CWE and NIST?
- To provide additional insight and depth into the identified risks
What is the significance of APIs in the modern business landscape?
- APIs allow businesses to use the functionality of other applications without needing to specialize in all aspects of creating software
What is a leading challenge posed by APIs in terms of security?
- Traditional network security monitoring, web application scanners, and vulnerability management programs were not designed to handle the unique challenges that APIs pose