OWASP and the API Security Top 10 – A timeline
OWASP is a non-profit, community-oriented foundation committed to advancing software security. Embracing an open, collaborative methodology, OWASP promotes the integration of security at every phase of the software development process. Its resources, used by organizations ranging from small businesses to large corporations and government bodies, are freely available to all, embodying a vision in which everyone has access to better software security.
Recognizing APIs' growing relevance and the vulnerabilities that come with them, OWASP released the first OWASP API Security Top 10 in 2019. APIs are critical in modern software development, but they expose backend data and functionality to third-party users, which makes them attractive targets for cyber-attacks. The OWASP API Security Top 10 highlights the most pressing API threats, helping teams build a safer API environment.
The creation of this list is typically a multi-stage process. The process begins with a thorough risk evaluation based on the OWASP Risk Rating Methodology. This preliminary analysis is then critically assessed by experienced professionals. A draft is created by combining statistical data with professional views to highlight urgent API concerns.
The most recent version of this guide is the OWASP API Security Top 10 2023, which was published in June 2023; it’s a revamped version of its predecessor from 2019. While preserving numerous basic aspects from the previous version, the 2023 update reflects the continuously changing API security environment and includes newly discovered attack paths identified in previous years:
| OWASP API TOP 10 (2019) | OWASP API TOP 10 (2023) |
|---|---|
| API 1: Broken Object Level Authorization | API 1: Broken Object Level Authorization |
| API 2: Broken User Authentication | API 2: Broken Authentication |
| API 3: Excessive Data Exposure | API 3: Broken Object Property Level Authorization |
| API 4: Lack of Resources and Rate Limiting | API 4: Unrestricted Resource Consumption |
| API 5: Broken Function Level Authorization | API 5: Broken Function Level Authorization |
| API 6: Mass Assignment | API 6: Unrestricted Access to Sensitive Business Flows |
| API 7: Security Misconfiguration | API 7: Server Side Request Forgery |
| API 8: Injection | API 8: Security Misconfiguration |
| API 9: Improper Assets Management | API 9: Improper Inventory Management |
| API 10: Insufficient Logging and Monitoring | API 10: Unsafe Consumption of APIs |
Table 3.1 – The evolution of OWASP API Security Top 10 vulnerabilities (white: included in 2019 | red: removed | green: newly added)
As malicious actors increasingly target API business logic, engaging in long-running operations that can last weeks or months, it is critical to understand the major threats affecting today's API ecosystems. Recognizing these threats is a necessary first step in developing mature, comprehensive API security plans. Keep in mind, however, that while the OWASP API Security Top 10 is an excellent guide, it does not cover every API risk.
In the next section of this chapter, we’ll discuss each vulnerability on the list, giving you a fuller picture of each one.