Jun 04, 2023
OWASP's 2023 API Security Top 10 Refines View of API Risks
OWASP’s ranking for the major API security risks in 2023 has been published. The
OWASP's ranking for the major API security risks in 2023 has been published. The list includes many parallels with the 2019 list, some reorganizations/redefinitions, and some new concepts.
By
OWASP's ranking for the major API security risks in 2023 has been published. The list includes many parallels with the 2019 list, some reorganizations/redefinitions, and some new concepts.
Here are the OWASP Top 10 API Security Risks of 2023 and a comparison to the 2019 version:
Neither threats nor risks change drastically over a few years; but they evolve, and our understanding of them equally evolves. This is demonstrated by the 2023 listing – not so much a new list but a refining of the existing list.
The OWASP lists are a collaborative effort. While nobody doubts their value, not everyone – not even those involved – agrees with all the details. Take the removal of excessive data exposure from API3.
"Does this mean we solved sensitive data exposure?" asks Cequence Security's Jason Kent. "No, Sensitive Data Exposure is a huge problem. In the 2023 version of API 3 we are seeing an example of someone taking sensitive data exposure to the next step and breaking through the property level authorization. It isn't a direct replacement because many of the items in the list depend on sensitive data exposure. Is this the right way to present it? I don't think so, it is an example of varying opinions."
At the same time, he praises the name change in API6 for what is fundamentally the same risk. The examples listed remain basically the same: both are for a ride share app and both exploit something in the backend. "There is something subtle about the naming that makes the 2023 one seem like something that needs to be fixed, rather than being nebulous and confusing. It also illustrates our findings on how API security that isn't functioning properly ends up with attack automation being utilized against it."
The main problem with creating an itemized and ordered risk list is the chain of risk. Breaches often start from an API the victim has forgotten (API9). This might provide sensitive user data (API1) prompting the attacker to create a bot to exploit the flaw as far and as fast as possible (touching on API6).
"The new API Top 10 may not be perfect," concludes Kent, "but it does show us exactly what we have known for several years now. The landscape of API security is changing, and organizations need to change with it. Whether it is knowing where your APIs are, testing them for flaws or mitigating bots attacking your unknown flows, API security needs to be a focus for everyone – and this new list is a great place to start."
Related: OWASP Top 10 Updated With Three New Categories
Related: Final Version of 2017 OWASP Top 10 Released
Related: OWASP Proposes New Vulnerabilities for 2017 Top 10
Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.
SecurityWeek's Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.
Securityweek's CISO Forum will address issues and challenges that are top of mind for today's security leaders and what the future looks like as chief defenders of the enterprise.
Staying the course and sticking to strategic goals allows security professionals to steadily and continually improve the security posture of their organization.(Joshua Goldfarb)
If we should face a Dead-End AI future, the cybersecurity industry will continue to rely heavily on traditional approaches, especially human-driven ones. It won't quite be business as usual though.(Oliver Rochford)
When teams have a way to break down enterprise silos and see and understand what is happening, they can improve protection across their increasingly dispersed and diverse environment.(Matt Wilson)
Regardless of the use case your security organization is focused on, you’ll likely waste time and resources and make poor decisions if you don't start with understanding your threat landscape.(Marc Solomon)
Industry standard frameworks and guidelines often lead organizations to believe that deploying more security solutions will result in greater protection against threats.(Torsten George)
Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.
PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.
GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.
Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.
A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.
While there are many routes to application security, bundles that allow security teams to quickly and easily secure applications and affect security posture in...
Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...
Many developers and security people admit to having experienced a breach effected through compromised API credentials.
OWASP's ranking for the major API security risks in 2023 has been published. The list includes many parallels with the 2019 list, some reorganizations/redefinitions, and some new concepts. Related Related Related