OWASP API Security Top 10
This is not the first time we write about the OWASP API Security Top 10, and it won’t be the last. In our “Hunting the OWASP API Security Top 10” article, we gave a quick introduction to this OWASP project and explained our involvement in and contributions to it. Because we keep finding more vulnerable APIs, and more companies reach out to us for API-specific penetration testing assessments, we decided to cover each and every one of the ten most critical API security risks in a series of articles.
What is the OWASP API Security Top 10
The OWASP API Security Top 10 is an open-source document compiled by a group of Open Web Application Security Project (OWASP) volunteers, with contributions from a large number of individuals, that lists the ten most critical API security risks. It was first published in late 2019 and is expected to be updated every three or four years. The primary goal of the project is “to educate those involved in API development and maintenance”.
How does it work
For each risk in the Top 10, the document provides a threat analysis table, the key aspects that help identify whether an API is vulnerable, at least two attack scenarios based on real security incidents, the main measures for preventing the underlying vulnerabilities, and a list of references for further reading. The document closes with two forward-looking sections: one for developers, pointing them to other OWASP resources on topics such as educational content, security requirements, security architecture, standard security controls, and the secure software development life cycle; and another for DevSecOps, covering topics such as threat modeling, the software development life cycle (SDLC), testing strategies, achieving coverage and accuracy, and how to properly communicate findings.
How to use it
The best way to use this document inside an organization is to share it with the teams and promote round tables to discuss each of the Top 10 risks. Discussions can be held at either a high level or a technical level, depending on the participants' roles and profiles. We, at Char49, believe that for technical people such as developers, discussing the OWASP API Security Top 10 should be complemented with hands-on sessions in which the vulnerabilities are exploited. In our experience, this is what most raises security awareness when writing code. Running an internal Capture the Flag game, or simply exploiting the vulnerabilities in a deliberately vulnerable “goat” API, should do it.
What’s Next
In the following weeks, you should expect new articles on API security: we aim to publish them periodically, roughly every two weeks. Each article will discuss a single API risk from the OWASP API Security Top 10 2019, providing insights based on what we have recently found in the wild. In the meantime, the talk “API (in)Security TOP 10: Guided tour to the Wild Wild World” by our COO David Sopas and Paulo Silva should be a great sneak peek.