Last week, a new OWASP project was launched at the Global AppSec conference in Tel Aviv: the API Security Top10 list. The project information and initial Top10 list were presented by Erez Yalon (Checkmarx) and Inon Shkedy and you can find the presentation PDF here.
We have also created an OWASP API Security Top 10 Cheat Sheet that you may download here.
The initial list is:
- A1: Broken Object Level Access Control
- A2: Broken Authentication
- A3: Improper Data Filtering
- A4: Lack of Resources & Rate Limiting
- A5: Missing Function/Resource Level Access Control
- A6: Mass Assignment
- A7: Security Misconfiguration
- A8: Injection
- A9: Improper Assets Management
- A10: Insufficient Logging & Monitoring
Back in 2017, the standard OWASP Top10 list was updated and references to APIs were added to all but one entry. This new project recognizes two things:
- The crucial role APIs play in application architecture today, and therefore application security
- The emergence of API-specific issues that need to be on the security radar.
We are certainly aware of the role of APIs have played in attacks in the last 18 months: since we launched the apisecurity.io community site last October, we have pushed more than 150 news related to breaches via APIs!
We are looking forward to our continued participation in this project and helping developers and companies become more aware of security issues brought by APIs.
Below you can view the latest OWASP API Security Top 10 webinar presented by 42Crunch.