BLOG

The OWASP API Security Top 10 Has Been Updated – How Are Companies Reacting?

The OWASP API Security Project released an updated version of the OWASP Top 10 for APIs last month. In the intervening years since the first edition was published in 2019 API security has risen to become arguably the most pressing area of focus for CISOs and Heads of Application Security today. Certainly, at 42Crunch we have seen increased customer demand across all industry verticals and indeed the rate of uptake of our developer-friendly API security tools continues to increase with over 850,000 downloads to date.

In last week’s webinar on the new 2023 list of API Security vulnerabilities, Colin Domoney examined the changes made to the latest list of API Security vulnerabilities, discussed what the implications of these developments might be for enterprises and explored specifically how 42Crunch can help remediate these threats.

He also posed several questions to the audience of cybersecurity architects, API developers and DevSecOps folks, the results of which are presented below and undoubtedly will help to further focus security practitioners’ minds on the issues that matter most.

Something Old, Something New

There has been some movement in and out of the Top 10 listing this year with authentication and authorization remaining at the top, new items to address scalping and fake account creation and server-side request forgery being added and some more general, non-API specific threats moving out.

A new item called “Unrestricted Access to Sensitive Business Flows” has been added to manage the prevalence of bots accessing APIs. It is essential to identify sensitive business flows in order to shield them against bot-based attacks. This reinforces the need to highlight – if it were needed – the importance of not only secure coding but also secure planning and design when building a new application.

Earlier this year we hosted a webinar with Jim Manico investigating Server-Side Request Forgery (SSRF) as we had identified a trend of more SSRF driven attacks on API-based applications. The OWASP Foundation was obviously on the same wavelength as it comes straight in at No. 7 this year

Whilst Injection and insufficient logging and monitoring have dropped out of this year’s Top 10 listing it does not mean they have disappeared as legitimate threats. Rather they belong to categories that apply broadly across the security spectrum and are not just API-specific. The rationale underlying this year’s additions is that the vulnerability should have a more API-centric focus.

 

 

 

 

 

 

 

 

 

 

 

No. 1 Concern

API-based applications are increasingly complex with thousands of endpoints and user hierarchies. Consequently, authentication and authorization are now arguably the biggest challenge for API security, and it’s no surprise that 4 out of the top 5 items are related to these areas. The polling question we put to our audience reinforces this observation. Our poll showed that Broken Authentication is the number one concern for enterprises today.

 

Upstream Provider Visibility

We also surveyed the audience on their oversight of their upstream API providers’ security postures.   Nearly 50% of firms admitted to having “no idea” as to the security stance of their providers which should set alarm bells ringing amongst all security teams. As companies seek to protect their own internal and externally exposed APIs, they also need to be confident that their partner providers are applying the same level of diligence to services they expose for third-party consumption.

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Conclusion

It would seem that companies are increasingly sensitive of the need to strengthen their API security defenses and that the OWASP API Top 10 listing helps advance the industry’s understanding of those challenges. However, as evidenced by the results of the question we posed to the audience, there is still room for improvement. Much done, much to do!

 

Something Old, Something New – OWASP API Security Top 10 in 2023

Latest Resources

WEBINAR

Mitigate OWASP API risks through security-by-design

Learn best practices and mitigation steps for some of the OWASP API vulnerabilities through this 42Crunch API security best practice webinar

NEWS

VicOne Partners with 42Crunch to Deliver Uniquely Comprehensive Security Across SDV and Connected-Vehicle Ecosystem

By Newsdesk | May 29, 2024

Collaboration pairs leaders in API and automotive cybersecurity to enable broad protection as attacks on automotive APIs climb within and among vehicle, cloud and mobile  DALLAS and TOKYO, May 29, 2024—VicOne, an automotive cybersecurity solutions leader, today announced a partnership with 42Crunch  to enhance the security of application programming […]

DataSheet

APIs are the core building block of every enterprise’s digital strategy, yet they are also the number one attack surface for hackers. 42Crunch makes developers’ and security practitioners' lives easier by protecting APIs, with a platform that automates security into the API development pipeline and gives full oversight of security policy enforcement at every stage of the API lifecycle.

WEBINAR

Mitigate OWASP API risks through security-by-design

Learn best practices and mitigation steps for some of the OWASP API vulnerabilities through this 42Crunch API security best practice webinar

NEWS

VicOne Partners with 42Crunch to Deliver Uniquely Comprehensive Security Across SDV and Connected-Vehicle Ecosystem

By Newsdesk | May 29, 2024

Collaboration pairs leaders in API and automotive cybersecurity to enable broad protection as attacks on automotive APIs climb within and among vehicle, cloud and mobile  DALLAS and TOKYO, May 29, 2024—VicOne, an automotive cybersecurity solutions leader, today announced a partnership with 42Crunch  to enhance the security of application programming […]

DataSheet

Datasheet Cover Images P1-02

Product Datasheet Addressing API Security Challenges

APIs are the core building block of every enterprise’s digital strategy, yet they are also the number one attack surface for hackers. 42Crunch makes developers’ and security practitioners' lives easier by protecting APIs, with a platform that automates security into the API development pipeline and gives full oversight of security policy enforcement at every stage of the API lifecycle.

Ready to Learn More?

Developer-first solution for delivering API security as code.