The OWASP API Security Top 10 Has Been Updated – How Are Companies Reacting?

Published 8 August 2023

The OWASP API Security Project released an updated version of the OWASP Top 10 for APIs last month. In the years since the first edition was published in 2019, API security has risen to become arguably the most pressing area of focus for CISOs and Heads of Application Security today. Certainly, at 42Crunch we have seen increased customer demand across all industry verticals, and the rate of uptake of our developer-friendly API security tools continues to increase, with over 850,000 downloads to date.

In last week’s webinar on the new 2023 list of API security vulnerabilities, Colin Domoney examined the changes made to the latest list, discussed what the implications of these developments might be for enterprises, and explored specifically how 42Crunch can help remediate these threats.

He also posed several questions to the audience of cybersecurity architects, API developers and DevSecOps practitioners. The results are presented below and will undoubtedly help to further focus security practitioners’ minds on the issues that matter most.

Something Old, Something New

There has been some movement in and out of the Top 10 listing this year: authentication and authorization remain at the top, new items addressing scalping, fake account creation and server-side request forgery have been added, and some more general, non-API-specific threats have moved out.

A new item called “Unrestricted Access to Sensitive Business Flows” has been added to address the prevalence of bots accessing APIs. It is essential to identify sensitive business flows in order to shield them against bot-based attacks. This reinforces, if reinforcement were needed, the importance of not only secure coding but also secure planning and design when building a new application.

Earlier this year we hosted a webinar with Jim Manico investigating Server-Side Request Forgery (SSRF), as we had identified a trend of more SSRF-driven attacks on API-based applications. The OWASP Foundation was obviously on the same wavelength, as SSRF comes straight in at No. 7 this year.

Whilst Injection and Insufficient Logging and Monitoring have dropped out of this year’s Top 10 listing, this does not mean they have disappeared as legitimate threats. Rather, they belong to categories that apply broadly across the security spectrum and are not API-specific. The rationale underlying this year’s additions is that each listed vulnerability should have a more API-centric focus.

No. 1 Concern

API-based applications are increasingly complex, with thousands of endpoints and user hierarchies. Consequently, authentication and authorization are now arguably the biggest challenge for API security, and it’s no surprise that 4 out of the top 5 items relate to these areas. The polling question we put to our audience reinforces this observation: our poll showed that Broken Authentication is the number one concern for enterprises today.

Upstream Provider Visibility

We also surveyed the audience on their oversight of their upstream API providers’ security postures. Nearly 50% of firms admitted to having “no idea” of the security stance of their providers, which should set alarm bells ringing among all security teams. As companies seek to protect their own internal and externally exposed APIs, they also need to be confident that their partner providers are applying the same level of diligence to the services they expose for third-party consumption.

Conclusion

It would seem that companies are increasingly sensitive to the need to strengthen their API security defenses, and that the OWASP API Top 10 listing helps advance the industry’s understanding of those challenges. However, as evidenced by the results of the question we posed to the audience, there is still room for improvement. Much done, much to do!

Webinar: Something Old, Something New – OWASP API Security Top 10 in 2023