Issue 34: OWASP launches API Security Top 10 project


This week, OWASP launched their Top 10 project for API Security. We also look at the changing landscape of OAuth 2.0 security, and the use of Postman and Burp for API penetration testing.

OWASP API Top 10

The Open Web Application Security Project (OWASP) has long been popular for their Top 10 of web application security risks. Now they are extending their efforts to API Security.

Here’s what the Top 10 API Security Risks look like in the current draft:

  1. Broken Object Level Access Control
  2. Broken Authentication
  3. Improper Data Filtering
  4. Lack of Resources and Rate Limiting
  5. Missing Function/Resource Level Access Control
  6. Mass Assignment
  7. Security Misconfiguration
  8. Injection
  9. Improper Assets Management
  10. Insufficient Logging and Monitoring

The goal is to release version one of the document by the end of 2019.

OAuth 2.0 Security Reinforced

OAuth 2.0 and OpenID Connect have become cornerstones of API Security. However, the technology and the threat landscape have changed a lot since the adoption of RFC 6749 in 2012.

Torsten Lodderstedt has covered the key changes and new security best practices in his recent talk at EIC 2019. Please find his slide deck here: “OAuth 2.0 Security Reinforced”.

Tools

Mic Whitehorn-Gillam is doing a series of tutorials on API penetration testing with Postman & Burp.

Opinions

Alissa Knight from Aite Group has published a write-up on API Security:

  • API adoption has grown fast. REST APIs have taken the world by storm.
  • This led to the rise of API breaches. Legacy technologies such as Web Application Firewalls (WAF) do not help.
  • Poor API key management and poor handling of API contracts are some of the major factors that companies need to mitigate.
