Issue 58: Broken Object Level Authorization explained, plus practical tips on API security


This week, we continue to look at the upcoming OWASP API Security Top 10, discuss organizational changes that can make companies more secure, check out another security checklist, and list upcoming API security conferences.

API vulnerability explained: Broken Object Level Authorization

Broken Object Level Authorization (BOLA, also known as IDOR, Insecure Direct Object Reference) holds the #1 spot in the OWASP API Security Top 10 as the most common and most severe API vulnerability: the caller is authenticated, but the API never checks that the object requested by ID actually belongs to that caller.

Inon Shkedy has written a brilliant post explaining what BOLA is, how attackers locate and exploit it, and how to prevent it from hitting your APIs. For added convenience, the article is split into sections geared towards different roles: managers, engineers, builders, and breakers, so you can home in on the parts that matter most to you. Highly recommended.
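To make the vulnerability concrete, here is an added example (written for this issue, not code from Inon Shkedy's post or from any real API) of a minimal in-memory "invoices" endpoint: a BOLA-vulnerable handler that only authenticates the caller, a hardened handler that also checks ownership of the object, and the kind of ID-walking probe a breaker uses to find the flaw. The invoices, users and session tokens are constructed sample data, and the choice to answer a non-owned ID with 404 rather than 403 (so the API does not confirm that the object exists) is a design choice of this example, not a requirement from the post.

```python
"""Added example: BOLA/IDOR in a tiny in-memory invoices API.

Not from the newsletter or the linked post; all data below is constructed.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner: str
    amount: float


# Constructed sample data with sequential integer IDs, as many real APIs use.
INVOICES = {
    1001: Invoice(1001, "alice", 120.00),
    1002: Invoice(1002, "bob", 89.50),
    1003: Invoice(1003, "alice", 42.00),
    1004: Invoice(1004, "carol", 999.99),
}

# Constructed session store: token -> authenticated user. Authentication is
# not the problem in BOLA; the caller is logged in but reaches others' objects.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


def authenticate(token):
    """Return the user for a session token, or None if the token is unknown."""
    return SESSIONS.get(token)


def get_invoice_vulnerable(token, invoice_id):
    """BOLA-vulnerable handler: authenticates the caller, then returns any
    invoice by ID without checking that the caller owns it (classic IDOR).
    Returns an (http_status, invoice_or_None) pair."""
    user = authenticate(token)
    if user is None:
        return 401, None
    inv = INVOICES.get(invoice_id)
    if inv is None:
        return 404, None
    return 200, inv


def get_invoice_secure(token, invoice_id):
    """Hardened handler: the ownership check is made on the fetched object,
    in the handler itself, so guessing IDs gains nothing. A non-owned object
    gets 404 (not 403) so the response does not confirm that the ID exists."""
    user = authenticate(token)
    if user is None:
        return 401, None
    inv = INVOICES.get(invoice_id)
    if inv is None or inv.owner != user:
        return 404, None
    return 200, inv


def probe_bola(handler, token, id_range):
    """Breaker's check: with one user's token, walk a range of IDs and report
    those that come back 200 but belong to someone else. Against a correct
    API the list is empty; anything else is a BOLA finding."""
    user = authenticate(token)
    leaked = []
    for invoice_id in id_range:
        status, inv = handler(token, invoice_id)
        if status == 200 and inv.owner != user:
            leaked.append(invoice_id)
    return leaked


if __name__ == "__main__":
    ids = range(1000, 1010)
    print("vulnerable leaks:", probe_bola(get_invoice_vulnerable, "tok-bob", ids))
    print("secure leaks:    ", probe_bola(get_invoice_secure, "tok-bob", ids))
```

Running the probe with Bob's token against the vulnerable handler reports Alice's and Carol's invoices (1001, 1003, 1004); against the hardened handler it reports nothing. In a real code base the `inv.owner != user` check belongs in one shared data-access or authorization layer rather than being repeated by hand in every handler, which is exactly where such checks tend to be forgotten.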

By the way, if you have not yet registered for the live OWASP API Security Top 10 webinar later today, you still have a few hours to do so! Click here to find more information and to register.

Organizations: Structuring your team for security

The German direct bank N26 has published a story on how they have changed their organization, their work culture, and their tools after an API vulnerability in 2016.

They offer insights into concrete actions on roles, teams, processes, and tools that improve security.

Organizational challenges to cybersecurity:

  • Security culture
    • Security champions
    • Threat modeling
    • Work with the community
  • Building security into products
    • Web security
    • Backend security
    • Security engineering
  • Scaling security with organizational growth
    • Product security
    • Infrastructure security
    • Security risk management
    • Trust and safety

This is a high-level article. However, it can be very useful for anyone struggling to build a security culture in their own organization, or wondering how to go about it.

Tools: Security checklist for web developers

Ameya Darshan has compiled a Security Checklist for Web Developers that is very applicable for API security as well.

The list provides lots of great advice on input validation, authentication, transport, headers, and so forth.

Definitely worth checking out and keeping at hand when working on APIs.

Events: API security conference calendar

APISecurity.io now has an events section: a calendar of upcoming conferences related to API security worldwide.

API Security Conference Calendar

If you find that we have missed any events, do let us know.

