Thoughts on The New 2023 OWASP API Security Top 10 Release

The Open Web Application Security Project (OWASP) has released its updated API Top 10 for 2023. This is a list of the top 10 security risks that organizations face when developing and using APIs. The new list includes some significant changes from the 2019 edition, and it reflects the increasing importance of API security.

2023 OWASP API Top 10 Changes

There are a number of significant changes between the 2019 and 2023 editions of the OWASP API Top 10. Some of the most notable changes include:

  • Injection vulnerabilities have been removed: Injection vulnerabilities, such as SQL injection and XSS, were previously ranked 1st and 3rd in the 2019 edition. However, these vulnerabilities are now considered to be more of a general software development issue than a specific API security issue. Therefore, they have been removed from the top 10.
  • Insufficient logging and monitoring has been removed: Insufficient logging and monitoring was previously ranked 2nd in the 2019 edition. However, this vulnerability is now considered to be a broader issue that affects all types of software, not just APIs. Therefore, it has been removed from the top 10.
  • Unrestricted Access to Sensitive Business Flows has been added: This category is new to the 2023 edition and is ranked 9th. It covers vulnerabilities that arise from the way that APIs are designed and implemented. For example, if an API does not properly restrict access to sensitive business flows, attackers could exploit this vulnerability to gain unauthorized access to sensitive data or resources.
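As an added illustration of the "restrict access to sensitive business flows" point above (example code written for this edit, not from the original post, Impart Security or OWASP): a velocity guard that budgets how often one identity can drive a flagged flow, flags the identity once the budget is spent, and leaves ordinary flows untouched. The flow names, limits and traffic are constructed.

```python
"""Hypothetical velocity guard for a sensitive business flow (e.g. checkout).

Constructed example, not Impart Security's or OWASP's code. It counts how often
one identity invokes a flagged flow inside a sliding window and denies the call
(and records the identity for review) once the per-identity budget is exhausted.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Optional
import time


@dataclass
class FlowPolicy:
    max_calls: int          # calls allowed per identity within the window
    window_seconds: float


@dataclass
class BusinessFlowGuard:
    # policies maps a flow name to its budget; flows without a policy are unrestricted
    policies: dict = field(default_factory=dict)
    _history: dict = field(default_factory=lambda: defaultdict(deque))
    _flagged: set = field(default_factory=set)

    def check(self, identity: str, flow: str, now: Optional[float] = None) -> bool:
        """Return True if the call is allowed, False if the flow budget is spent."""
        policy = self.policies.get(flow)
        if policy is None:          # not a sensitive flow: no velocity limit applies
            return True
        now = time.monotonic() if now is None else now
        calls = self._history[(identity, flow)]
        # drop timestamps that have fallen out of the sliding window
        while calls and now - calls[0] >= policy.window_seconds:
            calls.popleft()
        if len(calls) >= policy.max_calls:
            self._flagged.add((identity, flow))   # surface to monitoring / review
            return False
        calls.append(now)
        return True

    def flagged(self) -> set:
        return set(self._flagged)


def demo():
    """Constructed traffic: 'shopper' checks out 3 times in a minute, 'bot' 50 times."""
    guard = BusinessFlowGuard(policies={"checkout": FlowPolicy(max_calls=5, window_seconds=60)})
    results = [guard.check("shopper", "checkout", now=float(t)) for t in (0, 20, 40)]
    results += [guard.check("bot", "checkout", now=float(t)) for t in range(50)]
    results.append(guard.check("bot", "browse_catalogue", now=50.0))  # unrestricted flow
    return results, guard.flagged()
```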

OWASP API Top 10 2023 vs 2019

[Figure: comparison of the OWASP API Top 10, 2023 vs 2019]

My Thoughts on the OWASP API Top 10 2023 release

My take is that the 2023 edition represents an incremental improvement over its 2019 predecessor. While it may not introduce groundbreaking changes, it brings some crucial updates to the forefront. Notably, the new list introduces a fresh risk category known as “Insecure Design.” This addition emphasizes the significance of incorporating security considerations into the very design of APIs.

The top seven issues outlined in the new OWASP API Top 10 list, though they are the same as in the 2019 edition, remain highly relevant and should not be overlooked. Organizations that neglect these risks expose themselves to potential data breaches, financial losses, and various other negative consequences. It is vital for companies to address these risks head-on through comprehensive security measures and proactive risk mitigation strategies.

Industry Implications of the OWASP API Top 10 2023 release

The changes to the OWASP API Top 10 have a number of implications for the industry. First, they highlight the increasing importance of API security and the broader recognition of it as a standalone security category.

Second, the changes to the list reflect the fact that the API security market is maturing. This means that being able to detect OWASP API Top 10 issues isn’t good enough anymore – CISOs need to be able to detect these issues and turn those findings into tangible improvements in their security program, either by quickly remediating vulnerabilities or by mitigating attacks and breaches.

Solutions that provide visibility and alerts, but don’t actually solve problems for CISOs, are going to fall by the wayside and be replaced by solutions that can check items off the CISO “jobs to be done” list.

Executing an API Security Program

In the end, success in API security isn’t about being able to find the top 10 risks. It’s about being able to successfully implement an API security program that systematically and continuously improves your security posture.

Here are some ways to get started:

  1. Understand the risks. The first step is to understand the risks that APIs pose to your organization. The OWASP API Top 10 is a good resource for this.
  2. Assess your current security posture. Once you understand the risks, you need to assess your current security posture. This includes identifying the APIs that your organization uses, the sensitive data that is accessed by APIs, and the security controls that are in place to protect APIs.
  3. Develop a plan to address the risks. Once you have assessed your current security posture, you need to develop a plan to address the risks. This plan should include specific steps that will be taken to implement security controls, monitor APIs for suspicious activity, and respond to security incidents.
  4. Implement the plan. Once you have developed a plan, you need to implement it. This includes allocating resources, training employees, and making changes to your processes.
  5. Monitor and improve. Once you have implemented the plan, you need to monitor it to ensure that it is effective. You should also regularly review the plan and make changes as needed.

Conclusion

The OWASP API Top 10 for 2023 is a valuable resource for CISOs who are looking to secure their organizations’ APIs. The list provides a comprehensive overview of the most critical security risks that organizations face when developing and using APIs. By understanding these risks and implementing appropriate controls, CISOs can help to protect their organizations from attack.

*** This is a Security Bloggers Network syndicated blog from Impart Security authored by Brian Joe. Read the original post at: https://www.impart.security/post/2023-edition-of-owasp-api-top-10-is-out