The top 10 API security risks OWASP list for 2023

All tiers of a web application, the user interface, the business logic, the controller, the database code and more – all need to be developed with security in mind. The languages and frameworks that developers use to build web applications are often lacking critical core controls or are insecure by default in some way. It is also very rare when organizations provide developers with prescriptive requirements that guide them down the path of secure software. And even when they do, there may be security flaws inherent in the requirements and designs. When it comes to software, developers are often set up to lose the security game. Shifting Security Left begins by making it easy for engineers to write secure code and difficult for them to make dangerous mistakes, wiring secure defaults into their templates and frameworks, and building in the proactive controls listed previously.

The Open Web Application Security Project (OWASP) offers the cybersecurity community a tremendous amount of valuable guidance, like its Application Security Verification Standard (ASVS). Now at Version 4, the ASVS addresses many of the coverage and repeatability concerns inherent in web application testing based on the popular OWASP Top 10 Proactive Controls list. If you’ve been using the OWASP Top 10 as application testing guidance, owasp proactive controls how best to transition to the much more comprehensive ASVS? What better way to answer these key questions than to ask the people who create the guidance? That’s why The Virtual CISO Podcast featured Daniel Cuthbert, ASVS project leader and co-author. Hosting this episode, as always, is Pivot Point Security’s CISO and Managing Partner, John Verry, who brings considerable OWASP Top 10 and ASVS usage experience to the table himself.

OWASP

In the first blog post of this series, I’ll show you how to set the stage by clearly defining the security requirements and standards of your application. You’ll learn about the OWASP ASVS project, which contains hundreds of already classified security requirements that will help you identify and set the security requirements for your own project. This approach is suitable for adoption by all developers, even those who are new to software security. The longer vulnerabilities are exposed, the more likely the system will be, or has already been, attacked.

• Etsy, a successful online crafts marketplace, is famous for its Continuous Deployment model, where engineers (and managers and even pets) push changes out 50 times or more every day.
• The source of this issue can vary, and it can be the result of a lack of proper documentation for APIs (which is very common amongst all API practitioners) as well as fast development cycles using CI/CD and similar methodologies.
• Entirely new vulnerability categories such as XS Leaks will probably never make it to these lists, but that doesn’t mean you shouldn’t care about them.
• This category appears across all business sectors, and each attack will be entirely unique for each environment and each business logic.
• One example of a failure involves using untrusted software in a build pipeline to generate a software release.
• In this post, you’ll learn more about the different types of access control and the main pitfalls to avoid.

We’re proud to see so much of the Salt input reflected in the verbiage, ranking, and examples in the current draft. We will keep you updated as the process moves forward, and we look forward to working through the industry’s broader comments and using them to strengthen this foundational security framework. Although not exclusive to this category, API-based supply-chain attacks serve as a good example of this category's danger.

OWASP Top 10 Proactive Controls 2018

A risky crypto algorithm may be one that was created years ago, and the speed of modern computing has caught up with the algorithm, making it possible to be broken using modern computing power. A hard-coded or default password is a single password, added to the source code, and deployed to wherever the application is executing. With a default password, if attackers learn of the password, they are able to access all running instances of the application.

Dive in for free with a 10-day trial of the O’Reilly learning platform—then explore all the other resources our members count on to build skills and solve problems every day. Get Mark Richards’s Software Architecture Patterns ebook to better understand how to design components—and how they should interact. The speed at which DevOps moves can seem scary to infosec analysts and auditors. But security can take advantage of the speed of delivery to respond quickly to security threats and deal with vulnerabilities.

Unrestricted access to sensitive business flows

Securing APIs requires a holistic approach that covers everything from authentication and authorization to access control and resource management. By taking the necessary steps to ensure your API and adopting best security practices, you can protect your applications and data from potential attacks while benefiting from the advantages of a robust API-driven architecture. Unsafe consumption of APIs occurs when an application fails to validate, filter or sanitize the data it receives from external APIs.

• The input is interpreted as a command, processed, and performs an action at the attacker’s control.
• Incident logs are essential to forensic analysis and incident response investigations, but they’re also a useful way to identify bugs and potential abuse patterns.
• With a default password, if attackers learn of the password, they are able to access all running instances of the application.
• Access Control involves the process of granting or denying access request to the application, a user, program, or process.
• The Optus breach is a perfect example of this category, in which Optus, the second largest telecom company in Australia, exposed more than 11.2 million customer records with dozens of PIIs due to a “forgotten” API exposed to the public.
• This helps to build relationships, and builds visibility into design and early stage decisions—when security matters most.
• By taking the necessary steps to ensure your API and adopting best security practices, you can protect your applications and data from potential attacks while benefiting from the advantages of a robust API-driven architecture.

In this research, our Salt Lab researchers were able to gain access to the internal network resources of a giant Lego-owned website, thus potentially compromising the entire perimeter defense mechanisms supported by this famous web service. Security issues arise when authentication protocols are not strong enough or properly executed. Authentication weaknesses can manifest themselves in several ways, including but not limited to poor password creation best practices, compromised password storage systems and vulnerabilities within the token-based authentication framework.

Publications and resources

A new and very appropriate category that has been added to the 2023 API Top 10 list is Server Side Request Forgery (“SSRF”).SSRF happens when a user-controlled URL is passed over an API and is honored and processed by the back-end server. If the back-end server attempts to connect to the user-supplied URL, the door for SSRF is immediately open, and the risk for the environment becomes real. Some very common attack scenarios related to this category will be scenarios in which an attacker can find a “weak” endpoint or API and abuse it. Examples of weak endpoints include testing or development APIs that are mistakenly exposed to the public and might not include all the security measures incorporated into the production APIs. In authentication cases – as opposed to authorization cases – many more standard (and less standard) options exist to perform the function. Due to the sensitivity of the authentication flow, any minor issue in this process might have severe impacts in terms of security, and each authentication method introduces its own set of possible issues, making their protection a very complex task.