Insights into the New OWASP API Security Top-10 for CISOs

ICYMI, we recently presented A CISO's Guide to the New 2023 OWASP API Security Update. In this first of two planned webinars, Stepan Ilyin and Tim Ebbers provided an overview of what's in and what's out in the planned update and had a lively discussion about how this impacts your API security plans for the foreseeable future.

You can watch the entire webinar on-demand to get the full story.

OWASP API Security Top-10 Comparison

To start with, here’s how the proposed update compares with the current version, which came out back in 2019.

But to paraphrase the immortal Miles Davis, sometimes “It’s not the risks you know, it’s the risks you don’t know.”

What’s Missing?

During the discussion, Stepan and Tim looked at the potential impact of dropping API8:2019 (Injections), which is now folded into API10:2023 (Unsafe Consumption of APIs). Data from our 2022 Year-End API ThreatStats report shows that over 50% of all API vulnerabilities analyzed were traced to almost 30 Injection-related CWEs. In addition to the sheer quantity and variety of Injection vulnerabilities, there's the severity: Injection-related CWEs account for four (4) of the top-5 CWEs seen in 2022, which together make up almost one-quarter (25%) of all vulnerabilities analyzed. We feel this is a big miss.

[BTW, there’s a lively discussion on this in the Issues section which might interest some readers.]

Other areas that we feel need to be considered to fully protect your portfolio include:

  • API Leaks. Not only sensitive end user data like PII, but leaked API secrets such as API tokens, keys, credentials and so on – which can lead to complete and total pwnage.
  • Batching Attacks. A type of brute force attack that abuses the GraphQL batch query feature to perform many operations in a single request – which reduces overall attack complexity and time.
  • Reflection Attacks. A sort of modern, API-enabled version of advanced DDoS attacks of yore, where middleware (which is trusted, automated and blind) is leveraged to attack entities.
  • Technical Modes. Debug parameters such as ?debug=true and other technical flags are often used by API developers – which can lead to unintentional access and potentially malicious activity.
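The Batching Attacks and Technical Modes items above translate directly into request-level checks a gateway or WAF rule can enforce. The following Python is an added example, not code from the webinar or from the page's authors; the operation limit, the technical-flag names, the alias heuristic and the sample requests are all assumptions constructed for illustration.

```python
import json
import re
from dataclasses import dataclass, field

MAX_OPERATIONS_PER_REQUEST = 5  # assumed policy limit per HTTP request; tune per API
TECHNICAL_FLAGS = {"debug", "trace", "verbose"}  # assumed technical-mode parameter names
# Heuristic: an alias looks like 'a1: login(' (identifier, colon, field name, open paren).
ALIAS_RE = re.compile(r"\b[A-Za-z_]\w*\s*:\s*[A-Za-z_]\w*\s*\(")

@dataclass
class Request:
    path: str
    params: dict = field(default_factory=dict)  # parsed query-string parameters
    body: str = ""  # raw JSON body

def count_graphql_operations(body: str) -> int:
    """Count operations in one GraphQL request: a JSON array body is the batch-query
    feature, and a single document can still pack many operations via aliases."""
    data = json.loads(body)
    docs = data if isinstance(data, list) else [data]
    return sum(max(1, len(ALIAS_RE.findall(doc.get("query", "")))) for doc in docs)

def check_request(req: Request) -> list[str]:
    """Return policy findings for one request (empty list means nothing to flag)."""
    findings = []
    flags = TECHNICAL_FLAGS & set(req.params)
    if flags:
        findings.append(f"technical-mode flag(s) {sorted(flags)} on {req.path}")
    if req.path == "/graphql" and req.body:
        ops = count_graphql_operations(req.body)
        if ops > MAX_OPERATIONS_PER_REQUEST:
            findings.append(f"{ops} GraphQL operations in one request (limit {MAX_OPERATIONS_PER_REQUEST})")
    return findings

# Constructed sample traffic: a 50-operation batch, an alias-packed document, a normal query,
# and a REST call carrying a debug flag.
LOGIN = 'mutation { login(user: "admin", pass: "%s") { token } }'
BATCHED = json.dumps([{"query": LOGIN % f"guess{i}"} for i in range(50)])
ALIASED = json.dumps({"query": "mutation { " + " ".join(f'a{i}: login(user: "admin", pass: "g{i}") {{ token }}' for i in range(20)) + " }"})
NORMAL = json.dumps({"query": "query { me { id name } }"})
SAMPLES = [
    Request("/graphql", body=BATCHED),
    Request("/graphql", body=ALIASED),
    Request("/graphql", body=NORMAL),
    Request("/api/v1/orders", params={"debug": "true", "page": "2"}),
]

if __name__ == "__main__":
    for r in SAMPLES:
        print(r.path, check_request(r) or "ok")
```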

This is not to put down the hard work done by so many in coming up with a top-10 list – by necessity some items are not going to make the list, and folks are going to disagree about it. We just want to make sure you don’t lose sight of other issues which our data suggest are important to your API security.

Key Takeaways

So, what should CISOs (and indeed API builders, breakers, defenders, and DevSecOps practitioners) do now? We suggest you consider the following.

  1. The OWASP API Security Top-10 list is a good starting point, but not the be-all and end-all of API security. After all, the API itself is only the start of your issues – you also need to consider your infrastructure, configurations, and operating systems. Indeed, all your system components need to be considered – not just the software that makes up the API, the database that the software is connecting to, or how that database is configured.
  2. While the proposed API Security Top-10 list has changed a bit, we recommend you don't hastily overhaul your existing tools & processes. As we all know, security is a journey, not a destination – so rather than recklessly ripping and replacing, add to what you currently have. Build up your defenses based on your unique and evidence-based needs.
  3. A holistic security approach from Dev testing (“shift left”) to real-time in-line protection (“shield right”) is needed. By bringing both sides together, you can identify which vulnerabilities can be eliminated via your SDLC tools and those that need additional run-time protections.

Next Up

Be sure to register for the 2nd webinar in this series, A Practitioner's Guide to the New 2023 OWASP API Security Update, for an in-depth look at how these changes will impact your API security plans and implementations.
