Over the past several months, we've taken a journey through the new 2023 OWASP API Security Top-10 list. In the previous 12 weekly posts, we've delved into each category, discussed what it is, how it's exploited, why it matters, and suggested effective protections for each. Now, as we conclude this series, it's time to summarize and offer some practical guidance for security practitioners looking to bolster API security in their organizations.
Here is the long and the short of our series: brief summaries of the key “What Can You Do About It” takeaways for each vulnerability in the 2023 OWASP API Security Top-10 list. Rest assured there’s more in each one, so follow the links to get more details.
- API1:2023 (Broken Object Level Authorization): To address BOLA, detect vulnerabilities in both development and production, and consider using an inline API security tool to block attacks, especially when immediate code fixes are challenging. [Risk Rating = 6.0]
- API2:2023 (Broken Authentication): Start with detective controls to catch and block attacks, assess API vulnerabilities, prioritize high-risk ones, and work on fixes. If you don't control the app, collaborate with vendors with evidence and priorities. [Risk Rating = 8.0]
- API3:2023 (Broken Object Property Level Authorization): Identify vulnerable API endpoints, instruct developers to fix issues, and report third-party vulnerabilities. An inline API security tool can provide protection when quick fixes aren't feasible. [Risk Rating = 5.3]
- API4:2023 (Unrestricted Resource Consumption): Create a threat model for resource consumption, set external limits, and make risk mitigation decisions even without direct control over application code. [Risk Rating = 8.0]
- API5:2023 (Broken Function Level Authorization): Restrict function access in the code, maintain good API hygiene, and consider monitoring and blocking tools for better mitigation. [Risk Rating = 8.0]
- API6:2023 (Unrestricted Access to Sensitive Business Flows): Understand your business flows, use automated tools sparingly, employ blunt-force approaches, and maintain good API governance. [Risk Rating = 5.3]
- API7:2023 (Server Side Request Forgery): Ideally, restrict at the resource-fetching mechanism. If not, apply controls at the network or application layer, or use a dedicated tool to block SSRF attacks. [Risk Rating = 5.3]
- API8:2023 (Security Misconfiguration): Implement good security governance, create API specifications, and prioritize where to apply resources to eliminate misconfigurations. [Risk Rating = 9.0]
- API9:2023 (Improper Inventory Management): Begin with API discovery for better documentation, build API specifications into your development process, and request them from vendors to manage inventory properly. [Risk Rating = 5.3]
- API10:2023 (Unsafe Consumption of APIs): For APIs you control, implement best practices and evaluate against a checklist. For third-party APIs, validate their compliance with your checklist and establish a response plan for non-compliance. [Risk Rating = 7.0]
- Injection (formerly API8:2019): Injection attacks remain the most dangerous threat for APIs. Be especially aware of their risk and take proactive measures to prevent them. [Risk Rating = 9.0]
Some Additional Practical Considerations
The API threat landscape is rapidly evolving. API vulnerabilities and attacks are a significant and growing concern for organizations. Here are some thoughts on how to position your organization for long-term success in this hostile environment.
- Educate Your Team: Training and awareness are key. Invest in API security training for your development and operations teams. Ensure everyone understands their role in maintaining a secure API environment.
- Incident Response Plan: Make sure your incident response plan is API ready. Be prepared to react swiftly in the event of a security breach, minimizing potential damage.
- Third-party Dependencies: Assess and monitor third-party dependencies and integrations. Ensure that the APIs you rely on are secure and regularly updated. If for whatever reason this is not possible, ensure you have real-time API threat detection and response capabilities in place.
- Compliance and Regulations: Stay informed about relevant data protection regulations and industry standards. Ensure that your API security practices align with these requirements. And as noted in our recent NIST CSF 2.0 webinar, don’t let perfect be the enemy of getting started and making incremental progress.
- Continuous Improvement: API security is an ongoing process. Regularly review and update your security measures as new threats emerge and your API landscape evolves. Incorporate real-time attack and vulnerability data from your API security tools into your CI/CD pipeline.
The 2023 OWASP API Security Top-10 list provides a comprehensive framework for securing your APIs. By following the principles outlined in this series and implementing the practical considerations for improvement, you can significantly enhance your organization's API security posture. Remember, API security is not a one-time effort but an ongoing commitment to protecting your customer data, digital assets, and internal operations.
We invite you to download our 2023 OWASP API Security Top-10 Reference Guide to help you understand what’s changed from the 1st edition released in 2019, what’s stayed the same, and what’s missing. We also provide useful guideposts for you to assess how each will impact your situation, and some tools to help build up your API security program.
Thank you for joining us on this journey through the new OWASP APIsec Top-10 list. We encourage you to stay vigilant, adapt to evolving threats, and make API security a top priority in your organization – and of course, let us know how we can help you on your own journey to better API security.