
Position Paper

Developer Guide to the 2023 OWASP Top 10 for API Security

Table of Contents
Developer Guide to the 2023 OWASP Top 10 for API Security
API Security Cheat Sheet
Definitions
API1:2023—Broken Object Level Authorization
API2:2023—Broken Authentication
API3:2023—Broken Object Property Level Authorization
API4:2023—Unrestricted Resource Consumption
API5:2023—Broken Function Level Authorization
API6:2023—Unrestricted Access to Sensitive Business Flows
API7:2023—Server Side Request Forgery
API8:2023—Security Misconfiguration
API9:2023—Improper Inventory Management
API10:2023—Unsafe Consumption of APIs
The API Security Top-10 Is Not Sufficient!
Conclusion
Where to Go Next
Developer Guide to the 2023 OWASP Top 10 for API Security

As companies have adopted cloud-native infrastructure and DevOps-style methodologies, Web application programming interfaces, or APIs, have proliferated. Some of the most popular public APIs include those that allow developers to access Google Search, scrape data from TikTok, track vehicles, gather sports scores, and collect data on image downloads from popular sites.1 In 2023, API-related traffic accounts for 58% of all dynamic—defined as non-cacheable—traffic, up from 54% at the end of 2021.2

APIs have become the way for enterprise applications to communicate and integrate with each other as well. Companies use about two-thirds of their APIs (64%) to connect their applications to partners, while about half (51%) are access points to microservices. Overall, more than three-quarters of firms use an average of at least 25 APIs per application.3

The adoption of API-based application infrastructure should come as no surprise: Companies that adopt APIs to attract third-party developers and create ecosystems see increased growth. These “inverted firms”—so called because they flip the traditional concepts of creating barriers around technologies and allow open access to some capabilities and data—grew by nearly 13% over two years, and 39% over 16 years, compared to firms who did not adopt APIs, according to a 2022 paper by researchers at Chapman University and Boston University.4

With the adoption of microservices, containerization, and APIs, however, comes a variety of risks, such as insecure software components, poor business logic, and flawed data security. Nine-in-ten organizations (92%) have suffered at least one security incident related to insecure APIs.5 Large companies typically have thousands of APIs, and attacks on those systems account for about 20% of security incidents, while smaller companies have hundreds of APIs whose smaller attack surface accounts for 5% of security incidents.6 Annual losses due to breaches caused by API vulnerabilities exceed $40 billion globally, according to an estimate by Marsh McLennan.7

The problem is so serious that the US National Security Agency teamed up with the Australian Cyber Security Centre (ACSC) and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to offer guidance on API security issues, especially the most common, known as insecure direct object reference (IDOR) vulnerabilities.8

Unsurprisingly, against this backdrop of burgeoning security concerns, the Open Worldwide Application Security Project (OWASP) released an update to its API Security Top-10 list.

__________
1. Arellano, Kelly. “The Top 50 Most Popular APIs.” RapidAPI Blog. RapidAPI. Web Page. 16 March 2023. https://rapidapi.com/blog/most-popular-api/.
2. Tremante, Michael, et al. “Application Security Report: Q2 2023.” Cloudflare Blog. Cloudflare. Blog post. 21 Aug 2023. https://blog.cloudflare.com/application-security-report-q2-2023/.
3. Marks, Melinda. “Securing the API Attack Surface.” Enterprise Strategy Group. Sponsored by Palo Alto Networks. PDF Report, p. 10. 23 May 2023. www.paloaltonetworks.com/resources/research/api-security-statistics-report.
4. Benzell, Seth G., et al. “How APIs Create Growth by Inverting the Firm.” Social Science Research Network. Research Paper. Revised: 30 Dec 2022. https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3432591.
5. “Securing the API Attack Surface.” Enterprise Strategy Group, p. 14.
6. Lemos, Robert. “API Security Losses Total Billions, But It’s Complicated.” Dark Reading. News Article. 30 June 2022. www.darkreading.com/application-security/api-security-losses-billions-complicated.
7. Marsh McLennan. “Quantifying the Cost of API Insecurity.” Sponsored by Imperva. PDF Report. 22 June 2022. www.imperva.com/resources/reports/Imperva-Marsh-McLennan-Report-2022.pdf.
8. “New Cybersecurity Advisory Warns About Web Application Vulnerabilities.” National Security Agency. Press Release. 27 July 2023. www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/3473830/new-cybersecurity-advisory-warns-about-web-application-vulnerabilities/.


Refreshing its inaugural 2019 list, the 2023 API Security Top-10 list highlights the ten most common and serious security risks created when developing applications that expose or use APIs. Issues such as Broken Object-Level Authorization, a superset that includes IDOR vulnerabilities, remain the same from the prior list. Yet, new categories—or reorganized categories—now highlight issues overlooked in the past, such as Server-Side Request Forgery (API7:2023) and Unrestricted Access to Sensitive Business Flows (API6:2023).

“By nature, APIs expose application logic and sensitive data such as Personally Identifiable Information (PII) and because of this, APIs have increasingly become a target for attackers,” the OWASP group stated in its announcement.9 “Without secure APIs, rapid innovation would be impossible.”

API Security Cheat Sheet

OWASP Top 10 Category | Fortify/Cybersecurity Solution
1. Broken Object Level Authorization | SAST
2. Broken Authentication | SAST, DAST
3. Broken Object Property Level Authorization | SAST, DAST
4. Unrestricted Resource Consumption | SAST, DAST, Secure API Manager
5. Broken Function Level Authorization | SAST
6. Unrestricted Access to Sensitive Business Flows | DAST
7. Server Side Request Forgery | DAST
8. Security Misconfiguration | SAST, DAST
9. Improper Inventory Management | Secure API Manager
10. Unsafe Consumption of APIs | SCA, SAST

__________
9. Open Worldwide Application Security Project. “OWASP API Security Top 10: Forward.” OWASP.org. Web Page. 3 July 2023. https://owasp.org/API-Security/editions/2023/en/0x02-foreword/.


Definitions
API Endpoint—The point of communication between two systems, typically a URL of a container or server running a microservice. Using a URL, an application or developer can request information from the server or execute an action on the API server or microservice.

API-Related Traffic—Internet traffic that consists of an HTTP or HTTPS request and has a response content of XML or JSON, indicating that data is being passed to an application, usually through SOAP, WSDL, a REST API, or gRPC (see below).

Dynamic Application Security Testing (DAST)—The process of analyzing an application or API server by using the interface, whether the user interface for an application, a web front end for a web application, or URLs for API endpoints. A type of black-box testing, this approach evaluates an application from the “outside in” by attacking an application in the same way as an attacker, usually without knowledge of internal processes.

Static Application Security Testing (SAST)—An approach to application security that scans the source, binary or byte code for recognized patterns of errors or vulnerabilities. Sometimes referred to as white-box testing, SAST uses an “inside-out” approach that identifies potential vulnerabilities and errors that may, or may not, be exploitable by an external attacker. Lightweight static tools can provide real-time feedback to developers in their IDE.

SOAP/WSDL—An XML-based protocol for creating Web APIs. SOAP is the protocol itself and WSDL (Web Service Definition Language) is the format used to formally describe services. Due to the heavy overhead, this API style has become unpopular for new developments.

REST—A Web API style that involves exchanging messages directly over HTTP, using the semantics of HTTP URLs and verbs, without using an additional “envelope”. The content is usually encoded as JSON, although in some cases it is XML.

GraphQL—A query language designed to be used in APIs (with requests and responses in JSON), together with server-side runtimes to execute these queries. It allows clients to define the structure of data they need and then receive this from the server in that format.

gRPC—An API protocol that offers higher performance than REST. It uses HTTP/2 and the performance advantages that offers over HTTP/1.1. The format of the individual messages is usually binary and based on ProtoBuf, again creating performance advantages over REST and SOAP.


2023 API Security Top 10 | Analogous 2019 API Security Entry
API1:2023—Broken Object Level Authorization | API1:2019—Broken Object Level Authorization
API2:2023—Broken Authentication | API2:2019—Broken User Authentication
API3:2023—Broken Object Property Level Authorization | API3:2019—Excessive Data Exposure, API6:2019—Mass Assignment
API4:2023—Unrestricted Resource Consumption | API4:2019—Lack of Resources & Rate Limiting
API5:2023—Broken Function Level Authorization | API5:2019—Broken Function Level Authorization
API6:2023—Unrestricted Access to Sensitive Business Flows | (new in 2023)
API7:2023—Server Side Request Forgery | (new in 2023)
API8:2023—Security Misconfiguration | API7:2019—Security Misconfiguration
API9:2023—Improper Inventory Management | API9:2019—Improper Assets Management
API10:2023—Unsafe Consumption of APIs | API8:2019—Injection, API10:2019—Insufficient Logging & Monitoring

Source: https://owasp.org/API-Security/editions/2023/en/0x11-t10/
Source: https://owasp.org/API-Security/editions/2019/en/0x11-t10/

API1:2023—Broken Object Level Authorization

What Is It?
APIs allow access to services and data using standardized web requests. Companies expose their infrastructure and data to insecure direct access when those assets are not well protected or when the authorization controls are poorly implemented or absent. Broken Object Level Authorization—also referred to as Insecure Direct Object Reference (IDOR)—can lead to a variety of risks, from data disclosure to full account takeover.

What Makes an Application Vulnerable?
This is a widespread and easy-to-exploit issue in web applications. Applications are vulnerable if they allow a user to take actions by specifying an identifier in an API without checking whether they have authorization to take those actions.

In an example detailed by OWASP, a platform for online stores could allow access to shop data using a simple call:
/shops/{shopName}/revenue_data.json

This is insecure because any user can replace the shopName with the name of another user’s store, gaining access to data they should not have.

Attack Examples
In 2021, a security researcher found that the web-application and back-end servers that provided data to Peloton exercise bikes had several API endpoints—such as https://api.onepeloton.co.uk/stats/workouts/details—that allowed unauthenticated users to access private data. In February 2021, Peloton implemented a partial fix for the issue, limiting API access to authenticated users, but still allowing those users to access any private data for other members. A full fix came in May 2021.10

__________
10. Masters, Jan. “Tour de Peloton: Exposed user data.” Pen Test Partners Blog. Pen Test Partners. Web Page. 5 May 2021. www.pentestpartners.com/security-blog/tour-de-peloton-exposed-user-data/.


How to Prevent It as a Developer?
Developers prevent insecure access to objects by enforcing strict controls, assigning unpredictable user identifiers to dissuade enumeration of accounts, and checking object-level authorization for every function that accesses a data source. Developers should encapsulate such checks, especially if based on user input, to remove the possibility that inadvertent errors could undermine security. Application-security and operations professionals should require authorization checks for each request to backend data.

How Can Fortify Help?
Fortify SAST and DAST by OpenText can detect a broad range of vulnerabilities in the Insecure Direct Object Reference (IDOR) category. IDOR can include vulnerabilities such as Directory Traversal, File Upload, and File Inclusion. More generally, IDOR also includes classes of vulnerabilities where identifiers can be modified via URL, Body, or Header manipulation. The system will alert developers to cases where the user can directly choose the primary key in the API request for a database or storage container, a problem that often leads to this class of vulnerabilities. The system will also warn when an expected authorization check is missing.
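The three preventive measures above (strict controls, unpredictable identifiers, and an encapsulated object-level check on every data access) in working form. This is an added example written for this guide, not code from OWASP, OpenText, or Fortify; the `Shop` record, the user and shop names, and the in-memory dictionaries are constructed stand-ins for a real database. The first handler reproduces the OWASP `/shops/{shopName}/revenue_data.json` flaw for contrast; the hardened handlers route every lookup through one `authorize_object` function, and the by-id variant shows the same check behind a UUID rather than a guessable name.

```python
import uuid
from dataclasses import dataclass, field

# Constructed in-memory data standing in for the store platform's database.
@dataclass
class Shop:
    shop_id: str            # opaque, unpredictable identifier exposed in URLs
    name: str
    owner_id: str
    revenue: dict = field(default_factory=dict)

SHOPS_BY_NAME = {
    "acme":   Shop(shop_id=str(uuid.UUID(int=0x11)), name="acme",   owner_id="user-a",
                   revenue={"q1": 1200, "q2": 1500}),
    "globex": Shop(shop_id=str(uuid.UUID(int=0x22)), name="globex", owner_id="user-b",
                   revenue={"q1": 800, "q2": 950}),
}
SHOPS_BY_ID = {s.shop_id: s for s in SHOPS_BY_NAME.values()}

class NotFound(Exception):
    pass

class Forbidden(Exception):
    pass

def get_shop_revenue_vulnerable(current_user_id: str, shop_name: str) -> dict:
    """The OWASP pattern /shops/{shopName}/revenue_data.json with the object-level
    check missing: any authenticated caller reads any shop by changing shopName."""
    shop = SHOPS_BY_NAME.get(shop_name)
    if shop is None:
        raise NotFound(shop_name)
    return shop.revenue

def authorize_object(current_user_id: str, shop: Shop) -> Shop:
    """The single, encapsulated object-level check that every handler calls."""
    if shop.owner_id != current_user_id:
        raise Forbidden(shop.name)
    return shop

def get_shop_revenue(current_user_id: str, shop_name: str) -> dict:
    """Hardened version of the same endpoint: lookup, then ownership check."""
    shop = SHOPS_BY_NAME.get(shop_name)
    if shop is None:
        raise NotFound(shop_name)
    return authorize_object(current_user_id, shop).revenue

def get_shop_revenue_by_id(current_user_id: str, shop_id: str) -> dict:
    """Same check behind an unpredictable identifier, so shops cannot be enumerated by name."""
    shop = SHOPS_BY_ID.get(shop_id)
    if shop is None:
        raise NotFound(shop_id)
    return authorize_object(current_user_id, shop).revenue

def outcome(handler, current_user_id: str, key: str) -> str:
    """Maps a handler call to the status a request filter would return."""
    try:
        handler(current_user_id, key)
        return "200 allowed"
    except Forbidden:
        return "403 forbidden"
    except NotFound:
        return "404 not found"

if __name__ == "__main__":
    # user-a asks for user-b's shop: the vulnerable handler serves it, the fixed one refuses.
    print(outcome(get_shop_revenue_vulnerable, "user-a", "globex"))
    print(outcome(get_shop_revenue, "user-a", "globex"))
```

Keeping the check in `authorize_object` rather than inline in each handler is what the guide means by encapsulation: a new endpoint that forgets to call it is easy to spot in review or with SAST, whereas a subtly wrong inline comparison is not.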

API2:2023—Broken Authentication

What Is It?
Authorization checks limit access to data based on specific roles or users, but those limitations are not sufficient to protect systems, data, and services. Developers and application-security teams also must properly implement capabilities to check user identity through authentication. Despite the critical nature of authentication, the components are often poorly implemented or improperly used—the root causes of Broken User Authentication. Broken user authentication allows attackers the ability to assume other users’ identities temporarily or permanently by exploiting insecure authentication tokens or compromising implementation flaws.

What Makes an Application Vulnerable?
This common and easy-to-exploit issue occurs because authentication is a complex process that can be confusing and is, by definition, exposed to the public. Developer mistakes and application misconfigurations can result in a lack of necessary checks, allowing attackers to avoid authentication. Developers who fail to implement authentication for a particular endpoint or allow weak authentication mechanisms expose applications to a variety of attacks, such as credential stuffing, token replay, or password sniffing.

Attack Examples
Between February and June 2023, credential stuffing attacks targeted clothing retailer Hot Topic, which notified its customers that an unknown number of accounts had been compromised. The attackers—using credentials harvested from unknown sources—were able to access sensitive personal data, such as customers’ names, email addresses, order histories, phone numbers, and months and days of birth.11

__________
11. Toulas, Bill. “Retail chain Hot Topic discloses wave of credential-stuffing attacks.” BleepingComputer. News article. 1 Aug 2023. www.bleepingcomputer.com/news/security/retail-chain-hot-topic-discloses-wave-of-credential-stuffing-attacks/.


In February 2022, a misconfigured cloud storage bucket left 1 GB of sensitive data from email marketing service Beetle Eye without password protection or encryption. The data included contact information and tourism-related information collected by various tourist agencies and US states.12 Misconfigured authentication mechanisms are considered a variant of the Broken User Authentication category.

How to Prevent It as a Developer?
Standardization is your friend for authentication. DevSecOps teams should create one—or a limited number—of authentication methods for applications and ensure that developers uniformly implement the mechanisms across all microservices and APIs. Any authentication implementation should be reviewed within the context of the OWASP Application Security Verification Standard (ASVS), currently at version 4,13 to ensure the correctness of the implementation and associated security controls. Any deviation from the standard—especially any intentional exposure of unauthenticated endpoints—should be evaluated by the security team and only allowed to satisfy a strong business requirement.

How Can Fortify Help?
OAuth and JWT are two of the most common types of authentication used to implement APIs, and Fortify WebInspect by OpenText has checks for weak implementations of both standards in applications, as well as misconfigurations and vulnerable patterns, such as CSRF and Session Fixation, that come up in custom authentication implementations. Dynamic Application Security Testing (DAST) scanning by OpenText is a great way to detect authentication vulnerabilities, especially in an API.

Fortify SAST by OpenText allows a wide range of checks relating to poor authentication as well. The static analysis tool includes detection for generic issues—such as credential leakage—as well as highly API-specific problems like missing protection claims in JWT tokens, or claims occurring in JWT headers.
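The “missing protection claims in JWT tokens” finding above is easiest to understand with a verifier that actually enforces them. This is an added example written for this guide, not OpenText or Fortify code and not a reference implementation of the JWT standard: it verifies an HS256 token with the standard library only, pins the algorithm (so a header claiming `alg: none` is rejected before any signature logic runs), and then requires the `sub`, `iss`, `aud` and `exp` claims and checks their values. The key, issuer URL and audience name are constructed for the example; `mint_token` exists only to build inputs.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for the example; a real service loads the key from a secrets
# store and takes issuer/audience from its deployment configuration.
SECRET = b"example-hmac-key-not-for-production"
EXPECTED_ISSUER = "https://sso.example.test"
EXPECTED_AUDIENCE = "orders-api"
REQUIRED_CLAIMS = ("sub", "iss", "aud", "exp")

class TokenError(Exception):
    pass

def b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def encode_segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())

def mint_token(claims: dict, key: bytes = SECRET) -> str:
    """Issues an HS256 JWT; used here only to build inputs for verify_token."""
    header = encode_segment({"alg": "HS256", "typ": "JWT"})
    signing_input = f"{header}.{encode_segment(claims)}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"

def verify_token(token: str, now=None) -> dict:
    """Verifies the signature under a pinned algorithm, then the protective claims."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Never let the token choose the algorithm: 'none' and algorithm confusion stop here.
    if header.get("alg") != "HS256":
        raise TokenError(f"unsupported alg {header.get('alg')!r}")
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise TokenError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    # Protection claims are mandatory, not optional: a token without exp never expires.
    for name in REQUIRED_CLAIMS:
        if name not in claims:
            raise TokenError(f"missing claim {name}")
    if not isinstance(claims["exp"], (int, float)) or claims["exp"] <= now:
        raise TokenError("token expired")
    if claims["iss"] != EXPECTED_ISSUER:
        raise TokenError("wrong issuer")
    if claims["aud"] != EXPECTED_AUDIENCE:
        raise TokenError("wrong audience")
    return claims

def check(token: str, now=None) -> str:
    """Reduces the outcome to a label, as a request filter would map it to 401."""
    try:
        verify_token(token, now)
        return "accepted"
    except TokenError as e:
        return f"rejected: {e}"
```

Passing `now` explicitly keeps the expiry check testable; production code would also allow a small clock skew and, for asymmetric algorithms, select the key by a trusted `kid` lookup rather than anything the token header says about itself.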

API3:2023—Broken Object Property Level Authorization

What Is It?
Broken Object Property Level Authorization is a new category in the 2023 OWASP list that combines two categories from the previous list: Excessive Data Exposure (API3:2019) and Mass Assignment (API6:2019). The issue is caused by the lack of validation of a user’s authorization—or the improper authorization of a user—at the object-property level. API endpoints should validate that each user has authorization for every property that they are trying to access or change. Exploiting the issue can lead to information exposure or manipulation of data by unauthorized parties.

__________
12. Nair, Prajeet. “Data of 7 Million People Exposed Via US Marketing Platform.” Data Breach Today. ISMG Network. 11 Feb 2022. www.databreachtoday.com/data-7-million-people-exposed-via-us-marketing-platform-a-18502.
13. “OWASP Application Security Verification Standard.” OWASP. GitHub page. Last accessed: 17 November 2023. https://github.com/OWASP/ASVS.


What Makes an Application Vulnerable?
The common and easy-to-exploit issue occurs when a user may be authorized to access some properties of a specific object, such as reserving a room in a travel application, but not others, such as the price of a room. When the user accesses an object’s properties through an API, the application should check that the user:
• Should be able to gain access to the specific property of the object (violations were previously known as Excessive Data Exposure), and/or
• Is allowed to change the specific property of the object (some applications fail to check this because they use a framework to automatically map web request parameters to object fields, a problem known as Mass Assignment).

In an OWASP example, an online video platform allows a user to change the description of a video, even a blocked video, but should not allow the user to modify the ‘blocked’ property.
PUT /api/video/update_video
{
"description": "a funny video about cats",
"blocked": false
}

Attack Examples
In January 2022, a bug bounty program discovered a flaw in Twitter that allowed a user to submit an email address or phone number to Twitter’s system, which would then return the account name to which the information belonged.14 An unknown attacker used the flaw to compile a list of millions of user accounts linked to phone numbers and email addresses. By allowing anyone to link two properties, Twitter inadvertently allowed pseudonymous users to be more specifically identified.

How to Prevent It as a Developer?
Developers should always implement proper controls on the ability to access or change specific object properties. Rather than return a general data structure with every property—which often happens with generic methods, such as to_json() and to_string()—programmers should be very specific in what information they return. As an extra measure of security, applications should implement schema-based response validation that enforces security controls on all data returned by API methods. Access should follow least privilege principles, only allowing access if absolutely necessary.
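Both halves of this category, excessive data exposure on the way out and mass assignment on the way in, come down to a per-role allow-list of properties. This is an added example written for this guide, not OWASP, OpenText or Fortify code; it reuses the OWASP video payload from above, while the video record, the `owner`/`viewer`/`moderator` roles and the `POLICY` table are constructed for the illustration. `update_video_vulnerable` shows the mass-assignment pattern (every request field copied onto the object), `update_video` rejects any property the caller's role may not write, and `serialize_video` replaces a generic `to_json()` with a schema-based response.

```python
from copy import deepcopy

# Constructed video record standing in for the platform's data model.
VIDEO = {
    "id": "vid-1",
    "owner_id": "user-a",
    "description": "a funny video about cats",
    "blocked": True,                      # set by moderators, never by the uploader
    "moderator_notes": "flagged for review",
    "view_count": 42,
}

# Property-level policy per role: which properties may be read and which written.
# Role names and the policy itself are assumptions made for this example.
POLICY = {
    "owner": {"read": {"id", "description", "blocked", "view_count"},
              "write": {"description"}},
    "viewer": {"read": {"id", "description", "view_count"},
               "write": set()},
    "moderator": {"read": {"id", "owner_id", "description", "blocked", "moderator_notes", "view_count"},
                  "write": {"description", "blocked", "moderator_notes"}},
}

class PropertyForbidden(Exception):
    pass

def role_for(user_id: str, video: dict, is_moderator: bool = False) -> str:
    if is_moderator:
        return "moderator"
    return "owner" if video["owner_id"] == user_id else "viewer"

def serialize_video(video: dict, role: str) -> dict:
    """Schema-based response: emit only allow-listed properties instead of to_json()
    of the whole object, which is what causes Excessive Data Exposure."""
    allowed = POLICY[role]["read"]
    return {k: v for k, v in video.items() if k in allowed}

def update_video_vulnerable(video: dict, payload: dict) -> dict:
    """Mass assignment: every request field is mapped onto the object, 'blocked' included."""
    video = deepcopy(video)
    video.update(payload)
    return video

def update_video(video: dict, role: str, payload: dict) -> dict:
    """Reject, rather than silently drop, any property the role may not change."""
    writable = POLICY[role]["write"]
    rejected = set(payload) - writable
    if rejected:
        raise PropertyForbidden(sorted(rejected))
    video = deepcopy(video)
    video.update(payload)
    return video

def handle_update(user_id: str, payload: dict, is_moderator: bool = False) -> dict:
    """PUT /api/video/update_video with property-level authorization on both directions."""
    role = role_for(user_id, VIDEO, is_moderator)
    try:
        updated = update_video(VIDEO, role, payload)
        return {"status": 200, "body": serialize_video(updated, role)}
    except PropertyForbidden as e:
        return {"status": 403, "error": f"properties not writable: {e.args[0]}"}
```

Rejecting unknown or forbidden properties with a 403 (instead of quietly ignoring them) makes a mass-assignment attempt visible in logs and in DAST results; silently dropping fields hides the probe and makes legitimate client bugs harder to diagnose.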
How Can Fortify Help?
Fortify SAST helps to prevent both excessive data exposure and mass assignment through data flow analysis. The system will highlight many sources of private data, such as those based on variable names or particular API calls, and identify objects that allow mass assignment. Fortify users may define sources of their own as well, tracking data through the program, and if it ends up in an inappropriate place, alerting the developer or operator of the risk.

__________
14. “An incident impacting some accounts and private information on Twitter.” Twitter Privacy Center. Twitter. Web Page. 5 Aug 2022. https://privacy.twitter.com/en/blog/2022/an-issue-affecting-some-anonymous-accounts.


In addition, Fortify SAST has knowledge of the most important JSON and XML serialization and deserialization mechanisms. Using this, the tool can detect code that does not properly deserialize the domain transfer objects (DTOs), which could allow mass assignment of its attributes. Some cases of information exposure and mass assignment can also be detected using Fortify WebInspect. Finally, some countermeasures can be implemented through adding rules to the web application firewall (WAF).

API4:2023—Unrestricted Resource Consumption

What Is It?
APIs expose many useful business functions. To do so, they use computing resources like database servers or may have access to a physical component through operational technology. Because systems have a finite set of resources to respond to API calls, attackers can specially craft requests to create scenarios that result in resource exhaustion, denial of service, or increased business costs. In many cases, attackers can send API requests that tie up significant resources, overwhelming the machine or bandwidth resources and resulting in a denial-of-service attack. By sending repeated requests from different IP addresses or cloud instances, attackers can bypass defenses designed to detect suspicious spikes in usage.

What Makes an Application Vulnerable?
API requests trigger responses. Whether those responses involve accessing a database, performing I/O, running calculations, or (increasingly) generating the output from a machine-learning model, APIs use computing, network, and memory resources. An attacker can send API requests to an endpoint as part of a denial-of-service (DoS) attack that, rather than overwhelming bandwidth—the goal of a volumetric DoS attack—instead exhausts CPU, memory, and cloud resources. Applications that do not limit the resources assigned to satisfy a request can be vulnerable, including those that fail to restrict allocable memory, number of files or processes accessed, or the allowed rate of requests, among other attributes.

The server processing APIs needs to have limits in place to prevent excessive allocation of memory and workloads, excessive requests for API-triggered operations, or excessive charges for a third-party service without spending limits.

A common attack is to modify the arguments passed to the API endpoint, such as increasing the size of the response and requesting millions of database entries, rather than, say, the first ten:
/api/users?page=1&size=1000000

In addition, if the attacker can access a backend service that charges for usage, resource consumption attacks can be used to run up charges for the application owner. Another OWASP example points to a reset-password feature that uses an SMS text message to verify identity and which could be called thousands of times to increase expenses for the victim.


POST /sms/send_reset_pass_code
Host: willyo.net
{
"phone_number": "6501113434"
}

Attack Examples
Since resource-consumption attacks are often lumped in with performance and availability issues, targeted companies tend to treat them as part of the cost of doing business, rather than incidents that need to be reported, reducing visibility into the threat. In 2022, application-layer distributed-denial-of-service (DDoS) attacks, a superset of API resource consumption attacks, declined as a share of all attacks, but Q4 2022 still logged 79% more attacks than the same quarter the previous year.15

In one attack outlined in 2015, a developer detected an Android client that repeatedly contacted their site’s Web API with randomly generated API keys, resulting in a denial-of-service attack. The developer hypothesized that a malicious application installed on Android devices was attempting to guess the 64-bit API key.16

How to Prevent It as a Developer?
By using rate limits and thresholds, most resource consumption attacks can be blunted, although legitimate traffic could also be affected by poorly constructed defenses. Specific limits should be set on:
• Memory allocation
• Processes
• Cloud instances
• Uploaded file descriptors and file size
• Records returned
• Number of paid transactions to third-party services
• All incoming parameters (e.g., string lengths, array lengths, etc.)
• Number of API interactions per client within a specific time window
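Two of the limits in that list, records returned and API interactions per client within a time window, applied to the `/api/users?page=1&size=1000000` request shown earlier. This is an added example written for this guide, not OWASP, OpenText or Fortify code; the page-size cap, the five-requests-per-minute budget, the sample user table and the client identifiers are constructed. The limiter is keyed by an authenticated client id rather than by source address alone, because the section notes that attackers rotate IP addresses and cloud instances to stay under per-address thresholds.

```python
import time
from collections import defaultdict, deque

MAX_PAGE_SIZE = 100          # hard cap on records returned per request (constructed)
MAX_REQUESTS_PER_WINDOW = 5  # per-client budget for the demo (constructed)
WINDOW_SECONDS = 60

class TooManyRequests(Exception):
    pass

class BadRequest(Exception):
    pass

class SlidingWindowLimiter:
    """Per-client sliding-window counter. Keyed by client id, not source IP, so rotating
    addresses does not reset the budget. Failed requests also consume budget."""

    def __init__(self, limit: int, window: float):
        self.limit = limit
        self.window = window
        self._hits = defaultdict(deque)

    def check(self, client_id: str, now: float) -> None:
        hits = self._hits[client_id]
        cutoff = now - self.window
        while hits and hits[0] <= cutoff:   # forget requests outside the window
            hits.popleft()
        if len(hits) >= self.limit:
            raise TooManyRequests(client_id)
        hits.append(now)

def parse_paging(params: dict) -> tuple:
    """Bounds every incoming parameter: page and size must be positive integers within limits."""
    try:
        page = int(params.get("page", 1))
        size = int(params.get("size", 10))
    except (TypeError, ValueError):
        raise BadRequest("page and size must be integers")
    if page < 1 or size < 1:
        raise BadRequest("page and size must be positive")
    if size > MAX_PAGE_SIZE:
        raise BadRequest(f"size may not exceed {MAX_PAGE_SIZE}")
    return page, size

# Constructed sample table; a real handler would push the LIMIT/OFFSET to the database.
USERS = [{"id": i, "name": f"user{i}"} for i in range(1, 251)]
LIMITER = SlidingWindowLimiter(MAX_REQUESTS_PER_WINDOW, WINDOW_SECONDS)

def list_users(client_id: str, params: dict, now=None) -> dict:
    """Handler for /api/users?page=&size= with both defenses applied."""
    now = time.time() if now is None else now
    try:
        LIMITER.check(client_id, now)         # rate limit first: cheapest check, applies to all
        page, size = parse_paging(params)     # then bound the work a single request can cause
    except TooManyRequests:
        return {"status": 429, "error": "rate limit exceeded"}
    except BadRequest as e:
        return {"status": 400, "error": str(e)}
    start = (page - 1) * size
    return {"status": 200, "body": USERS[start:start + size]}
```

Capping `size` server-side means the million-record request costs the server one cheap comparison instead of a million-row query; the rate limiter then bounds how many such attempts a single client can make per minute, whichever address they arrive from. Edge filtering at a CDN or WAF, as the next paragraph describes, adds a second layer in front of this code rather than replacing it.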
Filtering at the edge of the network using content delivery networks (CDNs) paired with web application firewalls (WAFs) can reduce traffic floods while minimizing the impact to individual users. Application delivery platforms allow easy filtering, including limits on memory, CPUs, and processes.

How Can Fortify Help?
With Fortify SAST and Fortify WebInspect, DevSecOps teams can test their code and infrastructure for resilience to resource exhaustion attacks. Fortify SAST can spot many areas where an attacker would be able to abuse the application logic to create extreme resource consumption.

__________
15. Yoachimik, Omer. “Cloudflare DDoS threat report for 2022 Q4.” Cloudflare Blog. Web Page. 10 Jan 2023. https://blog.cloudflare.com/ddos-threat-report-2022-q4/.
16. “How to stop hack/DOS attack on web API.” StackOverflow. Web Page. 15 Sep 2015. https://stackoverflow.com/questions/32575924/how-to-stop-hack-dos-attack-on-web-api.


Code-level security is not sufficient to address this problem in the application. Resource exhaustion and rate limiting are specific sub-segments of denial-of-service attacks that should be mitigated at runtime. Fortify WebInspect can test servers and API functions for vulnerability to denial-of-service attack without impacting the service. In addition, the very act of running a DAST scan can stress test an environment enough to show potential resource-consumption weaknesses.

API5:2023—Broken Function Level Authorization

What Is It?
The modern application has many different functions that access, create, manipulate, delete, and manage data. Not every application user needs access to every function or all the data, nor should it be allowed under the principle of least privilege. Every API endpoint has an intended audience, which may include anonymous, regular non-privileged, and privileged users. Administrative and management functions should require privileged authorization, but are sometimes reachable through legitimate API calls from non-authorized users; this is the origin of Broken Function Level Authorization. Because the different hierarchies, groups, and roles create complexity in access controls, application functions may not have appropriate restrictions on who may call them.

What Makes an Application Vulnerable?

Applications that allow specific functions to conduct administrative tasks may not restrict access to those functions in a secure way. APIs that directly map to such functions will expose those weaknesses to exploitation. Functions that do not use the application's authentication and authorization mechanism should be considered potential security weaknesses.

In an example cited by OWASP, an attacker gains access to the API requests for adding an invited user to a new mobile application, noting that the invite includes information on the invitee's role. Exploiting the weakness, the attacker sends a new invite:

POST /api/invites/new
{
  "email": "[email protected]",
  "role": "admin"
}

This allows them to gain administrative privileges on the system.

Attack Examples
In 2022, the Texas Department of Insurance notified the public that information of nearly 2 million Texans had been exposed through a part of the workers' compensation application that inadvertently allowed members of the public to access protected data.17 In a second incident in 2022, Australian telecommunications firm Optus acknowledged that personal and account information on as many as 10 million Australians had been exposed by an API that did not require any authentication or authorization. While Optus called the attack "sophisticated," a security researcher familiar with the details of the attack described it as "trivial."18
__________
17. Beeferman, Jason. "Personal information of 1.8 million Texans with Department of Insurance claims was exposed for years, audit says." The Texas Tribune. 17 May 2022. www.texastribune.org/2022/05/16/texas-insurance-data-breach/.
18. Taylor, Josh. "Optus data breach: everything we know so far about what happened." The Guardian. 28 Sep 2022. www.theguardian.com/business/2022/sep/29/optus-data-breach-everything-we-know-so-far-about-what-happened.


How to Prevent It as a Developer?

DevSecOps teams should design a standard approach to authentication and authorization that prevents access to requests by default, enforcing a default of "deny all." From this default, always apply the principle of least privilege when determining access for roles, groups, and users. Developers should ensure that authentication and authorization are in place for all relevant HTTP verbs/methods (e.g., POST, GET, PUT, PATCH, DELETE) on each API endpoint, and that verbs an endpoint does not need are rejected outright. In addition, developers should implement a base class for administrative access and management, using class inheritance to ensure that authorization controls check the user's role before granting access. All critical administrative functions should use the authorization mechanism to prevent privilege escalation.

How Can Fortify Help?

By combining the static code and API analysis features of Fortify SAST with the runtime checks of the Fortify WebInspect dynamic application security testing (DAST) suite, DevSecOps teams can evaluate their application for broken function-level authorization issues and continuously test code for security weaknesses before deploying it. To detect Broken Function Level Authorization issues, Fortify SAST uses rules specifying when an authorization check would be expected in certain programming languages and frameworks, and the absence of such a check is reported.
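The deny-by-default, least-privilege approach described under "How to Prevent It" above, as an added example (this is not code from the paper or from Fortify): a small router consults an explicit allow-list before any handler runs, an unlisted verb on a known path is refused, and the invite handler from the OWASP scenario refuses to grant a role above the caller's own. The role names, route table, Principal type and invite body are assumptions made for the illustration.

```python
"""Deny-by-default function-level authorization (added example, hypothetical API)."""
from dataclasses import dataclass
from functools import wraps


@dataclass(frozen=True)
class Principal:
    user_id: str          # empty string for anonymous callers
    roles: frozenset


ANONYMOUS = Principal("", frozenset())

# Explicit allow-list: (HTTP method, path) -> roles that may call it.
# Anything absent from this table is denied, which is the "deny all" default.
POLICY = {
    ("GET", "/api/invites"): frozenset({"user", "admin"}),
    ("POST", "/api/invites/new"): frozenset({"admin"}),
}

# Simple role ordering so an invite can never confer more than the caller holds.
ROLE_RANK = {"user": 1, "admin": 2}


class Forbidden(Exception):
    pass


def requires(method, path):
    """Decorator that checks POLICY before the handler body executes."""
    def decorate(fn):
        @wraps(fn)
        def wrapper(principal, *args, **kwargs):
            allowed = POLICY.get((method, path), frozenset())
            if not principal.roles & allowed:
                who = principal.user_id or "anonymous"
                raise Forbidden(f"{who} may not {method} {path}")
            return fn(principal, *args, **kwargs)
        return wrapper
    return decorate


@requires("GET", "/api/invites")
def list_invites(principal, body):
    return {"invites": []}


@requires("POST", "/api/invites/new")
def create_invite(principal, body):
    """Mirror of the OWASP invite example, with the privilege-escalation path closed."""
    requested = body.get("role", "user")
    caller_rank = max((ROLE_RANK.get(r, 0) for r in principal.roles), default=0)
    if ROLE_RANK.get(requested, float("inf")) > caller_rank:
        raise Forbidden(f"cannot grant role {requested!r}")
    return {"email": body["email"], "role": requested}


ROUTES = {
    ("GET", "/api/invites"): list_invites,
    ("POST", "/api/invites/new"): create_invite,
}


def dispatch(method, path, principal=ANONYMOUS, body=None):
    """Stand-in for the HTTP layer: returns (status, payload)."""
    handler = ROUTES.get((method, path))
    if handler is None:
        # An unlisted verb on a known path is refused outright; an unknown path is 404.
        known = any(p == path for _, p in ROUTES)
        return (405, {"error": "method not allowed"}) if known else (404, {"error": "not found"})
    try:
        return 200, handler(principal, body or {})
    except Forbidden as exc:
        return 403, {"error": str(exc)}


if __name__ == "__main__":
    # Constructed attempt at the OWASP attack: a plain user invites an "admin".
    attacker = Principal("u42", frozenset({"user"}))
    print(dispatch("POST", "/api/invites/new", attacker,
                   {"email": "new-user@example.org", "role": "admin"}))
```

The two checks are deliberately separate: the decorator answers "may this caller reach this function at all?" from a single table that defaults to deny, while the handler answers "may this caller do this particular thing?" so that even a legitimately privileged caller cannot mint a role the system does not know.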

API6:2023—Unrestricted Access to Sensitive Business Flows

What Is It?
From sneakerbots to ticket bots, attacks on the inventory of online retailers through their APIs have become a significant problem for e-commerce sites. By understanding the business model and the application logic, an attacker can create a series of API calls that automatically reserve or purchase inventory, thus preventing other, legitimate consumers from gaining access to the business's products or services. Any API that allows access to a business process can be used by an attacker to impact the business and falls under the definition of Unrestricted Access to Sensitive Business Flows.

What Makes an Application Vulnerable?

Application control and logic flows are the heart of any online business, and as companies move more of their operations to the cloud, those flows can be exposed and exploited. This excessive access may harm the business when attackers automate the purchase of products, create bots for leaving comments and reviews, or automate the reservation of goods or services.

If an application offers an endpoint that has access to the company's business flow without limiting access to the business operations behind the endpoint, then the application will be vulnerable. Protections include limiting the number of access attempts from a single device through fingerprinting, detecting whether the activity originates from a human actor, and detecting whether automation is involved.


Attack Examples
When Taylor Swift tickets went on sale on Ticketmaster in November 2022, 1.5 million customers had pre-registered, but more than 14 million requests—including three times as much bot traffic—swamped the purchasing links and APIs as soon as ticket sales opened. The site crashed, preventing many customers from purchasing tickets.19

The onslaught of reseller bots resembled those that ruined the launch of the PlayStation 5 in November 2020. Supply-chain issues had already limited supply prior to the launch of the latest Sony gaming console, but the automated bots made finding available units even harder and led to astronomical resale prices. In one e-commerce site's case, the number of "add to cart" transactions grew from an average of 15,000 requests per hour to more than 27 million, using the store's API to directly request products by SKU number.20

How to Prevent It as a Developer?

Developers should work with both the business-operation and engineering teams to address the risk of malicious access to business flows. Business teams can identify which flows are exposed through APIs and conduct threat analyses to determine how attackers could abuse those endpoints. Meanwhile, developers should work with engineering operations as part of a DevOps team to establish additional technical defensive measures, such as device fingerprinting to keep automated browser instances from overwhelming the service, and behavioral analysis to identify the patterns that differentiate human from machine actors.

Operations teams should also review any APIs designed to be used by other machines, such as for B2B use cases, and ensure that defenses are in place to prevent attackers from exploiting machine-to-machine interactions.
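The per-device limiting and automation detection described above, as an added example (not code from the paper or from Fortify): a guard in front of an "add to cart" flow keeps a sliding window of accepted calls per client fingerprint, rejects bursts that no human could click out, and blocks a fingerprint after repeated machine-speed attempts. The fingerprint is assumed to be derived elsewhere (for instance from TLS and HTTP client traits) and is just a string here; the thresholds and the sample traffic are constructed for the illustration, not recommended production values.

```python
"""Guarding a sensitive business flow (add-to-cart) against automation.

Added example, not from the paper or from Fortify. A caller's fingerprint is
assumed to be computed elsewhere and is just a string here; thresholds are
illustrative.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


class FlowGuard:
    """Per-fingerprint sliding-window limit plus a machine-speed tripwire."""

    def __init__(self, window_s=60.0, max_per_window=10, min_gap_s=0.5, strikes_to_block=3):
        self.window_s = window_s              # sliding window for the volume limit
        self.max_per_window = max_per_window  # accepted flow entries per window
        self.min_gap_s = min_gap_s            # faster than this is not a human clicking
        self.strikes_to_block = strikes_to_block
        self._history = defaultdict(deque)    # fingerprint -> timestamps of accepted calls
        self._strikes = defaultdict(int)
        self._blocked = set()

    def check(self, fingerprint, ts):
        if fingerprint in self._blocked:
            return Decision(False, "blocked")
        recent = self._history[fingerprint]
        while recent and ts - recent[0] > self.window_s:
            recent.popleft()                  # forget calls outside the window
        # Sub-human inter-request gap: count a strike, block after repeated offences.
        if recent and ts - recent[-1] < self.min_gap_s:
            self._strikes[fingerprint] += 1
            if self._strikes[fingerprint] >= self.strikes_to_block:
                self._blocked.add(fingerprint)
                return Decision(False, "blocked: automation suspected")
            return Decision(False, "too fast")
        if len(recent) >= self.max_per_window:
            return Decision(False, "rate limit")
        recent.append(ts)
        return Decision(True, "ok")


# Constructed sample traffic: (fingerprint, seconds since start). A shopper adds
# four items over 40 s; a bot fires at 50 ms intervals.
SAMPLE_EVENTS = [
    ("fp-shopper", 0.0), ("fp-shopper", 5.0), ("fp-shopper", 12.0), ("fp-shopper", 40.0),
    ("fp-bot", 100.00), ("fp-bot", 100.05), ("fp-bot", 100.10), ("fp-bot", 100.15), ("fp-bot", 100.20),
]


def replay(events, guard=None):
    """Run events through a guard and return the decision reason for each."""
    guard = guard or FlowGuard()
    return [guard.check(fp, ts).reason for fp, ts in events]


if __name__ == "__main__":
    for (fp, ts), reason in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS)):
        print(f"{fp:<12} t={ts:7.2f}  {reason}")
```

Rejected calls are not added to the window, so a bot that keeps hammering does not "earn" a fresh timestamp; a block is the point at which an operations team would normally redirect the client to a challenge rather than drop it silently.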

How Can Fortify Help?

Catching vulnerable and sensitive business flows often relies on doing the basics. Companies need to document and track all of their functioning APIs and determine which ones expose sensitive processes and data to potential attackers. Application logic also needs to be analyzed for logic flaws that could be exploited by attackers.

Overall, preventing Unrestricted Access to Sensitive Business Flows is more about a holistic approach to application security and less about finding a specific technology.
__________
19. Steele, Billy. "Ticketmaster knows it has a bot problem, but it wants Congress to fix it." Engadget. News Article. 24 Jan 2023. www.engadget.com/ticketmaster-live-nation-senate-judiciary-hearing-195504179.html.
20. Muwandi, Tafara and Warburton, David. "How Bots Ruined the PlayStation 5 Launch for Millions of Gamers." F5 Labs Blog. F5. Web Page. 18 March 2023. www.f5.com/labs/articles/cisotociso/how-bots-ruined-the-playstation-5-launch-for-millions-of-gamers.

API7:2023—Server Side Request Forgery

What Is It?
Backend servers handle requests made through API endpoints. Server-Side Request Forgery (SSRF) is a vulnerability that allows an attacker to induce a server to send requests on their behalf and with the server's level of privilege. Often the attack uses the server to bridge the gap between the external attacker and the internal network. Basic SSRF attacks return the response to the attacker, a far easier scenario than Blind SSRF attacks, where no response is returned, leaving the attacker with no direct confirmation of whether the attack was successful.


What Makes an Application Vulnerable?

Server-Side Request Forgery (SSRF) flaws are essentially the result of a lack of validation of user-supplied input. An attacker crafts a request whose URI parameter points the server at a destination of the attacker's choosing, typically one that only the server can reach.

Modern concepts in application development, such as webhooks and standardized application frameworks, make SSRF more common and more dangerous, according to OWASP.

In an example cited by OWASP, a social network that allows users to upload profile pictures could be vulnerable to SSRF if the server does not validate arguments sent to the application. Rather than a URL pointing to an image, such as:

POST /api/profile/upload_picture
{
  "picture_url": "http://example.com/profile_pic.jpg"
}

an attacker could send a URI that determines whether a specific port is open, using the following API call:

{
  "picture_url": "localhost:8080"
}

Even in a Blind SSRF case, an attacker could figure out whether the port is open by measuring the time it takes to get a response.
Attack Examples
The most well-known example of an SSRF attack involved a former Amazon Web Services (AWS) engineer who exploited a misconfigured web application firewall (WAF) and then used an SSRF flaw to gather data from a server instance belonging to financial giant Capital One. The incident, which occurred in July 2019, resulted in data on approximately 100 million US citizens and 6 million Canadian citizens being stolen.21 Amazon considers the misconfiguration, rather than the SSRF flaw, to be the source of the compromise.22

In October 2022, a cloud security firm notified Microsoft of four SSRF vulnerabilities in the company's flagship Azure cloud platform. Each vulnerability affected a different Azure service, including the Azure Machine Learning service and the Azure API Management service.23

How to Prevent It as a Developer?
Developers should encapsulate the resource-fetching mechanism in their code, isolating the feature and layering additional protections that verify every request. Because such features are typically used to fetch remote resources and not internal ones, developers should configure the encapsulated feature to use a list of allowed remote resources and block attempts to access internal resources. HTTP redirection should be disabled for the resource-fetching functions, and every outgoing request should be parsed and validated before it is sent.
__________
21. "Information on the Capital One cyber incident." Capital One Advisory. Web Page. Updated 22 Apr 2022. www.capitalone.com/digital/facts2019/.
22. Ng, Alfred. "Amazon tells senators it isn't to blame for Capital One breach." CNET News.com. News article. 21 Nov 2019. www.cnet.com/tech/services-and-software/use-cnet-shopping-to-seek-out-the-best-deals/.
23. Shitrit, Lidor Ben. "How Orca Found Server-Side Request Forgery (SSRF) Vulnerabilities in Four Different Azure Services." Orca Security Blog. Web Page. 17 Jan 2023. https://orca.security/resources/blog/ssrf-vulnerabilities-in-four-azure-services/.


The risk of SSRF weaknesses cannot always be completely eliminated, so companies should closely consider the risk of each call their applications make to an external resource.
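The encapsulated, allow-listed fetcher described above, as an added example (not code from the paper or from Fortify): before the profile-picture fetcher from the OWASP scenario is allowed to connect, the URL is checked for scheme, host allow-list, port and embedded credentials, and the name is resolved so that an allow-listed host pointing at an internal or link-local address is refused too. The permitted hosts, the stand-in resolver and its addresses are assumptions made for the illustration; in production the resolver is a real DNS lookup and the returned address is pinned for the connection.

```python
"""Allow-list validation for a server-side resource fetcher (added example).

Not code from the paper or from Fortify. ALLOWED_HOSTS and FAKE_DNS are
assumptions for the illustration.
"""
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"example.com", "images.example.com"}   # hypothetical image hosts

# Address ranges a profile-picture fetcher has no business reaching:
# loopback, RFC 1918, CGNAT, link-local (cloud metadata lives at 169.254.169.254).
_FORBIDDEN_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]


def _is_internal(ip_text):
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in _FORBIDDEN_NETS)


def validate_fetch_url(url, resolve):
    """Return (ok, detail). On success, detail is the pinned IP to connect to.

    `resolve(host)` maps a hostname to a list of IP strings. It is injected so
    the check is testable offline and so the same answer is reused for the
    connection, which closes the DNS-rebinding gap between check and fetch.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        return False, f"host {host!r} not on allow-list"
    if parts.port not in (None, 80, 443):
        return False, f"port {parts.port} not allowed"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    addrs = resolve(host)
    if not addrs:
        return False, "name did not resolve"
    for addr in addrs:
        if _is_internal(addr):
            return False, f"{host} resolves to internal address {addr}"
    return True, addrs[0]


# Constructed resolver standing in for DNS; the addresses are illustrative.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "images.example.com": ["10.0.0.5"],   # allow-listed name pointed at an internal host
}


def fake_resolve(host):
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    for u in ("http://example.com/profile_pic.jpg", "localhost:8080",
              "http://127.0.0.1:8080/", "http://169.254.169.254/latest/meta-data/",
              "http://images.example.com/x.png", "file:///etc/passwd"):
        print(u, "->", validate_fetch_url(u, fake_resolve))
```

The HTTP client that performs the fetch must then be configured not to follow redirects (every redirect target would otherwise bypass this check) and to connect to the pinned address with a short timeout; the raw response should never be relayed back to the caller.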

How Can Fortify Help?

Fortify WebInspect allows DevSecOps teams to regularly test for server-side request forgery. WebInspect's DAST scans an application server in a configured environment so that all components—application, server, and network—can be tested, giving the dynamic analysis platform a comprehensive view of the impact of server requests.

Fortify SAST can detect many cases of SSRF through taint analysis—for example, if the application uses unvalidated user input to construct a URL that will then be fetched. Fortify will flag the use of unrestricted user input.

API8:2023—Security Misconfiguration

What Is It?
Developers often misconfigure their applications, failing to separate development assets from production assets, exporting sensitive files—such as configuration files—to their public repositories, and failing to change default configurations. Security Misconfiguration includes setting up applications with vulnerable default configurations, allowing overly permissive access to sensitive functions and data, and publicly revealing application information through detailed error messages.

What Makes an Application Vulnerable?

Default application configurations are often overly permissive, lacking security hardening, and leaving cloud storage instances open to the public. Often, the web frameworks on which applications are based include a host of application features that are not needed and whose inclusion reduces security.

In an example detailed by OWASP, a social network that offers a direct-messaging feature should protect users' privacy, but offers an API request to retrieve a specific conversation using the following example API request:

GET /dm/user_updates.json?conversation_id=1234567&cursor=GRlFp7LCUAAAA

The response carries no Cache-Control header restricting how it may be stored, so the private conversation is cached by the web browser. An attacker with access to the browser's cache could retrieve the information, exposing the victim's private messages.
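Two of the misconfigurations named in this section, the cacheable private response from the OWASP direct-message example and detailed error messages, with the weak and the hardened behaviour side by side, as an added example (not code from the paper or from Fortify): `audit` reports what a response is doing wrong, and `harden` applies the safe defaults before the response leaves the server. The Request and Response types, the header list and the sample responses are stand-ins constructed for the illustration.

```python
"""Closing two misconfigurations: private responses the browser caches, and
verbose server errors. Added example; Request/Response stand in for a web
framework's types and the sample data is constructed."""
import json
import uuid
from dataclasses import dataclass, field

FINGERPRINT_HEADERS = ("Server", "X-Powered-By", "X-AspNet-Version")


@dataclass
class Request:
    method: str
    path: str
    authenticated: bool


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def audit(request, response):
    """Return a list of misconfiguration findings for one request/response pair."""
    findings = []
    cache_control = response.headers.get("Cache-Control", "")
    if request.authenticated and "no-store" not in cache_control:
        findings.append("authenticated response is cacheable (missing Cache-Control: no-store)")
    for name in FINGERPRINT_HEADERS:
        if name in response.headers:
            findings.append(f"version-revealing header {name}")
    if response.status >= 500 and ("Traceback" in response.body or "Exception" in response.body):
        findings.append("error body leaks stack trace")
    return findings


def harden(request, response, production=True):
    """Apply a fixed set of safe defaults before the response leaves the server."""
    h = response.headers
    if request.authenticated:
        h["Cache-Control"] = "no-store"   # neither browser nor shared caches may keep it
        h["Pragma"] = "no-cache"          # for HTTP/1.0 caches that ignore Cache-Control
    for name in FINGERPRINT_HEADERS:
        h.pop(name, None)
    h.setdefault("X-Content-Type-Options", "nosniff")
    if response.status >= 500 and production:
        # Keep the detail server-side (log it) and give the client only a correlation id.
        incident_id = str(uuid.uuid4())
        response.body = json.dumps({"error": "internal error", "incident_id": incident_id})
        h["Content-Type"] = "application/json"
    return response


# Constructed examples modelled on the OWASP direct-message case above.
DM_REQUEST = Request("GET", "/dm/user_updates.json?conversation_id=1234567", authenticated=True)
DM_RESPONSE = Response(200, {"Content-Type": "application/json", "Server": "nginx/1.18.0"},
                       '{"messages": [{"from": "alice", "text": "private"}]}')
CRASH_RESPONSE = Response(500, {}, "Traceback (most recent call last):\n  File ...")

if __name__ == "__main__":
    print(audit(DM_REQUEST, DM_RESPONSE))
    print(audit(DM_REQUEST, harden(DM_REQUEST, DM_RESPONSE)))
    print(harden(Request("GET", "/x", False), CRASH_RESPONSE).body)
```

Running `audit` over recorded responses in the pipeline is the unit-test style check the next section asks for; `harden` is what the framework's response middleware should do unconditionally, so that a developer forgetting a header on one endpoint does not reopen the issue.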
Attack Examples
In May 2021, a cloud security firm notified Microsoft that at least 47 different customers had failed to change the default configuration of their instances of Microsoft Power Apps. The affected organizations included companies such as American Airlines and Microsoft, and state governments such as those of Indiana and Maryland, and 38 million records were exposed to potential compromise across the Power Apps portals.24
__________
24. UpGuard Research. "By Design: How Default Permissions on Microsoft Power Apps Exposed Millions." UpGuard Research Blog. Web Page. 23 Aug 2021. www.upguard.com/breaches/power-apps.


In 2022, a vulnerability management firm discovered that 12,000 cloud instances hosted on Amazon Web Services and 10,500 hosted on Azure continued to expose Telnet, a remote access protocol considered "inappropriate for any internet-based usage today," according to a 2022 report.25 The inclusion of unnecessary and insecure features undermines the security of the APIs and applications.

How to Prevent It as a Developer?

DevSecOps teams need to understand the steps necessary to create secure configurations for their applications and use an automated development pipeline to check configuration files before deployment, including regular unit tests and runtime checks to continuously check the software for configuration errors or security problems. Security-as-code can help, by making configurations repeatable and giving application-security teams the ability to set standard configuration sets for specific application components.

As part of their secure development lifecycle, developers and operations teams should:
• Establish a hardening process that simplifies the repeatable creation and maintenance of a secure application environment,
• Review and update all configurations across the API stack to incorporate the new standard consistently, and
• Automate the assessment of the effectiveness of the configuration settings across all environments.

How Can Fortify Help?

Fortify SAST can check configurations during the development process and spot many types of weaknesses. Because Security Misconfigurations occur at both the application-code level and at the infrastructure level, different Fortify products can be used to catch misconfigurations.

Fortify SAST scans can check application code for misconfiguration issues. During the static analysis check, Fortify SAST can evaluate configuration files for security errors, including those for Docker, Kubernetes, Ansible, Amazon Web Services, CloudFormation, Terraform, and Azure Resource Manager templates.

Configuration errors can also be caught during runtime. Fortify WebInspect allows DevSecOps teams to regularly test for common security misconfigurations. One of the biggest strengths of DAST scanning is that it runs against the application server in a configured environment, which means that the full environment—application, server, and network—is tested all at once, giving the dynamic analysis platform a comprehensive view of how the production environment is configured.
__________
25. Beardsley, Todd. "2022 Cloud Misconfigurations Report." Rapid7. PDF Report. p. 12. 20 Apr 2022. Accessed through: www.rapid7.com/blog/post/2022/04/20/2022-cloud-misconfigurations-report-a-quick-look-at-the-latest-cloud-security-breaches-and-attack-trends/.


API9:2023—Improper Inventory Management

What Is It?
Like most software assets, APIs have a lifecycle, with older versions replaced by more secure and efficient APIs or, increasingly, by APIs that connect to third-party services. DevSecOps teams who do not maintain their API versions and documentation can introduce vulnerabilities when older, flawed API versions continue to be used—a weakness known as Improper Inventory Management. Best practices for inventory management require the tracking of API versions, the regular assessment and inventorying of integrated services, and the regular deprecation of legacy versions to prevent the propagation of security vulnerabilities.

What Makes an Application Vulnerable?
Software architectures reliant on APIs—especially those using microservice architectures—tend to expose more endpoints than traditional web applications. The plethora of API endpoints, along with the likelihood of multiple versions of an API existing at the same time, requires additional management resources from the API provider to prevent an expanding attack surface. OWASP identifies two major blindspots that DevSecOps teams may have regarding their API infrastructure.

First, a documentation blindspot is when the details of the API's purpose, functioning, and versioning are unclear because of a lack of documentation detailing these important attributes.

Second, a data-flow blindspot happens when APIs are used in ways that lack clarity, resulting in capabilities that should not necessarily be allowed without a strong business justification. Sharing sensitive data with a third party without security guarantees, lacking visibility of the end result of a data flow, and failing to map all data flows in chained APIs are all blindspots.

As an example, the OWASP report cites a fictional social network that allows integration with third-party independent applications. While consent is required from the end user, the social network does not maintain enough visibility into the data flow to prevent downstream parties from accessing the data, such as monitoring the activity of not just the user, but their friends.

Attack Examples
In 2013 and 2014, as many as 300,000 people took an online psychological quiz on the Facebook platform. The company behind the quiz, Cambridge Analytica, not only collected information on those users, but on their linked friends as well—a population that totaled as many as 87 million people, the vast majority of whom gave no permission to have their information collected. The company then used the information to tailor ads and messaging to those people on behalf of its clients, including sending political ads supporting the Trump campaign in the 2016 election.26 Facebook's lack of visibility into how third parties used the information harvested from its platform is an example of improper inventory management.
__________
26. Rosenberg, Matthew and Dance, Gabriel. "'You Are the Product': Targeted by Cambridge Analytica on Facebook." The New York Times. News article. 8 April 2018. www.nytimes.com/2018/04/08/us/facebook-users-data-harvested-cambridge-analytica.html.


How to Prevent It as a Developer?

DevSecOps teams should document all API hosts and focus on maintaining visibility into the data flows between APIs and third-party services. The primary way to prevent Improper Inventory Management is the detailed documentation of the critical aspects of all API services and hosts, including information on what data they handle, who has access to the hosts and data, and the specific API versions of each host. Technical details that should be documented include the authentication implementation, error handling, rate limiting defenses, the cross-origin resource sharing (CORS) policy, and details of each endpoint.

The significant volume of documentation is difficult to manage manually, so generating documentation through the continuous integration process and using open standards is recommended. Access to API documentation should also be limited to those developers who are authorized to use the API.

During the application building and testing phases, developers should avoid using production data on development or staged versions of the application to prevent data leaks. When new versions of APIs are released, the DevSecOps team should do a risk analysis to determine the best approach to upgrading applications to take advantage of increased security.
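One automated check that the documentation-in-CI approach above makes possible, as an added example (not code from the paper or from OpenText): reconcile the OpenAPI document generated in the pipeline against the routes actually served, and report endpoints that are live but undocumented, documented as deprecated but still reachable, documented but no longer served, and live endpoints that the spec tags as handling sensitive data. The spec fragment and the observed route list are constructed; "deprecated" is a standard OpenAPI operation flag, while "x-data-classification" is a hypothetical vendor extension assumed for the illustration.

```python
"""Inventory reconciliation: documented API surface versus what is served.

Added example, not from the paper or from OpenText. SPEC and OBSERVED are
constructed; in practice SPEC is the OpenAPI document produced in CI and
OBSERVED comes from a gateway or the framework's route table.
"""
from dataclasses import dataclass, field

SPEC = {
    "paths": {
        "/v2/users/{id}": {
            "get": {"x-data-classification": "pii"},
            "delete": {},
        },
        "/v2/invites": {"post": {}},
        "/v1/users/{id}": {"get": {"deprecated": True, "x-data-classification": "pii"}},
    }
}

# Routes observed live (constructed): (method, path template).
OBSERVED = [
    ("GET", "/v2/users/{id}"),
    ("DELETE", "/v2/users/{id}"),
    ("POST", "/v2/invites"),
    ("GET", "/v1/users/{id}"),          # deprecated but still reachable
    ("GET", "/v1/users/{id}/export"),   # never documented
    ("GET", "/debug/routes"),           # never documented
]


@dataclass
class InventoryReport:
    undocumented: list = field(default_factory=list)    # live, absent from the spec
    deprecated_live: list = field(default_factory=list) # spec says deprecated, still served
    missing: list = field(default_factory=list)         # in the spec, not served
    sensitive: list = field(default_factory=list)       # live endpoints with a data class

    def has_findings(self):
        return bool(self.undocumented or self.deprecated_live)


def reconcile(spec, observed):
    """Compare a parsed OpenAPI document with the live route list."""
    documented = {}
    for path, operations in spec["paths"].items():
        for method, operation in operations.items():
            documented[(method.upper(), path)] = operation
    live = set(observed)
    report = InventoryReport()
    for key in sorted(live):
        operation = documented.get(key)
        if operation is None:
            report.undocumented.append(key)
            continue
        if operation.get("deprecated"):
            report.deprecated_live.append(key)
        if operation.get("x-data-classification"):
            report.sensitive.append((key, operation["x-data-classification"]))
    report.missing = sorted(documented.keys() - live)
    return report


if __name__ == "__main__":
    r = reconcile(SPEC, OBSERVED)
    print("undocumented:", r.undocumented)
    print("deprecated but live:", r.deprecated_live)
    print("sensitive:", r.sensitive)
```

Failing the build when `has_findings()` is true turns the inventory from a document someone maintains into a gate the pipeline enforces; the "missing" list is usually a sign that the spec, not the service, is stale.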

How Can Fortify Help?

Organizations can manage, monitor, secure, and document their API usage using the NetIQ Secure API Manager by OpenText, which allows application-security teams to maintain an up-to-date inventory of API assets. The Secure API Manager provides an authoritative repository where your DevSecOps team can store and manage all of the APIs used by the organization, allowing an easy-to-manage life cycle from API development to retirement. The software helps improve compliance with regulations and licensing by allowing detailed analytics.

API10:2023—Unsafe Consumption of APIs

What Is It?
With the increasing use of cloud-native infrastructure to create applications, APIs have become the point of integration between application components. However, the security posture of third-party services accessed through APIs is rarely clear, allowing attackers to determine which services an application relies on and whether any of those services have security weaknesses. Developers tend to trust the endpoints that their application interacts with, without verifying the external or third-party APIs. This Unsafe Consumption of APIs often leads to the application's reliance on services that have weaker security requirements or lack fundamental security hardening, such as input validation.

What Makes an Application Vulnerable?

Developers tend to trust data received from third-party APIs more than user input, although the two sources are essentially equivalent for a motivated attacker. Because of this misplaced trust, developers end up relying on weaker security standards, skipping the input validation and sanitization they would apply to data from end users.


Unsafe consumption of APIs may occur if the application:

• Uses or consumes other APIs over unencrypted communications,
• Fails to validate and sanitize data from other APIs or services,
• Allows redirection without any security checks, or
• Fails to limit resource consumption using thresholds and timeouts.

In an example from the OWASP report, an API that integrates with a third-party service provider to store sensitive user medical information might send private data through an API endpoint. Attackers could compromise the third-party API host to respond to future requests with a 308 Permanent Redirect:

HTTP/1.1 308 Permanent Redirect
Location: https://attacker.com/

If the developer does not code security checks into their application to verify any data returned by the API endpoint, their application will follow the redirect and send sensitive medical information to the attacker.

Attack Examples
In December 2021, a set of vulnerabilities in a widely used open-source logging component, Log4j, the most serious of which is CVE-2021-44228, allowed an attacker to have vulnerable versions execute code on the server simply by getting a crafted string logged. The issue originated in a lack of input validation: Log4j evaluated JNDI lookup expressions embedded in logged text, so an attacker-supplied string could direct the server to an attacker-controlled directory service that returned a serialized Java object or a reference to remote code, which the server then loaded and executed. Developers should check all input provided by third-party APIs and other external sources.27

How to Prevent It as a Developer?

Developers should conduct due diligence when evaluating service providers, assessing their API security posture and implementing strict security controls. In addition, developers should confirm that all communications to third-party APIs and from third parties to the organization's APIs use a secure communication channel to prevent snooping and replay attacks.

When receiving data from external users and machines, the inputs should always be validated and sanitized to prevent the inadvertent execution of code. Finally, for cloud services integrated through APIs, allow lists should be used to lock the address of the integrated solution, rather than blindly allowing any IP address to call the application's API.
__________
27. Microsoft Threat Intelligence. "Guidance for preventing, detecting, and hunting for exploitation of the Log4j 2 vulnerability." Microsoft. Web page. Updated 10 January 2022. www.microsoft.com/en-us/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/.

How Can Fortify Help?

By combining the static code and API analysis features of Fortify SAST with the runtime checks of the Fortify WebInspect dynamic application security testing (DAST) suite, DevSecOps teams can check their application's use of third-party APIs and test for common attack types. To find unsafe APIs, the NetIQ Secure API Manager can build a repository of all APIs called by the system as well as which external applications can use your application's APIs.
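The client-side discipline described under "How to Prevent It" above, as an added example (not code from the paper or from Fortify): a wrapper for consuming one partner API that insists on TLS, never follows a redirect (so the 308 from the compromised host in the OWASP scenario is refused rather than obeyed), caps response size, applies a timeout, and validates the JSON body against an expected shape exactly as it would validate user input. The transport is injected so the example runs offline; the partner hostname, canned responses and record schema are constructed for the illustration.

```python
"""Consuming a third-party API without trusting it (added example).

Not code from the paper or from Fortify. The transport is injected so the
example runs offline; CANNED, the partner host and RECORD_SCHEMA are constructed.
"""
import json
from dataclasses import dataclass
from urllib.parse import urlsplit


class UnsafeUpstream(Exception):
    pass


@dataclass(frozen=True)
class RawResponse:
    status: int
    headers: dict
    body: bytes


class PartnerClient:
    """Talks to one allow-listed HTTPS origin and validates every answer."""

    def __init__(self, base_url, transport, max_bytes=64 * 1024, timeout_s=5.0):
        if urlsplit(base_url).scheme != "https":
            raise ValueError("partner APIs must be consumed over TLS")
        self.base_url = base_url.rstrip("/")
        self.transport = transport      # callable(url, timeout) -> RawResponse, no redirects
        self.max_bytes = max_bytes
        self.timeout_s = timeout_s

    def get_json(self, path, schema):
        url = f"{self.base_url}/{path.lstrip('/')}"
        resp = self.transport(url, self.timeout_s)
        # 1. Never follow a redirect the upstream hands us; report it instead.
        if 300 <= resp.status < 400:
            target = resp.headers.get("Location", "")
            raise UnsafeUpstream(f"redirect to {target!r} refused")
        if resp.status != 200:
            raise UnsafeUpstream(f"unexpected status {resp.status}")
        # 2. Bound what we are willing to parse.
        if len(resp.body) > self.max_bytes:
            raise UnsafeUpstream("response too large")
        # 3. Treat the body like user input: parse strictly, then check its shape.
        try:
            data = json.loads(resp.body.decode("utf-8"))
        except (UnicodeDecodeError, ValueError) as exc:
            raise UnsafeUpstream(f"malformed JSON: {exc}") from None
        return _validate(data, schema)


def _validate(value, schema, where="$"):
    """Tiny structural check: schema is a type, or a dict of field -> schema."""
    if isinstance(schema, dict):
        if not isinstance(value, dict):
            raise UnsafeUpstream(f"{where}: expected object")
        extra = set(value) - set(schema)
        if extra:
            raise UnsafeUpstream(f"{where}: unexpected fields {sorted(extra)}")
        return {k: _validate(value.get(k), s, f"{where}.{k}") for k, s in schema.items()}
    if not isinstance(value, schema):
        raise UnsafeUpstream(f"{where}: expected {schema.__name__}")
    return value


# Constructed transport: the partner host has been compromised and answers one
# request with the 308 redirect described above; another answer is well-formed.
CANNED = {
    "https://records.partner.example/patients/42":
        RawResponse(308, {"Location": "https://attacker.example/"}, b""),
    "https://records.partner.example/patients/43":
        RawResponse(200, {"Content-Type": "application/json"},
                    b'{"patient_id": 43, "blood_type": "O+"}'),
}


def canned_transport(url, timeout):
    return CANNED.get(url, RawResponse(404, {}, b""))


RECORD_SCHEMA = {"patient_id": int, "blood_type": str}


def fetch_record(client, patient_id):
    """Return the validated record, or the refusal reason as a string."""
    try:
        return client.get_json(f"/patients/{patient_id}", RECORD_SCHEMA)
    except UnsafeUpstream as exc:
        return f"refused: {exc}"


if __name__ == "__main__":
    client = PartnerClient("https://records.partner.example", canned_transport)
    print(fetch_record(client, 42))   # the redirect is refused, nothing is sent on
    print(fetch_record(client, 43))
```

With a real HTTP library the transport is the call made with redirects disabled and the timeout set; keeping it behind one function is what makes the refusal policy testable and impossible to bypass from call sites.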


The API Security Top-10 Is Not Sufficient!

For cloud-native developers specifically focused on creating APIs to offer services to other parts of an application, internal users, or for global consumption, the OWASP API Security Top 10 list is an important document to read and understand.

However, the OWASP API Security Top 10 is not a standalone document. Developers also need to make sure that they utilize other sources of best practices, such as the OWASP Top 10, that are relevant to their current application and architecture. Common application vulnerabilities (SQL injection, data exposure, and security misconfiguration) continue to be common ways that cyber threat groups compromise corporate infrastructure and should be remediated quickly. In addition, some API-based applications, such as mobile apps, require different appsec hardening steps than a stand-alone web app, and different again from what may be required for connected and IoT devices. Overall, the API Security Top 10 list is important, but it remains only a facet of the overall secure software development lifecycle. The list, and the OWASP Top 10 list, should be used in conjunction with any other relevant standards and best practices that are required for the solution under analysis.

Conclusion
As applications increasingly rely on cloud infrastructure, web application programming interfaces (APIs) have become the foundation of the Internet. Companies typically have hundreds, if not thousands, of API endpoints in their environment, dramatically increasing their attack surface and exposing applications to a variety of weaknesses.

The release of the 2023 OWASP API Security Top 10 list is a good starting point for companies and developers to educate themselves on the risks of API-based infrastructure and to assess their own applications. Along with the more well-known Application Security Top 10 list, the pair of rankings can help DevSecOps teams toward developing a holistic approach to the overall security of their applications.

DevSecOps teams need to be aware of the security implications of APIs, how to reduce an implementation's vulnerabilities and security weaknesses, and how to harden their development pipeline and the resulting API server to make it more difficult for attackers to compromise an application through its APIs.


Where to Go Next
Here are the products mentioned in this document:
• Fortify API Security
• Fortify Static Code Analyzer (SAST)
• Fortify WebInspect (DAST)
• NetIQ Secure API Manager

Additional Resources
• OWASP Top 10 API Security Risks—2023
• Gartner Magic Quadrant for Application Security Testing
• Fortify Code Security Webinar Series
• Fortify Application Security

Connect with Us
www.opentext.com

OpenText Cybersecurity provides comprehensive security solutions for companies and partners of all sizes. From prevention, detection and response to recovery, investigation and compliance, our unified end-to-end platform helps customers build cyber resilience via a holistic security portfolio. Powered by actionable insights from our real-time and contextual threat intelligence, OpenText Cybersecurity customers benefit from high efficacy products, a compliant experience and simplified security to help manage business risk.

762-000081-004 | O | 11/23 | © 2023 Open Text
