ICYMI, we recently presented **A CISO's Guide to the New 2023 OWASP API Security Update**. In this first of two planned webinars, Stepan Ilyin and Tim Ebbers provided an overview of what's in and what's out in the planned update and had a lively discussion about how this impacts your API security plans for the foreseeable future.
You can watch the entire [**webinar on-demand**]() to get the full story.
**OWASP API Security Top-10 Comparison**
To start with, here's how the proposed update compares with the current version, which came out back in 2019.
![](https://i0.wp.com/lab.wallarm.com/wp-content/uploads/2023/03/OWASP-230316-API_security_top-10_compare_v2.png?resize=770%2C359&ssl=1)
But to paraphrase the immortal Miles Davis, sometimes "It's not the risks you know, it's the risks you don't know."
**What's Missing?**
During the discussion, Stepan and Tim looked at the potential impact of dropping [API8:2019]() (Injections), which is now folded into [API10:2023]() (Unsafe Consumption of APIs). Data from our [2022 Year-End API ThreatStats report]() shows that over 50% of all API vulnerabilities analyzed were traced to almost 30 Injection-related CWEs. In addition to the sheer quantity and variety of Injection vulnerabilities, there's the severity: Injection-related CWEs cover four (4) of the top-5 CWEs seen in 2022, accounting for almost one-quarter (25%) of all vulnerabilities analyzed. We feel this is a big miss.
[BTW, there's a lively discussion on this in the [Issues section]() which might interest some readers.]
Other areas that we feel need to be considered to fully protect your portfolio include:
* **API Leaks**. Not only sensitive end-user data like PII, but [leaked API secrets]() such as API tokens, keys, credentials and so on, which can lead to complete and total pwnage.
* **Batching Attacks**. A [type of brute force]() attack that abuses the GraphQL batch query feature to perform many operations in a single request, which reduces overall attack complexity and time.
* **Reflection Attacks**. A sort of modern, API-enabled version of advanced DDoS attacks of yore, where [middleware (which is trusted, automated and blind) is leveraged]() to attack entities.
* **Technical Modes**. Debug parameters such as `?debug=true` and other technical flags are often left in place by API developers, which can lead to unintentional access and potentially malicious activity.
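As an added illustration (not code from the webinar or from Wallarm), here is a small Python request/response inspector that checks for the Batching Attacks and Technical Modes items above and runs a simple API-leak scan over a response body. The operation limit, the flag names other than `debug`, the alias-counting regex, the secret patterns and the sample traffic are all assumptions constructed for this example; real deployments would tune them to their own schema and policy.

```python
import json
import re
from urllib.parse import parse_qs

# Policy values below are constructed for this example, not Wallarm or OWASP figures.
MAX_BATCH_OPERATIONS = 5
DEBUG_FLAGS = {"debug", "trace", "verbose"}  # "debug" is the post's example; the rest are assumed

# Heuristic: an aliased field such as `a1: login(` or `a1: user {` inside one query
# document is the alias form of batching (many operations in a single query).
_ALIAS_RE = re.compile(r"\b\w+\s*:\s*\w+\s*[({]")

# Response patterns for leaked secrets: the AWS access-key shape is the documented
# one; the bearer-token pattern is a loose approximation constructed for the example.
_SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "bearer_token": re.compile(r"\bBearer\s+[A-Za-z0-9\-._~+/]{20,}=*"),
}


def count_graphql_operations(body: str) -> int:
    """Count operations in a GraphQL HTTP body: a JSON-array batch counts one per
    entry, and each query document counts at least one plus any aliased fields."""
    try:
        payload = json.loads(body)
    except (json.JSONDecodeError, TypeError):
        return 0
    items = payload if isinstance(payload, list) else [payload]
    total = 0
    for item in items:
        if isinstance(item, dict) and isinstance(item.get("query"), str):
            total += max(1, len(_ALIAS_RE.findall(item["query"])))
    return total


def debug_flags_present(query_string: str) -> list:
    """Return the technical/debug parameter names found in a query string."""
    params = parse_qs(query_string, keep_blank_values=True)
    return sorted(k for k in params if k.lower() in DEBUG_FLAGS)


def scan_response_for_secrets(text: str) -> list:
    """Return the names of secret patterns that appear in a response body."""
    return sorted(name for name, rx in _SECRET_PATTERNS.items() if rx.search(text))


def inspect_request(query_string: str, body: str, production: bool = True) -> list:
    """Apply the batching and technical-flag checks to one request; return findings."""
    findings = []
    ops = count_graphql_operations(body)
    if ops > MAX_BATCH_OPERATIONS:
        findings.append(f"graphql batch of {ops} operations exceeds limit of {MAX_BATCH_OPERATIONS}")
    flags = debug_flags_present(query_string)
    if production and flags:
        findings.append("technical flag(s) in production request: " + ", ".join(flags))
    return findings


# Constructed sample traffic so the block runs stand-alone.
LOGIN_BATCH = json.dumps(
    [{"query": 'mutation { login(user: "bob", pw: "%d") { ok } }' % i} for i in range(20)]
)
ALIAS_QUERY = json.dumps({"query": "query { a1: login(id: 1) { ok } a2: login(id: 2) { ok } }"})
LEAKY_RESPONSE = '{"user": "bob", "aws_key": "AKIAIOSFODNN7EXAMPLE"}'  # AWS docs placeholder key

if __name__ == "__main__":
    print(inspect_request("", LOGIN_BATCH))           # batch of 20 operations flagged
    print(inspect_request("id=7&debug=true", ""))     # debug flag flagged in production
    print(count_graphql_operations(ALIAS_QUERY))      # 2: alias-style batching counted
    print(scan_response_for_secrets(LEAKY_RESPONSE))  # ['aws_access_key_id']
```

The alias count is deliberately a heuristic: a production control would parse the query with a GraphQL library and apply per-operation cost limits, and the debug-flag check belongs in front of every environment that is not explicitly a test environment.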
This is not to put down the hard work done by so many in coming up with a top-10 list; by necessity some items are not going to make the list, and folks are going to disagree about it. We just want to make sure you don't lose sight of other issues which our data suggest are important to your API security.
**Key Takeaways**
So, what should CISOs (and indeed API builders, breakers, defenders, and DevSecOps practitioners) do now? We suggest you consider the following.
1. The OWASP API Security Top-10 list is a good starting point, but not the be-all and end-all of API security. After all, the API itself is only where the issues start: you also need to consider your infrastructure, configurations, and operating systems. Indeed, all your system components need to be considered, not just the software that makes up the API, the database that the software is connecting to, or how that database is configured.
2. While the proposed API Security Top-10 list has changed a bit, we recommend you don't hastily overhaul your existing tools and processes. As we all know, security is a journey, not a destination, so rather than recklessly ripping and replacing, add to what you currently have. Build up your defenses based on your unique, evidence-based needs.
3. A holistic security approach from Dev testing ("shift left") to real-time in-line protection ("shield right") is needed. By bringing both sides together, you can identify which vulnerabilities can be eliminated via your SDLC tools and those that need additional run-time protections.
**Next Up**
Be sure to register for the 2nd webinar in this series, [A Practitioner's Guide to the New 2023 OWASP API Security Update](), for an in-depth look at how these changes will impact your API security plans and implementations.
The post [Insights into the New OWASP API Security Top-10 for CISOs]() appeared first on [Wallarm]().