Security pitfalls to avoid when programming using an API
OWASP’s API Security Project has released the first edition of its top 10 list of API security risks.
The most common and perilous API security risks
API abuse is an ongoing problem and is expected to escalate in the coming years, as the number of API implementations continues to grow.
The OWASP API Security Project aims to provide software developers and code auditors with information about the risks brought on by insecure APIs.
Earlier this month, they published the official OWASP API Security Top 10 list, which looks like this:
1. Broken Object Level Authorization
2. Broken User Authentication
3. Excessive Data Exposure
4. Lack of Resources & Rate Limiting
5. Broken Function Level Authorization
6. Mass Assignment
7. Security Misconfiguration
8. Injection
9. Improper Assets Management
10. Insufficient Logging & Monitoring
Each of the risks comes with an explanation, example attack scenarios and advice on how to mitigate it. The document also includes links to helpful free resources (education material, guides, cheat sheets, etc.) for developers and DevSecOps practitioners.
The document can be downloaded from GitHub.
“There are issues that look simple, but are critical, like good housekeeping and documenting APIs. There are also complex issues of access control that might require some attention from the design phase,” Erez Yalon, director of security research at Checkmarx and co-lead on the OWASP API Security Project, told Help Net Security.
“To put it simply, follow this list closely – OWASP has done the groundwork for development teams and security professionals to improve their knowledge around security risks to look out for when implementing APIs. Understanding the vulnerabilities outlined within will help teams to mitigate against API security risks and to put systems into place moving forward.”
Future plans
This first version of the list is based on publicly available data about API security incidents, security experts' contributions, and discussions with security practitioners.
“We are planning another version of the OWASP API Security Top 10 in 2020,” he noted.
“This time, in addition to using the knowledge of the AppSec community, we will also use a public call for data that will enable us to fine-tune the list. Additionally, we will be working on a cheat sheet that will be a more practical guide for developers, pen-testers, and auditors.”
As adversaries set their sights on this emerging target, awareness and education around the security pitfalls outlined in the OWASP API Security Top 10 list will be key to the development of secure applications in the future, he concluded.