Any company that employs APIs can tell you that they’re the glue that holds all things together, the hub that simplifies and scales digital growth. However, not all can tell you how to protect them. And that’s a problem.
Thankfully, the OWASP (Open Web Application Security Project) API Security Top 10 can. A list defining the ten most nefarious, most relevant cyber threats to APIs each year, it is something that needs to be understood and studied by (at least) the security departments of any company that uses APIs, from startups to multinationals. Here’s why.
Now, APIs are Everywhere
Since their widespread adoption as playmakers in the digital space, APIs have had some qualities that made them stand out to attackers.
An API, or application programming interface, is an intermediary piece of software that allows two applications to communicate with each other. Why is this important? Say you’re a startup wanting to develop a fitness app. You want to show your runners what the weather will be like on their jog, but you don’t want to spend the time developing a separate weather widget as well. So, you find a company that specializes in weather widgets and use an API to connect your two apps. Presto.
You can see why APIs became critical building blocks of rapid, agile digital advancement and a large part of the reason things get “spun up so fast” in the digital realm; in one week, Google Play released 9,191 new apps (and numbers were down). According to Slashdata, 90% of developers use APIs. That should give you some idea of their ubiquity and of why attackers are so eager to get their hands on them.
Why We Need an API Security Top 10
Despite, or perhaps because, they were designed for convenience, APIs are notoriously easy to find and use. This increases their target value even more. Because they are engineered to make business processes smoother, they often have access to core company data, and the combination of high accessibility and sensitive data is a dangerous one. Then there is the problem of API documentation revealing business logic, which can expose flaws within that logic and thereby hand attackers methods of exploitation.
Not least of all is the sheer number of APIs in play and the number of connections they juggle. One industry report reveals that 59% of companies have over 100 APIs, and 16% process more than 500 million requests per month. When each connection needs to be identified, secured, and access controlled, the job becomes a behemoth task with plenty of room for error. To cite just one sector, the financial industry experienced a 244% increase in API attacks in 2022. More broadly, a 400% increase in unique API attackers was reported during the six months leading up to March of last year.
This Year’s OWASP API Top 10
The OWASP API Security Top 10 was inaugurated in 2019 to clamp down on the rampancy of API attacks industry-wide. OWASP, an open-source community that regularly delivers its “Top 10” list of critical web application security risks, has now updated the API list for the first time since that original 2019 publication. API security firm Salt notes that, “With 37% of companies updating their APIs once a week, it’s not realistic to expect development teams to spot every possible API vulnerability before deploying a new or updated API.” That’s why it’s so important to know the trouble spots that will need securing the most.
This year, the 2023 OWASP API Security Top 10 list includes three new additions:
- Unrestricted Access to Sensitive Business Flows | This is business logic compromise by definition. An attacker finds an opening in the business logic and uses it to reach critical business flows, then automates that access so the compromise can be repeated at will.
- Server Side Request Forgery | This occurs when an API fetches a remote resource from a user-supplied URL without validating that URL. In a worst-case scenario, malicious user input could make the API return sensitive responses from a cloud provider’s management and control channels that are reachable over HTTP.
- Unsafe Consumption of APIs, including injection | Security rules are looser when dealing with APIs than when dealing with humans, at least for many developers. Therefore, a compromised supply-chain API could have an easier time launching a cross-site scripting attack, because data sanitization standards are lax for data arriving from other APIs.
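The Server Side Request Forgery and Unsafe Consumption entries above share one defensive theme: an outbound call is only as safe as the validation around it, on the way out (where is the API being told to fetch from?) and on the way back (what is it accepting from the upstream API?). The following is an added example, not code from the original article or from OWASP, showing both halves for the weather-widget scenario used earlier. The allowlisted host `api.weather.example`, the resolver answers, and the expected JSON fields are all constructed assumptions; the resolver is injectable so the example runs offline.

```python
import ipaddress
import json
import socket
from urllib.parse import urlsplit

# Constructed policy for the fitness app's weather integration (assumption).
ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"api.weather.example"}

# Shape the upstream weather response is allowed to have (assumption).
EXPECTED_FIELDS = {"temp_c": (int, float), "condition": str}
MAX_BODY_BYTES = 64 * 1024


def is_public_ip(ip: str) -> bool:
    """Reject anything that points back into our own network or cloud metadata space."""
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def check_outbound_url(url: str, resolve=socket.gethostbyname):
    """SSRF guard: returns (True, resolved_ip) for an acceptable fetch target,
    or (False, reason). `resolve` is injectable so tests need no DNS."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parts.username or parts.password:
        return False, "credentials in URL"
    host = parts.hostname  # urlsplit lowercases this for us
    if host not in ALLOWED_HOSTS:
        return False, "host not on allowlist"
    # Resolve ourselves and check the answer, so a DNS record that later points
    # an allowlisted name at an internal address is still caught.
    ip = resolve(host)
    if not is_public_ip(ip):
        return False, f"host resolves to non-public address {ip}"
    return True, ip


def parse_upstream_weather(body: bytes, content_type: str):
    """Unsafe-consumption guard: treat the third-party API like any other
    untrusted input. Returns (True, clean_dict) or (False, reason)."""
    if not content_type.lower().startswith("application/json"):
        return False, "unexpected content type"
    if len(body) > MAX_BODY_BYTES:
        return False, "response too large"
    try:
        data = json.loads(body)
    except ValueError:
        return False, "response is not valid JSON"
    if not isinstance(data, dict):
        return False, "response is not an object"
    clean = {}
    for key, types in EXPECTED_FIELDS.items():
        value = data.get(key)
        # bool is a subclass of int, so exclude it explicitly
        if value is None or isinstance(value, bool) or not isinstance(value, types):
            return False, f"field {key!r} missing or wrong type"
        clean[key] = value
    # Only the expected keys survive; unknown keys (e.g. injected markup) are dropped.
    cond = clean["condition"]
    if len(cond) > 40 or not cond.replace(" ", "").isalpha():
        return False, "condition contains unexpected characters"
    return True, clean
```

`check_outbound_url` runs before the fetch, `parse_upstream_weather` runs on whatever comes back, and the real HTTP client sits between them (and should be configured not to follow redirects, since a redirect is another way to leave the allowlist). The constructed resolver answers in the test stand in for what DNS would return.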
Along with four modified entries:
- Broken Authentication
- Broken Object Property Level Authorization
- Unrestricted Resource Consumption
- Improper Inventory Management
And three unchanged relics from the original version.
The one major trend behind many of these revisions was mentioned in the first new addition. Rather than break down the front door and sound alarm bells, as a malware or injection attack would, attackers are seeking out flaws in an API’s business logic to do underhanded things that are technically allowable. This makes them far stealthier and more difficult to detect. That’s why runtime protections need to be in place to catch API attacks (especially those “undetectable” ones) in the act, including behavioral anomalies such as brute forcing, scraping, or credential stuffing attempts, even when no individual request breaks a “rule”.
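To make the runtime-protection point concrete: each request in a credential-stuffing, brute-force, or scraping run is individually valid, so the only thing to detect is the pattern across requests from one source. The block below is an added example, not code from the article or from any vendor, that builds a constructed API access log and runs three simple windowed behavioral checks over it. The log format, thresholds, and addresses are all assumptions chosen for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<iso-timestamp> <client-ip> <method> <path> <status> user=<name>"
LOG_RE = re.compile(
    r"(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) user=(?P<user>\S*)"
)
OBJECT_RE = re.compile(r"^/users/\d+$")  # an object-level endpoint (assumption)


def parse_ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def detect_anomalies(lines, window=timedelta(seconds=60),
                     stuffing_users=5, brute_failures=5, scrape_objects=10):
    """Return a sorted list of (kind, client_ip) alerts found in the log lines.

    credential_stuffing: >= stuffing_users distinct accounts fail login from one IP in a window
    brute_force:         >= brute_failures failed logins for one account from one IP in a window
    scraping:            >= scrape_objects distinct objects read (all 200) from one IP in a window
    """
    events = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        e = m.groupdict()
        e["ts"], e["status"] = parse_ts(e["ts"]), int(e["status"])
        events[e["ip"]].append(e)

    alerts = set()  # one alert per (kind, ip), however many windows trip it
    for ip, evs in events.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            win = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            failed = [e for e in win
                      if e["method"] == "POST" and e["path"] == "/login" and e["status"] == 401]
            if len({e["user"] for e in failed}) >= stuffing_users:
                alerts.add(("credential_stuffing", ip))
            per_user = Counter(e["user"] for e in failed)
            if per_user and max(per_user.values()) >= brute_failures:
                alerts.add(("brute_force", ip))
            objects = {e["path"] for e in win
                       if e["method"] == "GET" and e["status"] == 200 and OBJECT_RE.match(e["path"])}
            if len(objects) >= scrape_objects:
                alerts.add(("scraping", ip))
    return sorted(alerts)


def constructed_log():
    """Constructed sample traffic (not real data): three abusive sources and one benign user."""
    t0 = datetime(2024, 5, 1, 10, 0, 0)
    stamp = lambda s: (t0 + timedelta(seconds=s)).strftime("%Y-%m-%dT%H:%M:%SZ")
    lines = []
    # credential stuffing: six different accounts tried from one IP within 20 s, all rejected
    for i, user in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"]):
        lines.append(f"{stamp(3 * i)} 198.51.100.7 POST /login 401 user={user}")
    # scraping: one authenticated user walks sequential object ids; every request is authorized
    for i in range(12):
        lines.append(f"{stamp(2 * i)} 203.0.113.9 GET /users/{1001 + i} 200 user=mallory")
    # brute force: one IP hammers a single account
    for i in range(6):
        lines.append(f"{stamp(5 * i)} 198.51.100.20 POST /login 401 user=bob")
    # benign: one typo, then a successful login and a normal read
    lines += [
        f"{stamp(1)} 192.0.2.5 POST /login 401 user=alice",
        f"{stamp(4)} 192.0.2.5 POST /login 200 user=alice",
        f"{stamp(9)} 192.0.2.5 GET /users/42 200 user=alice",
    ]
    return lines


if __name__ == "__main__":
    for kind, ip in detect_anomalies(constructed_log()):
        print(f"{kind}: {ip}")
```

Note that the scraping case never produces a non-200 status: each read is properly authorized, which is exactly why a per-request rule misses it and a per-source, per-window count is needed. In production the same logic would run as a streaming job rather than over a list, and the thresholds would be tuned per endpoint.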
This leads us to our final point. The OWASP API Security Top 10 is a great place to start. However, for it to be of any use, we need to implement the right API security solutions.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.