Meet the Expert: Updates to OWASP API Security Top 10

Michael Kan-Tor from Upstream Research covers the recent updates to the OWASP API Security Top Ten risks. He reviews all ten risks, new and old, and gives examples of how each can be exploited through an API vulnerability to disrupt business operations or access sensitive data. This much-awaited update to the list, the previous version of which was released in 2019, provides additional clarity on the API security threats that organizations relying on APIs must guard against.


Script

API 1: Broken Object Level Authorization
Retained from the 2019 edition, this refers to cases where an API exposes objects to potential attackers who are not authorized to access them.

API 2: Broken Authentication
Same as 2019. It involves cases where a broken authentication mechanism lets potential attackers bypass that mechanism and gain unwarranted authenticated access to the core API service.

API 3: Broken Object Property Level Authorization
A new category combining the excessive data exposure and mass assignment categories from the old list. It covers instances where an API exposes specific properties of an object to unauthorized consumers.
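
As an added example (not from the talk or from Upstream), a minimal in-memory Python handler that illustrates API1 and API3 together, with the vulnerable pattern beside its hardened form; the account records, caller names and allow-lists are constructed for illustration:

```python
# Added example (not from the talk): a minimal in-memory account API
# showing API1 (object-level) and API3 (object-property-level) checks.
# Constructed sample data: two users, each owning one account record.
ACCOUNTS = {
    "acct-1": {"owner": "alice", "balance": 120.0,
               "email": "alice@example.com", "role": "user"},
    "acct-2": {"owner": "bob", "balance": 80.0,
               "email": "bob@example.com", "role": "user"},
}
# API3 allow-lists: what a consumer may read, and what it may write.
READABLE = {"balance", "email"}
WRITABLE = {"email"}

def get_account_vulnerable(caller, acct_id):
    """Anti-pattern: trusts the id in the request and returns the raw record.
    Any caller who supplies another id reads it (API1), including internal
    properties such as owner and role (API3)."""
    return ACCOUNTS[acct_id]

def _owned(caller, acct_id):
    rec = ACCOUNTS.get(acct_id)
    # API1: ownership is decided server-side from the caller's identity,
    # never from anything in the request body or query string.
    if rec is None or rec["owner"] != caller:
        return None
    return rec

def get_account(caller, acct_id):
    """Hardened read: returns (status, body) like an HTTP response."""
    rec = _owned(caller, acct_id)
    # Same response for missing and not-owned ids, so the API does not
    # confirm which ids exist.
    if rec is None:
        return 404, {"error": "not found"}
    # API3: serialize only the allow-listed properties.
    return 200, {k: rec[k] for k in READABLE}

def update_account(caller, acct_id, body):
    """Hardened write: rejects properties outside the allow-list instead of
    binding the whole request body onto the record (mass assignment)."""
    rec = _owned(caller, acct_id)
    if rec is None:
        return 404, {"error": "not found"}
    extra = sorted(set(body) - WRITABLE)
    if extra:
        return 400, {"error": f"non-writable properties: {extra}"}
    rec.update(body)
    return 200, {k: rec[k] for k in READABLE}
```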

API 4: Unrestricted Resource Consumption
Unchanged from the 2019 list, this refers to cases where an API allows a consumer to consume excessive resources, potentially causing denial of service or high load on the API.

API 5: Broken Function Level Authorization
A repeat category from the 2019 list. This category refers to instances where specific functionality in the API is vulnerable to potential attackers who can access it without proper authorization.

API 6: Unrestricted Access to Sensitive Business Flows
A new category, it relates to situations where a sensitive business flow exposed through the API is vulnerable to attack.

API 7: Server Side Request Forgery (SSRF)
Previously part of the injection category, SSRF is now its own category and is a well-documented attack vector.

API 8: Security Misconfiguration
Retained from the 2019 edition, it covers instances where misconfigurations in the server can cause security vulnerabilities.

API 9: Improper Inventory Management
This category refers to cases where different versions of APIs or API assets are incorrectly managed, allowing potential attackers to exploit outdated API versions.

API 10: Unsafe Consumption of APIs
This category relates to instances where an API consumes other unsafe APIs, potentially compromising the core API.
