The OWASP API Security Top Ten in a Nutshell
FireTail's Paul Mansour-Geoffrion will present a talk titled "The OWASP API Security Top Ten in a Nutshell" at Scale 20x in Los Angeles, California on March 11, 2023.
With the rise of APIs, API security has become a key topic for many developers to consider. And yet the state of the art for API security is a four-year-old, loosely defined standard: the OWASP API Security Top 10 for 2019.
Paul will walk through this top 10, which can be hard to get a grip on, since its items span network-level controls, authentication and authorization, data management and more.
Attacks against APIs generally look like normal API traffic, but contain queries designed to evade security controls through exploitation of the application logic. WAFs are not designed to handle problems in applications or API logic. WAFs are designed to block specific IP addresses, ranges, functional endpoints on an API, or some combination thereof.
The presentation will show that APIs have been breached through flaws in application logic, something a WAF cannot stop.
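To make the point concrete, here is an added example (not from the talk or from FireTail) using one logic flaw from the list, broken object-level authorization, as the instance: a request for someone else's record has exactly the same shape as a request for your own, so an IP/endpoint filter of the kind a WAF applies passes both, while a per-object ownership check in the handler rejects the second. All names, paths, addresses and data are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: invoices keyed by id, each owned by one customer.
INVOICES = {
    1001: {"owner": "alice", "total": 120.00},
    1002: {"owner": "bob", "total": 75.50},
}

# What a WAF-style rule works with: a source address and a path. It knows
# nothing about which customer owns invoice 1002.
ALLOWED_PATH_PREFIXES = ("/api/invoices/",)
BLOCKED_IPS = {"203.0.113.9"}  # constructed example address


@dataclass
class Request:
    user: str        # authenticated caller, taken from a validated token
    source_ip: str
    path: str


def waf_allows(req: Request) -> bool:
    """Network/endpoint-level filtering only: IP and path, no ownership."""
    return (req.source_ip not in BLOCKED_IPS
            and req.path.startswith(ALLOWED_PATH_PREFIXES))


def get_invoice_vulnerable(req: Request) -> Optional[dict]:
    """Looks the object up by id alone: any authenticated user can read any invoice."""
    invoice_id = int(req.path.rsplit("/", 1)[-1])
    return INVOICES.get(invoice_id)


def get_invoice_hardened(req: Request) -> Optional[dict]:
    """Object-level authorization: the record must belong to the caller."""
    invoice_id = int(req.path.rsplit("/", 1)[-1])
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice["owner"] != req.user:
        return None  # same response for "missing" and "not yours"
    return invoice


# Two requests from the same user: her own invoice, then someone else's.
# Both are well-formed, from an allowed address, to an allowed endpoint.
OWN = Request(user="alice", source_ip="198.51.100.7", path="/api/invoices/1001")
OTHER = Request(user="alice", source_ip="198.51.100.7", path="/api/invoices/1002")

if __name__ == "__main__":
    for req in (OWN, OTHER):
        print(req.path, "waf:", waf_allows(req),
              "vulnerable:", get_invoice_vulnerable(req) is not None,
              "hardened:", get_invoice_hardened(req) is not None)
```

Running it shows the WAF check returning True for both requests; only the handler that compares the record's owner with the authenticated caller turns the second one away.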
In 2019, the Open Web Application Security Project (OWASP), a leading authority on internet security, published a top ten list of API vulnerabilities. In this presentation, we’ll review all of them.
The OWASP API top 10 is getting updated - maybe
As of this writing, an update to the OWASP API Security Top 10 for 2023 is in "release candidate" status.