OWASP set to address API security risks

OWASP has started a new project and is set to publish a new guide on security risks. The issue they aim to tackle this time is API security.

The new OWASP API Security Project was introduced at the recently concluded NolaCon by project leader David Shaw and his colleague Leif Dreizler (presentation recorded by Adrian Crenshaw).

The goal of the project is to provide software developers and security assessors with information about the risks brought on by insecure APIs (both public and private), and advice on how they can be mitigated.

The tentative API Security Top Ten Risks list has been compiled from aggregate data from Bugcrowd (Dreizler is a Senior Security Engineer at the company), feedback from industry surveys, and high-profile breaches reported in the media. It currently looks like this:

1. Improper Data Sanitization
2. Insufficient Access Control
3. Insecure Direct Object Reference
4. Insufficient Transport Layer Security
5. Sensitive Data Exposure
6. Weak Server-Side Security
7. Improper Key Handling
8. Inconsistent API Functionality
9. Security Misconfiguration

As you might have noticed, there is no number 10. Let’s chalk it up to the fact that the list is just a first, tentative version, and the project is still in the alpha phase.

Shaw invited security researchers to add their two cents and critique the work done so far, so that gap will surely be filled.

But whether the list ends up as a top 10 or a top 9 is not important – the project’s most important work will be creating a documentation portal on secure API development that developers and code auditors will be able to use.