A Comparison of OWASP’s Top 10 API Security Risks for 2019 and 2023 (The Evolution of API Security)

As the digital environment evolves, so do the threats against it. API security is one area where both the attacks and the defensive guidance have changed substantially. The Open Web Application Security Project (OWASP) publishes an API Security Top 10 to catalogue these risks: the first edition appeared in 2019 and a revised edition followed in 2023. This post examines the significant differences between the two editions and what they say about how API security threats are changing.


The Unchanged Vulnerabilities

Only three categories kept their names between the 2019 and 2023 lists: Broken Object Level Authorization (BOLA, number one in both), Broken Function Level Authorization (BFLA, number five in both), and Security Misconfiguration (which moved from number seven to number eight). These flaws are still widely exploited, and BOLA remains the single greatest API security risk. The reason is structural: an object-level check has to be repeated on every endpoint that accepts an object identifier, and that is easy to miss when development moves quickly and the authorization rules are complex.

The new additions in OWASP TOP 10 2023

Three categories are new in 2023: Unrestricted Access to Sensitive Business Flows, Server-Side Request Forgery (SSRF), and Unsafe Consumption of APIs. Unrestricted Access to Sensitive Business Flows enters at number six. It covers automated abuse of legitimate flows (buying out inventory, scripting transfers, mass account creation) that stays within the API's intended behaviour, which is why OWASP notes that generic rate limiting alone is not enough and recommends flow-specific controls such as device fingerprinting, human detection, and limits keyed on the business objects involved. SSRF enters at number seven following a large rise in attacks, as APIs increasingly fetch client-supplied URLs for webhooks, imports, and integrations. Unsafe Consumption of APIs is the tenth item (number nine is Improper Inventory Management): it reflects the tendency to trust data from third-party APIs more than user input, and was included to raise awareness of this growing risk.

The Refreshed Categories

Several categories were renamed or merged to reflect the current threat landscape. Broken User Authentication became Broken Authentication, since the same weaknesses apply to any principal authenticating to the API, including service accounts and machine clients, not only end users. Excessive Data Exposure and Mass Assignment from the 2019 list were combined into Broken Object Property Level Authorization, which treats them as one problem: the API must decide, per property, what a caller may read and what a caller may write, instead of returning whole objects or binding whole request bodies. Lack of Resources and Rate Limiting became Unrestricted Resource Consumption to emphasize the consequences (outages and, in pay-per-use services, cost) of missing limits on request rate, payload size, pagination, and other resource-consuming operations. Improper Assets Management was also renamed Improper Inventory Management and kept its place at number nine.

The Discontinued Categories

Two categories were dropped from the 2023 list: Injection and Insufficient Logging and Monitoring. Both risks still exist, but they are not specific to APIs and are already covered by the main OWASP Top 10, so they no longer warrant separate API entries.

The change in the OWASP API Top 10 from 2019 to 2023 shows how quickly API security concerns shift. With APIs at the core of modern applications, understanding these risks and putting the right controls in place matters more than ever. Keep yourself informed and safe!

Entersoft’s Fintech use case, illustrating the refreshed 2023 categories.

Broken Authentication

In a Fintech SaaS application this occurs when a user tries to read their financial data or perform a transaction and the application fails to verify their identity properly. For instance, if the application does not enforce multi-factor authentication for sensitive operations, or does not verify the signature and expiry of session tokens, an attacker can impersonate a legitimate user, read their financial data, or submit fraudulent transactions.
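The session-token half of that scenario, as an added example that is not part of the original article or of any Entersoft product: a minimal HMAC-signed session token, a lookup that trusts the token's contents without checking the signature (the broken form), and one that verifies the signature in constant time and checks expiry before trusting any claim. The signing key, the token format and the 15-minute lifetime are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Hypothetical server-side signing key. In production this comes from a secret
# manager and is rotated; it is hard-coded here only so the example runs offline.
SERVER_SECRET = b"example-signing-key-do-not-use"
TOKEN_TTL_SECONDS = 15 * 60


def _b64encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: str, now: Optional[float] = None) -> str:
    """Issue a session token of the form base64(payload).base64(HMAC-SHA256(payload))."""
    issued = int(time.time() if now is None else now)
    payload = json.dumps(
        {"sub": user_id, "iat": issued, "exp": issued + TOKEN_TTL_SECONDS},
        separators=(",", ":"), sort_keys=True,
    ).encode()
    signature = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    return f"{_b64encode(payload)}.{_b64encode(signature)}"


def current_user_vulnerable(token: str) -> Optional[str]:
    """Broken Authentication: decodes the payload and trusts the user id in it without
    checking the signature or the expiry. Anyone can mint a token for any user."""
    try:
        payload = json.loads(_b64decode(token.split(".")[0]))
        return payload["sub"]
    except (ValueError, KeyError, TypeError):
        return None


def current_user_hardened(token: str, now: Optional[float] = None) -> Optional[str]:
    """Verify the signature first (constant-time compare), then the expiry, and only then
    trust the claims. Every failure returns None so the caller treats the request as
    unauthenticated."""
    try:
        payload_b64, signature_b64 = token.split(".")
        payload = _b64decode(payload_b64)
        presented = _b64decode(signature_b64)
    except ValueError:  # wrong number of parts, or invalid base64 (binascii.Error is a ValueError)
        return None
    expected = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(presented, expected):
        return None
    claims = json.loads(payload)
    if (time.time() if now is None else now) >= claims["exp"]:
        return None
    return claims["sub"]


def forge_token(victim_user_id: str) -> str:
    """What an attacker sends when signatures are not checked: a payload naming the victim
    with a far-future expiry and an arbitrary signature."""
    payload = json.dumps({"sub": victim_user_id, "iat": 0, "exp": 2**31}).encode()
    return f"{_b64encode(payload)}.{_b64encode(b'not-a-real-signature')}"
```

The order of checks in `current_user_hardened` matters: the signature is verified over the raw payload bytes before the payload is parsed, so malformed or attacker-controlled JSON never reaches the parser, and the expiry is enforced server-side rather than taken from the client.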

Broken Object Property Level Authorization

This vulnerability appears when a Fintech SaaS application fails to enforce access rules on individual properties of its data objects. For instance, if the application lets a user update their account profile but binds the whole request body to the account object without checking which properties the user may change, an attacker can set server-controlled properties such as the account balance, the KYC status, or the transaction history in the same request. The read side is the same problem in reverse: returning the full account object exposes properties the caller was never meant to see.
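A worked version of the account-update endpoint, added here as an example and not taken from the original article or from Entersoft's code. It covers both the object-level check that the BOLA discussion above calls the greatest API risk and the property-level checks described in this section: the vulnerable handler has no ownership check, merges the request body wholesale, and returns the whole object; the hardened handler checks ownership, rejects properties outside a write allow-list, and serializes through a read allow-list. The account data, the allow-lists and the handler signatures are constructed for the example.

```python
from copy import deepcopy
from typing import Any, Dict, Tuple

# Constructed in-memory account store standing in for the database; all data is made up.
SAMPLE_ACCOUNTS: Dict[str, Dict[str, Any]] = {
    "acc-1001": {"owner": "alice", "display_name": "Alice Checking", "email": "alice@example.com",
                 "balance": 2500.00, "kyc_status": "verified", "ssn_last4": "1234"},
    "acc-2002": {"owner": "bob", "display_name": "Bob Savings", "email": "bob@example.com",
                 "balance": 90.00, "kyc_status": "pending", "ssn_last4": "5678"},
}

# Property-level policy for the account owner (hypothetical). balance and kyc_status are
# server-controlled and read-only; ssn_last4 is internal and never returned to the client.
OWNER_READABLE = {"display_name", "email", "balance", "kyc_status"}
OWNER_WRITABLE = {"display_name", "email"}

Response = Tuple[int, Dict[str, Any]]  # (HTTP status, JSON body)


def fresh_store() -> Dict[str, Dict[str, Any]]:
    return deepcopy(SAMPLE_ACCOUNTS)


def update_account_vulnerable(store: Dict[str, Dict[str, Any]], caller: str,
                              account_id: str, payload: Dict[str, Any]) -> Response:
    """PATCH /accounts/{id} with all three flaws: `caller` is never compared with the owner
    (BOLA), the request body is merged wholesale into the object (mass assignment), and the
    full object is returned (excessive data exposure)."""
    account = store[account_id]
    account.update(payload)
    return 200, account


def serialize_for_owner(account: Dict[str, Any]) -> Dict[str, Any]:
    """Read side of property-level authorization: an explicit allow-list of returned properties."""
    return {key: account[key] for key in OWNER_READABLE if key in account}


def update_account_hardened(store: Dict[str, Dict[str, Any]], caller: str,
                            account_id: str, payload: Dict[str, Any]) -> Response:
    account = store.get(account_id)
    # Object level (BOLA): the caller must own this account. The same 404 is returned for
    # "does not exist" and "not yours" so the endpoint does not confirm which ids exist.
    if account is None or account["owner"] != caller:
        return 404, {"error": "account not found"}
    # Write side of property level: reject (rather than silently drop) properties outside the
    # allow-list, so an attempt to set balance fails loudly and shows up in the logs.
    unexpected = sorted(set(payload) - OWNER_WRITABLE)
    if unexpected:
        return 400, {"error": "properties not writable", "properties": unexpected}
    for key in payload:
        account[key] = payload[key]
    return 200, serialize_for_owner(account)
```

The two allow-lists are deliberately separate: a property such as `balance` is readable by the owner but writable only by the ledger, and `ssn_last4` is neither, which a single "fields the user may access" list cannot express.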

Unrestricted Resource Consumption

This occurs when a Fintech SaaS application does not limit how many requests, and how much work per request, a user or service can generate in a given period. Without rate limiting, an attacker can flood the API with requests and cause a denial of service (DoS) that locks out genuine users; missing limits on payload size, page size, or expensive operations have the same effect with far fewer requests. In a financial setting, where users need timely access to their data for trading and other decisions, the impact is especially severe.
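The following added example (not part of the original article or of Entersoft's software) puts the two related categories side by side: a generic per-client sliding-window limit for Unrestricted Resource Consumption, and, for the Unrestricted Access to Sensitive Business Flows category introduced earlier, velocity limits keyed on the accounts involved in a transfer rather than on the client. The thresholds, the endpoint names and the in-memory limiter are assumptions; a real deployment would keep the counters in a shared store so that every API replica sees them.

```python
import time
from collections import defaultdict, deque
from typing import Deque, Dict, Optional, Tuple


class SlidingWindowLimiter:
    """Allow at most `limit` events per `window_seconds` for each key, tracked as a sliding
    window of event timestamps. Exact and in-memory; production would use a shared store."""

    def __init__(self, limit: int, window_seconds: float) -> None:
        self.limit = limit
        self.window = window_seconds
        self._events: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, key: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        events = self._events[key]
        cutoff = now - self.window
        while events and events[0] <= cutoff:  # drop timestamps that left the window
            events.popleft()
        if len(events) >= self.limit:
            return False                       # denied attempts are not recorded
        events.append(now)
        return True


class FintechApi:
    """Two layers of limits (all thresholds are hypothetical policy values).
    Layer 1: a generic per-client request budget on every endpoint (Unrestricted Resource
    Consumption). Layer 2: velocity limits keyed on the business objects of the sensitive
    transfer flow (Unrestricted Access to Sensitive Business Flows)."""

    def __init__(self) -> None:
        self.per_client = SlidingWindowLimiter(limit=100, window_seconds=60)
        self.transfers_per_source = SlidingWindowLimiter(limit=5, window_seconds=3600)
        self.transfers_per_destination = SlidingWindowLimiter(limit=20, window_seconds=3600)

    def get_balance(self, client_id: str, account_id: str, now: float) -> Tuple[int, str]:
        if not self.per_client.allow(client_id, now):
            return 429, "too many requests"
        return 200, f"balance of {account_id}"

    def transfer(self, client_id: str, source: str, destination: str,
                 amount: float, now: float) -> Tuple[int, str]:
        if not self.per_client.allow(client_id, now):
            return 429, "too many requests"
        # Flow-level limits are keyed on the accounts, not the client, so spreading the
        # requests over many IPs or sessions does not reset them. The limiters are consulted
        # in order and each records the attempt it allows, so a transfer refused at the
        # destination check still counts against the source account; that is intentional.
        if not self.transfers_per_source.allow(source, now):
            return 429, "transfer limit reached for source account"
        if not self.transfers_per_destination.allow(destination, now):
            return 429, "destination is receiving an unusual number of transfers"
        return 200, f"transferred {amount:.2f} from {source} to {destination}"
```

The point of the second layer is visible in the numbers: one transfer a minute never trips a 100-requests-per-minute client limit, yet drains an account in an hour, and twenty compromised accounts each sending once never trip any per-account limit, yet all land in one destination. Only limits keyed on the flow's own objects catch those patterns.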

Your API sits behind every customer interaction. Securing the back-end infrastructure and authentication behind it with the strongest available defences is critical. Step up your API security.