APIs, or application programming interfaces, allow different platforms, apps, and systems to connect and share data with each other. They are used by IoT devices, mobile applications, traditional web applications, and almost every website that communicates directly with other applications. As a result, it is no surprise that the use of APIs has grown immensely over the past decade, and according to the Akamai State of the Internet Report, API calls now make up 83% of all Internet traffic. It is no surprise then that attackers are increasingly targeting APIs. Over the last few years, API weaknesses have led to security breaches including T-Mobile, Instagram, McDonalds, Venmo, and Salesforce, to name a few. And this number of breaches is only expected to rise. According to a Gartner report, API abuses will become the most frequent attack vector by 2022. As a result, the Open Web Application Security Project (OWASP) is attempting to focus the security community on this issue. Enter the OWASP API Security Top 10.
On September 30th, 2019, the first release candidate for the OWASP API Security Top 10 was published. This is very similar to the widely used OWASP Top 10 that we use as the baseline for our Web Application Penetration Test Methodology. This list provided by OWASP will likely be the de facto security standard for identifying the most common vulnerabilities in APIs going forward. Similar to the top 10 list for web applications, the goal of this list is to educate developers, architects, managers, organizations, and designers about the most common and most severe API-related vulnerabilities. Additionally, this list helps ensure that security companies are aligning their methodologies to a common framework and industry standard, checking for the most common issues at a minimum. Finally, API Top 10 allows the security community to categorize findings and speak with the same terminology.
In summary, we highly recommend organizations start using the OWASP API Security Top 10 to ensure their API security testing efforts are addressing the most commonly seen API vulnerabilities. Additionally, at Triaxiom, we are incorporating this list into our API Penetration Testing Methodology. Collectively, by adopting this standard, we can work to secure APIs and avoid the most common weaknesses observed today.