OWASP Top 10 2023: What’s Changed in API Security

By Daniella Balaban
image December 12, 2023 image 6 MIN READ

If there’s one thing that hackers love to exploit, it’s weaknesses and flaws in a web application. Fortunately, we have the Open Web Application Security Project (OWASP) to provide resources that help organizations and individuals identify and mitigate security risks in web applications and APIs.

Keeping APIs secure is critical because they are the backbone of modern-day applications. However, 74% of global organizations have reported at least 3 API-related data breaches within the last two years. This shows how urgent it is for InfoSec teams to stay abreast of the latest vulnerabilities to maintain API security.

OWASP recently released its annual list of the top ten API security risks. Let’s look closer to see what’s changed in API security in 2023.

Understanding API Security

An Application Programming Interface (API) enables seamless connectivity between modern applications. APIs are bridges for data flow across multiple systems. As the most widely used communication method among modern systems, APIs have become prime targets for attackers seeking to exploit weaknesses and compromise connected systems, especially in SaaS applications.

API security has gained increased attention in recent years as the focus shifts towards securing and managing associated risks. Previously, developers prioritized functionality over security, resulting in deployed APIs with significant security flaws, such as Broken Authentication, allowing attackers to bypass controls and access sensitive data.

With average data breach costs increasing daily, architects have no other option but to prioritize security in API design to mitigate risks effectively.

What changed in the OWASP Top 10 2023?

The OWASP Top 10 API Security Risks 2023 details changes to address the evolving API threat landscape. The update includes newly introduced risk areas and updates to existing ones, highlighting vulnerabilities for InfoSec teams to mitigate.

Newly Introduced Risk Areas

Updated Risk Areas

What changed in the OWASP Top 10 2023?

OWASP Top 10 2023: Newly Introduced Risk Areas Breakdown

1. API6 Unrestricted Access to Sensitive Business Flows

This risk describes APIs that unwittingly expose critical business flows, leaving them susceptible to potentially disastrous consequences. Businesses can incur tremendous losses and reputational damage if these vulnerabilities are exploited within a sensitive business flow.

For example, consider a case where a business exposes an API with the ability to purchase products. During a new product launch where these products are in high demand, attackers can use this API to programmatically call the API to acquire all the products from the website—and later sell the stock for a much higher value.

To defend against such attacks, simple yet effective mitigation controls must be in place without compromising the API’s business functionality:

2. API7 Server-Side Request Forgery (SSRF)

SSRF is a vulnerability that allows attackers to force the server to make requests that are not intended. The main issue in this attack is the lack of validation for URLs.

Here are some simple tips to avoid SSRF attacks:

OWASP Top 10 2023: Newly Introduced Risk Areas Breakdown

3. API10 Unsafe Consumption of APIs

This risk is similar to a supply-chain attack where the attacker compromises third parties to reach the intended targets. In this case, the attackers go after third-party APIs that other APIs directly consume for business purposes and data sharing.

Your APIs may be vulnerable to this risk if:

Preventing and mitigating these risks can be done by following good cyber hygiene guidelines such as:

OWASP Top 10 2023: Updated Risk Areas Breakdown

1. API2 Broken Authentication

There have been minor updates to API2 from 2019 to 2023, where this risk was renamed from “Broken User Authentication” to “Broken Authentication.” This reflects the shift in the risk not only to user authentications but also to other authentications such as API keys and OAuth tokens.

It is important to note that the prevention mechanisms mentioned by OWASP are still the same between these two versions since the basic principles apply to most authentication mechanisms.

Prevention mechanisms to mitigate this risk include:

OWASP Top 10 2023: Updated Risk Areas Breakdown

2. API3 Broken Object Property Level Authorization

This risk was previously known as “Excessive Data Exposure”. It has been renamed “Broken Object Property Level Authorization” to account for the broadened scope, including unauthorized modification or deletion of data via APIs. This change reflects the risk of exposing data and controlling access to the data at an object level.

Try these methods to prevent this risk:

3. API4 Unrestricted Resource Consumption

This risk was previously known as “Lack of Resources and Rate Limiting” since it only focused on rate limiting. It is now called “Unrestricted Resource Consumption” since it includes other resource consumption issues, like excessive memory usage, CPU consumption, and network bandwidth.

To mitigate this risk:

OWASP Top 10 2023: Implications for Organizations in 2023 and Beyond

OWASP Top 10 2023: Implications for Organizations in 2023 and Beyond

Failing to keep up with new API security trends and methods can be a make-or-break situation for your organization. It’s not just about staying up-to-date; it’s about securing clients, avoiding data breaches that could cost millions, and preventing reputation damage that’s hard to recover from.

These changes in the OWASP API risks clearly show a shift in the security paradigm and how these risks evolve, what they mean to a business, and their impact. When adjusting how you develop and build things to match these new risks, think of it as changing the company culture. 

It’s critical to ensure that everyone in the organization sees the importance of cybersecurity. Employee cybersecurity awareness platforms like Cybeready can make this shift smoother, helping you create a company culture where cybersecurity is a top priority. With your staff becoming a strong first line of defense, your organization will be more secure from cyber threats.

Embracing Your Organization’s Cybersecurity

As we move along in our journey through cyberspace, the world we used to know is rapidly changing, and so is the API threat landscape. OWASP’s annual Top Ten API Security Risk list is an invaluable tool for cybersecurity professionals to stay current and make the necessary changes to protect their organization’s web applications.

Equipping your organization with the necessary skills and information about cybersecurity and cyber threats goes a long way toward stopping data breaches, phishing attacks, and other cyber attacks. CybeReady’s programs offer engaging, customizable training that’s proven effective, creating a workforce ready to take on any new threats. 

Contact CybeReady to book a demo and discover how our programs will bolster your organization’s cybersecurity.

4a34e52d-562b-4e1e-8b71-5c005a7559a9