Friday, September 13, 2019

OWASP API Security Top 10 Release Candidate

OWASP, the de facto reference for web application security standards, has published the Release Candidate of its API Security Top 10. From the official project page:
"By nature, APIs expose application logic and sensitive data such as Personally Identifiable Information (PII) and because of this have increasingly become a target for attackers. Without secure APIs, rapid innovation would be impossible. API Security focuses on strategies and solutions to understand and mitigate the unique vulnerabilities and security risks of Application Programming Interfaces (APIs)."

The proposed domains are as follows:

A1: Broken Object Level Authorization
A2: Broken Authentication
A3: Excessive Data Exposure
A4: Lack of Resources & Rate Limiting
A5: Broken Function Level Authorization
A6: Mass Assignment
A7: Security Misconfiguration
A8: Injection
A9: Improper Assets Management
A10: Insufficient Logging & Monitoring

According to the project roadmap, the final version of the list is expected in 2019 Q4. These domains can be used to derive basic security requirements for API-based applications.
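As an added illustration of how two of these domains turn into concrete requirements (this is example code written for this post, not OWASP's or the project's), the handlers below implement a toy in-memory "orders" API twice: once with the defects that A1 Broken Object Level Authorization and A6 Mass Assignment describe, and once hardened. The users, order records and field names are constructed for the example; handlers return an HTTP-style `(status, body)` pair instead of running inside a web framework.

```python
# Added example (not OWASP's code or the post author's): two of the RC domains
# on a toy in-memory "orders" API.
#   A1 Broken Object Level Authorization: the handler must check that the
#      requested object belongs to the caller, not merely that it exists.
#   A6 Mass Assignment: only an allow-list of fields may be set from the
#      request body; server-owned fields (status, price) are never writable.
# Handlers return (http_status, body) so the behaviour can be checked directly.
from dataclasses import dataclass, asdict


@dataclass
class Order:
    id: int
    owner: str                 # user who placed the order
    item: str                  # the only field a client may change
    status: str = "pending"    # server-controlled
    total_cents: int = 0       # server-controlled


def sample_store() -> dict:
    """Constructed sample data for the example: two users, one order each."""
    return {
        1: Order(1, "alice", "keyboard", "shipped", 4999),
        2: Order(2, "bob", "monitor", "pending", 19999),
    }


# Fields a client is allowed to write; everything else is server-owned.
CLIENT_WRITABLE = {"item"}


# ---- A1: object level authorization --------------------------------------

def get_order_vulnerable(store: dict, caller: str, order_id: int):
    """Looks the order up by id only: any authenticated user can read any
    order just by iterating ids (broken object level authorization)."""
    order = store.get(order_id)
    if order is None:
        return 404, {"error": "not found"}
    return 200, asdict(order)


def get_order(store: dict, caller: str, order_id: int):
    """Hardened: the record must belong to the caller. "Missing" and "not
    yours" get the same answer so the endpoint does not reveal which ids exist."""
    order = store.get(order_id)
    if order is None or order.owner != caller:
        return 404, {"error": "not found"}
    return 200, asdict(order)


# ---- A6: mass assignment -------------------------------------------------

def update_order_vulnerable(store: dict, caller: str, order_id: int, payload: dict):
    """Copies every key of the request body onto the model, so a client can
    set status or total_cents (mass assignment); also skips the ownership check."""
    order = store.get(order_id)
    if order is None:
        return 404, {"error": "not found"}
    for key, value in payload.items():
        setattr(order, key, value)
    return 200, asdict(order)


def update_order(store: dict, caller: str, order_id: int, payload: dict):
    """Hardened: ownership check plus an explicit allow-list of writable fields.
    Unknown or server-owned fields are rejected rather than silently dropped,
    so the client learns it sent something it may not set."""
    order = store.get(order_id)
    if order is None or order.owner != caller:
        return 404, {"error": "not found"}
    rejected = sorted(set(payload) - CLIENT_WRITABLE)
    if rejected:
        return 400, {"error": "fields not writable", "fields": rejected}
    for key in CLIENT_WRITABLE & set(payload):
        setattr(order, key, payload[key])
    return 200, asdict(order)


if __name__ == "__main__":
    store = sample_store()
    # bob reads alice's order through the vulnerable handler, not the hardened one
    print(get_order_vulnerable(store, "bob", 1))
    print(get_order(store, "bob", 1))
    # bob marks his own order shipped and free through the vulnerable handler
    print(update_order_vulnerable(store, "bob", 2, {"status": "shipped", "total_cents": 0}))
    print(update_order(sample_store(), "bob", 2, {"status": "shipped"}))
    print(update_order(sample_store(), "bob", 2, {"item": "monitor arm"}))
```

The two hardened handlers share the same shape: resolve the object, check that the caller is entitled to it before doing anything else, and bind request data only through an allow-list rather than by reflecting keys onto the model. Returning 404 for both a missing and a foreign id is a deliberate choice; answering 403 for foreign ids would confirm to an attacker which ids are valid.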
