A10 - Underprotected APIs


Because they are built using well-known techniques and can leverage existing infrastructure, APIs are steadily growing in popularity. Yet APIs are fundamentally different from traditional web applications, and they come with a completely new risk profile.

Not only do APIs increase the potential attack surface, they also give attackers fine-grained access inside an application. Unlike traditional applications, most modern applications involve rich clients, such as JavaScript in the browser and mobile apps, that connect to an API of some kind (SOAP/XML, REST/JSON, RPC, GWT, etc.). These APIs are often unprotected and contain numerous vulnerabilities.

Why

It is important to recognize that unprotected APIs bring new and unique threats that need to be addressed. Many application developers tend not to treat API development and API security implementation as two separate work items. As a result, security is often done last and in many cases (due to short deadlines) not done at all, leaving APIs vulnerable to attack.

The OWASP Top 10 2017 introduces Underprotected APIs as a new Top 10 category, and this Working Session will present an opportunity to challenge or support its addition to the new Top 10.

What

  • Review data behind this new category
  • Review current description and text
  • What are the pros and cons of this category?
  • Is this category important enough to be added to the new Top 10?

Outcomes

This Working Session will decide whether the Underprotected APIs category will be added to the Top 10.

Who

The target audience for this Working Session is:

  • Security professionals
  • AppSec teams
  • Tool vendors
  • Application developers
  • Application architects

Working materials

Draft proposal on whether or not to add the Underprotected APIs category to the Top 10

Content

… Add content …

Related Working Session(s)


