
Notice: Function _load_textdomain_just_in_time was called <strong>incorrectly</strong>. Translation loading for the <code>astra</code> domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the <code>init</code> action or later. Please see <a href="https://developer.wordpress.org/advanced-administration/debug/debug-wordpress/">Debugging in WordPress</a> for more information. (This message was added in version 6.7.0.) in /customers/2/e/5/cware.eu/httpd.www/wp-includes/functions.php on line 6114

Warning: Cannot modify header information - headers already sent by (output started at /customers/2/e/5/cware.eu/httpd.www/wp-includes/functions.php:6114) in /customers/2/e/5/cware.eu/httpd.www/wp-includes/rest-api/class-wp-rest-server.php on line 1893

Warning: Cannot modify header information - headers already sent by (output started at /customers/2/e/5/cware.eu/httpd.www/wp-includes/functions.php:6114) in /customers/2/e/5/cware.eu/httpd.www/wp-includes/rest-api/class-wp-rest-server.php on line 1893

Warning: Cannot modify header information - headers already sent by (output started at /customers/2/e/5/cware.eu/httpd.www/wp-includes/functions.php:6114) in /customers/2/e/5/cware.eu/httpd.www/wp-includes/rest-api/class-wp-rest-server.php on line 1893

Warning: Cannot modify header information - headers already sent by (output started at /customers/2/e/5/cware.eu/httpd.www/wp-includes/functions.php:6114) in /customers/2/e/5/cware.eu/httpd.www/wp-includes/rest-api/class-wp-rest-server.php on line 1893

Warning: Cannot modify header information - headers already sent by (output started at /customers/2/e/5/cware.eu/httpd.www/wp-includes/functions.php:6114) in /customers/2/e/5/cware.eu/httpd.www/wp-includes/rest-api/class-wp-rest-server.php on line 1893

Warning: Cannot modify header information - headers already sent by (output started at /customers/2/e/5/cware.eu/httpd.www/wp-includes/functions.php:6114) in /customers/2/e/5/cware.eu/httpd.www/wp-includes/rest-api/class-wp-rest-server.php on line 1893

Warning: Cannot modify header information - headers already sent by (output started at /customers/2/e/5/cware.eu/httpd.www/wp-includes/functions.php:6114) in /customers/2/e/5/cware.eu/httpd.www/wp-includes/rest-api/class-wp-rest-server.php on line 1893

Warning: Cannot modify header information - headers already sent by (output started at /customers/2/e/5/cware.eu/httpd.www/wp-includes/functions.php:6114) in /customers/2/e/5/cware.eu/httpd.www/wp-includes/rest-api/class-wp-rest-server.php on line 1893
{"id":3458,"date":"2022-06-30T18:17:01","date_gmt":"2022-06-30T16:17:01","guid":{"rendered":"https:\/\/www.cware.eu\/?p=3458"},"modified":"2023-09-22T14:27:44","modified_gmt":"2023-09-22T12:27:44","slug":"the-top-10-api-security-risks-owasp-list-for-2023","status":"publish","type":"post","link":"https:\/\/www.cware.eu\/the-top-10-api-security-risks-owasp-list-for-2023\/","title":{"rendered":"The top 10 API security risks OWASP list for 2023"},"content":{"rendered":"<div id=\"toc\" style=\"background: #f9f9f9;border: 1px solid #aaa;margin-bottom: 1em;padding: 1em;width: 350px\">\n<p class=\"toctitle\" style=\"font-weight: 700;text-align: center\">Content<\/p>\n<ul class=\"toc_list\">\n<li><a href=\"#toc-0\">Proactive Controls<\/a><\/li>\n<li><a href=\"#toc-1\">Aim &amp; Objective<\/a><\/li>\n<li><a href=\"#toc-2\">Validate all the things: improve your security with input validation!<\/a><\/li>\n<li><a href=\"#toc-3\">Security misconfiguration<\/a><\/li>\n<li><a href=\"#toc-4\">Unrestricted resource consumption<\/a><\/li>\n<li><a href=\"#toc-5\">Write more secure code with the OWASP Top 10 Proactive Controls<\/a><\/li>\n<\/ul>\n<\/div>\n<p>Security issues arise when authentication protocols are not strong enough or properly executed. Authentication weaknesses can manifest themselves in several ways, including but not limited to poor password creation best practices, compromised password storage systems and vulnerabilities within the token-based authentication framework. A broken function-level authorization essentially refers to a situation in which a regular user can perform tasks that should be reserved for administrators due to an  Insecure Direct Object Reference (IDOR) issue. This occurs when the user\u2019s hierarchical permission system is incomplete or malfunctioning. Security misconfiguration occurs when an API is not securely configured, exposing it to various security risks. Examples of security misconfigurations include using default credentials, failing to turn off unnecessary features or neglecting to apply security patches promptly.<\/p>\n<p>It produces a risk assessment framework, industry standards, best practices, tools, and more, and anyone in its community can contribute, so it has a vast pool of expertise on tap. One of the  main goals of this document is to provide concrete practical guidance that helps developers build secure software. These techniques should be applied proactively at the early stages of software development to ensure maximum effectiveness.<\/p>\n<h2 id=\"toc-0\">Proactive Controls<\/h2>\n<p>Example<br \/>\nAn attacker compromises a third-party API, causing it to respond with a redirect to a malicious site, after which the client blindly follows the redirect without validation. Sign <a href=\"https:\/\/remotemode.net\/become-a-net-razor-developer\/owasp-proactive-controls\/\">owasp proactive controls<\/a> up for a free GitHub account to open an issue and contact its maintainers and the community. Use the extensive project presentation that expands on the information in the document.<\/p>\n<ul>\n<li>The goal of the OWASP Top 10 Proactive Controls project (OPC) is to raise awareness about application security by describing the most important areas of concern that software developers must be aware of.<\/li>\n<li>To mitigate vulnerabilities, record all login attempts (including failures), maintain copies of logs, use anti-tamper mechanisms, and test monitoring systems regularly.<\/li>\n<li>Sign up for a free GitHub account to open an issue and contact its maintainers and the community.<\/li>\n<li>This document will also provide a good foundation of topics to help drive introductory software security developer training.<\/li>\n<li>The OWASP Top 10 Proactive Controls is similar to the OWASP Top 10 but is focused on defensive techniques and controls as opposed to risks.<\/li>\n<\/ul>\n<p>&#8220;APIs facilitate a decentralized and distributed architecture with endless opportunities for third-party integration that fundamentally changes the calculus for security and risk teams,&#8221; the eBook read. F5&#8217;s security guidance includes continuously monitoring and <a href=\"https:\/\/remotemode.net\/\">https:\/\/remotemode.net\/<\/a> protecting API endpoints as well as reacting to a changing application lifecycle. A recent report from Traceable AI revealed that 60% of organizations have faced an API-related breach in the last two years, with 74% of these enduring three or more incidents.<\/p>\n<h2 id=\"toc-1\">Aim &amp; Objective<\/h2>\n<p>We\u2019ll explore what has changed and what has stayed the same and take a look at how API security has evolved over the past years. Login attempts and failures need to be logged, and logs need to be backed up in case of server failure. Logs need to be accurate so that monitoring systems can detect suspicious activities or raise timely alerts, and they also need to be protected against tampering.<\/p>\n<div style='text-align:center'><\/div>\n","protected":false},"excerpt":{"rendered":"<p>Content Proactive Controls Aim &amp; Objective Validate all the things: improve your security with input validation! Security misconfiguration Unrestricted resource consumption Write more secure code with the OWASP Top 10 Proactive Controls Security issues arise when authentication protocols are not strong enough or properly executed. Authentication weaknesses can manifest themselves in several ways, including but [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_oct_exclude_from_cache":false,"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[1],"tags":[],"class_list":["post-3458","post","type-post","status-publish","format-standard","hentry","category-uncategorised"],"_links":{"self":[{"href":"https:\/\/www.cware.eu\/wp-json\/wp\/v2\/posts\/3458","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cware.eu\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cware.eu\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cware.eu\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cware.eu\/wp-json\/wp\/v2\/comments?post=3458"}],"version-history":[{"count":1,"href":"https:\/\/www.cware.eu\/wp-json\/wp\/v2\/posts\/3458\/revisions"}],"predecessor-version":[{"id":3459,"href":"https:\/\/www.cware.eu\/wp-json\/wp\/v2\/posts\/3458\/revisions\/3459"}],"wp:attachment":[{"href":"https:\/\/www.cware.eu\/wp-json\/wp\/v2\/media?parent=3458"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cware.eu\/wp-json\/wp\/v2\/categories?post=3458"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cware.eu\/wp-json\/wp\/v2\/tags?post=3458"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}