https://owasp.org/www-project-api-security/
| Impact | Description | Impact Rating |
|---|---|---|
| Customer | The loss of sensitive customer data, including personal information. This can lead to identity theft, financial fraud, and significant harm to individuals' privacy and well-being. | Major |
| Operational | APIs can be exploited to launch Denial of Service (DoS) attacks, causing service outages and preventing legitimate users from accessing the services. This can lead to downtime and loss of productivity. | Moderate |
| Reputational | Security incidents involving APIs can damage the business's reputation. Customers and partners may lose confidence in the organization's ability to protect their data, leading to a loss of business. | Major |
| Financial Loss | Addressing security breaches and mitigating their impacts can be costly. This includes expenses related to incident response, legal fees, regulatory fines, and implementing additional security measures. | Moderate |

| Risk | Description | Type | Overall Risk |
|---|---|---|---|
| 1 | API1:2023: Broken Object Level Authorization (BOLA) - attackers can exploit weaknesses in object-level authorization to access or manipulate data they are not authorized to. | Threat | Major |
| 2 | API2:2023: Broken Authentication - attackers can exploit weaknesses in authentication mechanisms to gain unauthorized access to systems and data. | Threat | Critical |
| 3 | API3:2023: Broken Object Property Level Authorization (BOPLA) - attackers can exploit weaknesses in property-level authorization to read or modify specific properties of an object they are not authorized to. | Threat | Major |
| 4 | API4:2023: Unrestricted Resource Consumption - attackers can exploit this weakness to consume excessive resources, leading to resource exhaustion, denial of service (DoS), and degraded performance. | Threat | Major |
| 5 | API5:2023: Broken Function Level Authorization - attackers can exploit weaknesses in function-level authorization to access or execute functions they are not authorized to. | Threat | Major |
| 6 | API6:2023: Unrestricted Access to Sensitive Business Flows - attackers can abuse a sensitive business flow (for example sign-up, purchasing or booking) by automating it at scale, harming the business even though each individual request is valid. | Threat | Medium |
| 7 | API7:2023: Server-Side Request Forgery (SSRF) - attackers can exploit SSRF weaknesses to make unauthorized requests from the server, potentially reaching internal systems, sensitive data, and services. | Threat | Medium |
| 8 | API8:2023: Security Misconfiguration - improper configuration of security settings can leave APIs vulnerable to attacks. | Threat | Major |
| 9 | API9:2023: Improper Inventory Management - failing to maintain an accurate inventory of APIs can lead to unmanaged and unsecured APIs being exposed. | Threat | Medium |
| 10 | API10:2023: Unsafe Consumption of APIs - consuming third-party APIs without proper validation and security checks can expose applications to threats such as data breaches, injection attacks, and unauthorized access. | Threat | Major |

Risk matrix (cells contain the risk numbers from the table above):

| Impact / Likelihood | Rare (0 - 5%) | Unlikely (5% - 15%) | Possible (15% - 40%) | Likely (40% - 90%) | Certain (>90%) |
|---|---|---|---|---|---|
| Severe | | | | | |
| Major | 1, 3, 4, 5, 8 | 2 | | | |
| Moderate | 6 | 10 | | | |
| Minor | 7, 9 | | | | |
| Insignificant | | | | | |

| Threat: Enterprise | Internal | External | 3rd Party | Technological | Physical |
|---|---|---|---|---|---|
| Reconnaissance - The adversary is trying to gather information they can use to plan future operations. | | | | | |
| Impact - The adversary is trying to manipulate, interrupt, or destroy your systems and data. | | | | | |
| Exfiltration - The adversary is trying to steal data. | | | | | |

| Control ID | Control | Effectiveness |
|---|---|---|
| API.01 | Secure Baseline - Alignment to the Secure API Baseline standard. | |
| API.02 | Infrastructure - Ensure all APIs are deployed on strategic infrastructure, providing best-of-breed infrastructure, monitoring and security for APIs exposed externally. | |
| API.03 | Security Testing - Must integrate SCA, SAST, and DAST into the development pipeline to continuously scan for vulnerabilities. | |
| API.04 | Penetration Tests - Perform penetration tests on all new and/or modified public-facing APIs. Ensure tests cover a wide range of threats, including the OWASP Top 10 and other relevant threat models. | |
| API.07 | Authorisation - Ensure authorisation checks are implemented when accessing an API, verifying that the authenticated user has the required permissions to access the endpoint. | |
| API.08 | Authorisation - Ensure authorisation checks are performed when completing specific tasks within an API endpoint. For example: the authenticated user is updating account details for a policy they own or have permissions for. | |
| API.09 | Consent - Ensure consent has been provided to access and/or share data on behalf of a customer. For example: consent has been provided for the authenticated user to access the claims history of another member on the same policy, or consent is provided for a 3rd party to consume a customer's data. | |
| API.10 | Parameters Sanitized - Ensure input/output parameters are sanitized and/or validated before being consumed, to prevent attacks (e.g. SQL injection, cross-site scripting, buffer overflow). | |
| API.11 | Secrets - Ensure no secrets, accounts or passwords are embedded in source code. | |
| Data.05 | Encryption In Transit - Data must be encrypted throughout its journey across the network from the source device to the destination device. These measures often include encryption and the use of secure connections (HTTPS, SSL, TLS, FTPS, VPN, etc.) to protect the contents of data in transit. | |
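
The following is an added worked example of how controls API.07, API.08, API.09 and API.10 fit together on a single request path; it is illustrative code written for this page, not code from the original document or from OWASP. The policy/member data model, the permission names, the consent register, the `POL-nnn` identifier format, the allowlist of updatable fields and the sample users are all constructed assumptions. It shows the layering that defeats risks 1, 3 and 5 in the table above: an endpoint-level permission check (API.07) is necessary but not sufficient, so an object-level ownership check (API.08), a consent lookup for another member's data (API.09) and an explicit allowlist for writable properties (API.10, which also addresses BOPLA) run before any data is read or written.

```python
"""Layered authorisation for a hypothetical policy/claims API (added example)."""
import re
from dataclasses import dataclass
from enum import Enum


class Perm(str, Enum):
    VIEW_CLAIMS = "claims:view"      # assumed endpoint permission names
    UPDATE_POLICY = "policy:update"


@dataclass(frozen=True)
class User:
    user_id: str
    permissions: frozenset  # endpoint permissions granted by the user's roles


@dataclass(frozen=True)
class Policy:
    policy_id: str
    owner_id: str
    members: frozenset  # other members covered by the same policy


# --- constructed sample data (not from the original document) ---
POLICIES = {
    "POL-1": Policy("POL-1", owner_id="alice", members=frozenset({"bob"})),
    "POL-2": Policy("POL-2", owner_id="carol", members=frozenset()),
}
CLAIMS = {  # (policy_id, member_id) -> claims history
    ("POL-1", "alice"): ["CLM-100"],
    ("POL-1", "bob"): ["CLM-101", "CLM-102"],
    ("POL-2", "carol"): ["CLM-200"],
}
# API.09: explicit consent register keyed by (grantor, grantee, scope)
CONSENTS = {("bob", "alice", "claims:view")}
USERS = {
    "alice": User("alice", frozenset({Perm.VIEW_CLAIMS, Perm.UPDATE_POLICY})),
    "bob": User("bob", frozenset({Perm.VIEW_CLAIMS})),
    "carol": User("carol", frozenset({Perm.VIEW_CLAIMS, Perm.UPDATE_POLICY})),
    # mallory holds the endpoint permissions but is on no policy: the BOLA case
    "mallory": User("mallory", frozenset({Perm.VIEW_CLAIMS, Perm.UPDATE_POLICY})),
}
POLICY_ID_RE = re.compile(r"POL-[0-9]{1,6}")   # assumed identifier format (API.10)
UPDATABLE_FIELDS = {"address", "phone"}         # allowlist of writable properties

DENIED = "access denied"
INVALID = "invalid request"


def has_permission(user, perm):
    """API.07: endpoint-level check, independent of which object is requested."""
    return perm in user.permissions


def policy_for(user, policy_id):
    """API.08: object-level check. Returns the policy only if the caller owns it or
    is a member on it. A missing policy and a forbidden policy both yield None so the
    response does not reveal which identifiers exist."""
    policy = POLICIES.get(policy_id)
    if policy is None:
        return None
    if user.user_id == policy.owner_id or user.user_id in policy.members:
        return policy
    return None


def has_consent(grantor_id, grantee_id, scope):
    """API.09: another member's data is released only with recorded consent."""
    return (grantor_id, grantee_id, scope) in CONSENTS


def view_claims_history(user_id, policy_id, member_id):
    """GET /policies/{policy_id}/members/{member_id}/claims (hypothetical endpoint).
    Returns ("ok", claims) or ("denied", reason)."""
    if not POLICY_ID_RE.fullmatch(policy_id):           # API.10: validate first
        return ("denied", INVALID)
    user = USERS[user_id]
    if not has_permission(user, Perm.VIEW_CLAIMS):      # API.07
        return ("denied", DENIED)
    policy = policy_for(user, policy_id)                # API.08
    if policy is None:
        return ("denied", DENIED)
    if member_id != user.user_id:                       # API.09 for someone else's data
        on_policy = member_id == policy.owner_id or member_id in policy.members
        if not on_policy or not has_consent(member_id, user.user_id, "claims:view"):
            return ("denied", DENIED)
    return ("ok", CLAIMS.get((policy_id, member_id), []))


def update_policy_details(user_id, policy_id, new_details):
    """PATCH /policies/{policy_id} (hypothetical endpoint). Only the owner may update,
    and only allowlisted fields are accepted; unknown fields are rejected, not dropped."""
    if not POLICY_ID_RE.fullmatch(policy_id):           # API.10
        return ("denied", INVALID)
    user = USERS[user_id]
    if not has_permission(user, Perm.UPDATE_POLICY):    # API.07
        return ("denied", DENIED)
    policy = policy_for(user, policy_id)                # API.08
    if policy is None or policy.owner_id != user.user_id:
        return ("denied", DENIED)
    if set(new_details) - UPDATABLE_FIELDS:             # API.10 / BOPLA guard
        return ("denied", INVALID)
    return ("ok", {"policy_id": policy_id, "updated": sorted(new_details)})


if __name__ == "__main__":
    print(view_claims_history("alice", "POL-1", "bob"))        # ok: consent recorded
    print(view_claims_history("bob", "POL-1", "alice"))        # denied: no consent
    print(view_claims_history("mallory", "POL-1", "alice"))    # denied: not on policy
    print(update_policy_details("alice", "POL-1", {"owner_id": "mallory"}))  # denied: field not allowlisted
```

The order matters: input validation happens before any lookup so malformed identifiers never reach the data layer, and the object-level check returns the same "access denied" for a non-existent policy and for someone else's policy, so responses cannot be used to enumerate valid identifiers. The `mallory` case is the one the endpoint-level check alone would wrongly allow.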