The OWASP Top Ten is a widely recognized list of the ten most pressing security issues in web applications worldwide. The list was first published in 2003 and is based on data from hundreds of organizations. It describes each vulnerability and possible countermeasures in detail.
Over the years, OWASP has included vulnerabilities for APIs (Application Programming Interfaces), as they have become widely used in software development. Unlike ten years ago, the prevalent paradigm for developing web applications is to integrate APIs into single-page applications (SPAs). The SPA is usually concerned with user interaction and client-side logic, while the APIs encapsulate separate aspects of business logic in a modular way. Often, these APIs are based on RESTful web services. Unfortunately, APIs tend to exhibit the same or similar vulnerabilities as traditional web applications, while being even closer to sensitive data. OWASP has addressed this trend by using the term "an application or API" instead of just "an application" in its vulnerability descriptions. Some entries have also been dedicated to API-specific issues, such as "A4 - XML External Entities" in the 2017 edition.
OWASP now takes a further step and is releasing a separate Top Ten list of vulnerabilities for APIs, emphasizing the increasing importance of API security. Version 1 is scheduled to be available in Q4 2019. We at Airlock share OWASP's sense of urgency when it comes to API security and couldn't wait to read through the draft documents. Our comments on the upcoming OWASP API Security Top Ten list, along with recommendations on how to address the specific issues with Airlock API Gateway, are attached to this blog post. Please be aware that the final release of the new Top Ten list may differ from the commented draft version (July 2019). We'll stay tuned and post relevant updates in this blog.