Foreword
A foundational element of innovation in today’s app-driven world is the Application Programming Interface (API). From banks, retail, and transportation to IoT, autonomous vehicles, and smart cities, APIs are a critical part of modern mobile, SaaS, and web applications and can be found in customer-facing, partner-facing, and internal applications.
By nature, APIs expose application logic and sensitive data such as Personally Identifiable Information (PII), and because of this, APIs have increasingly become a target for attackers. Without secure APIs, rapid innovation would be impossible.
Although a broader web application security risks Top 10 still makes sense, due to their particular nature, an API specific security risks list is required. API security focuses on strategies and solutions to understand and mitigate the unique vulnerabilities and security risks associated with APIs.
If you’re familiar with the OWASP Top 10 Project, then you’ll notice the similarities between both documents: they are intended for readability and adoption. If you’re new to the OWASP Top 10 series, you may be better off reading the API Security Risks and Methodology and Data sections before jumping into the Top 10 list.
You can contribute to OWASP API Security Top 10 with your questions, comments, and ideas at our GitHub project repository:
• https://github.com/OWASP/API-Security/issues
• https://github.com/OWASP/API-Security/blob/master/CONTRIBUTING.md
You can find the OWASP API Security Top 10 here:
• https://www.owasp.org/index.php/OWASP_API_Security_Project
• https://github.com/OWASP/API-Security
We wish to thank all the contributors who made this project possible with their effort and contributions. They are all listed in the Acknowledgments section. Thank you!
Introduction
Welcome to the OWASP API Security Top 10 – 2019!
Welcome to the first edition of the OWASP API Security Top 10. If you’re familiar with the OWASP Top 10 series, you’ll notice the similarities: they are intended for readability and adoption. Otherwise, consider visiting the OWASP API Security Project wiki page before digging deeper into the most critical API security risks. APIs play a very important role in modern applications’ architecture. Since creating security awareness and innovation have different paces, it’s important to focus on common API security weaknesses.
The primary goal of the OWASP API Security Top 10 is to educate those involved in API development and maintenance, for example, developers, designers, architects, managers, or organizations.
In the Methodology and Data section, you can read more about how this first edition was created. In future versions, we want to involve the security industry, with a public call for data. For now, we encourage everyone to contribute with questions, comments and ideas at our GitHub repository or Mailing list.