OWASP API Security Top 10 Dasboards¶

The OWASP API Security Top 10 is a gold standard for the evaluation of security risk in APIs. To help you measure your API's security posture against these API threats, Wallarm offers the dashboards that provide clear visibility and metrics for threat mitigation.

The dashboards cover the OWASP API Security Top 10 risks of both the 2019 and 2023 versions.

By using these dashboards, you can assess the overall security state and proactively address discovered security issues by setting up appropriate security controls.

OWASP API Top 10 2019 dashboardOWASP API Top 10 2023 dashboard

Threat assessment¶

Wallarm estimates the risk for each API threat based on applied security controls and discovered vulnerabilities:

Red - it happens if there are no security controls applied or your APIs have active high risk vulnerabilities.
Yellow - it happens if security controls are only partially applied or your APIs have active medium or low risk vulnerabilities.
Green indicates that your APIs are protected and do not have open vulnerabilities.

For each OWASP API Top 10 threat you can find detailed info about the threat, available security controls, corresponding vulnerabilities, and investigate related attacks:

Wallarm security controls for OWASP API 2019¶

Wallarm security platform provides full-fledged protection against OWASP API Security Top 10 2019 by the following security controls:

OWASP API Top 10 threat 2019	Wallarm security controls
API1:2019 Broken Object Level Authorization	Automatic BOLA mitigation to automatically create triggers to protect vulnerable endpoints
API2:2019 Broken User Authentication	Vulnerability Scanner to discover active vulnerabilities of the corresponding type Brute force trigger to mitigate brute force attacks targeting authentication endpoints Weak JWT detection trigger to discover weak authentication vulnerabilities based on requests with weak JWTs
API3:2019 Excessive Data Exposure	Vulnerability Scanner to discover active vulnerabilities of the corresponding type
API4:2019 Lack of Resources & Rate Limiting	Brute force trigger to mitigate brute force attacks which often lead to DoS, making the API unresponsive or even unavailable API Abuse Prevention mitigating malicious bot actions which often lead to DoS, making the API unresponsive or even unavailable
API5:2019 Broken Function Level Authorization	Vulnerability Scanner to discover active vulnerabilities of the corresponding type Forced browsing trigger to mitigate forced browsing attempts that are also a way for this threat exploitation
API6:2019 Mass Assignment	Mass Assignment attacks are detected automatically, specific security controls are not required
API7:2019 Security Misconfiguration	Vulnerability Scanner to discover active vulnerabilities of the corresponding type Wallarm node self-checks to keep node versions and security policies up to date (see how to address the issues)
API8:2019 Injection	Malicious injections are detected automatically, specific security controls are not required
API9:2019 Improper Assets Management	API Discovery to automatically discover actual API inventory based on real traffic
API10:2019 Insufficient Logging & Monitoring	Integrations with SIEMs, SOAPs, messengers, etc. to get timely notifications and reports on your API security status

Wallarm security controls for OWASP API 2023¶

Wallarm security platform provides full-fledged protection against OWASP API Security Top 10 2023 by the following security controls:

OWASP API Top 10 threat 2023	Wallarm security controls
API1:2023 Broken Object Level Authorization	Automatic BOLA mitigation to automatically create triggers to protect vulnerable endpoints
API2:2023 Broken Authentication	Vulnerability Scanner to discover active vulnerabilities of the corresponding type Brute force trigger to mitigate brute force attacks targeting authentication endpoints Weak JWT detection trigger to discover weak authentication vulnerabilities based on requests with weak JWTs
API3:2023 Broken Object Property Level Authorization	Vulnerability Scanner to discover active vulnerabilities of the corresponding type
API4:2023 Unrestricted Resource Consumption	Brute force trigger to mitigate brute force attacks which often lead to DoS, making the API unresponsive or even unavailable
API5:2023 Broken Function Level Authorization	Vulnerability Scanner to discover active vulnerabilities of the corresponding type Forced browsing trigger to mitigate forced browsing attempts that are also a way for this threat exploitation
API6:2023 Unrestricted Access to Sensitive Business Flows	API Abuse Prevention mitigating malicious bot actions
API7:2023 Server Side Request Forgery	Vulnerability Scanner to discover active vulnerabilities of the corresponding type
API8:2023 Security Misconfiguration	Vulnerability Scanner to discover active vulnerabilities of the corresponding type Wallarm node self-checks to keep node versions and security policies up to date (see how to address the issues)
API9:2023 Improper Inventory Management	API Discovery to automatically discover actual API inventory based on real traffic
API10:2023 Unsafe Consumption of APIs	Vulnerability Scanner to discover active vulnerabilities of the corresponding type

Comparison of OWASP API Top 10 2019 and 2023¶

According to the OWASP project, the top security threats for 2023 are largely similar to those identified in 2019, with a few notable exceptions:

The API6:2019 Mass Assignment threat has been combined with API3:2023 Broken Object Property Level Authorization.
The API8:2019 Injection threat is no longer listed separately and has been included in the new API10:2023 Unsafe Consumption of APIs category.
The API10:2019 Insufficient Logging & Monitoring threat has been removed from the OWASP API Security Top 10.
The list now includes two new API threats, namely API6:2023 Unrestricted Access to Sensitive Business Flows, which introduces automated threats, and API7:2023 Server Side Request Forgery, thereby underscoring the significance of these threats.