Comments (4)
I agree entirely with your comments on the subject on some of the other issues.
An awareness document for the top vulnerabilities in APIs that omits the most serious vulnerabilities in APIs is ...challenging
from api-security.
Would love to see a table listing out the entries (along with the other important API risks I've mentioned) and the details of this calculation. I think it will make clear that the entries aren't the right ones.
For reference, the current scores look like:
| Entry | Exploitability | Prevalence | Detectability | Technical impact | Score |
|---|---|---|---|---|---|
| API1:2023 | 3 | 3 | 2 | 3 | 8 |
| API2:2023 | 3 | 2 | 2 | 3 | 7 |
| API3:2023 | 3 | 2 | 2 | 2 | 4.666667 |
| API4:2023 | 2 | 3 | 3 | 2 | 5.333333 |
| API5:2023 | 3 | 2 | 1 | 2 | 4 |
| API6:2023 | 2 | 2 | 1 | 2 | 3.333333 |
| API7:2023 | 3 | 3 | 3 | 2 | 6 |
| API8:2023 | 3 | 3 | 1 | 1 | 2.333333 |
| API9:2023 | 3 | 3 | 2 | 2 | 5.333333 |
| API10:2023 | 2 | 2 | 1 | 3 | 5 |
I've heard lots of people suggest it's not an ordered list, completely unaware of the scoring used.
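The comment above posts the four factor ratings and a Score per entry but not the rule that turns one into the other. The script below is an added example, not code from either commenter or from the OWASP project; it assumes the OWASP risk-rating shape (likelihood = mean of exploitability, prevalence and detectability; score = likelihood multiplied by technical impact), which reproduces every Score value in the table exactly, and then sorts the entries by score so the published API1..API10 numbering can be compared with the score order.

```python
from fractions import Fraction

# Factor ratings copied from the table in the comment above (1 = low, 3 = high).
# Tuple order: exploitability, prevalence, detectability, technical impact.
RATINGS = {
    "API1:2023": (3, 3, 2, 3),
    "API2:2023": (3, 2, 2, 3),
    "API3:2023": (3, 2, 2, 2),
    "API4:2023": (2, 3, 3, 2),
    "API5:2023": (3, 2, 1, 2),
    "API6:2023": (2, 2, 1, 2),
    "API7:2023": (3, 3, 3, 2),
    "API8:2023": (3, 3, 1, 1),
    "API9:2023": (3, 3, 2, 2),
    "API10:2023": (2, 2, 1, 3),
}


def risk_score(exploitability, prevalence, detectability, impact):
    """Assumed scoring rule (not stated in the thread): likelihood is the
    mean of the three likelihood factors and the score is likelihood times
    technical impact. Fractions keep the arithmetic exact; the result is
    rounded only when displayed."""
    likelihood = Fraction(exploitability + prevalence + detectability, 3)
    return likelihood * impact


def score_table(ratings=RATINGS):
    """Map each entry to its score rounded to 6 places, as in the posted table."""
    return {name: round(float(risk_score(*factors)), 6)
            for name, factors in ratings.items()}


def ranked(ratings=RATINGS):
    """Entries ordered by descending score; ties keep the published order
    (sorted() is stable and dicts iterate in insertion order)."""
    scores = score_table(ratings)
    return sorted(ratings, key=lambda name: -scores[name])


def mismatches(ratings=RATINGS):
    """Positions where the published numbering and the score order disagree,
    as (position, published entry, entry that the score would put there)."""
    published = list(ratings)
    by_score = ranked(ratings)
    return [(i + 1, published[i], by_score[i])
            for i in range(len(published)) if published[i] != by_score[i]]


if __name__ == "__main__":
    scores = score_table()
    for position, name in enumerate(ranked(), 1):
        print(f"{position:2d}. {name:<11} {scores[name]}")
    print("positions where published order differs from score order:", mismatches())
```

With the table's ratings the score order comes out API1, API2, API7, API4, API9, API10, API3, API5, API6, API8, so seven of the ten published positions differ from the score order; changing a single rating in `RATINGS` shows how sensitive the ordering is to one judgement call, which is the kind of side-by-side view the earlier comment asks for.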
Whether they're aware of it or not, a massive amount of data science, led by Dr. Brian Glas, was performed for the main OWASP T10. I know for a fact the outcome represents months of work for a team of people. Read the methodology section in the document. https://owasp.org/Top10/A00_2021_Introduction/
My request was to do this exercise for the list of categories I suggested, in addition to these, so that we could see how you've rated all the risks side-by-side. It's very obvious to me that the risks here -- like mass assignment (infrequent, often harmless) are way less serious than the use of insecure libraries in APIs (incredibly prevalent, often highly dangerous).
I guess it doesn't matter since it's obvious. The remaining question is whether the API T10 will be changed to cover the top risks to APIs. Or will it remain a document that only includes risks not covered in the Main T10 and only for APIs written in the past few years.