
Comments (4)

gavjl commented on May 26, 2024

I agree entirely with your comments on the subject on some of the other issues.

An awareness document for the top vulnerabilities in APIs that omits the most serious vulnerabilities in APIs is ...challenging

from api-security.

planetlevel commented on May 26, 2024

Would love to see a table listing out the entries (along with the other important API risks I've mentioned) and the details of this calculation. I think it will make clear that the entries aren't the right ones.


gavjl commented on May 26, 2024

For reference, the current scores look like:

Entry       Exploitability  Prevalence  Detectability  Tech impact  Score
API1:2023   3               3           2              3            8
API2:2023   3               2           2              3            7
API3:2023   3               2           2              2            4.666667
API4:2023   2               3           3              2            5.333333
API5:2023   3               2           1              2            4
API6:2023   2               2           1              2            3.333333
API7:2023   3               3           3              2            6
API8:2023   3               3           1              1            2.333333
API9:2023   3               3           2              2            5.333333
API10:2023  2               2           1              3            5

I've heard lots of people suggest it's not an ordered list, completely unaware of the scoring used.

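The calculation behind the scores in the table above, reconstructed as an added example (not part of this thread or of the OWASP project's own tooling). It assumes the OWASP Top 10 risk-rating formula, the mean of exploitability, prevalence and detectability multiplied by technical impact, which reproduces every score posted, and then ranks the entries by that score so the gap between published order and score order is visible.

```python
from fractions import Fraction

# Factor ratings exactly as posted in the thread:
# (exploitability, prevalence, detectability, technical impact)
RATINGS = {
    "API1:2023": (3, 3, 2, 3),
    "API2:2023": (3, 2, 2, 3),
    "API3:2023": (3, 2, 2, 2),
    "API4:2023": (2, 3, 3, 2),
    "API5:2023": (3, 2, 1, 2),
    "API6:2023": (2, 2, 1, 2),
    "API7:2023": (3, 3, 3, 2),
    "API8:2023": (3, 3, 1, 1),
    "API9:2023": (3, 3, 2, 2),
    "API10:2023": (2, 2, 1, 3),
}


def risk_score(exploitability, prevalence, detectability, impact):
    """Assumed OWASP Top 10 formula: likelihood is the mean of the three
    likelihood factors; score is likelihood times technical impact.
    Fractions keep ties exact (5.333333 twice in the table)."""
    likelihood = Fraction(exploitability + prevalence + detectability, 3)
    return likelihood * impact


def score_table(ratings=RATINGS):
    """Recompute the score column for every entry."""
    return {name: risk_score(*factors) for name, factors in ratings.items()}


def ranked_by_score(ratings=RATINGS):
    """Entries in descending score order; ties keep published order (stable sort)."""
    scores = score_table(ratings)
    return sorted(scores, key=lambda name: -scores[name])


def out_of_order(ratings=RATINGS):
    """Pairs (earlier, later) where the later-numbered entry scores higher."""
    names = list(ratings)
    scores = score_table(ratings)
    return [(a, b) for i, a in enumerate(names)
            for b in names[i + 1:] if scores[b] > scores[a]]


if __name__ == "__main__":
    for name, score in score_table().items():
        print(f"{name:<11} {float(score):.6f}")
    print("ranked:", ranked_by_score())
    print("inversions:", len(out_of_order()))
```

Passing a different `ratings` dict lets you score additional candidate categories side by side with the published ten, which is what the next comment asks for.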

planetlevel commented on May 26, 2024

Whether they're aware of it or not, a massive amount of data science, led by Dr. Brian Glas, was performed for the main OWASP T10. I know for a fact the outcome represents months of work for a team of people. Read the methodology section in the document. https://owasp.org/Top10/A00_2021_Introduction/

My request was to do this exercise for the list of categories I suggested, in addition to these, so that we could see how you've rated all the risks side-by-side. It's very obvious to me that the risks here -- like mass assignment (infrequent, often harmless) are way less serious than the use of insecure libraries in APIs (incredibly prevalent, often highly dangerous).

I guess it doesn't matter since it's obvious. The remaining question is whether the API T10 will be changed to cover the top risks to APIs. Or will it remain a document that only includes risks not covered in the Main T10 and only for APIs written in the past few years.

