The Open Web Application Security Project (OWASP) puts together a list of the biggest security risks for application programming interfaces (APIs).
The Open Web Application Security Project (OWASP) is a non-profit organization whose goal is to promote web application security. OWASP offers many free resources for building a more secure web application.
One of the organization’s most widely referenced resources is the OWASP Top 10, which lists the 10 biggest security concerns for web applications. OWASP also maintains a separate, similar list for application programming interfaces (APIs), which are crucial for powering most web and mobile experiences.
APIs can fuel competitive advantages for businesses by providing business intelligence, facilitating cloud deployments, and enabling integration of AI capabilities. But at the same time, APIs can introduce new risks by allowing outside parties to access applications, share data, and run potentially sensitive workflows.
The OWASP API Security Top 10, most recently updated in 2023, highlights the key issues organizations should address to better protect their APIs, applications, and data. The list includes:
To learn more about these 10 security risks, see OWASP's official page.
There is some overlap between the OWASP Top 10 and the OWASP API Security Top 10. For example, broken access control is the first entry on the OWASP Top 10, and several forms of broken authentication and authorization appear among the first five entries on the API list. Security misconfiguration and server-side request forgery appear on both lists.
However, APIs also present risks that the web application list does not cover, so developers should take both lists into account.
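The most common of the authorization failures on the API list is Broken Object Level Authorization (API1:2023), where an endpoint authenticates the caller but then trusts the object ID the client put in the URL. The following is an added example, not code from the original page or from Cloudflare: a framework-free Python handler in its vulnerable and hardened forms, using a constructed order store and a `Request` stand-in for an already-authenticated HTTP request.

```python
"""Broken Object Level Authorization (BOLA, API1:2023) shown as a vulnerable
handler beside a hardened one.  Framework-free: requests are plain objects so
the module runs offline.  All data below is constructed for the example."""

from __future__ import annotations

from dataclasses import dataclass

# Constructed sample data: two users, each owning one order.
ORDERS = {
    "ord-1001": {"owner": "alice", "total": 42.00},
    "ord-1002": {"owner": "bob", "total": 17.50},
}


@dataclass
class Request:
    """Minimal stand-in (an assumption of this example) for an HTTP request
    after authentication.  `user` is the identity established by the API's
    auth layer (e.g. the `sub` claim of a validated bearer token);
    `order_id` is the path parameter chosen by the client."""
    user: str
    order_id: str


def get_order_vulnerable(req: Request) -> tuple[int, dict]:
    """API1:2023 anti-pattern: the caller is authenticated, but the
    client-supplied object ID is trusted.  Any logged-in user can read any
    order simply by changing the ID in the URL."""
    order = ORDERS.get(req.order_id)
    if order is None:
        return 404, {"error": "not found"}
    return 200, order


def get_order_hardened(req: Request) -> tuple[int, dict]:
    """Object-level authorization: load the object, then verify that the
    authenticated principal may access *this* object before returning it.
    The ownership check runs against the stored record, never against
    anything the client sent."""
    order = ORDERS.get(req.order_id)
    if order is None or order["owner"] != req.user:
        # Returning 404 for both "missing" and "not yours" avoids confirming
        # which IDs exist; 403 is also acceptable if enumeration is not a concern.
        return 404, {"error": "not found"}
    return 200, order


def id_enumeration_demo(handler, attacker: str) -> list[str]:
    """Simulates an attacker iterating over candidate IDs and reports which
    orders the handler leaked to a user who does not own them."""
    leaked = []
    for order_id, record in ORDERS.items():
        status, _ = handler(Request(user=attacker, order_id=order_id))
        if status == 200 and record["owner"] != attacker:
            leaked.append(order_id)
    return leaked


if __name__ == "__main__":
    print("vulnerable leaks:", id_enumeration_demo(get_order_vulnerable, "bob"))
    print("hardened leaks:  ", id_enumeration_demo(get_order_hardened, "bob"))
```

The fix is not a different authentication scheme; it is the per-object check that ties the record's owner to the authenticated identity. Sequential IDs such as `ord-1001` make the enumeration in `id_enumeration_demo` trivial, so random identifiers reduce exposure, but they do not replace the check.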
Cloudflare API Gateway helps keep APIs secure and working as they should through API discovery capabilities, centralized API management and monitoring, and innovative, layered defenses. API Gateway is part of Cloudflare’s application security portfolio, which offers additional capabilities for stopping bots, DDoS attacks, and application attacks while monitoring for supply chain attacks.
Learn how Cloudflare capabilities address the specific risks detailed in the OWASP API Security Top 10. And explore more of Cloudflare’s API security solutions.