API Security Weekly: Issue #34


Look at the changing landscape of OAuth 2.0 security and the use of Postman and Burp for API penetration testing.


This week, OWASP launched their Top 10 project for API Security. We also look at the changing landscape of OAuth 2.0 security, and the use of Postman and Burp for API penetration testing.

OWASP Top 10

The Open Web Application Security Project (OWASP) has long been known for its Top 10 list of web application security risks. Now they are extending their efforts to API Security.

See the project’s inaugural slide deck from Erez Yalon and Inon Shkedy.

The goal is to release version one of the document by the end of 2019. You can take part in the project on GitHub.

Here’s what the Top 10 API Security Risks look like in the current draft:

  1. Broken Object Level Access Control
  2. Broken Authentication
  3. Improper Data Filtering
  4. Lack of Resources and Rate Limiting
  5. Missing Function/Resource Level Access Control
  6. Mass Assignment
  7. Security Misconfiguration
  8. Injection
  9. Improper Assets Management
  10. Insufficient Logging and Monitoring
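Two of the listed risks, #1 Broken Object Level Access Control and #6 Mass Assignment, are easy to see side by side in a single profile-update handler. The example below is added here and is not code from the OWASP project or the newsletter; the in-memory profile store and field names are constructed for illustration.

```python
# Added example (not from OWASP or the newsletter): a profile-update handler
# in its weak form beside the hardened form that mitigates draft Top 10 items
# #1 (object-level access control) and #6 (mass assignment).
from typing import Any, Dict


def fresh_store() -> Dict[int, Dict[str, Any]]:
    """Constructed in-memory 'database' of user profiles (hypothetical data)."""
    return {
        1: {"id": 1, "email": "alice@example.test", "display_name": "Alice", "is_admin": False},
        2: {"id": 2, "email": "bob@example.test", "display_name": "Bob", "is_admin": False},
    }


# Fields a user may legitimately change on their own profile (allow-list).
WRITABLE_FIELDS = {"email", "display_name"}


def update_profile_vulnerable(store, actor_id: int, target_id: int, payload: Dict[str, Any]):
    """Deliberately weak: trusts the target id from the URL without checking
    that the caller owns it (#1) and copies every key in the request body
    onto the record, so a client can set server-managed fields (#6)."""
    profile = store[target_id]          # no ownership check
    profile.update(payload)             # 'is_admin' from the body is accepted
    return profile


def update_profile_hardened(store, actor_id: int, target_id: int, payload: Dict[str, Any]):
    """Object-level authorization first, then an explicit allow-list of writable fields."""
    profile = store.get(target_id)
    if profile is None:
        raise LookupError("no such profile")
    if profile["id"] != actor_id:
        # Mitigation for #1: the caller may only act on objects it owns.
        raise PermissionError("actor does not own this object")
    rejected = set(payload) - WRITABLE_FIELDS
    if rejected:
        # Mitigation for #6: refuse (and log) attempts to write non-allow-listed fields.
        raise ValueError(f"fields not writable: {sorted(rejected)}")
    profile.update(payload)
    return profile
```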

OAuth 2.0 Security Reinforced

OAuth 2.0 and OpenID Connect have become one of the cornerstones of API Security. However, the technology and threat landscape have changed a lot since the adoption of RFC 6749 in 2012.

Torsten Lodderstedt has covered the key changes and new security best practices in his recent talk at EIC 2019. See his slide deck below:

Mic Whitehorn-Gillam is doing a series of tutorials on API penetration testing with Postman & Burp:

Alissa Knight from Aite Group has published a write-up on API Security:

  • API adoption has grown fast. REST APIs have taken the world by storm.
  • This led to the rise of API breaches. Legacy technologies such as Web Application Firewalls (WAFs) do not help.
  • Poor API key management and poor handling of API contracts are some of the major factors that companies need to mitigate.

You can subscribe to this weekly newsletter at https://apisecurity.io


Published at DZone with permission of Dmitry Sotnikov , DZone MVB. See the original article here.
