
Latest News

Oh-Auth - Abusing OAuth to take over millions of accounts

OAuth (Open Authorization) is one of the fastest adopted technologies in the AppSec domain. From its first introduction in 2006, as an attempt to introduce a standard authorization protocol, it has become one of the most popular protocols for both user authorization and authentication, and it’s being used by almost every major web service and website today. One of the reasons for its huge popularity is its ease of implementation.

2023 API Security Trends for Manufacturing

Manufacturing is an industry in flux. The sector has been acutely affected by inflation, supply chain challenges and labor shortages in recent years, while also grappling with rapid developments in technology. It is no stretch to state that a manufacturer’s ability to leverage technology is a key determinant in its success and failure – now and into the future.

Elevating Enterprise API Security with Wallarm for MuleSoft Anypoint Platform

In an age characterized by digital transformation, APIs serve as the backbone of modern applications, enabling diverse systems to communicate and share data seamlessly. This widespread API adoption, however, exposes organizations to a considerable attack surface, inviting the attention of cyber adversaries searching for vulnerabilities to exploit.

Noname Leads the Way for API Security in the Federal ZT Journey

Over 18 months ago, a small group of us started a program to support the US federal government and the broader public sector with robust API security. Recognizing the major shifts in government cyber security, we focused on Zero Trust early. We wrote about it, talked about it, and evangelized on the importance of including API security in a ZT architecture. An early achievement was a detailed mapping of API security to the pillars of ZT over a year ago.

2023 OWASP Top-10 Series: Wrap Up

Over the past several months, we've taken a journey through the new 2023 OWASP API Security Top-10 list. In the previous 12 weekly posts, we've delved into each category, discussed what it is, how it's exploited, why it matters, and suggested effective protections for each. Now, as we conclude this series, it's time to summarize and offer some practical guidance for security practitioners looking to bolster API security in their organizations.

Featured Post

The Top 5 Tips for Identifying and Deterring Suspicious API Traffic

With the increasing reliance on APIs, detecting suspicious API traffic has become crucial to ensure the security and integrity of these interactions. Suspicious API traffic poses a huge threat to the overall system and its data; the traffic can indicate malicious intent such as unauthorised access attempts, data breaches, or even potential attacks targeting vulnerabilities in the API infrastructure.

2023 API Security Trends for Healthcare

Application programming interfaces, better known as APIs, link unrelated platforms so data can flow freely between them. And in order for providers to share patient health data across different systems, APIs must be produced at rapid speed and maintained with diligence to foster interoperability. However, this innovation comes with a catch. The more APIs an organization uses, the greater the opportunity for risk it faces in both performance and security.

The Latest Trends in API Security: The 2023 OWASP API Security Top Ten

The Open Web Application Security Project (OWASP) has published the latest edition of its API Security Top Ten, which was first published in 2019. The Top Ten is a significant daughter list of the OWASP Top Ten, which is one of the most definitive lists of the most severe web application risks. Why is this important? What are its main findings? And what does this mean for application security?

2023 OWASP Top-10 Series: Spotlight on Injection

Welcome to the 12th post in our weekly series on the new 2023 OWASP API Security Top-10 list, with a particular focus on security practitioners. In this series we are taking an in-depth look at each category – the details, the impact and what you can do about it. This post will put a spotlight on Injection, which used to be its own category (OWASP API8:2019) but has now been subsumed into OWASP API10:2023 (Unsafe Consumption of APIs).

Gartner predicted APIs would be the #1 attack vector - Two years later, is it true?

Over the last few years, APIs have rapidly become a core strategic element for businesses that want to scale and succeed within their industries. In fact, according to recent research, 97% of enterprise leaders believe that successfully executing an API strategy is essential to ensuring their organization’s growth and revenue.