Welcome to the 6th post in our weekly series on the new 2023 OWASP API Security Top-10 list, with a particular focus on security practitioners. This post will focus on API5:2023 Broken Function Level Authorization. In this series we are taking an in-depth look at each category – the details, the impact and what you can do about it.
It’s been reported that 2.6 million user records sourced from the Duolingo app are for sale. The attacker apparently obtained them from an open API provided by the company. There’s a more technical explanation available here. While we talk a lot about the vulnerabilities in the OWASP API Top-10 and the exploits associated with those vulnerabilities, this incident provides a good reminder that not all vulnerabilities are flaws in code. In fact, this API was working as designed.
We recently discussed the new SEC rule requiring all registered companies to report material cyber incidents within four (4) days.
Businesses of all sizes are increasingly relying on APIs to connect with their customers, partners, and other systems. APIs, or application programming interfaces, are the building blocks of the modern web, and they allow businesses to share data and functionality in a secure and efficient way. Without APIs, businesses are limited in their ability to innovate and grow. They lack the ability to integrate with other systems, create new products and services, or reach new markets.
What does a good DevSecOps pipeline should look like from a code security perspective? We hear this question often, and even though there are multiple answers, we’ve put together a blueprint that everybody could easily start with.