Welcome to the 6th post in our weekly series on the new 2023 OWASP API Security Top-10 list, with a particular focus on security practitioners. This post will focus on API5:2023 Broken Function Level Authorization. In this series we are taking an in-depth look at each category – the details, the impact and what you can do about it.

It’s been reported that 2.6 million user records sourced from the Duolingo app are for sale. The attacker apparently obtained them from an open API provided by the company. There’s a more technical explanation available here. While we talk a lot about the vulnerabilities in the OWASP API Top-10 and the exploits associated with those vulnerabilities, this incident provides a good reminder that not all vulnerabilities are flaws in code. In fact, this API was working as designed.

We recently discussed the new SEC rule requiring all registered companies to report material cyber incidents within four (4) days.

The Wallarm API Discovery module has been further enhanced to enable customers to identify Orphan APIs and bring them under management. In this post we’ll discuss what Orphan APIs are, why they matter, and how to regain control of your API portfolio.

Welcome to the 5th post in our weekly series on the new 2023 OWASP API Security Top-10 list, with a particular focus on security practitioners. This post will focus on API4:2023 Unrestricted Resource Consumption. In this series we are taking an in-depth look at each category – the details, the impact and what you can do about it.

We recently hosted a compact and very engaging panel discussion about the new SEC Cyber Incident Reporting Rules due to come into effect later this year. We were fortunate to be joined by two well-known experts: In the post, we will *not* rehash what was said in the panel discussion. If you did not get to attend the live session, we invite you watch it on-demand – it’s 30 minutes well spent!