Knowledge Center / OWASP API Top 10
OWASP · Global

OWASP API Security Top 10

The most critical security risks to APIs.

1. Introduction

Application Programming Interfaces (APIs) have become the connective tissue of modern digital business. Mobile applications, single-page web front-ends, business-to-business integrations, microservices, partner ecosystems and Internet-of-Things devices all communicate through APIs. Because APIs expose application logic and sensitive data directly, and because they are increasingly automated and machine-to-machine, they have become the single largest attack surface for many organisations. The OWASP API Security Top 10 is the industry-recognised reference that catalogues the most critical security risks specific to APIs, distinct from the general-purpose OWASP Top 10 for web applications.

This guide is written from the perspective of an assessor who must independently verify whether an organisation's APIs are designed, built, deployed and operated in a way that mitigates the risks enumerated in the OWASP API Security Top 10 (2023 edition). It provides a master assessment checklist covering every one of the ten risk categories, the evidence an auditor should collect, a phased implementation approach, a maturity model, mappings to adjacent frameworks, and practical readiness tooling. It is intended for security architects, API product owners, DevSecOps engineers, penetration testers and governance, risk and compliance (GRC) teams.

Licensing and copyright note
The OWASP API Security Top 10 is published by the Open Worldwide Application Security Project (OWASP) Foundation under the Creative Commons Attribution-ShareAlike 4.0 licence. It is free to use and reference. This guide is original CyberSigma commentary and does not reproduce OWASP's copyrighted text; where risk identifiers such as API1:2023 are used, they refer to OWASP's published category codes for interoperability only. Organisations should always consult the authoritative OWASP source for the canonical definitions.

2. What is the OWASP API Security Top 10

The OWASP API Security Top 10 is a prioritised, consensus-driven list of the ten most serious security risks affecting APIs. It was first published as a dedicated project in 2019 in recognition that APIs have unique threat characteristics that the classic web-application Top 10 did not fully address. The current edition, released in 2023, refines and reorders the categories based on real-world breach data, bug-bounty findings and practitioner input gathered by the OWASP community.

Unlike a formal certifiable standard such as ISO/IEC 27001 or PCI DSS, the OWASP API Security Top 10 is an awareness and prioritisation document rather than a compliance regime. There is no certificate of conformance. Its purpose is to focus limited security effort on the risks that matter most, to establish a shared vocabulary between developers and security teams, and to serve as the backbone of secure-development training, threat modelling, code review, and dynamic and static testing programmes. It is frequently cited as a baseline expectation inside contracts, secure-SDLC policies and vendor security questionnaires.

The ten 2023 categories are: API1:2023 Broken Object Level Authorization (BOLA); API2:2023 Broken Authentication; API3:2023 Broken Object Property Level Authorization; API4:2023 Unrestricted Resource Consumption; API5:2023 Broken Function Level Authorization; API6:2023 Unrestricted Access to Sensitive Business Flows; API7:2023 Server Side Request Forgery (SSRF); API8:2023 Security Misconfiguration; API9:2023 Improper Inventory Management; and API10:2023 Unsafe Consumption of APIs. A recurring theme is authorisation: the majority of the list concerns granting access to the wrong object, property, function or business flow.

3. Who must comply

Because the OWASP API Security Top 10 is a best-practice reference rather than a legal mandate, no organisation is legally compelled to 'comply' with it by name. In practice, however, it is treated as a de facto minimum bar for any organisation that exposes or consumes APIs, and it is routinely invoked by regulators, auditors and enterprise buyers as evidence of due diligence. The following table sets out the parties who should adopt it and why.

StakeholderWhy it applies to them
SaaS and product companiesTheir platforms are delivered predominantly through public and partner APIs, making API risk their primary threat surface.
Financial services and fintechOpen Banking, UPI, payment and account-aggregator APIs handle regulated data; supervisory expectations reference secure API design.
Healthcare and health-techPatient data exposed through FHIR and similar APIs falls under privacy law; BOLA and property-level flaws risk large breaches.
E-commerce and marketplacesHigh-volume business flows (checkout, coupons, inventory) are targeted by automated abuse addressed in API4 and API6.
Enterprises with microservicesInternal east-west API traffic requires the same authorisation and inventory discipline as external endpoints.
Government and public-sector digital servicesCitizen-facing APIs must demonstrate secure design; the list underpins many national secure-coding guidelines.
API-first and integration vendorsAPI gateways, iPaaS and B2B connectors both expose and consume third-party APIs, invoking API10 obligations.
Any organisation subject to PCI DSS, DPDP, GDPR or ISO 27001These frameworks require secure development and vulnerability management; the OWASP list is the recognised implementation reference for API layers.

4. Structure of the OWASP API Security Top 10

The 2023 edition is organised as ten discrete risk categories, each identified by an APIx:2023 code, a descriptive name and a short-hand acronym where applicable. Categories are ordered by a composite of exploitability, prevalence, detectability and technical/business impact. The table below presents the complete structure with the dominant weakness class each category represents.

IDCategory namePrimary weakness class
API1:2023Broken Object Level Authorization (BOLA)Object-level access control failure
API2:2023Broken AuthenticationIdentity verification failure
API3:2023Broken Object Property Level AuthorizationField/property access control failure (mass assignment and excessive data exposure)
API4:2023Unrestricted Resource ConsumptionRate/quota and cost control failure (denial of service and denial of wallet)
API5:2023Broken Function Level AuthorizationFunction/operation access control failure
API6:2023Unrestricted Access to Sensitive Business FlowsBusiness-logic abuse and automation failure
API7:2023Server Side Request Forgery (SSRF)Unvalidated outbound request handling
API8:2023Security MisconfigurationInsecure defaults, hardening and header failures
API9:2023Improper Inventory ManagementAPI and environment visibility/governance failure
API10:2023Unsafe Consumption of APIsTrust boundary failure with third-party/upstream APIs

5. Master assessment checklist

This is the core of the guide. Each of the ten categories is treated as an assessment domain with its own subsection. For every domain the auditor is given a set of verification points ('What to verify') and the artefacts that typically satisfy each point ('Typical evidence'). An assessment should not be considered complete unless every domain below has been walked through against every in-scope API. Verification points are written so they can be tested through documentation review, code and configuration inspection, interviews, and dynamic testing.

API1:2023 — Broken Object Level Authorization (BOLA)

BOLA occurs when an API endpoint receives an object identifier and returns or modifies that object without confirming the caller is entitled to it. It is the single most common and impactful API flaw, enabling horizontal privilege escalation and mass data extraction by iterating identifiers.

What to verifyTypical evidence
Every endpoint that accepts an object identifier enforces an ownership/authorisation check server-side before returning or modifying the objectAuthorisation middleware code, policy definitions, unit tests asserting cross-tenant denial
Authorisation is derived from the authenticated session/token, never solely from client-supplied identifiersToken claim usage in access checks, code review notes
Object identifiers are unpredictable (UUID/GUID) or, where sequential, protected by robust checksData model schema, ID generation strategy documentation
Multi-tenant isolation is enforced at the data-access layer so tenant A cannot read tenant B's recordsRow-level security policies, ORM tenant scoping, negative test results
Automated tests exist that attempt to access another user's objects and confirm a 403/404CI test reports, DAST/BOLA fuzzing output

API2:2023 — Broken Authentication

Authentication weaknesses allow attackers to assume other identities. This includes weak credential policies, flawed token issuance and validation, missing brute-force protection, and insecure password-reset and account-recovery flows.

What to verifyTypical evidence
Authentication endpoints enforce rate limiting, lockout and anomaly detection against credential stuffing and brute forceGateway rate-limit config, WAF rules, lockout policy, alert samples
Tokens (JWT/OAuth) validate signature, issuer, audience and expiry; the 'alg:none' and algorithm-confusion attacks are blockedToken validation code, library configuration, security test results
Credentials and secrets are never transmitted in URLs or query strings and are stored using strong hashing (bcrypt/argon2)Code review, storage schema, TLS enforcement config
Multi-factor authentication is available and enforced for sensitive and administrative operationsMFA policy, IdP configuration screenshots
Password reset, email change and account recovery flows cannot be abused to take over accountsFlow diagrams, token single-use/expiry evidence, test cases
Machine-to-machine authentication uses short-lived, scoped credentials rather than static long-lived API keys where feasibleOAuth client-credentials config, key rotation records

API3:2023 — Broken Object Property Level Authorization

This category merges the former 'Excessive Data Exposure' and 'Mass Assignment' risks. It concerns authorisation at the level of individual object properties: returning fields the caller should not see (read side) or allowing the caller to write fields they should not modify (write side).

What to verifyTypical evidence
API responses return only the properties the caller is authorised to view; sensitive fields are filtered server-side, not client-sideResponse schema/DTO definitions, serialization allow-lists, sample responses
Write operations use explicit allow-lists (binding whitelists) so clients cannot set privileged fields such as role, isAdmin, balanceRequest DTO/binding code, mass-assignment protection config
Object property exposure is validated against schema definitions and reviewed when new fields are addedOpenAPI/JSON Schema, change-review records
Generic serialization of full data models to responses is avoided in favour of purpose-built response objectsCode review, architecture standards

API4:2023 — Unrestricted Resource Consumption

APIs consume compute, memory, storage, bandwidth and paid third-party services (SMS, email, cloud functions). Without limits, attackers can cause denial of service or drive up costs ('denial of wallet').

What to verifyTypical evidence
Rate limiting and quotas are enforced per client, per user and per endpointGateway/throttling configuration, quota policy documents
Request payload size, array/collection length and query complexity (including GraphQL depth) are boundedBody-size limits, pagination limits, GraphQL depth/complexity config
Resource-intensive operations (file processing, exports, third-party fan-out) have timeouts and concurrency capsTimeout configuration, worker pool limits, circuit breaker config
Spending on paid downstream services triggered by API calls is capped and monitoredCloud budget alerts, third-party usage dashboards
Autoscaling and cost anomalies are monitored and alertedMonitoring dashboards, alert rules, incident samples

API5:2023 — Broken Function Level Authorization

Where BOLA concerns access to data objects, BFLA concerns access to functions and operations. It arises when an endpoint or HTTP method (for example an administrative DELETE) is reachable by users who lack the necessary role or privilege.

What to verifyTypical evidence
Administrative and privileged functions are protected by explicit role/permission checks enforced server-sideRole-based access control policy, authorisation code, admin endpoint tests
All HTTP methods on each route are individually authorised; unused methods are disabledRoute/method authorisation matrix, negative test results
Authorisation is centralised and applied by default (deny-by-default), not implemented ad hoc per handlerAuthorisation framework/middleware, secure-by-default architecture docs
Regular users cannot invoke admin functions by guessing or manipulating endpoint pathsPenetration test findings, forced-browsing test evidence
Segregation between administrative and consumer API surfaces is documented and enforcedAPI grouping/namespace design, gateway routing rules

API6:2023 — Unrestricted Access to Sensitive Business Flows

This category addresses business-logic abuse: sensitive workflows (purchasing limited stock, creating accounts, posting comments, redeeming rewards) that are technically 'authorised' but harmful when performed at scale by automation or bots.

What to verifyTypical evidence
Sensitive business flows have been identified through threat modelling and their abuse scenarios documentedThreat model, business-flow inventory, abuse-case catalogue
Anti-automation controls (device fingerprinting, CAPTCHA, behavioural analysis, rate limits on the flow) are in placeBot-mitigation configuration, CAPTCHA integration, analytics rules
Business rules enforce limits (per-user purchase caps, cool-down periods, one-per-account restrictions)Business-rule code, configuration, test cases
Monitoring detects anomalous flow usage patterns and triggers responseSIEM/analytics rules, alert samples, response playbooks

API7:2023 — Server Side Request Forgery (SSRF)

SSRF occurs when an API fetches a remote resource using a URL supplied or influenced by the client without validating it, allowing attackers to make the server issue requests to internal systems, cloud metadata endpoints or arbitrary hosts.

What to verifyTypical evidence
User-supplied URLs used for server-side fetches are validated against an allow-list of permitted schemes, hosts and portsURL validation code, allow-list configuration
Requests to internal/private IP ranges, link-local addresses and cloud metadata endpoints (169.254.169.254) are blockedEgress firewall rules, network policy, validation tests
DNS rebinding and redirect-following are mitigated (resolve-then-validate, disable auto-redirects)Code review, HTTP client configuration
Outbound traffic from API services is restricted by network segmentation and egress filteringNetwork diagrams, security group/egress rules
Responses from fetched resources are not blindly reflected to the callerResponse handling code, blind-SSRF detection results

API8:2023 — Security Misconfiguration

Misconfiguration spans the entire stack: missing hardening, verbose error messages, permissive CORS, absent security headers, unpatched components, default credentials and unnecessary features left enabled.

What to verifyTypical evidence
A repeatable, hardened configuration baseline is applied consistently across all environmentsIaC templates, hardening baseline/CIS benchmark, configuration management records
CORS is restricted to trusted origins; wildcard origins with credentials are disallowedCORS configuration, gateway policy
Security headers (HSTS, Content-Security-Policy where relevant, X-Content-Type-Options) and TLS best practice are enforcedHeader configuration, TLS scan report
Error responses do not leak stack traces, internal paths or verbose diagnostic detailSample error responses, error-handling code
Unnecessary HTTP methods, verbose HTTP verbs, debug endpoints and default accounts are disabledEndpoint inventory, configuration review
Components and dependencies are patched; a vulnerability management process covers the API stackPatch records, SCA/dependency scan reports

API9:2023 — Improper Inventory Management

Organisations cannot protect APIs they do not know about. This category covers unknown, deprecated, shadow and zombie APIs, unmanaged versions, and undocumented environments that widen the attack surface.

What to verifyTypical evidence
A complete, current inventory of all APIs, versions, environments and their exposure is maintainedAPI catalogue/registry, discovery scan output
Every API has up-to-date documentation covering endpoints, authentication, parameters and data handledOpenAPI/Swagger specs, documentation portal
Deprecated and retired API versions are decommissioned on a defined schedule; sunset dates are communicatedDeprecation policy, version lifecycle records, sunset headers
Non-production environments (staging, debug, old versions) are not inadvertently exposed to the internetAttack-surface scan, environment access-control config
Data flows and which APIs handle sensitive/regulated data are mappedData-flow diagrams, data classification records

API10:2023 — Unsafe Consumption of APIs

Developers often trust data from third-party or upstream APIs more than direct user input. This category addresses the risks of consuming external APIs without applying the same validation, transport security and error-handling discipline.

What to verifyTypical evidence
Data received from third-party/upstream APIs is validated and sanitised before use, exactly as user input would beInput validation code for integration boundaries, code review
All communication with external APIs uses encrypted transport (TLS) with certificate validationHTTP client TLS config, certificate pinning where applicable
Redirects returned by third-party APIs are not blindly followed to arbitrary destinationsRedirect handling configuration
Third-party API failures and malformed responses are handled safely with timeouts and defensive parsingTimeout/retry config, error-handling code, resilience tests
The security posture and data-handling of integrated third parties is assessed and monitoredVendor assessments, integration inventory, contractual security clauses

6. Scoping

Scoping determines which API assets are subject to assessment and to what depth. Because the OWASP API Security Top 10 is risk-based rather than certification-based, scope should be driven by exposure and data sensitivity rather than an arbitrary boundary. A well-scoped engagement prevents both under-coverage (leaving shadow APIs untested) and wasted effort (deeply testing low-value internal utilities).

  • Enumerate all API assets first: public, partner, internal/east-west, mobile back-ends, GraphQL and gRPC services, webhooks and third-party integrations consumed.
  • Classify each API by data sensitivity (regulated, personal, financial, public) and by exposure (internet-facing, partner-restricted, internal only).
  • Prioritise internet-facing APIs handling sensitive or regulated data for the deepest testing, including authenticated multi-role dynamic testing.
  • Include non-production environments that are reachable, as staging and debug endpoints are a recognised API9 risk.
  • Define which roles and tenants are available for authorisation testing (essential for BOLA and BFLA coverage).
  • Explicitly note out-of-scope systems and the residual risk their exclusion carries.
  • Confirm testing windows, rate-limit exemptions and rollback plans for any active dynamic testing against production.

7. Implementation approach

Mitigating the OWASP API Security Top 10 is a programme, not a one-off scan. The following phased approach embeds API security across the software development lifecycle and operations. Each phase lists indicative activities and the deliverables an auditor would expect to see.

Phase 1 — Discover and inventory

Activities: run automated API discovery against traffic, gateways and code repositories; build a central API catalogue; classify data sensitivity and exposure; identify shadow, deprecated and zombie APIs. Deliverables: authoritative API inventory, data classification, exposure map, and a prioritised backlog of unmanaged APIs to remediate (directly addressing API9).

Phase 2 — Threat model and design controls

Activities: threat-model high-value APIs and sensitive business flows; define authorisation model (object, property and function level); establish secure-by-default patterns, standard authentication, and reference architectures. Deliverables: threat models, authorisation matrices, secure API design standards, and abuse-case catalogues (addressing API1, API3, API5 and API6).

Phase 3 — Build securely

Activities: implement centralised authorisation middleware, allow-list request binding, response DTO filtering, input validation, rate limiting and SSRF protection; integrate SAST and SCA into CI. Deliverables: reusable security libraries, hardened gateway configuration, dependency scan gates, and secure-coding training records.

Phase 4 — Test and validate

Activities: run DAST and dedicated API security testing (including BOLA/BFLA fuzzing with multiple roles and tenants), business-logic and authentication testing, and third-party integration reviews. Deliverables: test plans, penetration test reports, CI security test evidence, and a triaged findings register.

Phase 5 — Deploy and harden

Activities: apply configuration baselines through infrastructure as code; enforce TLS, CORS, headers and error hygiene; disable debug endpoints; validate egress controls. Deliverables: IaC-managed hardening baseline, configuration compliance reports, and a pre-production security gate (addressing API8).

Phase 6 — Operate and monitor

Activities: deploy API-aware runtime protection (WAAP/gateway monitoring), anomaly and abuse detection, quota and cost monitoring, and a vulnerability/patch management cadence; maintain inventory currency. Deliverables: monitoring dashboards, alerting rules, incident response playbooks, and periodic re-assessment schedule.

8. Maturity and capability model

Because there is no formal scoring scheme in the OWASP API Security Top 10 itself, organisations benefit from a capability maturity model to gauge and communicate progress. The five-level model below can be applied per risk category or to the API security programme as a whole.

LevelNameCharacteristics
1Initial / Ad hocNo API inventory; authorisation handled inconsistently per endpoint; security testing rare; reliance on perimeter controls only.
2ReactiveSome documentation and gateway rate limiting exist; security testing occurs after incidents; authorisation checks present but not standardised.
3DefinedCentral API catalogue maintained; authorisation model documented; secure-coding standards and SAST/SCA in CI; periodic penetration testing.
4ManagedAutomated BOLA/BFLA testing in CI; runtime API monitoring and anomaly detection; metrics tracked; inventory kept current automatically.
5OptimisedThreat-driven, continuously assessed programme; deny-by-default authorisation everywhere; abuse detection with automated response; measurable, improving KPIs.

9. Assessment and audit approach

An assessment against the OWASP API Security Top 10 combines documentation review, technical testing and interviews. The following ordered steps describe a defensible audit methodology.

  1. Agree scope, rules of engagement and testing windows; obtain necessary authorisations and test credentials for multiple roles and tenants.
  2. Obtain and validate the API inventory and documentation (OpenAPI specs); identify undocumented or shadow endpoints through discovery (covers API9).
  3. Review the authorisation architecture and perform object-level, property-level and function-level access testing across roles and tenants (API1, API3, API5).
  4. Assess authentication and session/token handling, including brute-force protection and token validation (API2).
  5. Test resource consumption controls: rate limits, payload and query complexity limits, and cost controls (API4).
  6. Analyse sensitive business flows for automation and abuse resistance (API6).
  7. Test server-side request handling for SSRF and review egress controls (API7).
  8. Review configuration, headers, CORS, error handling and dependency hygiene across environments (API8).
  9. Review consumption of third-party APIs for validation, transport security and error handling (API10).
  10. Consolidate findings, rate them by risk, map each to its OWASP category, and produce a prioritised remediation roadmap with retest criteria.

10. Evidence request list

The following categorised artefacts should be requested at the outset of an assessment to support efficient, evidence-based verification.

  • Governance and inventory: API catalogue/registry, data classification, exposure map, deprecation and versioning policy.
  • Documentation: OpenAPI/Swagger specifications, architecture and data-flow diagrams, threat models and abuse-case catalogues.
  • Authorisation and authentication: RBAC/ABAC policies, authorisation middleware code, IdP/OAuth configuration, MFA policy, token validation configuration.
  • Configuration: gateway and WAF/WAAP configuration, rate-limit and quota policies, CORS and security-header configuration, TLS scan reports, IaC hardening baselines.
  • Development assurance: secure-coding standards, SAST/DAST/SCA reports, CI security-gate evidence, code-review records, training records.
  • Testing: penetration test reports (including BOLA/BFLA testing), business-logic test results, and the current findings/remediation register.
  • Third-party: integration inventory, vendor security assessments, and contractual security clauses.
  • Operations: monitoring dashboards, anomaly/abuse alert rules, incident response playbooks, patch and vulnerability management records.

11. Roles and responsibilities

Clear ownership is essential; API security spans product, engineering, security and operations. The RACI-style table below sets out typical accountabilities.

RolePrimary responsibilities
API product ownerMaintains API inventory, prioritises security backlog, owns versioning and deprecation decisions.
Security architectDefines authorisation model, secure-design standards, threat models and reference architectures.
Development teamImplements authorisation, validation and hardening; remediates findings; writes security tests.
DevSecOps / platform engineeringOwns gateway, CI security gates, IaC hardening baselines and runtime protection.
Application security / penetration testersConduct API security testing, validate remediations and maintain the findings register.
GRC / complianceMaps API risks to regulatory obligations, tracks metrics and reports residual risk to leadership.
Incident response / SOCMonitors runtime alerts, investigates abuse and executes response playbooks.

12. KPIs to track

  • Percentage of APIs inventoried and documented against the estimated total (inventory coverage).
  • Percentage of endpoints covered by automated authorisation (BOLA/BFLA) tests in CI.
  • Number of shadow, deprecated or zombie APIs discovered and time to decommission.
  • Mean time to remediate high and critical API findings.
  • Percentage of APIs behind enforced rate limiting and quotas.
  • Number of API security findings by OWASP category over time (trend by risk).
  • Percentage of third-party integrations with completed security assessments.
  • Proportion of APIs conforming to the configuration hardening baseline.
  • Rate of abuse/anomaly alerts on sensitive business flows and time to response.

13. Readiness checklist

  • A complete, current inventory of all APIs, versions and environments is maintained.
  • Every endpoint enforces server-side object-level authorisation tied to the authenticated identity (API1).
  • Authentication is hardened with rate limiting, robust token validation and MFA on sensitive operations (API2).
  • Responses filter sensitive properties and writes use allow-list binding (API3).
  • Rate limits, payload/query complexity limits and cost controls are enforced (API4).
  • Privileged functions and HTTP methods enforce role checks with deny-by-default (API5).
  • Sensitive business flows have anti-automation and business-rule limits (API6).
  • Server-side URL fetches are validated and egress to internal ranges/metadata is blocked (API7).
  • A hardened configuration baseline, secure headers, restricted CORS and clean error handling are applied across environments (API8).
  • Deprecated versions are decommissioned and non-production environments are not exposed (API9).
  • Third-party API data is validated and consumed over TLS with defensive error handling (API10).
  • Automated API security testing runs in CI and periodic penetration testing is scheduled.
  • Runtime monitoring, anomaly detection and incident playbooks are in place.

14. Common gaps

  • Authorisation checks that trust client-supplied object identifiers, leading to BOLA and mass data extraction.
  • Filtering sensitive fields in the client or UI rather than server-side, leaving full data in API responses.
  • Accepting arbitrary request bodies without allow-list binding, enabling mass assignment of privileged fields.
  • Rate limiting applied only globally at the perimeter rather than per user, per client and per endpoint.
  • Admin functions distinguished only by an unlinked URL path, discoverable through forced browsing (BFLA).
  • No threat modelling of business flows, leaving them open to automated abuse and inventory hoarding.
  • URL-fetching features without allow-lists or egress controls, exposing cloud metadata and internal services to SSRF.
  • Verbose error messages, permissive wildcard CORS with credentials, and missing security headers.
  • Forgotten staging, debug and old-version endpoints exposed to the internet with weaker controls.
  • Blind trust in third-party API responses without validation, safe redirect handling or TLS verification.

15. OWASP API Security Top 10 mapped to other frameworks

The OWASP API Security Top 10 is not a standalone compliance regime; it operationalises the secure-development and vulnerability-management expectations found in broader frameworks. The mapping below shows how each category supports adjacent controls. Mappings are indicative and should be tailored per assessment.

OWASP API categoryISO/IEC 27001 (Annex A)PCI DSS v4.0NIST CSF 2.0 / OWASP ASVS
API1 BOLAA.8.3 Information access restrictionReq 7 Restrict access by need to knowPR.AA (Access control) / ASVS V4 Access Control
API2 Broken AuthenticationA.5.17 Authentication information; A.8.5Req 8 Identify and authenticate accessPR.AA / ASVS V2 Authentication
API3 Property-Level AuthzA.8.3; A.5.34 Privacy and PIIReq 3 Protect stored account dataPR.DS (Data security) / ASVS V13 API and Web Service
API4 Resource ConsumptionA.8.6 Capacity managementReq 6 Secure systems and softwareDE.CM (Continuous monitoring) / ASVS V13
API5 BFLAA.8.2 Privileged access rightsReq 7 Restrict access by need to knowPR.AA / ASVS V4 Access Control
API6 Sensitive Business FlowsA.8.16 Monitoring activitiesReq 6 Secure systems and softwareDE.AE (Anomalies and events)
API7 SSRFA.8.20 Network security; A.8.22 SegregationReq 1 Network security controlsPR.IR (Infrastructure resilience) / ASVS V12
API8 Security MisconfigurationA.8.9 Configuration managementReq 2 Apply secure configurationsPR.PS (Platform security) / ASVS V14 Configuration
API9 Inventory ManagementA.5.9 Inventory of assetsReq 12 Support information security with policiesID.AM (Asset management)
API10 Unsafe ConsumptionA.5.19 Supplier relationships securityReq 6 Secure systems and softwareGV.SC (Supply chain) / ASVS V13

16. How CyberSigma helps

Partner with CyberSigma for end-to-end API security
CyberSigma brings CERT-In empanelled and PCI QSA expertise to every stage of your API security journey. We discover and inventory your full API estate (including shadow and zombie APIs), threat-model your sensitive business flows, and run authenticated, multi-role BOLA and BFLA testing that automated scanners miss. Our assessments map every finding to the OWASP API Security Top 10 and to your regulatory obligations under ISO 27001, PCI DSS and India's DPDP Act, delivering a prioritised, developer-ready remediation roadmap. Beyond point-in-time testing, we help you embed secure-by-default authorisation patterns, CI security gates and runtime API monitoring so your programme matures from reactive to optimised. Contact CyberSigma to book an API security readiness assessment and close your most critical API risks with confidence.

Frequently asked questions

Why do APIs need a separate Top 10?
APIs expose object- and function-level operations directly, making authorisation flaws (like BOLA) the dominant risk — distinct from the general web application Top 10.

Need help with OWASP API Top 10?

CERT-In empanelled, PCI QSA senior auditors can take you from reading about it to compliant — with a scoped, guided programme.