1. Introduction
Application Programming Interfaces (APIs) have become the connective tissue of modern digital business. Mobile applications, single-page web front-ends, business-to-business integrations, microservices, partner ecosystems and Internet-of-Things devices all communicate through APIs. Because APIs expose application logic and sensitive data directly, and because they are increasingly automated and machine-to-machine, they have become the single largest attack surface for many organisations. The OWASP API Security Top 10 is the industry-recognised reference that catalogues the most critical security risks specific to APIs, distinct from the general-purpose OWASP Top 10 for web applications.
This guide is written from the perspective of an assessor who must independently verify whether an organisation's APIs are designed, built, deployed and operated in a way that mitigates the risks enumerated in the OWASP API Security Top 10 (2023 edition). It provides a master assessment checklist covering every one of the ten risk categories, the evidence an auditor should collect, a phased implementation approach, a maturity model, mappings to adjacent frameworks, and practical readiness tooling. It is intended for security architects, API product owners, DevSecOps engineers, penetration testers and governance, risk and compliance (GRC) teams.
2. What is the OWASP API Security Top 10
The OWASP API Security Top 10 is a prioritised, consensus-driven list of the ten most serious security risks affecting APIs. It was first published as a dedicated project in 2019 in recognition that APIs have unique threat characteristics that the classic web-application Top 10 did not fully address. The current edition, released in 2023, refines and reorders the categories based on real-world breach data, bug-bounty findings and practitioner input gathered by the OWASP community.
Unlike a formal certifiable standard such as ISO/IEC 27001 or PCI DSS, the OWASP API Security Top 10 is an awareness and prioritisation document rather than a compliance regime. There is no certificate of conformance. Its purpose is to focus limited security effort on the risks that matter most, to establish a shared vocabulary between developers and security teams, and to serve as the backbone of secure-development training, threat modelling, code review, and dynamic and static testing programmes. It is frequently cited as a baseline expectation inside contracts, secure-SDLC policies and vendor security questionnaires.
The ten 2023 categories are: API1:2023 Broken Object Level Authorization (BOLA); API2:2023 Broken Authentication; API3:2023 Broken Object Property Level Authorization; API4:2023 Unrestricted Resource Consumption; API5:2023 Broken Function Level Authorization; API6:2023 Unrestricted Access to Sensitive Business Flows; API7:2023 Server Side Request Forgery (SSRF); API8:2023 Security Misconfiguration; API9:2023 Improper Inventory Management; and API10:2023 Unsafe Consumption of APIs. A recurring theme is authorisation: the majority of the list concerns granting access to the wrong object, property, function or business flow.
3. Who must comply
Because the OWASP API Security Top 10 is a best-practice reference rather than a legal mandate, no organisation is legally compelled to 'comply' with it by name. In practice, however, it is treated as a de facto minimum bar for any organisation that exposes or consumes APIs, and it is routinely invoked by regulators, auditors and enterprise buyers as evidence of due diligence. The following table sets out the parties who should adopt it and why.
| Stakeholder | Why it applies to them |
|---|---|
| SaaS and product companies | Their platforms are delivered predominantly through public and partner APIs, making API risk their primary threat surface. |
| Financial services and fintech | Open Banking, UPI, payment and account-aggregator APIs handle regulated data; supervisory expectations reference secure API design. |
| Healthcare and health-tech | Patient data exposed through FHIR and similar APIs falls under privacy law; BOLA and property-level flaws risk large breaches. |
| E-commerce and marketplaces | High-volume business flows (checkout, coupons, inventory) are targeted by automated abuse addressed in API4 and API6. |
| Enterprises with microservices | Internal east-west API traffic requires the same authorisation and inventory discipline as external endpoints. |
| Government and public-sector digital services | Citizen-facing APIs must demonstrate secure design; the list underpins many national secure-coding guidelines. |
| API-first and integration vendors | API gateways, iPaaS and B2B connectors both expose and consume third-party APIs, invoking API10 obligations. |
| Any organisation subject to PCI DSS, DPDP, GDPR or ISO 27001 | These frameworks require secure development and vulnerability management; the OWASP list is the recognised implementation reference for API layers. |
4. Structure of the OWASP API Security Top 10
The 2023 edition is organised as ten discrete risk categories, each identified by an APIx:2023 code, a descriptive name and a short-hand acronym where applicable. Categories are ordered by a composite of exploitability, prevalence, detectability and technical/business impact. The table below presents the complete structure with the dominant weakness class each category represents.
| ID | Category name | Primary weakness class |
|---|---|---|
| API1:2023 | Broken Object Level Authorization (BOLA) | Object-level access control failure |
| API2:2023 | Broken Authentication | Identity verification failure |
| API3:2023 | Broken Object Property Level Authorization | Field/property access control failure (mass assignment and excessive data exposure) |
| API4:2023 | Unrestricted Resource Consumption | Rate/quota and cost control failure (denial of service and denial of wallet) |
| API5:2023 | Broken Function Level Authorization | Function/operation access control failure |
| API6:2023 | Unrestricted Access to Sensitive Business Flows | Business-logic abuse and automation failure |
| API7:2023 | Server Side Request Forgery (SSRF) | Unvalidated outbound request handling |
| API8:2023 | Security Misconfiguration | Insecure defaults, hardening and header failures |
| API9:2023 | Improper Inventory Management | API and environment visibility/governance failure |
| API10:2023 | Unsafe Consumption of APIs | Trust boundary failure with third-party/upstream APIs |
5. Master assessment checklist
This is the core of the guide. Each of the ten categories is treated as an assessment domain with its own subsection. For every domain the auditor is given a set of verification points ('What to verify') and the artefacts that typically satisfy each point ('Typical evidence'). An assessment should not be considered complete unless every domain below has been walked through against every in-scope API. Verification points are written so they can be tested through documentation review, code and configuration inspection, interviews, and dynamic testing.
API1:2023 — Broken Object Level Authorization (BOLA)
BOLA occurs when an API endpoint receives an object identifier and returns or modifies that object without confirming the caller is entitled to it. It is the single most common and impactful API flaw, enabling horizontal privilege escalation and mass data extraction by iterating identifiers.
| What to verify | Typical evidence |
|---|---|
| Every endpoint that accepts an object identifier enforces an ownership/authorisation check server-side before returning or modifying the object | Authorisation middleware code, policy definitions, unit tests asserting cross-tenant denial |
| Authorisation is derived from the authenticated session/token, never solely from client-supplied identifiers | Token claim usage in access checks, code review notes |
| Object identifiers are unpredictable (UUID/GUID) or, where sequential, protected by robust checks | Data model schema, ID generation strategy documentation |
| Multi-tenant isolation is enforced at the data-access layer so tenant A cannot read tenant B's records | Row-level security policies, ORM tenant scoping, negative test results |
| Automated tests exist that attempt to access another user's objects and confirm a 403/404 | CI test reports, DAST/BOLA fuzzing output |
API2:2023 — Broken Authentication
Authentication weaknesses allow attackers to assume other identities. This includes weak credential policies, flawed token issuance and validation, missing brute-force protection, and insecure password-reset and account-recovery flows.
| What to verify | Typical evidence |
|---|---|
| Authentication endpoints enforce rate limiting, lockout and anomaly detection against credential stuffing and brute force | Gateway rate-limit config, WAF rules, lockout policy, alert samples |
| Tokens (JWT/OAuth) validate signature, issuer, audience and expiry; the 'alg:none' and algorithm-confusion attacks are blocked | Token validation code, library configuration, security test results |
| Credentials and secrets are never transmitted in URLs or query strings and are stored using strong hashing (bcrypt/argon2) | Code review, storage schema, TLS enforcement config |
| Multi-factor authentication is available and enforced for sensitive and administrative operations | MFA policy, IdP configuration screenshots |
| Password reset, email change and account recovery flows cannot be abused to take over accounts | Flow diagrams, token single-use/expiry evidence, test cases |
| Machine-to-machine authentication uses short-lived, scoped credentials rather than static long-lived API keys where feasible | OAuth client-credentials config, key rotation records |
API3:2023 — Broken Object Property Level Authorization
This category merges the former 'Excessive Data Exposure' and 'Mass Assignment' risks. It concerns authorisation at the level of individual object properties: returning fields the caller should not see (read side) or allowing the caller to write fields they should not modify (write side).
| What to verify | Typical evidence |
|---|---|
| API responses return only the properties the caller is authorised to view; sensitive fields are filtered server-side, not client-side | Response schema/DTO definitions, serialization allow-lists, sample responses |
| Write operations use explicit allow-lists (binding whitelists) so clients cannot set privileged fields such as role, isAdmin, balance | Request DTO/binding code, mass-assignment protection config |
| Object property exposure is validated against schema definitions and reviewed when new fields are added | OpenAPI/JSON Schema, change-review records |
| Generic serialization of full data models to responses is avoided in favour of purpose-built response objects | Code review, architecture standards |
API4:2023 — Unrestricted Resource Consumption
APIs consume compute, memory, storage, bandwidth and paid third-party services (SMS, email, cloud functions). Without limits, attackers can cause denial of service or drive up costs ('denial of wallet').
| What to verify | Typical evidence |
|---|---|
| Rate limiting and quotas are enforced per client, per user and per endpoint | Gateway/throttling configuration, quota policy documents |
| Request payload size, array/collection length and query complexity (including GraphQL depth) are bounded | Body-size limits, pagination limits, GraphQL depth/complexity config |
| Resource-intensive operations (file processing, exports, third-party fan-out) have timeouts and concurrency caps | Timeout configuration, worker pool limits, circuit breaker config |
| Spending on paid downstream services triggered by API calls is capped and monitored | Cloud budget alerts, third-party usage dashboards |
| Autoscaling and cost anomalies are monitored and alerted | Monitoring dashboards, alert rules, incident samples |
API5:2023 — Broken Function Level Authorization
Where BOLA concerns access to data objects, BFLA concerns access to functions and operations. It arises when an endpoint or HTTP method (for example an administrative DELETE) is reachable by users who lack the necessary role or privilege.
| What to verify | Typical evidence |
|---|---|
| Administrative and privileged functions are protected by explicit role/permission checks enforced server-side | Role-based access control policy, authorisation code, admin endpoint tests |
| All HTTP methods on each route are individually authorised; unused methods are disabled | Route/method authorisation matrix, negative test results |
| Authorisation is centralised and applied by default (deny-by-default), not implemented ad hoc per handler | Authorisation framework/middleware, secure-by-default architecture docs |
| Regular users cannot invoke admin functions by guessing or manipulating endpoint paths | Penetration test findings, forced-browsing test evidence |
| Segregation between administrative and consumer API surfaces is documented and enforced | API grouping/namespace design, gateway routing rules |
API6:2023 — Unrestricted Access to Sensitive Business Flows
This category addresses business-logic abuse: sensitive workflows (purchasing limited stock, creating accounts, posting comments, redeeming rewards) that are technically 'authorised' but harmful when performed at scale by automation or bots.
| What to verify | Typical evidence |
|---|---|
| Sensitive business flows have been identified through threat modelling and their abuse scenarios documented | Threat model, business-flow inventory, abuse-case catalogue |
| Anti-automation controls (device fingerprinting, CAPTCHA, behavioural analysis, rate limits on the flow) are in place | Bot-mitigation configuration, CAPTCHA integration, analytics rules |
| Business rules enforce limits (per-user purchase caps, cool-down periods, one-per-account restrictions) | Business-rule code, configuration, test cases |
| Monitoring detects anomalous flow usage patterns and triggers response | SIEM/analytics rules, alert samples, response playbooks |
API7:2023 — Server Side Request Forgery (SSRF)
SSRF occurs when an API fetches a remote resource using a URL supplied or influenced by the client without validating it, allowing attackers to make the server issue requests to internal systems, cloud metadata endpoints or arbitrary hosts.
| What to verify | Typical evidence |
|---|---|
| User-supplied URLs used for server-side fetches are validated against an allow-list of permitted schemes, hosts and ports | URL validation code, allow-list configuration |
| Requests to internal/private IP ranges, link-local addresses and cloud metadata endpoints (169.254.169.254) are blocked | Egress firewall rules, network policy, validation tests |
| DNS rebinding and redirect-following are mitigated (resolve-then-validate, disable auto-redirects) | Code review, HTTP client configuration |
| Outbound traffic from API services is restricted by network segmentation and egress filtering | Network diagrams, security group/egress rules |
| Responses from fetched resources are not blindly reflected to the caller | Response handling code, blind-SSRF detection results |
API8:2023 — Security Misconfiguration
Misconfiguration spans the entire stack: missing hardening, verbose error messages, permissive CORS, absent security headers, unpatched components, default credentials and unnecessary features left enabled.
| What to verify | Typical evidence |
|---|---|
| A repeatable, hardened configuration baseline is applied consistently across all environments | IaC templates, hardening baseline/CIS benchmark, configuration management records |
| CORS is restricted to trusted origins; wildcard origins with credentials are disallowed | CORS configuration, gateway policy |
| Security headers (HSTS, Content-Security-Policy where relevant, X-Content-Type-Options) and TLS best practice are enforced | Header configuration, TLS scan report |
| Error responses do not leak stack traces, internal paths or verbose diagnostic detail | Sample error responses, error-handling code |
| Unnecessary HTTP methods, verbose HTTP verbs, debug endpoints and default accounts are disabled | Endpoint inventory, configuration review |
| Components and dependencies are patched; a vulnerability management process covers the API stack | Patch records, SCA/dependency scan reports |
API9:2023 — Improper Inventory Management
Organisations cannot protect APIs they do not know about. This category covers unknown, deprecated, shadow and zombie APIs, unmanaged versions, and undocumented environments that widen the attack surface.
| What to verify | Typical evidence |
|---|---|
| A complete, current inventory of all APIs, versions, environments and their exposure is maintained | API catalogue/registry, discovery scan output |
| Every API has up-to-date documentation covering endpoints, authentication, parameters and data handled | OpenAPI/Swagger specs, documentation portal |
| Deprecated and retired API versions are decommissioned on a defined schedule; sunset dates are communicated | Deprecation policy, version lifecycle records, sunset headers |
| Non-production environments (staging, debug, old versions) are not inadvertently exposed to the internet | Attack-surface scan, environment access-control config |
| Data flows and which APIs handle sensitive/regulated data are mapped | Data-flow diagrams, data classification records |
API10:2023 — Unsafe Consumption of APIs
Developers often trust data from third-party or upstream APIs more than direct user input. This category addresses the risks of consuming external APIs without applying the same validation, transport security and error-handling discipline.
| What to verify | Typical evidence |
|---|---|
| Data received from third-party/upstream APIs is validated and sanitised before use, exactly as user input would be | Input validation code for integration boundaries, code review |
| All communication with external APIs uses encrypted transport (TLS) with certificate validation | HTTP client TLS config, certificate pinning where applicable |
| Redirects returned by third-party APIs are not blindly followed to arbitrary destinations | Redirect handling configuration |
| Third-party API failures and malformed responses are handled safely with timeouts and defensive parsing | Timeout/retry config, error-handling code, resilience tests |
| The security posture and data-handling of integrated third parties is assessed and monitored | Vendor assessments, integration inventory, contractual security clauses |
6. Scoping
Scoping determines which API assets are subject to assessment and to what depth. Because the OWASP API Security Top 10 is risk-based rather than certification-based, scope should be driven by exposure and data sensitivity rather than an arbitrary boundary. A well-scoped engagement prevents both under-coverage (leaving shadow APIs untested) and wasted effort (deeply testing low-value internal utilities).
- Enumerate all API assets first: public, partner, internal/east-west, mobile back-ends, GraphQL and gRPC services, webhooks and third-party integrations consumed.
- Classify each API by data sensitivity (regulated, personal, financial, public) and by exposure (internet-facing, partner-restricted, internal only).
- Prioritise internet-facing APIs handling sensitive or regulated data for the deepest testing, including authenticated multi-role dynamic testing.
- Include non-production environments that are reachable, as staging and debug endpoints are a recognised API9 risk.
- Define which roles and tenants are available for authorisation testing (essential for BOLA and BFLA coverage).
- Explicitly note out-of-scope systems and the residual risk their exclusion carries.
- Confirm testing windows, rate-limit exemptions and rollback plans for any active dynamic testing against production.
7. Implementation approach
Mitigating the OWASP API Security Top 10 is a programme, not a one-off scan. The following phased approach embeds API security across the software development lifecycle and operations. Each phase lists indicative activities and the deliverables an auditor would expect to see.
Phase 1 — Discover and inventory
Activities: run automated API discovery against traffic, gateways and code repositories; build a central API catalogue; classify data sensitivity and exposure; identify shadow, deprecated and zombie APIs. Deliverables: authoritative API inventory, data classification, exposure map, and a prioritised backlog of unmanaged APIs to remediate (directly addressing API9).
Phase 2 — Threat model and design controls
Activities: threat-model high-value APIs and sensitive business flows; define authorisation model (object, property and function level); establish secure-by-default patterns, standard authentication, and reference architectures. Deliverables: threat models, authorisation matrices, secure API design standards, and abuse-case catalogues (addressing API1, API3, API5 and API6).
Phase 3 — Build securely
Activities: implement centralised authorisation middleware, allow-list request binding, response DTO filtering, input validation, rate limiting and SSRF protection; integrate SAST and SCA into CI. Deliverables: reusable security libraries, hardened gateway configuration, dependency scan gates, and secure-coding training records.
Phase 4 — Test and validate
Activities: run DAST and dedicated API security testing (including BOLA/BFLA fuzzing with multiple roles and tenants), business-logic and authentication testing, and third-party integration reviews. Deliverables: test plans, penetration test reports, CI security test evidence, and a triaged findings register.
Phase 5 — Deploy and harden
Activities: apply configuration baselines through infrastructure as code; enforce TLS, CORS, headers and error hygiene; disable debug endpoints; validate egress controls. Deliverables: IaC-managed hardening baseline, configuration compliance reports, and a pre-production security gate (addressing API8).
Phase 6 — Operate and monitor
Activities: deploy API-aware runtime protection (WAAP/gateway monitoring), anomaly and abuse detection, quota and cost monitoring, and a vulnerability/patch management cadence; maintain inventory currency. Deliverables: monitoring dashboards, alerting rules, incident response playbooks, and periodic re-assessment schedule.
8. Maturity and capability model
Because there is no formal scoring scheme in the OWASP API Security Top 10 itself, organisations benefit from a capability maturity model to gauge and communicate progress. The five-level model below can be applied per risk category or to the API security programme as a whole.
| Level | Name | Characteristics |
|---|---|---|
| 1 | Initial / Ad hoc | No API inventory; authorisation handled inconsistently per endpoint; security testing rare; reliance on perimeter controls only. |
| 2 | Reactive | Some documentation and gateway rate limiting exist; security testing occurs after incidents; authorisation checks present but not standardised. |
| 3 | Defined | Central API catalogue maintained; authorisation model documented; secure-coding standards and SAST/SCA in CI; periodic penetration testing. |
| 4 | Managed | Automated BOLA/BFLA testing in CI; runtime API monitoring and anomaly detection; metrics tracked; inventory kept current automatically. |
| 5 | Optimised | Threat-driven, continuously assessed programme; deny-by-default authorisation everywhere; abuse detection with automated response; measurable, improving KPIs. |
9. Assessment and audit approach
An assessment against the OWASP API Security Top 10 combines documentation review, technical testing and interviews. The following ordered steps describe a defensible audit methodology.
- Agree scope, rules of engagement and testing windows; obtain necessary authorisations and test credentials for multiple roles and tenants.
- Obtain and validate the API inventory and documentation (OpenAPI specs); identify undocumented or shadow endpoints through discovery (covers API9).
- Review the authorisation architecture and perform object-level, property-level and function-level access testing across roles and tenants (API1, API3, API5).
- Assess authentication and session/token handling, including brute-force protection and token validation (API2).
- Test resource consumption controls: rate limits, payload and query complexity limits, and cost controls (API4).
- Analyse sensitive business flows for automation and abuse resistance (API6).
- Test server-side request handling for SSRF and review egress controls (API7).
- Review configuration, headers, CORS, error handling and dependency hygiene across environments (API8).
- Review consumption of third-party APIs for validation, transport security and error handling (API10).
- Consolidate findings, rate them by risk, map each to its OWASP category, and produce a prioritised remediation roadmap with retest criteria.
10. Evidence request list
The following categorised artefacts should be requested at the outset of an assessment to support efficient, evidence-based verification.
- Governance and inventory: API catalogue/registry, data classification, exposure map, deprecation and versioning policy.
- Documentation: OpenAPI/Swagger specifications, architecture and data-flow diagrams, threat models and abuse-case catalogues.
- Authorisation and authentication: RBAC/ABAC policies, authorisation middleware code, IdP/OAuth configuration, MFA policy, token validation configuration.
- Configuration: gateway and WAF/WAAP configuration, rate-limit and quota policies, CORS and security-header configuration, TLS scan reports, IaC hardening baselines.
- Development assurance: secure-coding standards, SAST/DAST/SCA reports, CI security-gate evidence, code-review records, training records.
- Testing: penetration test reports (including BOLA/BFLA testing), business-logic test results, and the current findings/remediation register.
- Third-party: integration inventory, vendor security assessments, and contractual security clauses.
- Operations: monitoring dashboards, anomaly/abuse alert rules, incident response playbooks, patch and vulnerability management records.
11. Roles and responsibilities
Clear ownership is essential; API security spans product, engineering, security and operations. The RACI-style table below sets out typical accountabilities.
| Role | Primary responsibilities |
|---|---|
| API product owner | Maintains API inventory, prioritises security backlog, owns versioning and deprecation decisions. |
| Security architect | Defines authorisation model, secure-design standards, threat models and reference architectures. |
| Development team | Implements authorisation, validation and hardening; remediates findings; writes security tests. |
| DevSecOps / platform engineering | Owns gateway, CI security gates, IaC hardening baselines and runtime protection. |
| Application security / penetration testers | Conduct API security testing, validate remediations and maintain the findings register. |
| GRC / compliance | Maps API risks to regulatory obligations, tracks metrics and reports residual risk to leadership. |
| Incident response / SOC | Monitors runtime alerts, investigates abuse and executes response playbooks. |
12. KPIs to track
- Percentage of APIs inventoried and documented against the estimated total (inventory coverage).
- Percentage of endpoints covered by automated authorisation (BOLA/BFLA) tests in CI.
- Number of shadow, deprecated or zombie APIs discovered and time to decommission.
- Mean time to remediate high and critical API findings.
- Percentage of APIs behind enforced rate limiting and quotas.
- Number of API security findings by OWASP category over time (trend by risk).
- Percentage of third-party integrations with completed security assessments.
- Proportion of APIs conforming to the configuration hardening baseline.
- Rate of abuse/anomaly alerts on sensitive business flows and time to response.
13. Readiness checklist
- A complete, current inventory of all APIs, versions and environments is maintained.
- Every endpoint enforces server-side object-level authorisation tied to the authenticated identity (API1).
- Authentication is hardened with rate limiting, robust token validation and MFA on sensitive operations (API2).
- Responses filter sensitive properties and writes use allow-list binding (API3).
- Rate limits, payload/query complexity limits and cost controls are enforced (API4).
- Privileged functions and HTTP methods enforce role checks with deny-by-default (API5).
- Sensitive business flows have anti-automation and business-rule limits (API6).
- Server-side URL fetches are validated and egress to internal ranges/metadata is blocked (API7).
- A hardened configuration baseline, secure headers, restricted CORS and clean error handling are applied across environments (API8).
- Deprecated versions are decommissioned and non-production environments are not exposed (API9).
- Third-party API data is validated and consumed over TLS with defensive error handling (API10).
- Automated API security testing runs in CI and periodic penetration testing is scheduled.
- Runtime monitoring, anomaly detection and incident playbooks are in place.
14. Common gaps
- Authorisation checks that trust client-supplied object identifiers, leading to BOLA and mass data extraction.
- Filtering sensitive fields in the client or UI rather than server-side, leaving full data in API responses.
- Accepting arbitrary request bodies without allow-list binding, enabling mass assignment of privileged fields.
- Rate limiting applied only globally at the perimeter rather than per user, per client and per endpoint.
- Admin functions distinguished only by an unlinked URL path, discoverable through forced browsing (BFLA).
- No threat modelling of business flows, leaving them open to automated abuse and inventory hoarding.
- URL-fetching features without allow-lists or egress controls, exposing cloud metadata and internal services to SSRF.
- Verbose error messages, permissive wildcard CORS with credentials, and missing security headers.
- Forgotten staging, debug and old-version endpoints exposed to the internet with weaker controls.
- Blind trust in third-party API responses without validation, safe redirect handling or TLS verification.
15. OWASP API Security Top 10 mapped to other frameworks
The OWASP API Security Top 10 is not a standalone compliance regime; it operationalises the secure-development and vulnerability-management expectations found in broader frameworks. The mapping below shows how each category supports adjacent controls. Mappings are indicative and should be tailored per assessment.
| OWASP API category | ISO/IEC 27001 (Annex A) | PCI DSS v4.0 | NIST CSF 2.0 / OWASP ASVS |
|---|---|---|---|
| API1 BOLA | A.8.3 Information access restriction | Req 7 Restrict access by need to know | PR.AA (Access control) / ASVS V4 Access Control |
| API2 Broken Authentication | A.5.17 Authentication information; A.8.5 | Req 8 Identify and authenticate access | PR.AA / ASVS V2 Authentication |
| API3 Property-Level Authz | A.8.3; A.5.34 Privacy and PII | Req 3 Protect stored account data | PR.DS (Data security) / ASVS V13 API and Web Service |
| API4 Resource Consumption | A.8.6 Capacity management | Req 6 Secure systems and software | DE.CM (Continuous monitoring) / ASVS V13 |
| API5 BFLA | A.8.2 Privileged access rights | Req 7 Restrict access by need to know | PR.AA / ASVS V4 Access Control |
| API6 Sensitive Business Flows | A.8.16 Monitoring activities | Req 6 Secure systems and software | DE.AE (Anomalies and events) |
| API7 SSRF | A.8.20 Network security; A.8.22 Segregation | Req 1 Network security controls | PR.IR (Infrastructure resilience) / ASVS V12 |
| API8 Security Misconfiguration | A.8.9 Configuration management | Req 2 Apply secure configurations | PR.PS (Platform security) / ASVS V14 Configuration |
| API9 Inventory Management | A.5.9 Inventory of assets | Req 12 Support information security with policies | ID.AM (Asset management) |
| API10 Unsafe Consumption | A.5.19 Supplier relationships security | Req 6 Secure systems and software | GV.SC (Supply chain) / ASVS V13 |
16. How CyberSigma helps
Frequently asked questions
Need help with OWASP API Top 10?
CERT-In empanelled, PCI QSA senior auditors can take you from reading about it to compliant — with a scoped, guided programme.
