Closed by securitylevelup 1 year ago
For instance, missing elements such as proper keys/secrets management/storage, vulnerability scanning, lower-level APIs accessible etc.
Interesting point. As I noted in an article yesterday, isn't every vulnerability also a problem with the CI/CD pipeline? Probably should be considered in the main T10 as well.
Interesting indeed. I think it is an important angle of asset management.
In all of API7:2023, API9:2023 and API10:2023, the focus is made on developers managing their API infrastructure properly through proper configuration, proper inventory management and proper third-party integration.
I am missing the 'DevSecOps' tooling angle here, which is becoming a threat. This does not need to become its own category, but allows for the reference to the OWASP CI/CD Top 10.
With API sprawl, API drift, API documentation and a plethora of monitoring and logging infrastructure to support the API microservices, I think it is a good opportunity to call out this part of the infrastructure as a risk and security threat.
I have seen attackers aim at third-party vendors that help organizations manage their APIs (DevOps tooling, API gateways, SIEM, API logging) etc. that require their own proper security implementation, access control etc.
I think adding this angle to API9: Improper Inventory Management would make the most sense and elevate this beyond 'just document'.