ç™»å½•æŸ¥çœ‹æ›´å¤šå†…å®¹

5 reasons why OWASP Top Ten 2021 is broken

Ivan Novikov

CEO @ Wallarm | Leading API Security Solution for Enterprises

å‘å¸ƒæ—¥æœŸ: 2022å¹´4æœˆ22æ—¥

+ å…³æ³¨

Dear community. Please let me skip any introduction and drop just 5 points straightforwardly.

Why â€œSensitive Data Exposureâ€ issues are a part of â€œCryptographic Failuresâ€?
Why Path Traversal is now a part of Broken Access Control but also is directly mentioned as part of A3. Injections (CWE-73).
Why â€œSoftware and Data Integrity Failuresâ€ that focus on making assumptions related to software updates, critical data, and CI/CD pipelines without verifying integrity include â€œInsecure Deserializationâ€
Why XXE (XML eXternal Entities) is a part of â€œSecurity Misconfigurationâ€ for some reason, and not Insecure Deserialization if XML is a data serialization format.
500k data entities were mentioned but only 22k is available on GitHub. Where is the other data?

I also want to refer to the OWASP Top Ten 2021 statistics-based proposal we published in January 2021, 10 months early an official OWASP Top Ten 2021.

Any thoughts?

Mark Kaley

5 ä¸ªæœˆ

Great share, Ivan!

èµž

å›žå¤

Gary Weessies

Lead Security Analyst

2 å¹´

Usually a top ten or top five list has to leave off some less important items. It looks like OWASP Top Ten needs to either be Top Eleven or include just the top ten.

èµž

å›žå¤

1 æ¬¡å›žåº”

Denis Podgurskii

OWASP Belfast

2 å¹´

Good questions for sure.

èµž

å›žå¤

1 æ¬¡å›žåº”

æŸ¥çœ‹æ›´å¤šè¯„è®º

è¦æŸ¥çœ‹æˆ–æ·»åŠ è¯„è®ºï¼Œè¯·ç™»å½•

Ivan Novikovçš„æ›´å¤šæ–‡ç«

Top 5 API Security Risks Uncovered Through 2023 Incidents

2024å¹´2æœˆ20æ—¥

Top 5 API Security Risks Uncovered Through 2023 Incidents

The year 2023 has seen its fair share of cybersecurity incidents, with API vulnerabilities often at the heart of theseâ€¦
Etherium Response on API Security: how GraphQL CRASH blockchain

2023å¹´10æœˆ18æ—¥

Etherium Response on API Security: how GraphQL CRASH blockchain

Geth, the Go Ethereum node, is integral to Ethereum networks. Though packed with features, itâ€™s not bulletproof.

2 æ¡è¯„è®º
No API Management Without API Security. But API Security Without API Management? Absolutely.

2023å¹´9æœˆ22æ—¥

No API Management Without API Security. But API Security Without API Management? Absolutely.

Here's the deal. You can't talk API management without bringing security to the table.
Moving day! This newsletter is moving to the "API Security Community" group

2022å¹´3æœˆ2æ—¥

Moving day! This newsletter is moving to the "API Security Community" group

Dear subscribers! This newsletter is now converted to a private unlisted group "API Security Community". The group isâ€¦
API exploits: the week of January 31st. Huawei, Zoho, and DPD API auth bypass.

2022å¹´2æœˆ8æ—¥

API exploits: the week of January 31st. Huawei, Zoho, and DPD API auth bypass.

DPD package sniffing by API First of all, this is a great example of the vulnerability disclosure efforts from theâ€¦
API exploits: the week of January 24th. Agilia Infusion, Tesla, Codeigniter4, and Reolink cameras

2022å¹´1æœˆ30æ—¥

API exploits: the week of January 24th. Agilia Infusion, Tesla, Codeigniter4, and Reolink cameras

We usually think about APIs as IoT, connected cars, medical devices, mobile apps backends, Single Page Applications, orâ€¦
API security exploits of the week of January 17th, 2022. F5, NGINX, Juniper, Istio, and Grafana API vulnerabilities.

2022å¹´1æœˆ25æ—¥

API security exploits of the week of January 17th, 2022. F5, NGINX, Juniper, Istio, and Grafana API vulnerabilities.

The last seven days were really rich for API exploits. It's not often to meet a dozen of API issues in top securityâ€¦
ApiSec: The week of Jan'10th, 2022. CISCO, MSFT, IBM, MITRE and NodeJS. The week of command injections.

2022å¹´1æœˆ15æ—¥

ApiSec: The week of Jan'10th, 2022. CISCO, MSFT, IBM, MITRE and NodeJS. The week of command injections.

CISCO Tetration API root-level command injection A vulnerability in the web-based management interface and in the APIâ€¦

1 æ¡è¯„è®º
ApiSec: The week of Dec'27th, 2021. Apache APISIX Remote Code Exeution

2022å¹´1æœˆ2æ—¥

ApiSec: The week of Dec'27th, 2021. Apache APISIX Remote Code Exeution

Apache APISIX Remote Code Execution by API authentication bypass CVE-CVE-2021-45232 Apache APISIX is a cloud-native APIâ€¦

2 æ¡è¯„è®º

See all articles

5 reasons why OWASP Top Ten 2021 is broken

Ivan Novikov

CEO @ Wallarm | Leading API Security Solution for Enterprises

Ivan Novikovçš„æ›´å¤šæ–‡ç«

ç¤¾åŒºæ´žå¯Ÿ

å…¶ä»–ä¼šå‘˜ä¹Ÿæµè§ˆäº†

FDIC Statistics for Q3 â€“ Challenges & Changes

A Great Story of How a Customer Uses Testing Data for Strategic Purposes

Latest News - worldwide IT outage

CVSS Demystified: Part 2: Base Metrics

Where is your data stored?

Proving 'It's Not the Network' with Forensic Packet Analysis

JSean

?? Don't Gamble with Your Data: The Risks of Skipping Backups ??

Symmetric Encryption

Math behind standard for length of passwords are 8 character long including special character, and why should you strictly follow this

Ivan Novikovçš„æ›´å¤šæ–‡ç«

Top 5 API Security Risks Uncovered Through 2023 Incidents

Etherium Response on API Security: how GraphQL CRASH blockchain

No API Management Without API Security. But API Security Without API Management? Absolutely.

Moving day! This newsletter is moving to the "API Security Community" group

API exploits: the week of January 31st. Huawei, Zoho, and DPD API auth bypass.

API exploits: the week of January 24th. Agilia Infusion, Tesla, Codeigniter4, and Reolink cameras

API security exploits of the week of January 17th, 2022. F5, NGINX, Juniper, Istio, and Grafana API vulnerabilities.

ApiSec: The week of Jan'10th, 2022. CISCO, MSFT, IBM, MITRE and NodeJS. The week of command injections.

ApiSec: The week of Dec'27th, 2021. Apache APISIX Remote Code Exeution

ç¤¾åŒºæ´žå¯Ÿ

å…¶ä»–ä¼šå‘˜ä¹Ÿæµè§ˆäº†

FDIC Statistics for Q3 â€“ Challenges & Changes

A Great Story of How a Customer Uses Testing Data for Strategic Purposes

Latest News - worldwide IT outage

CVSS Demystified: Part 2: Base Metrics

Where is your data stored?

Proving 'It's Not the Network' with Forensic Packet Analysis

JSean

?? Don't Gamble with Your Data: The Risks of Skipping Backups ??

Symmetric Encryption

Math behind standard for length of passwords are 8 character long including special character, and why should you strictly follow this

å…¶ä»–ä¼šå‘˜ä¹Ÿæµè§ˆäº†