That's a great question, and I'm glad you asked it.
The creation process of the initial version of the OWASP Top 10 for APIs was a ten-month process led by Erez, Paulo and me.
Unfortunately, we had a limited amount of time to spend on the project (we all have full-time jobs). As you can imagine, this type of project requires a lot of research, and there are many ways to do it. We decided to focus our research by using the following inputs:
Our goal was to create a useful and practical list for engineers who want to learn about API Security, not to write an academic paper. I'm positive that if we spent time reviewing technical books and theoretical documents from universities, we could find more scientific evidence for our hypothesis.
I would be more than happy to see that, but we preferred to invest our time in reviewing more practical inputs and in consulting with many experts in the industry.
I'm sorry I can't provide you with what you asked for, but here are two "non-scientific" resources that shed some light on the "More Parameters" aspect:
You received this message because you are subscribed to the Google Groups "API Security Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to api-security-pro...@owasp.org.
To view this discussion on the web visit https://groups.google.com/a/owasp.org/d/msgid/api-security-project/843fa706-f6c6-4ab1-a701-875084f4f9bd%40owasp.org.
Principal Security Engineer
CISSP, CCSP, AWS Solutions Architect
On May 4, 2020, at 11:50 PM, Adam Fisher <ad...@salt.security> wrote: