--
You received this message because you are subscribed to the Google Groups "API Security Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to api-security-pro...@owasp.org.
To view this discussion on the web visit https://groups.google.com/a/owasp.org/d/msgid/api-security-project/368a6984-2913-46f5-8db1-94471e91d816%40owasp.org.
We need to decide if we are going to write a paragraph at the end of every Top-10 item, or create a summary of this at the end of the document.
It can also be in the form of a convenient table. Example:
|    | Code Review | DAST | IAST | WAF | SAST | Alien Technology |
|----|-------------|------|------|-----|------|------------------|
| A1 | X           | X    | X    | X   |      |                  |
| A2 | X           | X    | X    | X   | X    |                  |
| A3 | X           | X    | X    | X   |      |                  |
Thoughts?
Hi Erez and all,

With the fast evolution of the product market, I would point to "features" rather than giving product categories. For example, A1 can be addressed by:
- Filtering data based on a whitelist model
- Use ABAC or RBAC
Then users can map those features to product, solutions on the market, or by coding best practices. It will also help make that list last in time, even if the tools categories change, new categories appear, etc.
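To make the two "features" above concrete, here is an added example (not code from this thread or from the OWASP API Security Project) of an orders endpoint that decides object access with an ABAC-style check and serialises only allow-listed ("whitelist") fields. It assumes that A1 here is the draft's object-level authorization item; the data model, role names and policy are hypothetical. The unchecked lookup is shown beside the hardened handler.

```python
"""Added example (not code from this thread or the OWASP API Security Project):
object-level authorization for an orders endpoint using an attribute-based
decision, plus an allow-list of response fields per role. The data model,
role names and policy are hypothetical."""
from dataclasses import asdict, dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Principal:
    user_id: str
    roles: FrozenSet[str]


@dataclass(frozen=True)
class Order:
    order_id: str
    owner_id: str
    total_cents: int
    card_last4: str
    internal_notes: str


# Constructed sample store, keyed by the ID the client supplies in the URL.
ORDERS: Dict[str, Order] = {
    "o-100": Order("o-100", "u-1", 4200, "1234", "VIP customer"),
    "o-200": Order("o-200", "u-2", 999, "9876", "chargeback risk"),
}

# Allow-list model: a field reaches the response only if one of the caller's
# roles lists it. Fields listed nowhere (internal_notes) are never sent.
FIELD_ALLOWLIST: Dict[str, Tuple[str, ...]] = {
    "customer": ("order_id", "total_cents"),
    "support": ("order_id", "owner_id", "total_cents", "card_last4"),
}


class Forbidden(Exception):
    """Raised for unknown and not-owned IDs alike, so the endpoint cannot be
    used to enumerate which order IDs exist."""


def is_authorized(principal: Principal, order: Order, action: str) -> bool:
    """ABAC decision: compare the subject's attributes with the object's.
    Ownership comes from the stored record, never from the request."""
    if action == "read":
        return order.owner_id == principal.user_id or "support" in principal.roles
    if action == "cancel":
        return order.owner_id == principal.user_id
    return False


def allowed_fields(principal: Principal) -> List[str]:
    """Union of the allow-lists for the caller's roles, in a stable order."""
    fields: List[str] = []
    for role in sorted(principal.roles):
        for name in FIELD_ALLOWLIST.get(role, ()):
            if name not in fields:
                fields.append(name)
    return fields


def get_order_vulnerable(order_id: str) -> dict:
    """The pattern the Top-10 item describes: trusts the client-supplied ID
    and serialises every field of whatever record it finds."""
    return asdict(ORDERS[order_id])


def get_order(principal: Principal, order_id: str) -> dict:
    """Hardened handler: authorize the caller against the object, then
    serialise only allow-listed fields."""
    order = ORDERS.get(order_id)
    if order is None or not is_authorized(principal, order, "read"):
        raise Forbidden(order_id)
    return {name: getattr(order, name) for name in allowed_fields(principal)}


if __name__ == "__main__":
    alice = Principal("u-1", frozenset({"customer"}))
    print(get_order(alice, "o-100"))
    print(get_order_vulnerable("o-200"))  # leaks another user's record
```

The point of keeping the authorization decision and the field allow-list separate is that they fail in different ways: the first stops a caller reading someone else's object, the second stops an authorized read from returning more than that role should see. A single 403 for "missing" and "not yours" avoids turning the endpoint into an ID oracle.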
Why not both? Reasoning: for those who are referring to a specific issue, they get the complete "picture" for the issue on that page; for those who want to take a holistic approach and see/verify their security controls (process-wise or technical), they will benefit from the summary page.
Sure, I understand what exactly you want. I will build up a short (multiple-paragraph) section against most of the API Top 10, like "how would I know that I'm vulnerable?" Right?
Or how can I detect it at the very earliest stage of API development? Is that what you mean?
As far as the pentesting means to detect A1 and A5 is concerned, it was comprehensive and one of the aggressive approaches to detect all of the API Top 10 (mentioned in my document). Actually, I went to the given drafts [1][2], but I did not find such technical stuff in those drafts which could be used to "detect all API Top 10"; it was just about the approach to follow, "how to detect". It says you can detect by code review or by pentest, but how to detect technically was not there. So the point I am trying to highlight is that there must be a document or something like it which tells the world how a pentester can detect; I guess that would be really helpful for testers, showing how and what kind of tricks/techniques it is possible to use in order to detect such vulnerabilities.
Regards:
ABID
I guess the pentest should be included as mandatory to detect broken-authentication issues,
as most API services use authentication credentials (at the backend) before allowing a user to access the API, just to ensure user authenticity, and those credentials themselves are passed in an insecure way, for example in headers, or have some broken cryptographic weakness, which might be the easiest target for an attacker to bypass the service authentication using a manual pentest and gain direct access to the API services.
Please note: an automated tool might not disclose such broken authentication credentials in an API, as it has no direct interface where the tool itself can be authorized (using credentials) to detect such weakness; it is only possible when the application itself has an authentication module like a web app. But yes, a tool can be used against the rest of the vulnerabilities associated with "broken authentication", like brute force etc.
Please allow me (just to prove my concept) to share some screenshots of A2 showing how it is possible to detect A2 using a pentest approach; they also show how easy it is for an attacker to gain access to the API services.
Regards:
ABID KHAN
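The things ABID describes looking for (credentials passed in headers in an insecure way, weak cryptography on tokens, brute force against what the tool can reach) are the kind of checks a tester runs over captured proxy traffic. The following is an added example, not code from this thread or from the project, that runs such checks over constructed sample requests: credentials sent over plain HTTP or in the query string, Basic credentials that anyone on the path can decode, unsigned JWTs, and HS256 JWTs signed with a guessable secret. The header names, URLs and the secret guess list are assumptions, and the sample requests are constructed rather than real captures.

```python
"""Added example (not code from this thread or the OWASP API Security Project):
flag broken-authentication indicators in captured API requests the way a
tester would when reviewing proxy traffic. The requests are constructed
sample data; header names and the guess list are assumptions."""
import base64
import hashlib
import hmac
import json
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(payload: dict, secret: Optional[str], alg: str = "HS256") -> str:
    """Build a compact JWT for the sample data. secret=None yields an unsigned
    'alg: none' token with an empty signature part."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    if secret is None:
        return signing_input + "."
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


# Constructed guess list; a real test would use a proper wordlist.
WEAK_SECRETS = ["secret", "password", "changeme", "jwtsecret"]


def _check_jwt(token: str) -> List[str]:
    head_b64, body_b64, sig_b64 = token.split(".")
    try:
        header = json.loads(_b64url_decode(head_b64))
    except (ValueError, UnicodeDecodeError):
        return ["jwt-malformed"]
    if not isinstance(header, dict):
        return ["jwt-malformed"]
    alg = str(header.get("alg", "")).lower()
    if alg == "none" or sig_b64 == "":
        return ["jwt-unsigned"]
    if alg == "hs256":
        # Offline brute force: recompute the MAC with each guess and compare.
        signing_input = f"{head_b64}.{body_b64}".encode()
        for guess in WEAK_SECRETS:
            expected = _b64url(hmac.new(guess.encode(), signing_input, hashlib.sha256).digest())
            if hmac.compare_digest(expected, sig_b64):
                return [f"jwt-weak-secret:{guess}"]
    return []


def analyze_request(req: Dict) -> List[str]:
    """Return finding codes for one captured request."""
    findings: List[str] = []
    url = urlsplit(req["url"])
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
    auth = headers.get("authorization", "")
    api_key = headers.get("x-api-key")
    query = parse_qs(url.query)

    # Credentials in a header are only as private as the transport.
    if url.scheme != "https" and (auth or api_key):
        findings.append("credential-over-plaintext")
    # Query strings end up in proxy and server logs, browser history, Referer.
    if "api_key" in query or "token" in query:
        findings.append("credential-in-query-string")

    scheme, _, value = auth.partition(" ")
    if scheme.lower() == "basic":
        try:
            user = base64.b64decode(value, validate=True).decode().partition(":")[0]
            findings.append(f"basic-auth-recoverable:{user}")
        except (ValueError, UnicodeDecodeError):
            findings.append("basic-auth-malformed")
    elif scheme.lower() == "bearer" and value.count(".") == 2:
        findings.extend(_check_jwt(value))
    return findings


# Constructed sample traffic (not real captures).
SAMPLE_REQUESTS = [
    {"method": "GET", "url": "http://api.example.test/v1/users/42",
     "headers": {"Authorization": "Basic " + base64.b64encode(b"alice:hunter2").decode()}},
    {"method": "GET", "url": "https://api.example.test/v1/orders",
     "headers": {"Authorization": "Bearer " + make_jwt({"sub": "alice"}, None, alg="none")}},
    {"method": "GET", "url": "https://api.example.test/v1/orders",
     "headers": {"Authorization": "Bearer " + make_jwt({"sub": "alice"}, "secret")}},
    {"method": "GET", "url": "https://api.example.test/v1/orders",
     "headers": {"Authorization": "Bearer " + make_jwt({"sub": "alice"}, "k9Qv!2zL-long-random-signing-key")}},
    {"method": "GET", "url": "https://api.example.test/v1/report?api_key=abc123", "headers": {}},
]


def analyze_all(requests=SAMPLE_REQUESTS) -> List[List[str]]:
    return [analyze_request(r) for r in requests]


if __name__ == "__main__":
    for req, found in zip(SAMPLE_REQUESTS, analyze_all()):
        print(req["method"], req["url"], found)
```

In practice the input would be a proxy export rather than an inline list, and the weak-secret check would use a real wordlist; the point of the example is that each of these indicators is visible from the requests alone, without any authentication interface for a scanner to drive, which is the gap the message above describes. A Basic header over TLS still gets a finding because anyone who can read the header (a log, a TLS-terminating proxy) recovers the password.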
--
Paulo Silva
OWASP API Security Project - Project Main Maintainer
OWASP Go Secure Coding Practices Guide - Project Co-Leader
--
D. Keith Casey, Jr.
http://CaseySoftware.com/

Check out my book "A Practical Approach to API Design"
available now: http://bit.ly/restfulapis
and the API Developer Newsletter: http://bit.ly/apiWeekly