As you know by now, the final version of the OWASP API Security Top-10 2023 has been released. At first blush, the final 2023 release seems to retain most of the changes in category naming, language and intent from the 2019 edition which we saw in the RC version.
In this post, we are going to further explore the comment in yesterday’s post about risk ratings, because it turns out the changes buried in them are probably impactful to your API security program.
First, what are these risk ratings?
Basically, Risk = Likelihood x Impact – the likelihood of an attacker finding and exploiting a particular category, and the potential impact of that exploit. As OWASP writes in the Note About Risks:
- An estimate is made of the typical risk that each weakness introduces to a typical web application by looking at common likelihood factors and impact factors for each common weakness.
- Their methodology includes three likelihood factors for each weakness (prevalence, detectability, and ease of exploit) and one impact factor (technical impact).
So, the calculation of any OWASP Top-10 category Risk Rating (or Risk Ranking) is:
Likelihood (the average of exploitability, prevalence, and detectability) × Impact
There are a lot of nuances involved. For instance, some threat agents might be application specific while some impacts might be business specific. And while these do not lend themselves to generalization, they need to be considered for your specific situation, so be sure to include them in your calculations.
For the new OWASP APIsec Top-10 list, the project team provided us with a section on API Security Risks, summarized below:
OK, now for the fun part.
Digging into the numbers
As we were reading through each of the new risk categories, it looked like a few of the factors had changed – and in some cases by a lot. A systematic data collection shows us just by how much:
Notice that all the lowest ratings (yellow highlight) have disappeared and that there are a lot more in the highest ratings (deep red highlight). In fact, there are 50% more high ratings in the final release than in the RC version.
Not only that, but when we look at the final risk rating for each category, we see that it goes up in 8 / 10 cases, and is unchanged or down somewhat in the other two cases. And in two cases the category risk rating went up by 100% or more!
It appears the project team is trying to tell us it’s a much more dangerous world out there, which is borne out by our API ThreatStats™ reports.
Comparative Risk Ratings
Just eyeballing the changes across the categories suggests the risk ratings have gotten a “high and tight” treatment. And running a simple statistical analysis, including quartiles, proves our eyeballs right:
What we see is that the min-max spread has decreased substantially, from 5.67 for the RC version to 3.67 for the final release. In addition, we see the overall average moved to the right by almost a third – from 5.10 to 6.73 – while the 1st to 3rd quartile range also moves right, albeit with a wider spread.
But perhaps the most interesting takeaway is that the minimum category risk rating in the final release exceeds the average of the entire RC version – to paraphrase Bananarama, they’re really saying something with that!
Note that the risk spectrum is limited mathematically to a 1 – 9 range, and interestingly we see one category – Security Misconfiguration (API8:2023) – max out that range. Makes one wonder why it ended up in the 8th position.
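To make the arithmetic behind both the per-category rating and the release-to-release comparison concrete, here is an added Python example (ours, not the OWASP project’s). It assumes each factor is scored on a 1–3 scale (which is what bounds the rating to the 1–9 range above), uses constructed factor tables for four made-up categories rather than the project’s real scores, and computes quartiles the way a spreadsheet’s QUARTILE.INC does.

```python
from statistics import mean, quantiles

# Assumption (not stated in the post): each factor is scored 1 (low) to 3 (high),
# which is what limits Likelihood x Impact to the 1-9 range the post mentions.
FACTOR_MIN, FACTOR_MAX = 1, 3

def risk_rating(exploitability, prevalence, detectability, impact):
    """Risk = Likelihood x Impact, Likelihood being the mean of the three likelihood factors."""
    for f in (exploitability, prevalence, detectability, impact):
        if not FACTOR_MIN <= f <= FACTOR_MAX:
            raise ValueError(f"factor {f} is outside the {FACTOR_MIN}-{FACTOR_MAX} scale")
    return round(mean((exploitability, prevalence, detectability)) * impact, 2)

def rate_release(factors):
    """Map {category: (E, P, D, I)} to {category: risk rating}."""
    return {cat: risk_rating(*f) for cat, f in factors.items()}

def summarize(ratings):
    """Min, max, min-max spread, mean and 1st/3rd quartiles across one release's ratings.
    The inclusive quartile method matches a spreadsheet's QUARTILE.INC."""
    values = sorted(ratings.values())
    q1, _, q3 = quantiles(values, n=4, method="inclusive")
    return {"min": values[0], "max": values[-1], "spread": round(values[-1] - values[0], 2),
            "mean": round(mean(values), 2), "q1": round(q1, 2), "q3": round(q3, 2)}

def count_extremes(factors):
    """How many individual factor scores sit at the floor and the ceiling of the scale
    (the 'lowest' and 'highest' highlights the post counts)."""
    scores = [s for f in factors.values() for s in f]
    return {"lowest": scores.count(FACTOR_MIN), "highest": scores.count(FACTOR_MAX)}

def compare_releases(rc, final):
    """Per-category percent change in risk rating from the RC to the final release."""
    rc_r, final_r = rate_release(rc), rate_release(final)
    return {cat: round((final_r[cat] - rc_r[cat]) / rc_r[cat] * 100, 1) for cat in rc_r}

# Constructed factor tables for four made-up categories; not the OWASP project's scores.
RC_FACTORS = {"cat_a": (3, 3, 3, 3), "cat_b": (2, 2, 2, 2),
              "cat_c": (1, 1, 1, 1), "cat_d": (2, 2, 2, 3)}
FINAL_FACTORS = {"cat_a": (3, 3, 3, 3), "cat_b": (3, 3, 3, 2),
                 "cat_c": (3, 2, 2, 3), "cat_d": (2, 2, 2, 3)}

if __name__ == "__main__":
    for name, table in (("RC", RC_FACTORS), ("final", FINAL_FACTORS)):
        print(name, rate_release(table), summarize(rate_release(table)), count_extremes(table))
    print("change %:", compare_releases(RC_FACTORS, FINAL_FACTORS))
```

Swap in the factor scores from the project’s own tables and the same functions reproduce the spread, average and quartile figures discussed above.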
More to come
Stay tuned as we dig into the details of the final 2023 OWASP Top-10 API Security Risks list, and help you understand the impact on your API security program.
In the meantime, here are some resources from our analysis of the RC version which might help get you up to speed: