The Open Worldwide Application Security Project (OWASP) is a non-profit community dedicated to improving software security. Its API Security Top 10 project documents the most common API threats and serves as a best-practice reference when creating or assessing APIs. In 2019, the OWASP Foundation released the first version of the API Security Top 10. This year, they are publishing the next iteration of the list, updated for 2023. The 2023 release candidate of the updated list is now available and open to the community for contributions and feedback.
As Arthur’s MLOps observability platform is built with an API-first development approach, the OWASP API Security Top 10 is one of the many best practices we incorporate into our software development culture. We are happy to see that the investments we have been making in our security features and practices match the latest security trends identified by the OWASP community.
In the 2023 version of the OWASP API Security Top 10, authorization is identified as the #1 challenge of API security. Last year, Arthur completed a full overhaul of our platform’s authorization mechanism, introducing granular and customizable RBAC. The new RBAC system enforces strict authorization policies, allowing our customers to implement Segregation of Duties models tailored to their enterprise.
Authentication remains on the 2023 list as the #2 threat. Arthur’s RBAC is backed by an authentication mechanism built on our Zero Trust principle. It can also adapt to your enterprise standards by integrating with your Identity Provider (IdP) to achieve federated identity and single sign-on (SSO). In 2022, Arthur expanded the IdP integration capability by introducing support for OpenID Connect (OIDC) in addition to the Security Assertion Markup Language (SAML) protocol.
What is new on the 2023 list is the category of automated threats from bots and botnets. With more sensitive data and business logic exposed via APIs today, APIs have become more profitable targets. And with the combination of AI and affordable cloud services, bots are more sophisticated, scalable, and dangerous. Earlier this year, Arthur assessed our platform to identify and implement additional layers of protection that mitigate the risk from automated attacks. Through this effort, various security and resilience work has been done at both the application level and the infrastructure level of our SaaS environment.
The work of reducing API threats is not a one-time effort. The Arthur security features mentioned in this blog are continuously evaluated and improved. The OWASP API Security project creates a standard awareness of API security that should be applied to your software development continuously. At Arthur, we have a framework for carrying out security education, threat modeling, secure design, penetration testing, code analysis, and other security-related activities throughout the Software Development Lifecycle (SDLC), Continuous Integration and Continuous Delivery (CI/CD), and System and Organization Controls (SOC 2). Within this framework, projects like the OWASP API Security Top 10 help us identify which security work to prioritize. We are grateful to OWASP and similar organizations for helping the MLOps community build safe innovations.