owasp-api-top-10
Safeguard articles tagged "owasp-api-top-10" — guides, analysis, and best practices for software supply chain and application security.
18 articles
A practical REST API hardening checklist
OWASP's 2023 API Security Top 10 still ranks broken object-level authorization as the #1 risk — here's a concrete checklist for authn, rate limiting, and input validation.
API security and the rise of shadow/zombie APIs
Shadow and zombie APIs caused breaches at Optus, T-Mobile, and Peloton. Here's why code-scanning tools miss them and what API security best practices actually work.
How to secure a REST API
REST API breaches from T-Mobile to Optus trace to a handful of recurring mistakes. Here's how to fix authorization, auth, injection, and rate limiting.
Building a secure GraphQL API with Node.js
A practical guide to securing Node.js GraphQL APIs: query complexity limits, field-level authorization, injection-safe resolvers, and CSRF hardening.
What is API Security
API security explained: what it is, why APIs are the top breach vector, the OWASP API Top 10, real breaches, and how to test and monitor endpoints.
API Security Testing Checklist & Best Practices
A concrete API security testing checklist covering OWASP API Top 10 risks, BOLA, SSRF, testing cadence, SAST/DAST, and how Safeguard closes the gaps.
How to Secure REST APIs
REST APIs keep failing the same way: BOLA, weak auth, shadow endpoints. Real breaches (T-Mobile, Optus, Peloton) and concrete fixes for each.
What is GraphQL Security
GraphQL's flexibility creates unique risks—excessive data exposure, DoS via nested queries, and broken field-level authorization. Here's how to defend it.
API Security Misconfiguration
API misconfigurations exposed 37M T-Mobile and 9.8M Optus accounts without a single exploit. Here's why it keeps happening and how to stop it.
What is Broken Object Level Authorization (BOLA)
BOLA lets attackers swap an object ID in an API request to pull someone else's data. Here's how it works, real breaches, and how to stop it.
What is API Authentication
API authentication verifies who's calling your API before authorization decides what they can do — here's how it works, common methods, and where it fails.
Broken Object Level Authorization (BOLA/IDOR) in APIs
BOLA/IDOR has topped the OWASP API Security Top 10 since 2019. Here's how USPS, Peloton, and Parler got breached by it—and how to catch it before you do.