Methodology and Data
Since the AppSec industry has not been specifically focused on the most recent architecture of applications, in which APIs play an important role, compiling a list of the ten most critical API security risks, based on a public call for data, would have been a hard task. Despite there being no public data call, the resulting Top 10 list is still based on publicly available data, security experts' contributions, and open discussion with the security community.
In the first phase, publicly available data about APIs security incidents were collected, reviewed, and categorized by a group of security experts. Such data was collected from bug bounty platforms and vulnerability databases, within a one-year-old time frame. It was used for statistical purposes.
In the next phase, security practitioners with penetration testing experience were asked to compile their own Top 10 list.
The OWASP Risk Rating Methodology was used to perform he Risk Analysis. The scores were discussed and reviewed between the security practitioners. For considerations on these matters, please refer to the API Security Risks section.
The first draft of the OWASP API Security Top 10 2019 resulted from a consensus between statistical results from phase one, and the security practitioners' lists. This draft was then submitted for appreciation and review by another group of security practitioners, with relevant experience in the API security fields.
The OWASP API Security Top 10 2019 was first presented in the OWASP Global AppSec Tel Aviv event (May 2019). Since then, it has been available on GitHub for public discussion and contributions.
The list of contributors is available in the Acknowledgments section.