Secure OWASP API Top 10 with F5 products | Start here

What is API

Application programming interfaces (APIs) are software components that provide a contract for client devices to interact with the server-side of an application. For example, a client can use APIs to send a GET request to retrieve data from a server. The server processes the request according to pre-defined functions and responds to the client with the application data. This differs from traditional web application requests where clients communicate with servers through web browsers and servers respond with HTML web pages. 

API security requires its own set of security strategies

Each API request (GET /userinfo, DELETE /userId/item and so on) that provides functionality for users exposes API endpoints that have become a target for attackers. As an application grows and becomes more complex, the number of API endpoints increase and so does the attack surface of the application. Compared to traditional web application where the client's main responsibility is to render the web page, API applications can rely more on the client side such as to maintain session state. In addition to that, APIs by nature exposes application logic and sensitive data. As a result, vulnerabilities due to API security are different from what you have in the OWASP top 10 for web applications (2021). API security vulnerabilities have their own unique details and require their own set of security strategies and solutions; therefore, that group of vulnerabilities has its own: OWASP top 10 for API security (2023)

Secure your APIs with F5 products

The responsibility of securing your APIs does not fall solely on application code on the client and server systems. F5 products are strategically positioned in this line of (client-sever) communication as they can see parameters in the API requests, orchestrate data flow, and understand the business logic of the application. The range of BIG-IP modules (Advanced WAF, BIG-IP APM, BIG-IP LTM), NGINX and F5 Distributed Cloud products provide you with granular control to implement specific API protections (such as content validation, access control, rate limiting, and so on) that you need to protect against the OWASP API security Top 10 (2023).

To find out more on to protect how your APIs with F5's range of BIG-IP, NGINX and F5 Distributed Cloud products, refer to one of the following chapters that you're most interested in:

• K000135973: Guide introduction and Contents
• K000135154: Broken object level authorization
• K000135769: Broken authentication
• K000135841: Broken object property level authorization
• K000135849: Unrestricted resource consumption
• K000135872: Broken function level authorization
• K000135973: Unrestricted access to sensitive business flows
• K000135696: Server-side request forgery
• K000135642: Security misconfiguration
• K000135762: Improper inventory management
• K000135892: Unsafe Consumption of APIs