When it comes to attacks against application programming interfaces (APIs), the building blocks that provide access to many of our applications, the OWASP API Top Ten is seen as definitive – and rightly so. Compiled in 2019 based on a risk analysis conducted by an OWASP working party as well as the in the field experience of security practitioners, the list acts as a bible to developers and security professionals alike. But it very clearly delineates between each of the attack types. What we’re seeing today is that attack tools, techniques, and procedures (TTPs) no longer follow these clear-cut definitions. Instead, they’re combining multiple variants.
