
Missing focus on 'DevSecOps' tooling / API infrastructure for either API7:2023, API9:2023 or API10:2023

Open securitylevelup opened this issue 2 years ago • 2 comments

In API7:2023, API9:2023 and API10:2023 alike, the focus is made on developers managing their API infrastructure properly through proper configuration, proper inventory management and proper third-party integration.

I am missing the 'DevSecOps' tooling angle here, which is becoming a threat. This does not need to become its own category, but allows for the reference to the OWASP CI/CD Top 10.

With API sprawl, API drift, API documentation and a plethora of monitoring and logging infrastructure to support the API microservices, I think it is a good opportunity to call out this part of the infrastructure as a risk and security threat.

I have seen attackers aim at third-party vendors that help organizations manage their APIs (DevOps tooling, API gateways, SIEM, API logging, etc.) that require their own proper security implementation, access control etc.

I think adding this angle to API9: Improper Inventory Management would make the most sense and elevate this beyond 'just document'.

securitylevelup avatar Mar 09 '23 12:03 securitylevelup

For instance, missing elements such as proper keys/secrets management/storage, vulnerability scanning, lower-level APIs accessible etc.

securitylevelup avatar Mar 09 '23 13:03 securitylevelup

Interesting point. As I noted in an article yesterday, isn't every vulnerability also a problem with the CI/CD pipeline? Probably should be considered in the main T10 as well.

planetlevel avatar Mar 09 '23 19:03 planetlevel

Interesting indeed. I think it is an important angle of asset management.

ErezYalon avatar Mar 26 '23 08:03 ErezYalon