Secure Development Using OWASP API Security Top 10
Web API developers must address the top 10 security risks identified by OWASP to ensure safety.
Plain language
When developing web applications, it's crucial to focus on the top security risks identified by the OWASP (Open Web Application Security Project) for APIs. If not addressed, these risks can make your application vulnerable to attacks, which might lead to data theft or disruption of services, potentially damaging your reputation and trust with customers.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Feb 2023
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for software development
Section
Web application development
Official control statement
The OWASP API Security Top 10 are mitigated in the development of web APIs.
Why it matters
Without addressing the OWASP API Security Top 10, web APIs may allow unauthorised access, data exposure, and business disruption, harming trust and finances.
Operational notes
Map API threats to the OWASP API Security Top 10; test authn/authz, validate inputs, and harden endpoints to prevent common API exploits.
Implementation tips
- Developers should familiarise themselves with the OWASP API Security Top 10 list of risks. This can be done by reading the latest OWASP guidelines and discussing them in team meetings to understand how these risks apply to the current API projects.
- IT teams should conduct regular code reviews focused on security. This means checking the code against OWASP's top 10 API security risks, making use of automated tools where possible, and documenting findings and resolutions.
- Project managers should ensure training sessions for developers about secure coding practices. Arrange for workshops or online courses where security experts explain how to mitigate each of the top 10 API risks in practical terms.
- System owners should regularly test their APIs for vulnerabilities. Engage external security experts to perform penetration testing, which simulates attacks on your system to identify any weaknesses that might exist.
- Developers should implement security checks during the build process. This involves integrating tools that automatically scan for vulnerabilities whenever the code changes, and setting up alerts for any issues found, so they can be quickly addressed.
Audit / evidence tips
- Ask: the security training records of the development team. Good: outcome is recent, regular training sessions covering all top 10 risks.
- Good: shows thorough reviews with clear, actionable outcomes.
- Good: result is regular testing with detailed reports of any findings and evidence of rectifications.
- Ask: records of the automated security checks integrated into the development process.
- Good: includes a comprehensive, clear policy with practical mitigation strategies for each risk.
Cross-framework mappings
How ISM-1851 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
Partially meets (3)

| Control | Notes |
|---|---|
| Annex A 8.25 | ISM-1851 requires that OWASP API Security Top 10 risks are addressed during web API development |
| Annex A 8.26 | ISM-1851 requires web API developers to mitigate the OWASP API Security Top 10 risks |
| Annex A 8.29 | ISM-1851 requires that OWASP API Security Top 10 issues are mitigated as part of building web APIs |

Supports (1)

| Control | Notes |
|---|---|
| Annex A 8.28 | Annex A 8.28 requires developers to apply secure coding principles to reduce software vulnerabilities |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.