
OWASP API Security Top 10 - 2023

Scope: International | Version: v2023 | 8 domains | 8 controls

The OWASP API Security Top 10 - 2023 is a community‑driven awareness document that identifies the ten most critical API security risks based on exploitability, prevalence, detectability, and technical impact. It complements the OWASP Top 10 for web applications by focusing specifically on API‑related threats.


Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.

OWASP content is used under the Creative Commons Attribution-ShareAlike 4.0 International License (CC BY-SA 4.0). Original material © OWASP Foundation. See owasp.org for the authoritative source.

Framework Domains (8)

Each domain contains one control. Code | Title

Authentication and Tokens (1 control)
OWASPAPI-2 | Broken Authentication and Token Management

Authorization (BOLA/BFLA) (1 control)
OWASPAPI-1 | Broken Object Level Authorization (BOLA) and BFLA

Inventory and Consumption (1 control)
OWASPAPI-7 | Improper Inventory Management and Unsafe API Consumption

Misconfiguration and Secure Design (1 control)
OWASPAPI-6 | Security Misconfiguration and Secure API Design

Property-Level Authorization (1 control)
OWASPAPI-3 | Broken Object Property Level Authorization (BOPLA)

Resource and Business Flow Protection (1 control)
OWASPAPI-4 | Unrestricted Resource Consumption and Sensitive Business Flows

SSRF and Input Validation (1 control)
OWASPAPI-5 | Server Side Request Forgery (SSRF) and Input Validation

Testing + Logging + Monitoring (1 control)
OWASPAPI-8 | Automated Security Testing, Logging, and Monitoring

Maps to 111 other frameworks (8 total controls)

Framework | Source controls mapped | Target controls covered | Coverage
OWASP Top 10:2025 | 4 | 5 | 50%
ISO/IEC 27400:2022 | 4 | 3 | 50%
FDA 21 CFR Part 11 | 4 | 3 | 50%
FedRAMP Rev 5 | 4 | 2 | 50%
FISMA | 4 | 3 | 50%
Ghana Cybersecurity Act | 4 | 5 | 50%
HL7 FHIR Security Framework | 4 | 2 | 50%
ISMAP (Japan) | 4 | 3 | 50%
MARS-E | 4 | 5 | 50%
MDS2 (Medical Device) | 4 | 3 | 50%
MITRE ATT&CK | 4 | 3 | 50%
MITRE D3FEND | 4 | 1 | 50%
MTCS (Singapore) | 4 | 3 | 50%
NAIC Insurance Data Security Model Law (MDL-668) | 4 | 3 | 50%
NIS2 Directive Implementing Acts | 4 | 2 | 50%
NIST Privacy Framework | 4 | 3 | 50%
OpenSSF Scorecard | 4 | 2 | 50%
Oman National Cybersecurity Framework | 4 | 3 | 50%
O-RAN WG11 Security Specification | 4 | 2 | 50%
NIST SP 800-92 | 4 | 1 | 50%
NIST SP 800-88 | 4 | 2 | 50%
NIST SP 800-66 | 4 | 3 | 50%
NIST SP 800-63-4 | 4 | 2 | 50%
NIST SP 800-61 | 4 | 2 | 50%
NIST SP 800-146 | 4 | 2 | 50%
NIST SP 800-145 | 4 | 2 | 50%
NIST SP 800-144 | 4 | 3 | 50%
NIST SP 800-137 | 4 | 2 | 50%
NIST SP 800-123 | 4 | 2 | 50%
IEC 62351 - Power Systems Communication Security | 3 | 2 | 38%
ISO/IEC 27011:2024 | 3 | 3 | 38%
FTC GLBA Safeguards Rule (16 CFR Part 314) | 3 | 1 | 38%
HITECH Act | 3 | 2 | 38%
NIST SP 800-171A Rev 3 - Assessing CUI Security Requirements | 3 | 3 | 38%
ISO/IEC 27010:2015 | 2 | 3 | 25%
Privacy Act 1988 (Australia) | 2 | 1 | 25%
ISO/IEC 23837 - Security Requirements for Quantum Key Distribution | 2 | 4 | 25%
API 1164 | 2 | 5 | 25%
ISO/IEC 29115:2023 - Entity Authentication Assurance Framework | 2 | 4 | 25%
ISO 19011 | 2 | 3 | 25%
Family Educational Rights and Privacy Act (FERPA) | 2 | 1 | 25%
FIDO2 / WebAuthn | 2 | 2 | 25%
HKMA Cyber Resilience Assessment Framework (C-RAF) | 2 | 1 | 25%
IEEE 1686 | 2 | 2 | 25%
India DPDP Act | 2 | 2 | 25%
Indiana Consumer Data Protection Act | 2 | 1 | 25%
Indonesia PDP Law | 2 | 2 | 25%
Iowa Consumer Data Protection Act | 2 | 2 | 25%
Jamaica Data Protection Act 2020 | 2 | 2 | 25%
Kentucky Consumer Data Protection Act | 2 | 2 | 25%
Law No. 172-13 on the Protection of Personal Data | 2 | 1 | 25%
Ley Orgánica de Protección de Datos Personales (LOPDP) | 2 | 1 | 25%
LGPD | 2 | 1 | 25%
Liechtenstein DPA | 2 | 1 | 25%
Malaysia PDPA 2010 | 2 | 2 | 25%
Maryland Online Data Privacy Act of 2024 | 2 | 1 | 25%
Mauritius DPA | 2 | 2 | 25%
Mexico LFPDPPP | 2 | 2 | 25%
Minnesota Consumer Data Privacy Act | 2 | 2 | 25%
Montana Consumer Data Privacy Act | 2 | 2 | 25%
Nebraska Data Privacy Act | 2 | 3 | 25%
New Hampshire Data Privacy Act | 2 | 2 | 25%
New Jersey Data Privacy Act | 2 | 2 | 25%
Nigeria Data Protection Act 2023 (NDPA) | 2 | 3 | 25%
Nigeria Data Protection Regulation (NDPR) | 2 | 1 | 25%
NIS2 Directive | 2 | 1 | 25%
NIST SP 800-122 | 2 | 1 | 25%
Oregon Consumer Privacy Act | 2 | 2 | 25%
ICAO Annex 17 - Aviation Security (AVSEC) | 2 | 3 | 25%
ITAR - International Traffic in Arms Regulations | 2 | 2 | 25%
MiFID II / MiFIR | 2 | 1 | 25%
ITU-T X.805 - Security Architecture for End-to-End Communications | 2 | 2 | 25%
ISO/IEC 27557:2022 - Organisational Privacy Risk Management | 1 | 1 | 13%
AS9100D:2016 - Quality Management Systems for Aviation, Space, and Defence | 1 | 1 | 13%
ISO 27005 | 1 | 1 | 13%
ISO 20000-1 | 1 | 1 | 13%
ISO 31000:2018 | 1 | 1 | 13%
GAMP 5 - Good Automated Manufacturing Practice | 1 | 1 | 13%
GLBA | 1 | 1 | 13%
HKMA SPM | 1 | 1 | 13%
Monetary Authority of Singapore Technology Risk Management Guidelines | 1 | 1 | 13%
NERC CIP | 1 | 1 | 13%
New Zealand Information Security Manual (NZISM) | 1 | 1 | 13%
Nigeria Open Banking Regulatory Framework (CBN, 2023) | 1 | 1 | 13%
NIST Post-Quantum Cryptography Standards (FIPS 203, 204, 205) | 1 | 3 | 13%
OSFI B-13 | 1 | 1 | 13%
Open Banking Security | 1 | 1 | 13%
Vermont Artificial Intelligence and Consumer Data Act (AICDA) | 1 | 1 | 13%
SWIFT CSCF | 1 | 1 | 13%
Russia Federal Law on Personal Data (152-FZ) | 1 | 1 | 13%
AML/CTF Act 2006 (Australia) | 1 | 1 | 13%
ISO 13485 | 1 | 1 | 13%
Florida Digital Bill of Rights (FDBR) | 1 | 2 | 13%
GLI-33 - Gaming Laboratories International Event Wagering Systems | 1 | 1 | 13%
Armenia Law on Protection of Personal Data (2015) | 1 | 1 | 13%
IATA Operational Safety Audit (IOSA) Standards Manual | 1 | 1 | 13%
IMO Maritime Cybersecurity Guidelines (MSC-FAL.1/Circ.3/Rev.2) | 1 | 1 | 13%
South Korea PIPA | 1 | 1 | 13%

Frequently Asked Questions

What is OWASP API Security Top 10 - 2023?

OWASP API Security Top 10 - 2023 is an international compliance framework with 8 domains and 8 controls. The OWASP API Security Top 10 - 2023 is a community‑driven awareness document that identifies the ten most critical API security risks based on exploitability, prevalence, detectability, and technical impact. It complements the OWASP Top 10 for web applications by focusing specifically on API‑related threats. Organisations use it to establish and maintain compliance with industry standards and regulatory requirements.

How many controls does OWASP API Security Top 10 - 2023 have?

OWASP API Security Top 10 - 2023 has 8 controls organised across 8 domains, one control per domain: for example, Authentication and Tokens (1 control), Authorization (BOLA/BFLA) (1 control), and Inventory and Consumption (1 control). Each control defines specific requirements that organisations must implement to achieve compliance.

What frameworks does OWASP API Security Top 10 - 2023 map to?

OWASP API Security Top 10 - 2023 maps to 111 other compliance frameworks. The top mapping partners are OWASP Top 10:2025 (50% coverage), NIST SP 800-171A - Assessing Security Requirements for Controlled Unclassified Information (CUI) (50% coverage), and ISO/IEC 27400:2022 (50% coverage). Use our comparison tool to explore control-level mappings between frameworks.

How do I get started with OWASP API Security Top 10 - 2023 compliance?

Start your OWASP API Security Top 10 - 2023 compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about OWASP API Security Top 10 - 2023 requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 8 controls and track your progress.
