Back to Frameworks
OWASP API Security Top 10:2023
International
v2023
5 domains
10 controls
The OWASP API Security Top 10 is a standard awareness document focused specifically on API security risks. The 2023 edition identifies the ten most critical API security risks based on exploitability, prevalence, detectability, and technical impact. It complements the OWASP Top 10 for web applications with API-specific risks.
Verified
Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.
OWASP content is used under the Creative Commons Attribution-ShareAlike 4.0 International License (CC BY-SA 4.0). Original material © OWASP Foundation. See owasp.org for the authoritative source.
Framework Domains (5)
Authentication and Access
2 controls
API authentication and business flow abuse risks
| Code | Title |
|---|---|
| API2:2023 | Broken Authentication |
| API6:2023 | Unrestricted Access to Sensitive Business Flows |
Authorization
3 controls
API authorization risks covering object-level, property-level, and function-level access control
| Code | Title |
|---|---|
| API1:2023 | Broken Object Level Authorization |
| API3:2023 | Broken Object Property Level Authorization |
| API5:2023 | Broken Function Level Authorization |
Configuration and Inventory
2 controls
API operational security gaps and inventory management
| Code | Title |
|---|---|
| API8:2023 | Security Misconfiguration |
| API9:2023 | Improper Inventory Management |
Data and Resource Protection
2 controls
API resource consumption and server-side request risks
| Code | Title |
|---|---|
| API4:2023 | Unrestricted Resource Consumption |
| API7:2023 | Server Side Request Forgery (SSRF) |
Third-Party Risk
1 controls
Risks from consuming external APIs
| Code | Title |
|---|---|
| API10:2023 | Unsafe Consumption of APIs |
Maps to 362 other frameworks
10 total controls
NYDFS Cybersecurity Regulation (23 NYCRR Part 500)
5 source controls mapped|9 target controls covered
50%
ANSSI Cybersecurity Framework
5 source controls mapped|9 target controls covered
50%
NIST SP 800-171A — Assessing CUI Security Requirements
5 source controls mapped|10 target controls covered
50%
ISO/IEC 27400:2022
5 source controls mapped|3 target controls covered
50%
Australian Energy Sector Cyber Security Framework (AESCSF)
5 source controls mapped|3 target controls covered
50%
OWASP Top 10:2025
5 source controls mapped|7 target controls covered
50%
HL7 FHIR Security Framework
5 source controls mapped|8 target controls covered
50%
3GPP Security
5 source controls mapped|6 target controls covered
50%
ISO/SAE 21434
5 source controls mapped|7 target controls covered
50%
SIG (Shared Assessments)
5 source controls mapped|6 target controls covered
50%
PTES
5 source controls mapped|7 target controls covered
50%
SLSA
5 source controls mapped|6 target controls covered
50%
MITRE D3FEND
5 source controls mapped|7 target controls covered
50%
NIST SP 800-53 Rev 5
5 source controls mapped|14 target controls covered
50%
Spain ENS
5 source controls mapped|7 target controls covered
50%
BSI IT-Grundschutz
5 source controls mapped|8 target controls covered
50%
OWASP SAMM
5 source controls mapped|6 target controls covered
50%
CMMC 2.0
5 source controls mapped|7 target controls covered
50%
PCI DSS v4.0
5 source controls mapped|11 target controls covered
50%
MDS2 (Medical Device)
5 source controls mapped|6 target controls covered
50%
NIST SP 800-187
5 source controls mapped|7 target controls covered
50%
TISAX — Trusted Information Security Assessment Exchange
5 source controls mapped|6 target controls covered
50%
NIST SP 800-82 Rev 3 — Guide to OT Security
5 source controls mapped|5 target controls covered
50%
UNECE WP.29 R155
5 source controls mapped|7 target controls covered
50%
DISA Security Technical Implementation Guides (STIGs)
5 source controls mapped|12 target controls covered
50%
California IoT Security Law
5 source controls mapped|6 target controls covered
50%
ASD Information Security Manual (ISM)
5 source controls mapped|17 target controls covered
50%
NIST SP 800-183
5 source controls mapped|6 target controls covered
50%
MTCS (Singapore)
5 source controls mapped|5 target controls covered
50%
Belgium CyberFundamentals
5 source controls mapped|8 target controls covered
50%
ISO 13485
5 source controls mapped|6 target controls covered
50%
NIST SP 800-63
5 source controls mapped|6 target controls covered
50%
NIST SP 800-190
5 source controls mapped|5 target controls covered
50%
Saudi NCA ECC
5 source controls mapped|8 target controls covered
50%
NIST SP 800-92
5 source controls mapped|6 target controls covered
50%
ISO 27001:2022
5 source controls mapped|8 target controls covered
50%
OWASP MASVS
5 source controls mapped|6 target controls covered
50%
NIST SP 800-207
5 source controls mapped|7 target controls covered
50%
OWASP ASVS
5 source controls mapped|7 target controls covered
50%
ETSI EN 303 645
5 source controls mapped|7 target controls covered
50%
NIST Cybersecurity Framework 2.0
5 source controls mapped|4 target controls covered
50%
ISMAP (Japan)
5 source controls mapped|5 target controls covered
50%
NIST SP 800-171
5 source controls mapped|8 target controls covered
50%
UK PSTI Act
5 source controls mapped|7 target controls covered
50%
ISO 27799
5 source controls mapped|6 target controls covered
50%
PropTech Security Standards — Smart Building Cybersecurity
5 source controls mapped|5 target controls covered
50%
NIST SP 800-161
5 source controls mapped|6 target controls covered
50%
CISA Zero Trust Maturity Model
5 source controls mapped|8 target controls covered
50%
MITRE ATT&CK
5 source controls mapped|7 target controls covered
50%
AWS Well-Architected Security Pillar
5 source controls mapped|5 target controls covered
50%
Ghana Cybersecurity Act
5 source controls mapped|9 target controls covered
50%
CNCF Cloud Native Security (Cloud Native Computing Foundation)
5 source controls mapped|5 target controls covered
50%
NIST SP 800-181
5 source controls mapped|7 target controls covered
50%
FISMA
5 source controls mapped|8 target controls covered
50%
CSA CCM v4
5 source controls mapped|13 target controls covered
50%
DoD Zero Trust Reference Architecture
5 source controls mapped|8 target controls covered
50%
NIST SP 800-172
5 source controls mapped|9 target controls covered
50%
CSA STAR (Security, Trust, Assurance, and Risk)
5 source controls mapped|2 target controls covered
50%
Azure Security Benchmark
5 source controls mapped|5 target controls covered
50%
EU Cyber Resilience Act
5 source controls mapped|6 target controls covered
50%
NIST SP 800-218
5 source controls mapped|7 target controls covered
50%
FDA 21 CFR Part 11
5 source controls mapped|6 target controls covered
50%
CAIQ (CSA)
5 source controls mapped|5 target controls covered
50%
MARS-E
5 source controls mapped|6 target controls covered
50%
OpenSSF Scorecard
5 source controls mapped|8 target controls covered
50%
South Korea ISMS-P
5 source controls mapped|5 target controls covered
50%
ISO 27043
5 source controls mapped|7 target controls covered
50%
Cyber Essentials Plus
5 source controls mapped|7 target controls covered
50%
FBI CJIS Security Policy
5 source controls mapped|10 target controls covered
50%
ISO 27002:2022
5 source controls mapped|6 target controls covered
50%
CISA Cross-Sector Cybersecurity Performance Goals (CPG) 2.0
5 source controls mapped|6 target controls covered
50%
TSA Pipeline Security
5 source controls mapped|5 target controls covered
50%
NIST SP 800-150
5 source controls mapped|7 target controls covered
50%
NIST SP 800-115
5 source controls mapped|7 target controls covered
50%
NIST SP 800-146
5 source controls mapped|5 target controls covered
50%
ASD Strategies to Mitigate Cyber Security Incidents
5 source controls mapped|7 target controls covered
50%
NIST SP 800-171A Rev 3 — Assessing CUI Security Requirements
5 source controls mapped|8 target controls covered
50%
FedRAMP Rev 5
5 source controls mapped|16 target controls covered
50%
NIST SP 800-53A
5 source controls mapped|7 target controls covered
50%
SSDF (NIST)
5 source controls mapped|7 target controls covered
50%
NIST SP 800-137
5 source controls mapped|8 target controls covered
50%
NIST SP 800-61
5 source controls mapped|7 target controls covered
50%
C5 (Germany)
5 source controls mapped|5 target controls covered
50%
NAIC Insurance Data Security Model Law (MDL-668)
5 source controls mapped|7 target controls covered
50%
SWIFT Customer Security Programme (CSP)
5 source controls mapped|4 target controls covered
50%
NIST SP 800-160
5 source controls mapped|6 target controls covered
50%
ISO 27017
5 source controls mapped|5 target controls covered
50%
O-RAN Alliance Security Specifications (O-RAN.WG11)
5 source controls mapped|3 target controls covered
50%
UK Telecommunications (Security) Act 2021
5 source controls mapped|7 target controls covered
50%
NIST SP 800-128
5 source controls mapped|7 target controls covered
50%
NIST SP 800-145
5 source controls mapped|5 target controls covered
50%
FAA Cybersecurity Framework for Aviation
5 source controls mapped|3 target controls covered
50%
Oman National Cybersecurity Framework
5 source controls mapped|3 target controls covered
50%
UK Gambling Commission — Cyber Resilience Requirements
5 source controls mapped|4 target controls covered
50%
BSIMM
5 source controls mapped|6 target controls covered
50%
CISA ICS-CERT Advisories and Industrial Control Systems Security Guidelines
5 source controls mapped|8 target controls covered
50%
NIST SP 800-123
5 source controls mapped|6 target controls covered
50%
AWWA Cybersecurity Guidance for the Water Sector (American Water Works Association)
5 source controls mapped|7 target controls covered
50%
3GPP 5G Security Architecture (TS 33.501)
5 source controls mapped|6 target controls covered
50%
NIST SP 800-144
5 source controls mapped|5 target controls covered
50%
NIS2 Directive Implementing Acts
5 source controls mapped|11 target controls covered
50%
NIST SP 800-66
5 source controls mapped|6 target controls covered
50%
NIST SP 800-88
5 source controls mapped|7 target controls covered
50%
UNECE WP.29 R156
5 source controls mapped|7 target controls covered
50%
ISO 27018
5 source controls mapped|5 target controls covered
50%
NIST Privacy Framework 1.0
5 source controls mapped|6 target controls covered
50%
CISA Secure by Design Principles
5 source controls mapped|5 target controls covered
50%
OWASP DevSecOps Maturity Model (DSOMM)
5 source controls mapped|6 target controls covered
50%
ISO/IEC 27011:2024
4 source controls mapped|3 target controls covered
40%
IEC 62351 — Power Systems Communication Security
4 source controls mapped|2 target controls covered
40%
US ITAR and EAR — Export Control and Data Security
4 source controls mapped|4 target controls covered
40%
Defence Security Principles Framework (DSPF)
4 source controls mapped|11 target controls covered
40%
Protective Security Policy Framework (PSPF) Release 2024
4 source controls mapped|11 target controls covered
40%
HITECH Act
4 source controls mapped|2 target controls covered
40%
EAR — Export Administration Regulations
4 source controls mapped|5 target controls covered
40%
US NRC 10 CFR 73.54 — Cyber Security for Nuclear Power Plants
4 source controls mapped|2 target controls covered
40%
FFIEC Cybersecurity Assessment Tool (CAT)
4 source controls mapped|4 target controls covered
40%
EDM Council CDMC — Cloud Data Management Capabilities Framework
4 source controls mapped|2 target controls covered
40%
Singapore Government Instruction Manual on ICT&SS Management (IM8)
4 source controls mapped|2 target controls covered
40%
ISO 22739:2024 — Blockchain and Distributed Ledger Technologies Vocabulary
4 source controls mapped|4 target controls covered
40%
EU Digital Markets Act
4 source controls mapped|2 target controls covered
40%
FCC Customer Proprietary Network Information (CPNI) and Data Breach Rules (47 CFR 64.2001-2011)
4 source controls mapped|4 target controls covered
40%
DAMA-DMBOK2 — Data Management Body of Knowledge (2nd Edition)
4 source controls mapped|2 target controls covered
40%
OWASP Top 10 for LLM Applications 2025
4 source controls mapped|4 target controls covered
40%
CWE Top 25 Most Dangerous Software Weaknesses (2024)
4 source controls mapped|6 target controls covered
40%
TSA Pipeline Cybersecurity Directives
4 source controls mapped|2 target controls covered
40%
WCO Authorised Economic Operator (AEO) Framework
4 source controls mapped|7 target controls covered
40%
ASD Essential Eight Maturity Model
4 source controls mapped|6 target controls covered
40%
SSAE 18 — Attestation Standards (SOC Reporting)
4 source controls mapped|2 target controls covered
40%
Zimbabwe Data Protection Act (2021)
4 source controls mapped|2 target controls covered
40%
US Gramm-Leach-Bliley Act (GLBA) — Higher Education Safeguards Rule
3 source controls mapped|8 target controls covered
30%
HIPAA Security Rule
3 source controls mapped|9 target controls covered
30%
GLI-33 — Gaming Laboratories International Event Wagering Systems
3 source controls mapped|5 target controls covered
30%
PAS 1192-5:2015 — Security-Minded Approach to BIM and Digital Built Environments
3 source controls mapped|6 target controls covered
30%
Canada ITSG-33 — IT Security Risk Management
3 source controls mapped|6 target controls covered
30%
New Zealand Information Security Manual (NZISM)
3 source controls mapped|6 target controls covered
30%
MARS-E — Minimum Acceptable Risk Standards for Exchanges
3 source controls mapped|6 target controls covered
30%
South Korea Cloud Security Assurance Program (CSAP)
3 source controls mapped|6 target controls covered
30%
NRC 10 CFR 73.54 — Nuclear Facility Cybersecurity
3 source controls mapped|6 target controls covered
30%
FTC GLBA Safeguards Rule (16 CFR Part 314)
3 source controls mapped|3 target controls covered
30%
FTC Safeguards Rule (16 CFR Part 314)
3 source controls mapped|3 target controls covered
30%
CCSDS 350.0-G-3 — Space Communications Security (Consultative Committee for Space Data Systems)
3 source controls mapped|7 target controls covered
30%
ASIC Cyber Resilience Good Practices
3 source controls mapped|2 target controls covered
30%
IACS Unified Requirements E26/E27 — Cyber Resilience of Ships and On-Board Systems
3 source controls mapped|3 target controls covered
30%
IRS Publication 1075 — Tax Information Security Guidelines
3 source controls mapped|2 target controls covered
30%
Angola Personal Data Protection Law (Law No. 22/11)
3 source controls mapped|1 target controls covered
30%
C-TPAT — Customs-Trade Partnership Against Terrorism
3 source controls mapped|6 target controls covered
30%
US Automated Commercial Environment (ACE) — CBP Trade Data Requirements
3 source controls mapped|1 target controls covered
30%
ISO/IEC 27006:2024
3 source controls mapped|1 target controls covered
30%
ISO/IEC 17025:2017 — General Requirements for Testing and Calibration Laboratories
3 source controls mapped|1 target controls covered
30%
ISO 15189:2022 — Medical Laboratories Requirements for Quality and Competence
3 source controls mapped|1 target controls covered
30%
ITAR — International Traffic in Arms Regulations
3 source controls mapped|2 target controls covered
30%
Authorised Economic Operator (AEO) Programmes — Global Standards
3 source controls mapped|1 target controls covered
30%
Australia Consumer Data Right — Banking (CDR)
3 source controls mapped|3 target controls covered
30%
Security of Critical Infrastructure Act 2018 (SOCI)
3 source controls mapped|1 target controls covered
30%
Philippines Data Privacy Act (RA 10173)
3 source controls mapped|2 target controls covered
30%
Samoa Telecommunications Act (2005) — Privacy & Data Protection
3 source controls mapped|2 target controls covered
30%
ICAO Annex 17 — Aviation Security (AVSEC)
3 source controls mapped|2 target controls covered
30%
SSAE 18 SOC 1 — Report on Controls at a Service Organisation (ICFR)
3 source controls mapped|2 target controls covered
30%
ILO Declaration on Fundamental Principles and Rights at Work (Core Conventions)
3 source controls mapped|1 target controls covered
30%
MiFID II / MiFIR
3 source controls mapped|1 target controls covered
30%
SOC 2
3 source controls mapped|2 target controls covered
30%
Notifiable Data Breaches Scheme (Australia)
3 source controls mapped|1 target controls covered
30%
FTC Health Breach Notification Rule
3 source controls mapped|1 target controls covered
30%
UK Product Security and Telecommunications Infrastructure Act (PSTI)
3 source controls mapped|1 target controls covered
30%
European Accessibility Act (Directive (EU) 2019/882)
3 source controls mapped|1 target controls covered
30%
EU Deforestation-Free Products Regulation (EUDR)
3 source controls mapped|1 target controls covered
30%
Ontario Accessibility for Ontarians with Disabilities Act (AODA) — IASR Web Standard
3 source controls mapped|1 target controls covered
30%
EU NIS2 Directive — Energy Sector Cybersecurity Requirements (Directive 2022/2555)
3 source controls mapped|1 target controls covered
30%
US SEC Digital Assets and Crypto Regulatory Framework
3 source controls mapped|1 target controls covered
30%
Australia eSafety Commissioner — Online Safety Expectations for Industry
3 source controls mapped|1 target controls covered
30%
EU Markets in Crypto-Assets Regulation (MiCA)
3 source controls mapped|3 target controls covered
30%
EU Clinical Trials Regulation (CTR 536/2014)
3 source controls mapped|1 target controls covered
30%
ISO 19650 — Organisation and Digitisation of Information about Buildings and Civil Engineering Works (BIM)
3 source controls mapped|1 target controls covered
30%
ILO Tripartite Declaration of Principles concerning Multinational Enterprises (MNE Declaration)
3 source controls mapped|1 target controls covered
30%
Uganda Data Protection and Privacy Act (2019)
3 source controls mapped|1 target controls covered
30%
3GPP Security Architecture (TS 33.501 — 5G Security)
2 source controls mapped|5 target controls covered
20%
ISO/IEC 27010:2015
2 source controls mapped|3 target controls covered
20%
Privacy Act 1988 (Australia)
2 source controls mapped|2 target controls covered
20%
ISO/IEC 29115:2023 — Entity Authentication Assurance Framework
2 source controls mapped|4 target controls covered
20%
API 1164
2 source controls mapped|5 target controls covered
20%
ISO/IEC 23837 — Security Requirements for Quantum Key Distribution
2 source controls mapped|4 target controls covered
20%
EMV 3-D Secure (3DS2) — Payment Authentication Protocol
2 source controls mapped|4 target controls covered
20%
New Zealand Privacy Act
2 source controls mapped|2 target controls covered
20%
HKMA Cyber Resilience Assessment Framework (C-RAF)
2 source controls mapped|3 target controls covered
20%
IEC 62443
2 source controls mapped|5 target controls covered
20%
Indonesia PDP Law
2 source controls mapped|2 target controls covered
20%
CFTC System Safeguards (17 CFR 37, 38, 39, 49)
2 source controls mapped|4 target controls covered
20%
EIOPA Guidelines on ICT Security and Governance (2020)
2 source controls mapped|4 target controls covered
20%
Telecommunications Sector Security Reforms (TSSR)
2 source controls mapped|4 target controls covered
20%
NIS2 Directive
2 source controls mapped|5 target controls covered
20%
Iceland DPA
2 source controls mapped|2 target controls covered
20%
Maryland Online Data Privacy Act
2 source controls mapped|2 target controls covered
20%
Nigeria NDPR
2 source controls mapped|2 target controls covered
20%
UK Defence Standard 05-138 — Cyber Security for Defence Suppliers
2 source controls mapped|3 target controls covered
20%
PDPA Thailand
2 source controls mapped|2 target controls covered
20%
NIST SP 800-124 Rev 2 — Mobile Device Security
2 source controls mapped|3 target controls covered
20%
Vietnam PDPD
2 source controls mapped|2 target controls covered
20%
Tennessee IPA
2 source controls mapped|2 target controls covered
20%
FIDO2 and W3C WebAuthn Standard
2 source controls mapped|3 target controls covered
20%
Philippines DPA
2 source controls mapped|2 target controls covered
20%
RBI Cybersecurity Framework for Banks
2 source controls mapped|1 target controls covered
20%
PDPA Singapore
2 source controls mapped|2 target controls covered
20%
C2M2
2 source controls mapped|5 target controls covered
20%
Malaysia PDPA 2010
2 source controls mapped|2 target controls covered
20%
Connecticut DPA
2 source controls mapped|2 target controls covered
20%
UK Open Banking Standard
2 source controls mapped|4 target controls covered
20%
NIST SP 800-122
2 source controls mapped|2 target controls covered
20%
Chile Personal Data Protection Law (Law No. 21.719)
2 source controls mapped|2 target controls covered
20%
DO-326A
2 source controls mapped|5 target controls covered
20%
Norway PDPA
2 source controls mapped|2 target controls covered
20%
NIST SP 1800-32
2 source controls mapped|5 target controls covered
20%
Mexico LFPDPPP
2 source controls mapped|2 target controls covered
20%
Rwanda DPL
2 source controls mapped|2 target controls covered
20%
Dominican Republic DPL
2 source controls mapped|2 target controls covered
20%
IEEE 1686
2 source controls mapped|5 target controls covered
20%
FERPA
2 source controls mapped|2 target controls covered
20%
UK Data Protection Act 2018
2 source controls mapped|2 target controls covered
20%
India DPDP Act
2 source controls mapped|2 target controls covered
20%
RFC 2350 — Expectations for Computer Security Incident Response (BCP 21)
2 source controls mapped|2 target controls covered
20%
PIPEDA
2 source controls mapped|2 target controls covered
20%
IAEA Nuclear Security Series — Computer Security at Nuclear Facilities (NSS-17-T Rev 1)
2 source controls mapped|2 target controls covered
20%
Iowa Consumer Data Protection Act
2 source controls mapped|2 target controls covered
20%
COPPA
2 source controls mapped|2 target controls covered
20%
UAE PDPL
2 source controls mapped|2 target controls covered
20%
Saudi Arabia PDPL
2 source controls mapped|2 target controls covered
20%
Delaware Personal Data Privacy Act
2 source controls mapped|2 target controls covered
20%
Kenya DPA
2 source controls mapped|2 target controls covered
20%
POPIA
2 source controls mapped|2 target controls covered
20%
Texas Data Privacy Act
2 source controls mapped|2 target controls covered
20%
Uruguay DPL
2 source controls mapped|2 target controls covered
20%
Indiana Consumer Data Protection Act
2 source controls mapped|2 target controls covered
20%
Virginia CDPA
2 source controls mapped|2 target controls covered
20%
BIMCO Cyber Security
2 source controls mapped|5 target controls covered
20%
Argentina PDPA
2 source controls mapped|2 target controls covered
20%
CCPA/CPRA
2 source controls mapped|2 target controls covered
20%
W3C Verifiable Credentials (VC) Data Model 2.0
2 source controls mapped|3 target controls covered
20%
Qatar DPL
2 source controls mapped|2 target controls covered
20%
Bahrain PDPL
2 source controls mapped|2 target controls covered
20%
ITIL 4
2 source controls mapped|2 target controls covered
20%
Colorado Privacy Act
2 source controls mapped|2 target controls covered
20%
Kentucky Consumer Data Protection Act
2 source controls mapped|2 target controls covered
20%
Mauritius DPA
2 source controls mapped|2 target controls covered
20%
Ecuador LOPDP
2 source controls mapped|2 target controls covered
20%
Peru DPL
2 source controls mapped|2 target controls covered
20%
EU GMP Annex 11 — Computerised Systems
2 source controls mapped|2 target controls covered
20%
China PIPL
2 source controls mapped|2 target controls covered
20%
New Jersey Data Privacy Act
2 source controls mapped|2 target controls covered
20%
ISO 27701
2 source controls mapped|2 target controls covered
20%
Liechtenstein DPA
2 source controls mapped|2 target controls covered
20%
Utah Consumer Privacy Act
2 source controls mapped|2 target controls covered
20%
APPI
2 source controls mapped|2 target controls covered
20%
Colombia Habeas Data Law
2 source controls mapped|2 target controls covered
20%
Taiwan PDPA
2 source controls mapped|2 target controls covered
20%
Switzerland FADP
2 source controls mapped|2 target controls covered
20%
Chile DPL
2 source controls mapped|2 target controls covered
20%
SOC for Cybersecurity — Cybersecurity Risk Management Examination
2 source controls mapped|2 target controls covered
20%
ISO 27019
2 source controls mapped|5 target controls covered
20%
Digital Economy Partnership Agreement (DEPA)
2 source controls mapped|2 target controls covered
20%
LGPD
2 source controls mapped|2 target controls covered
20%
Oregon Consumer Privacy Act
2 source controls mapped|2 target controls covered
20%
Minnesota Consumer Data Privacy Act
2 source controls mapped|2 target controls covered
20%
Nebraska Data Privacy Act
2 source controls mapped|2 target controls covered
20%
US Executive Order 14028 — Improving the Nation's Cybersecurity
2 source controls mapped|1 target controls covered
20%
ISO 20000-1
2 source controls mapped|2 target controls covered
20%
Turkey KVKK
2 source controls mapped|2 target controls covered
20%
Jamaica DPA
2 source controls mapped|2 target controls covered
20%
New Hampshire Privacy Act
2 source controls mapped|2 target controls covered
20%
Montana Consumer Data Privacy Act
2 source controls mapped|2 target controls covered
20%
ITU-T X.805 — Security Architecture for End-to-End Communications
2 source controls mapped|2 target controls covered
20%
EBA Guidelines on ICT and Security Risk Management (EBA/GL/2019/04)
2 source controls mapped|1 target controls covered
20%
NIST Privacy Framework Version 1.0
2 source controls mapped|1 target controls covered
20%
NRF Cybersecurity and Data Privacy Framework (National Retail Federation)
2 source controls mapped|3 target controls covered
20%
WCO SAFE Framework of Standards to Secure and Facilitate Global Trade (2021)
2 source controls mapped|3 target controls covered
20%
Customs-Trade Partnership Against Terrorism (C-TPAT)
2 source controls mapped|4 target controls covered
20%
EU Critical Raw Materials Act (Regulation (EU) 2024/1252)
2 source controls mapped|3 target controls covered
20%
EU Chips Act (Regulation (EU) 2023/1781)
2 source controls mapped|3 target controls covered
20%
US Consumer Product Safety Commission (CPSC) — Connected Product Safety
2 source controls mapped|1 target controls covered
20%
EU Maritime Single Window Environment Regulation (EU 2019/1239) and EMSA Cybersecurity
2 source controls mapped|1 target controls covered
20%
US EPA Safe Drinking Water Act (SDWA) — Cybersecurity Requirements
2 source controls mapped|1 target controls covered
20%
AS9100D:2016 — Quality Management Systems for Aviation, Space, and Defence
1 source controls mapped|2 target controls covered
10%
ISO/IEC 27557:2022 — Organisational Privacy Risk Management
1 source controls mapped|1 target controls covered
10%
GLBA
1 source controls mapped|2 target controls covered
10%
AS9100D — Aerospace Quality Management System
1 source controls mapped|1 target controls covered
10%
ISO/IEC 27003:2017
1 source controls mapped|1 target controls covered
10%
NERC CIP
1 source controls mapped|2 target controls covered
10%
NSA Quantum-Resistant (QR) Cryptography Migration Guidance
1 source controls mapped|3 target controls covered
10%
PCI P2PE
1 source controls mapped|2 target controls covered
10%
NSA CNSA Suite 2.0 — Commercial National Security Algorithm Suite
1 source controls mapped|3 target controls covered
10%
ISO 26262:2018 — Functional Safety for Road Vehicles
1 source controls mapped|1 target controls covered
10%
ESA ECSS-E-ST-40C — Space Software Engineering Standard
1 source controls mapped|2 target controls covered
10%
ECSS Software Engineering Standards (ESA)
1 source controls mapped|2 target controls covered
10%
MAS TRM
1 source controls mapped|2 target controls covered
10%
PCI PIN Security
1 source controls mapped|2 target controls covered
10%
PSD2 SCA
1 source controls mapped|2 target controls covered
10%
SWIFT CSCF
1 source controls mapped|2 target controls covered
10%
AICPA SOC 3
1 source controls mapped|2 target controls covered
10%
NATO AQAP 2110 — Quality Assurance Requirements for Design, Development, and Production
1 source controls mapped|1 target controls covered
10%
NIST Post-Quantum Cryptography Standards (FIPS 203, 204, 205)
1 source controls mapped|3 target controls covered
10%
SWIFT CSP
1 source controls mapped|2 target controls covered
10%
GAMP 5 — Good Automated Manufacturing Practice
1 source controls mapped|1 target controls covered
10%
AICPA SOC 1
1 source controls mapped|2 target controls covered
10%
OSFI B-13
1 source controls mapped|2 target controls covered
10%
Open Banking Security
1 source controls mapped|2 target controls covered
10%
NATO STANAG 4774/4778 — Confidentiality Metadata Labels
1 source controls mapped|2 target controls covered
10%
ESRB Privacy Certified Programme
1 source controls mapped|2 target controls covered
10%
Hungary Act CXII of 2011 on Informational Self-Determination and Freedom of Information (Info Act)
1 source controls mapped|2 target controls covered
10%
Automotive SPICE (ASPICE) v4.0 — Process Assessment Model
1 source controls mapped|1 target controls covered
10%
DO-178C / ED-12C — Software Considerations in Airborne Systems
1 source controls mapped|1 target controls covered
10%
BCBS 239
1 source controls mapped|2 target controls covered
10%
ENISA Privacy Enhancing Technologies (PETs) Guidance
1 source controls mapped|2 target controls covered
10%
IEC 62304:2015 Medical Device Software Lifecycle Processes
1 source controls mapped|2 target controls covered
10%
NIST SP 800-34 Rev 1 — Contingency Planning Guide
1 source controls mapped|1 target controls covered
10%
APRA CPS 234
1 source controls mapped|2 target controls covered
10%
ECB TIBER-EU
1 source controls mapped|2 target controls covered
10%
DORA
1 source controls mapped|2 target controls covered
10%
ILO Nursing Personnel Convention C149 (1977)
1 source controls mapped|1 target controls covered
10%
EU Anti-Money Laundering Directive (AMLD6 / Directive 2018/1673)
1 source controls mapped|1 target controls covered
10%
ISO 8000 — Data Quality
1 source controls mapped|1 target controls covered
10%
FATF Recommendation 16 — Virtual Asset Travel Rule
1 source controls mapped|1 target controls covered
10%
Privacy by Design (PbD) — Seven Foundational Principles
1 source controls mapped|1 target controls covered
10%
BS 65000:2014 — Guidance on Organizational Resilience
1 source controls mapped|1 target controls covered
10%
PCI SSF
1 source controls mapped|2 target controls covered
10%
HKMA SPM
1 source controls mapped|2 target controls covered
10%
NIST AI Risk Management Framework (AI RMF 1.0)
1 source controls mapped|1 target controls covered
10%
NIST AI 600-1 Generative AI Profile
1 source controls mapped|1 target controls covered
10%
FFIEC IT Examination Handbook
1 source controls mapped|2 target controls covered
10%
Nigeria Open Banking Regulatory Framework (CBN, 2023)
1 source controls mapped|1 target controls covered
10%
Armenia Law on Protection of Personal Data (2015)
1 source controls mapped|2 target controls covered
10%
Russia Federal Law on Personal Data (152-FZ)
1 source controls mapped|1 target controls covered
10%
AML/CTF Act 2006 (Australia)
1 source controls mapped|1 target controls covered
10%
Colorado Privacy Act (CPA)
1 source controls mapped|4 target controls covered
10%
Vermont Artificial Intelligence and Consumer Data Act (AICDA)
1 source controls mapped|2 target controls covered
10%
US Maritime Transportation Security Act (MTSA) and USCG Cybersecurity Requirements
1 source controls mapped|1 target controls covered
10%
TEFCA — Trusted Exchange Framework and Common Agreement
1 source controls mapped|2 target controls covered
10%
EN 301 549 — ICT Accessibility Requirements
1 source controls mapped|1 target controls covered
10%
Florida Digital Bill of Rights (SB 262)
1 source controls mapped|2 target controls covered
10%
Regional Comprehensive Economic Partnership (RCEP) — E-Commerce Chapter
1 source controls mapped|1 target controls covered
10%
EU PSD3 and Payment Services Regulation (Proposed)
1 source controls mapped|3 target controls covered
10%
Bank Secrecy Act / Anti-Money Laundering (BSA/AML)
1 source controls mapped|1 target controls covered
10%
DFARS 252.204-7012 — Safeguarding Covered Defense Information
1 source controls mapped|3 target controls covered
10%
Connecticut Data Privacy Act (CTDPA)
1 source controls mapped|5 target controls covered
10%
Illinois Biometric Information Privacy Act (BIPA)
1 source controls mapped|3 target controls covered
10%
Modern Slavery Act 2018 (Australia)
1 source controls mapped|3 target controls covered
10%
WCAG 2.2
1 source controls mapped|2 target controls covered
10%
eIDAS 2.0 — EU Digital Identity Regulation
1 source controls mapped|1 target controls covered
10%
FIDO2 / WebAuthn — Passwordless Authentication Standard
1 source controls mapped|3 target controls covered
10%
Wisconsin Data Privacy Act (SB 670)
1 source controls mapped|3 target controls covered
10%
EU European Health Data Space (EHDS)
1 source controls mapped|1 target controls covered
10%
Lebanon Electronic Transactions and Personal Data Protection Law (Law No. 81/2018)
1 source controls mapped|2 target controls covered
10%
Tennessee Information Protection Act (TIPA)
1 source controls mapped|2 target controls covered
10%
USMCA Chapter 19 — Digital Trade (United States-Mexico-Canada Agreement)
1 source controls mapped|1 target controls covered
10%
UK ONR Cyber Security and Information Assurance (CSIA) for Nuclear Facilities
1 source controls mapped|1 target controls covered
10%
ISO 28001:2007 Supply Chain Security Management
1 source controls mapped|1 target controls covered
10%
South Korea PIPA
1 source controls mapped|1 target controls covered
10%
UK Security and Emergency Measures Direction (SEMD) — Water Industry
1 source controls mapped|3 target controls covered
10%
Defence Industry Security Program (DISP)
1 source controls mapped|2 target controls covered
10%
EU Data Act
1 source controls mapped|1 target controls covered
10%
BSI C5 — Cloud Computing Compliance Criteria Catalogue
1 source controls mapped|1 target controls covered
10%
Australia My Health Records Act 2012
1 source controls mapped|1 target controls covered
10%
IMO Maritime Cybersecurity Guidelines (MSC-FAL.1/Circ.3/Rev.2)
1 source controls mapped|1 target controls covered
10%
IATA Operational Safety Audit (IOSA) Standards Manual
1 source controls mapped|1 target controls covered
10%
Frequently Asked Questions
What is OWASP API Security Top 10:2023?
OWASP API Security Top 10:2023 is a compliance framework from International with 5 domains and 10 controls. The OWASP API Security Top 10 is a standard awareness document focused specifically on API security risks. The 2023 edition identifies the ten most critical API security risks based on exploitability, prevalence, detectability, and technical impact. It complements the OWASP Top 10 for web applications with API-specific risks. It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.
How many controls does OWASP API Security Top 10:2023 have?
OWASP API Security Top 10:2023 has 10 controls organised across 5 domains. The largest domains are Authorization (3 controls), Authentication and Access (2 controls), Configuration and Inventory (2 controls). Each control defines specific requirements that organisations must implement to achieve compliance.
What frameworks does OWASP API Security Top 10:2023 map to?
OWASP API Security Top 10:2023 maps to 362 other compliance frameworks. The top mapping partners are NYDFS Cybersecurity Regulation (23 NYCRR Part 500) (50% coverage), ANSSI Cybersecurity Framework (50% coverage), NIST SP 800-171A — Assessing CUI Security Requirements (50% coverage). Use our comparison tool to explore control-level mappings between frameworks.
How do I get started with OWASP API Security Top 10:2023 compliance?
Start your OWASP API Security Top 10:2023 compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about OWASP API Security Top 10:2023 requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 10 controls and track your progress.
Start Your Compliance Journey
Create a free account to run self-assessments, get AI advisory, and track your compliance progress across 692 frameworks.
Get Started Free →Free forever — no credit card required