OWASP API Security Top 10 (2023) for Financial and Health APIs
The OWASP API Security Top 10 2023 reflects a threat landscape where APIs — not web applications — are now the primary attack surface for regulated data exfiltration and unauthorized transaction execution.
The OWASP API Security Top 10 2023 supersedes the 2019 edition, updating risk categories to reflect the evolution of API architectures and exploitation patterns observed in the intervening years. The 2023 list introduces three new entries — API8:2023 Security Misconfiguration (elevated in prominence), API9:2023 Improper Inventory Management, and API10:2023 Unsafe Consumption of APIs — while retaining and refining existing categories. API1:2023 Broken Object Level Authorization (BOLA) remains the top risk: it occurs when an API endpoint returns objects based on a client-supplied identifier without verifying that the authenticated user is authorized to access that specific object. BOLA is the API equivalent of IDOR (Insecure Direct Object Reference) and is the most exploited API vulnerability in financial services and healthcare, enabling attackers to enumerate and access other users' account data, transaction histories, or medical records.
Regulated industries face acute exposure to specific OWASP API Security categories. API2:2023 Broken Authentication applies directly to Open Banking APIs under PSD2 and the UK Open Banking Standards, where OAuth 2.0 PKCE implementations, token binding, and mTLS client certificate authentication must be correctly implemented to prevent token theft and session hijacking. API3:2023 Broken Object Property Level Authorization (new in 2023, split out from 2019's Excessive Data Exposure) is critical for GDPR compliance: APIs that return excessive properties in responses — for example, returning a full patient record when only demographic data was requested — violate the data minimization principle of GDPR Article 5(1)(c) and the HIPAA minimum necessary standard. API5:2023 Broken Function Level Authorization is particularly dangerous in financial APIs, where function-level controls are what separate read operations from write operations on customer accounts.
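The following added example (not code from the original page) shows the API1:2023 BOLA pattern described above beside a hardened handler that also applies the API3:2023 property-level allow-listing: the account store, user names and scope names are constructed for illustration.

```python
# Added example: an account-lookup handler with a BOLA defect, then the
# hardened version adding object-level (ownership) and property-level
# (scope allow-list) authorization. All data below is constructed.

# Constructed sample store: account_id -> record, including its owner.
ACCOUNTS = {
    "acc-1001": {"owner": "alice", "balance": 2500.00,
                 "iban": "XX00-CONSTRUCTED-1", "ssn": "CONSTRUCTED-A"},
    "acc-2002": {"owner": "bob", "balance": 90.00,
                 "iban": "XX00-CONSTRUCTED-2", "ssn": "CONSTRUCTED-B"},
}

# Assumed scope names: which response properties each scope may see.
SCOPE_FIELDS = {
    "accounts:read": {"balance"},
    "accounts:kyc": {"balance", "iban", "ssn"},
}


class NotFound(Exception):
    """Raised for missing objects and for objects the caller may not see."""


def get_account_vulnerable(user: str, account_id: str) -> dict:
    """BOLA: the client-supplied id is looked up without checking that
    `user` owns it, and every property of the record is returned."""
    rec = ACCOUNTS.get(account_id)
    if rec is None:
        raise NotFound(account_id)
    return dict(rec)


def get_account_hardened(user: str, scopes: list, account_id: str) -> dict:
    """Object-level check (ownership) followed by property-level filtering."""
    rec = ACCOUNTS.get(account_id)
    # Treat a foreign object exactly like a missing one so the endpoint
    # does not confirm which identifiers exist (no enumeration oracle).
    if rec is None or rec["owner"] != user:
        raise NotFound(account_id)
    # Allow-list properties from the caller's scopes; unknown scopes add nothing.
    allowed = set().union(*(SCOPE_FIELDS.get(s, set()) for s in scopes))
    return {k: v for k, v in rec.items() if k in allowed}


if __name__ == "__main__":
    print(get_account_vulnerable("bob", "acc-1001"))  # leaks alice's record
    print(get_account_hardened("alice", ["accounts:read"], "acc-1001"))
```

The hardened handler derives the set of visible properties from scopes rather than from a deny-list, so a newly added sensitive field is hidden until a scope explicitly grants it.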
API9:2023 Improper Inventory Management reflects a systemic risk in large regulated organizations: the existence of undocumented, unpatched "shadow APIs" — legacy endpoints, test environments exposed to production networks, and deprecated API versions still accepting traffic. These shadow APIs bypass the security controls applied to the documented API surface and are a primary initial access vector. Remediating this requires API discovery tooling (traffic analysis-based, not just documentation-based) and API gateway enforcement that rejects traffic to undocumented paths. API10:2023 Unsafe Consumption of APIs addresses third-party API risk: a regulated firm's application blindly trusts data returned by an external API (e.g., a credit bureau, identity verification service, or market data provider) without validation, enabling injection attacks through a compromised third-party API.
We assess client API landscapes against the OWASP API Security Top 10 2023 using automated discovery, traffic analysis for shadow API identification, and authenticated penetration testing of documented endpoints. Our remediation programs address API gateway policy configuration, OAuth 2.0 implementation review, and object-level authorization logic across financial and healthcare API ecosystems.