CWEs that violate the OWASP API Security Top 10 standard
The following table lists the categories in the OWASP API Security Top 10 (2023) and the level of coverage Veracode Dynamic Analysis provides for each. Entries marked with an asterisk (*) are covered only partially or unreliably; see the note below the table.
| Category | Description | Dynamic support | Years on list |
|---|---|---|---|
| API1:2023 | Broken Object Level Authorization | Partial (fuzzing paths) | 2023 |
| API2:2023 | Broken Authentication | Full | 2023 |
| API3:2023 | Broken Object Property Level Authorization | * | 2023 |
| API4:2023 | Unrestricted Resource Consumption | * | 2023 |
| API5:2023 | Broken Function Level Authorization | * | 2023 |
| API6:2023 | Unrestricted Access to Sensitive Business Flows | * | 2023 |
| API7:2023 | Server Side Request Forgery | Full | 2023 |
| API8:2023 | Security Misconfiguration | Full | 2023 |
| API9:2023 | Improper Inventory Management | Partial | 2023 |
| API10:2023 | Unsafe Consumption of APIs | * | 2023 |
\* Dynamic Analysis might provide inaccurate results for the categories marked with an asterisk, because these weaknesses (authorization logic, business-flow abuse, resource limits, third-party API consumption) depend on application context that a black-box scanner cannot fully infer. For accurate results, we recommend testing these categories with Manual Penetration Testing (MPT).