CWEs that violate the 2023 OWASP API Security Top 10 standard
The following table lists the categories in the OWASP 2023 API Security Top 10 and the level of coverage Veracode provides for each in Dynamic Analysis and DAST. An asterisk (\*) marks categories for which automated scanning is not a reliable substitute for manual testing; see the note below the table.
| Category | Description | Dynamic Analysis | DAST |
|---|---|---|---|
| API1:2023 | Broken Object Level Authorization | Partial support (fuzzing paths) | Partial support (fuzzing paths) |
| API2:2023 | Broken Authentication | Full support | Full support |
| API3:2023 | Broken Object Property Level Authorization | * | * |
| API4:2023 | Unrestricted Resource Consumption | * | * |
| API5:2023 | Broken Function Level Authorization | * | * |
| API6:2023 | Unrestricted Access to Sensitive Business Flows | * | * |
| API7:2023 | Server Side Request Forgery | Full support | Full support |
| API8:2023 | Security Misconfiguration | Full support | Full support |
| API9:2023 | Improper Inventory Management | Partial support | Partial support |
| API10:2023 | Unsafe Consumption of APIs | * | * |
\* Veracode Dynamic Analysis and DAST might provide inaccurate results for these categories. For accurate results, Veracode recommends that you test these categories with Manual Penetration Testing (MPT).