
docs(api9): add missing references to align with other Top 10 entries #152

Open
venkatapgummadi wants to merge 2 commits into OWASP:master from venkatapgummadi:docs/api9-references-expansion

Conversation

@venkatapgummadi

Summary

Adds two missing references to the API9 (Improper Inventory Management) section to align with the reference patterns used by other Top 10 entries.

Motivation

A reader scanning the References sections across the 2023 edition will notice that API9 has only one reference (CWE-1059: Incomplete Documentation), while most other entries cite multiple OWASP cheat sheets and external sources. In particular:

  • API4 (Unrestricted Resource Consumption) cites NIST SP 800-204 and three OWASP cheat sheets.
  • API7 (SSRF) cites the URL Validation Bypass Cheat Sheet and four CWEs.
  • API8 (Security Misconfiguration) cites six external references.
  • API9 (current) cites only CWE-1059.

This PR adds two references that are clearly applicable to API9 and that are already used by the project elsewhere:

  1. OWASP REST Security Cheat Sheet — has explicit subsections on API versioning and access management that map directly to API9's "data flow blindspot" and "documentation blindspot" definitions.
  2. NIST SP 800-204 (Security Strategies for Microservices-based Application Systems) — already cited by API4 in this same edition. SP 800-204 has substantive content on microservice inventory, versioning, and lifecycle that's directly relevant to API9.

Changes

Single file: editions/2023/en/0xa9-improper-inventory-management.md — the References section gets a new "OWASP" subsection with one entry, and a second entry added to the existing "External" subsection. Reference link definitions at the bottom of the file are renumbered accordingly.

Out of scope

  • Content rewrites of API9 — none.
  • Adding references to other Top 10 entries — would be a separate PR if useful.
  • Adding additional CWEs to API9 (e.g., CWE-1188) — judgment call; happy to follow up if maintainers think it's appropriate.

Per CONTRIBUTING.md

CONTRIBUTING.md notes that "Fixing typos or rephrasing for better understanding DO NOT require discussion." This PR is in that spirit — closing a documented asymmetry without changing any narrative content. If maintainers prefer this go through an issue first, happy to convert; please advise.

PauloASilva and others added 2 commits December 31, 2024 12:02
v2.7.0

* OWASP API Security Top 10 2023 Português (Portugal) translation added
Signed-off-by: Venkata Pavan Kumar Gummadi <venkata.p.gummadi@ieee.org>