OWASP API security – 9: Improper assets management
Blog post from Tyk
Improper asset management in API security, as outlined by OWASP, is a critical vulnerability that results from a lack of comprehensive oversight of deployed API assets: APIs that nobody tracks stagnate and become targets for exploitation. Typical examples are APIs created by former team members and left with inadequate documentation, and products integrated without clear ownership; both can leave outdated, unsecured systems exposed to attack.

To mitigate these risks, organizations should implement a robust asset management system such as a CMDB (configuration management database), assign clear ownership for every service, and track API usage so that obsolete services are updated or retired. API management systems (APIMs) play an essential role in enforcing asset deprecation and access controls, and tools like Tyk help manage API versions, keep documentation current, and integrate analytics that identify stagnant APIs so they can be addressed.

Proper asset management is vital for maintaining secure, up-to-date systems and should be integrated into the delivery workflow, with documentation updates treated as part of the definition of done.
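To show what "track API usage to find stagnant, unowned or undocumented API versions" looks like in practice, here is an added example (not code from the post or from Tyk): it parses constructed gateway access-log lines, compares the versions that receive traffic against a hypothetical inventory record, and flags each version that needs attention. The log format, the `INVENTORY` structure and the 90-day staleness threshold are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample gateway access-log lines (not from the post): timestamp, method, path, status
SAMPLE_LOG = """\
2024-05-01T10:00:00Z GET /api/v2/users 200
2024-05-02T11:30:00Z POST /api/v2/orders 201
2024-05-03T09:15:00Z GET /api/v2/users/42 200
2024-01-12T08:00:00Z GET /api/v1/users 200
2024-05-03T12:00:00Z GET /api/v3/users 200
"""
# Hypothetical inventory (a CMDB-style record): versions the team knows about and who owns them
INVENTORY = {
    "v1": {"owner": None, "documented": False},
    "v2": {"owner": "payments-team", "documented": True},
}
NOW = datetime(2024, 5, 4)  # fixed "current time" so the audit is reproducible
LINE_RE = re.compile(r"^(\S+) (\S+) /api/(v\d+)\S* (\d{3})$")
def parse_log(text):
    # Returns {version: (request_count, last_seen)} built from the access-log lines
    stats = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        count, last = stats.get(m.group(3), (0, ts))
        stats[m.group(3)] = (count + 1, max(last, ts))
    return stats
def audit(stats, inventory, now, stale_after=timedelta(days=90)):
    # Flags each version as unregistered (shadow API), stale, no-owner, undocumented or no-traffic
    findings = defaultdict(list)
    for version, (count, last_seen) in stats.items():
        if version not in inventory:
            findings[version].append("unregistered")  # traffic to something nobody inventoried
            continue
        if now - last_seen > stale_after:
            findings[version].append("stale")  # still reachable, but nobody uses it
        if inventory[version]["owner"] is None:
            findings[version].append("no-owner")
        if not inventory[version]["documented"]:
            findings[version].append("undocumented")
    for version in inventory:
        if version not in stats:
            findings[version].append("no-traffic")  # candidate for retirement
    return dict(findings)
def run_audit():
    return audit(parse_log(SAMPLE_LOG), INVENTORY, NOW)
```

Running `run_audit()` on the sample data flags `v1` as stale, ownerless and undocumented, and `v3` as an unregistered version that receives traffic but appears in no inventory.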