Merge branch 'release/0.1.0'

Author: PauloASilva

.gitignore

@@ -0,0 +1,4 @@
+*.swp
+*.swo
+.~lock*
+

2019/en/dist/owasp-api-security-top-10.odt

@@ -0,0 +1,17 @@
+![OWASP LOGO](images/owasp-logo.png)
+
+## OWASP API Security Top 10 2019
+
+The Ten Most Critical API Security Risks
+
+May 29th, 2019
+
+![WASP Logo URL TBA](images/front-wasp.png)
+
+| | | |
+| - | - | - |
+| https://owasp.org | This work is licensed under a [Creative Commons Attribution-ShareAlike 4.0 International License][1] | ![Creative Commons License Logo](images/front-cc.png) |
+
+[1]: http://creativecommons.org/licenses/by-sa/4.0/
+
+

2019/en/dist/owasp-api-security-top-10.pdf

@@ -0,0 +1,14 @@
+Notice
+======
+
+This is the text version of OWASP API Security Top 10, used as source for the
+official version distributed as a Portable Document Format (PDF).
+
+Contributions to the project such as comments, corrections or translations
+should be done here. For details on [How To Contribute][1], please refer to
+[CONTRIBUTING.md][1].
+
+* Erez Yallon
+* Inon Shkedy
+
+[1]: ../../CONTRIBUTING.md

2019/en/src/0x00-header.md

@@ -0,0 +1,24 @@
+Table of Contents
+=================
+
+* [Table of Contents](0x00-toc.md)
+* [About OWASP](0x01-about-owasp.md)
+* [Foreword](0x02-foreward.md)
+* [Introduction](0x03-introduction.md)
+* [Release Notes](0x04-release-notes.md)
+* [API Security Risks](0x10-api-security-risks.md)
+* [OWASP Top 10 API Security Risks – 2019](0x11-t10.md)
+* [A1:2019 Broken Object Level Authorization](0xa1-broken-object-level-authorization.md)
+* [A2:2019 Broken Authentication](0xa2-broken-authentication.md)
+* [A3:2019 Excessive Data Exposure](0xa3-excessive-data-exposure.md)
+* [A4:2019 Lack of Resources & Rate Limiting](0xa4-lack-of-resources-and-rate-limiting.md)
+* [A5:2019 Broken Function Level Authorization](0xa5-broken-function-level-authorization.md)
+* [A6:2019 Mass Assignment](0xa6-mass-assignment.md)
+* [A7:2019 Security Misconfiguration](0xa7-security-misconfiguration.md)
+* [A8:2019 Injection](0xa8-injection.md)
+* [A9:2019 Improper Assets Management](0xa9-improper-assets-management.md)
+* [A10:2019 Insufficient Logging & Monitoring](0xaa-insufficient-logging-monitoring.md)
+* [What's Next For Developers](0xb0-next-devs.md)
+* [What's Next For DevSecOps](0xb1-next-devsecops.md)
+* [Methodology and Data](0xd0-about-data.md)
+* [Acknowledgments](0xd1-acknowledgments.md)

2019/en/src/0x00-notice.md

@@ -0,0 +1,59 @@
+About OWASP
+===========
+
+The Open Web Application Security Project (OWASP) is an open community dedicated
+to enabling organizations to develop, purchase, and maintain applications and
+APIs that can be trusted.
+
+At OWASP, you'll find free and open:
+
+* Application security tools and standards.
+* Complete books on application security testing, secure code development, and
+  secure code review.
+* Presentations and [videos][1].
+* [Cheat sheets][2] on many common topics.
+* Standard security controls and libraries.
+* [Local chapters worldwide][3].
+* Cutting edge research.
+* Extensive [conferences worldwide][4].
+* [Mailing lists][5].
+
+Learn more at: [https://www.owasp.org][6].
+
+All OWASP tools, documents, videos, presentations, and chapters are free and
+open to anyone interested in improving application security.
+
+We advocate approaching application security as a people, process, and
+technology problem, because the most effective approaches to application
+security require improvements in these areas.
+
+OWASP is a new kind of organization. Our freedom from commercial pressures
+allows us to provide unbiased, practical, and cost-effective information about
+application security.
+
+OWASP is not affiliated with any technology company, although we support the
+informed use of commercial security technology. OWASP produces many types of
+materials in a collaborative, transparent, and open way.
+
+The OWASP Foundation is the non-profit entity that ensures the project's
+long-term success. Almost everyone associated with OWASP is a volunteer,
+including the OWASP board, chapter leaders, project leaders, and project
+members. We support innovative security research with grants and infrastructure.
+
+Come join us!
+
+## Copyright and License
+
+![license](images/license.png)
+
+Copyright © 2003-2017 The OWASP Foundation. This document is released under the
+[Creative Commons Attribution Share-Alike 4.0 license][7]. For any reuse or
+distribution, you must make it clear to others the license terms of this work.
+
+[1]: https://www.youtube.com/user/OWASPGLOBAL
+[2]: https://www.owasp.org/index.php/OWASP_Cheat_Sheet_Series
+[3]: https://www.owasp.org/index.php/OWASP_Chapter
+[4]: https://www.owasp.org/index.php/Category:OWASP_AppSec_Conference
+[5]: https://lists.owasp.org/mailman/listinfo
+[6]: https://www.owasp.org
+[7]: http://creativecommons.org/licenses/by-sa/4.0/

2019/en/src/0x00-toc.md

@@ -0,0 +1,44 @@
+Foreword
+========
+
+A foundational element of innovation in today’s app-driven world is the
+Application Programming Interface (API). From banks, retail, and transportation
+to IoT, autonomous vehicles, and smart cities, APIs are a critical part of
+modern mobile, SaaS, and web applications and can be found in customer-facing,
+partner-facing, and internal applications.
+
+By nature, APIs expose application logic and sensitive data such as Personally
+Identifiable Information (PII) and because of this, APIs have increasingly
+become a target for attackers. Without secure APIs, rapid innovation would be
+impossible.
+
+Although a broader web application security risks Top 10 still makes sense, due
+to their particular nature, an API specific security risks list is required.
+API security focuses on strategies and solutions to understand and mitigate the
+unique vulnerabilities and security risks associated with APIs.
+
+If you're familiar with the [OWASP Top 10 Project][1], then you'll notice the
+similarities between both documents: they are intended for readability and
+adoption. If you're new to the OWASP Top 10 series, you may be better off
+reading the [API Security Risks][2] and [Methodology and Data][3] sections
+before jumping into the Top 10 list.
+
+You can contribute to OWASP API Security Top 10 with your questions, comments,
+and ideas at our GitHub project repository:
+
+* https://github.com/OWASP/API-Security/issues
+* https://github.com/OWASP/API-Security/blob/master/CONTRIBUTING.md
+
+You can find the OWASP API Security Top 10 here:
+
+* https://www.owasp.org/index.php/OWASP_API_Security_Project
+* https://github.com/OWASP/API-Security
+
+We wish to thank all the contributors who made this project possible with their
+effort and contributions. They are all listed in the [Acknowledgments
+section][4]. Thank you!
+
+[1]: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
+[2]: ./0x10-api-security-risks.md
+[3]: ./0xd0-about-data.md
+[4]: ./0xd1-acknowledgments.md

2019/en/src/0x01-about-owasp.md

@@ -0,0 +1,29 @@
+Introduction
+============
+
+## Welcome to the OWASP API Security Top 10 - 2019!
+
+Welcome to the first edition of the OWASP API Security Top 10. If you're
+familiar with the  OWASP Top 10 series, you'll notice the similarities: they are
+intended for readability and adoption. Otherwise, consider visiting the [OWASP
+API Security Project wiki page][1], before digging deeper into the most critical
+API security risks.
+
+APIs play a very important role in modern applications' architecture. Since
+creating security awareness and innovation have different paces, it's important
+to focus on common API security weaknesses.
+
+The primary goal of the OWASP API Security Top 10 is to educate those involved
+in API development and maintenance, for example, developers, designers,
+architects, managers, or organizations.
+
+In the [Methodology and Data][2] section, you can read more about how this first
+edition was created. In future versions, we want to involve the security
+industry, with a public call for data. For now, we encourage everyone to
+contribute with questions, comments and ideas at our [GitHub repository][3] or
+[Mailing list][4].
+
+[1]: https://www.owasp.org/index.php/OWASP_API_Security_Project
+[2]: ./0xd0-about-data.md
+[3]: https://github.com/OWASP/API-Security
+[4]: https://groups.google.com/a/owasp.org/forum/#!forum/api-security-project

2019/en/src/0x02-foreword.md

@@ -0,0 +1,25 @@
+Release Notes
+=============
+
+This is the first OWASP API Security Top 10 edition, which we plan to be updated
+periodically, every three or four years.
+
+Unlike this version, in future versions, we want to make a public call for data,
+involving the security industry in this effort. In the [Methodology and Data][1]
+section, you'll find more details about how this version was built. For more
+details about the security risks, please refer to the [API Security Risks][2]
+section.
+
+It is important to realize that over the last few years, applications'
+architecture has significantly changed. Currently, APIs play a very important
+role in this new architecture of microservices, Single Page Applications (SPAs),
+mobile apps, IoT, etc.
+
+The OWASP API Security Top 10 was a required effort to create awareness about
+modern APIs security issues. It was only possible due to a great effort of
+several volunteers, all of them listed in the [Acknowledgments][3] section.
+Thank you!
+
+[1]: ./0xd0-about-data.md
+[2]: ./0x10-api-security-risks.md
+[3]: ./0xd1-acknowledgments.md