Review of checks for the OWASP API Security Top 10 2023 for CAMARA #539
Description
Problem description
The Spectral ruleset from the Stoplight API Stylebook implements checks for the OWASP API Security Top 10 2023. These rules can be used with Spectral to automatically lint OpenAPI documents for security issues.
Source: https://github.com/stoplightio/spectral-owasp-ruleset
Documentation: https://apistylebook.stoplight.io/docs/owasp-top-10-2023
Possible evolution
Review the rules and identify what needs to be changed in the CAMARA API guideline documents so that API definitions pass the checks.
Alternative solution
Use the ruleset as-is, but deactivate the rules that raise errors for CAMARA APIs that already follow the current guidelines.
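As an illustration of the alternative solution, this is an added example of a Spectral ruleset file (not part of the issue or of the CAMARA repositories) that extends the OWASP ruleset and downgrades or switches off individual rules. The `extends`, `rules` and `overrides` keys are standard Spectral ruleset syntax; the rule identifiers and the file path are placeholders to be replaced with the exact names from the ruleset documentation linked above.

```yaml
# .spectral.yaml (added example; not a CAMARA file)
# Start from the full OWASP API Security Top 10 2023 ruleset.
extends:
  - "@stoplight/spectral-owasp-ruleset"

rules:
  # Placeholder: replace with the real rule id (pattern owasp:apiN:2023-...)
  # that conflicts with a current CAMARA guideline. Keep it visible as a
  # warning rather than silently dropping it, so the gap stays documented.
  owasp:api4:2023-<rule-name>: warn

  # Placeholder: a rule deliberately deactivated because the guideline it
  # enforces is covered by CAMARA's own linting rules instead.
  owasp:api8:2023-<rule-name>: off

# Narrow a deactivation to specific API definitions instead of the whole repo,
# so the exception does not spread to APIs that could satisfy the rule.
overrides:
  - files:
      - "code/API_definitions/<api-name>.yaml"   # placeholder path
    rules:
      owasp:api2:2023-<rule-name>: off
```

With this file in place the checks run with `npx @stoplight/spectral-cli lint --ruleset .spectral.yaml <openapi-file>`; each deactivated rule should be listed with the guideline that justifies the exception so the list can be revisited when the guidelines evolve.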
Additional context
Coverage by OWASP Category
- API1:2023 - Broken Object Level Authorization: 1 rule
- API2:2023 - Broken Authentication: 7 rules
- API3:2023 - Broken Object Property Level Authorization: 4 rules
- API4:2023 - Unrestricted Resource Consumption: 8 rules
- API5:2023 - Broken Function Level Authorization: 1 rule
- API6:2023 - Unrestricted Access to Sensitive Business Flows: No automated rules (requires business logic analysis)
- API7:2023 - Server Side Request Forgery: 1 rule
- API8:2023 - Security Misconfiguration: 7 rules
- API9:2023 - Improper Inventory Management: 2 rules
- API10:2023 - Unsafe Consumption of APIs: No automated rules (requires runtime analysis)
Notes
- Not all OWASP recommendations can be checked through static analysis of OpenAPI documents.
- Some categories (API6, API10) require analysis of runtime behavior and cannot be fully automated.
- The ruleset focuses on what can be detected from the API surface as defined in the OpenAPI document.