In a recent LinkedIn post, StackHawk draws attention to Broken Function Level Authorization (BFLA), listed as #5 on the OWASP API Top 10. The post describes a common gap: the user interface hides administrative actions such as delete buttons from non-admin users, but the backend API still accepts those calls because it checks only that the caller is authenticated, not whether the caller's role is allowed to perform the action. A user who discovers an endpoint such as DELETE /api/workspaces/123 can then invoke it with an ordinary valid token, since hiding a control in the client is not an access control; the check has to be enforced server-side for each HTTP method and endpoint.
The post stresses that this issue is distinct from object-level data-access violations, where a user reaches records that belong to someone else. BFLA concerns actions that the user's current role should not be allowed to perform at all, such as a content moderator deleting accounts or a read-only user performing write operations. It also notes that many security tools miss these flaws because the requests are well-formed and carry valid authentication, so nothing about an individual request looks suspicious. StackHawk positions its platform as a way to systematically test what each role can execute across endpoints and HTTP methods, and it promotes a guide on preventing and identifying BFLA risks.
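To make the gap described above concrete, here is an added example (not code from StackHawk's post or platform) of a minimal in-memory API with a BFLA-vulnerable handler beside a hardened one, plus the kind of role-by-method sweep the post describes. The tokens, roles, permission table and the /api/workspaces/{id} route are constructed for illustration.

```python
"""Constructed example: BFLA-vulnerable vs. hardened handler for DELETE /api/workspaces/{id},
plus a role x HTTP-method sweep that surfaces the authorization gap."""

# Constructed sample sessions: bearer token -> authenticated identity and role (hypothetical).
SESSIONS = {
    "tok-admin": {"user": "alice", "role": "admin"},
    "tok-moderator": {"user": "bob", "role": "moderator"},
    "tok-viewer": {"user": "carol", "role": "viewer"},
}

# Server-side permission matrix: which roles may call which (method, route template).
# This lives on the server; the UI hiding a button is never consulted.
PERMISSIONS = {
    ("GET", "/api/workspaces/{id}"): {"admin", "moderator", "viewer"},
    ("PATCH", "/api/workspaces/{id}"): {"admin", "moderator"},
    ("DELETE", "/api/workspaces/{id}"): {"admin"},
}


def authenticate(token):
    """Authentication only: return the session for a valid token, else None."""
    return SESSIONS.get(token)


def route(path):
    """Map a concrete path to its route template and resource id.
    /api/workspaces/123 -> ("/api/workspaces/{id}", 123); anything else -> (None, None)."""
    parts = path.strip("/").split("/")
    if len(parts) == 3 and parts[:2] == ["api", "workspaces"] and parts[2].isdigit():
        return "/api/workspaces/{id}", int(parts[2])
    return None, None


def apply(method, ws_id, workspaces):
    """Perform the state change for a request that has already been authorized."""
    if method == "DELETE":
        del workspaces[ws_id]
    elif method == "PATCH":
        workspaces[ws_id]["name"] = "renamed"
    return 200


def handle_vulnerable(method, path, token, workspaces):
    """BFLA-vulnerable: a valid token is enough; the role is never compared to the action."""
    session = authenticate(token)
    if session is None:
        return 401
    template, ws_id = route(path)
    if template is None or ws_id not in workspaces:
        return 404
    return apply(method, ws_id, workspaces)  # any authenticated role may DELETE


def handle_hardened(method, path, token, workspaces):
    """Hardened: authenticate, then authorize (method, route) against the caller's role,
    deny-by-default for any pair missing from PERMISSIONS, before touching the resource."""
    session = authenticate(token)
    if session is None:
        return 401
    template, ws_id = route(path)
    if template is None:
        return 404
    if session["role"] not in PERMISSIONS.get((method, template), set()):
        return 403  # authorization failure is decided before the resource is looked up
    if ws_id not in workspaces:
        return 404
    return apply(method, ws_id, workspaces)


def sweep(handler):
    """Call every method on the same endpoint as every role, the way a BFLA test would.
    Fresh state per call so one DELETE cannot mask the next result. Returns {(role, method): status}."""
    results = {}
    for token, session in SESSIONS.items():
        for method in ("GET", "PATCH", "DELETE"):
            workspaces = {123: {"name": "finance"}}
            results[(session["role"], method)] = handler(method, "/api/workspaces/123", token, workspaces)
    return results


def find_bfla(handler):
    """Return sorted (role, method) pairs that returned 200 although PERMISSIONS forbids them."""
    return sorted(
        (role, method)
        for (role, method), status in sweep(handler).items()
        if status == 200 and role not in PERMISSIONS[(method, "/api/workspaces/{id}")]
    )


if __name__ == "__main__":
    print("vulnerable:", find_bfla(handle_vulnerable))  # three forbidden pairs succeed
    print("hardened:  ", find_bfla(handle_hardened))    # []
```

The sweep is the practical point: a single request from a viewer looks exactly like one from an admin, so the flaw only shows up when the same endpoint and method are replayed under each role and the responses are compared against the permission matrix the server is supposed to enforce.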
For investors, the emphasis on BFLA underscores StackHawk’s focus on advanced API security use cases that go beyond basic authentication checks, potentially enhancing the perceived value of its application security testing offering. As API-driven architectures continue to proliferate, demand for tools that can detect nuanced authorization flaws may support product adoption and differentiation within the competitive application security market. If StackHawk’s tooling proves effective at identifying BFLA and similar logic-layer issues, it could strengthen the company’s positioning among DevSecOps and security engineering teams, with potential implications for growth and pricing power over time.

