API security: Why you should care and what you should do
It’s been a little quiet here lately. I blame Christmas etc. During the time since the last post I have done a bit of work with API security (or more the lack thereof). So in this post I write up some of the things I’ve been looking at.
Why should you care?
Keeping your APIs secure is important. Gartner predicts that by 2022 APIs will be the most frequent attack vector against enterprise web applications. Salt Security, for example, backs this up in its State of API Security 2021 report: malicious API traffic grew at three times the rate of overall API traffic between December 2020 and June 2021.
APIs are a foundational element of today’s cloud-, data- and app-driven world. They are a critical part of cloud platforms and of modern mobile, SaaS and web applications, and they can be public or internal facing. APIs expose application logic and, potentially, sensitive data, which is exactly why they have increasingly become a target for attackers. Today’s data-driven economy relies on APIs to access and share data, so securing them should be a priority not only because of laws and regulations, but also because a data breach has an enormous impact on your company’s reputation. A breach can even mean the end of the company: a report from the National Cybersecurity Alliance found that 37% of small businesses suffered financial losses and 10% went out of business because of a data breach.
Top API Security risks and vulnerabilities
Looking at the OWASP API Security Top 10 (2019 edition), the top risks and vulnerabilities are:
- API1:2019 Broken Object Level Authorization
- API2:2019 Broken User Authentication
- API3:2019 Excessive Data Exposure
- API4:2019 Lack of Resources & Rate Limiting
- API5:2019 Broken Function Level Authorization
- API6:2019 Mass Assignment
- API7:2019 Security Misconfiguration
- API8:2019 Injection
- API9:2019 Improper Assets Management
- API10:2019 Insufficient Logging & Monitoring
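Three of these risks (API1, API3 and API6) are easiest to understand side by side in code. The following is an added example written for this post, not code from OWASP or from any real application: an in-memory order store, the `Caller` identity, the order ids and the field names are all constructed for illustration. Each "vulnerable" handler is paired with a hardened one, and `demo()` runs an attacker ("mallory") and a legitimate user ("alice") against both.

```python
import copy
from dataclasses import dataclass

# Constructed in-memory order table standing in for the database behind the API.
ORDERS = {
    1001: {"id": 1001, "owner": "alice", "total": 42.0, "status": "paid",
           "card_last4": "4242", "internal_margin": 0.31},
    1002: {"id": 1002, "owner": "bob", "total": 99.0, "status": "shipped",
           "card_last4": "1111", "internal_margin": 0.12},
}

@dataclass
class Caller:
    """The authenticated identity attached to a request (assumed to come from a validated token)."""
    user: str
    roles: frozenset = frozenset()

class NotFound(Exception): ...
class Forbidden(Exception): ...

# API1:2019 Broken Object Level Authorization
def get_order_vulnerable(caller, order_id, store=ORDERS):
    """Authenticates but never authorizes: any logged-in user can read any order by id."""
    if order_id not in store:
        raise NotFound(order_id)
    return store[order_id]

def get_order_hardened(caller, order_id, store=ORDERS):
    """Authorizes access to this specific object, not just to the endpoint."""
    order = store.get(order_id)
    allowed = order is not None and (order["owner"] == caller.user or "support" in caller.roles)
    # Same 404 for "missing" and "not yours", so valid ids cannot be enumerated.
    if not allowed:
        raise NotFound(order_id)
    return order

# API3:2019 Excessive Data Exposure
PUBLIC_ORDER_FIELDS = ("id", "owner", "total", "status")

def serialize_order(order):
    """Allow-list the response fields instead of dumping the whole record."""
    return {k: order[k] for k in PUBLIC_ORDER_FIELDS}

# API6:2019 Mass Assignment
CLIENT_WRITABLE_FIELDS = frozenset({"status"})  # the only field the API contract lets clients set

def update_order_vulnerable(caller, order_id, body, store=ORDERS):
    """Binds every key of the JSON body to the record, including keys the client must never set."""
    order = get_order_hardened(caller, order_id, store)
    order.update(body)
    return serialize_order(order)

def update_order_hardened(caller, order_id, body, store=ORDERS):
    """Rejects (rather than silently drops) keys outside the documented contract."""
    order = get_order_hardened(caller, order_id, store)
    unknown = set(body) - CLIENT_WRITABLE_FIELDS
    if unknown:
        raise Forbidden(sorted(unknown))
    order.update(body)
    return serialize_order(order)

def attempt(handler, *args):
    """Run a handler and report the outcome the way an HTTP status code would."""
    try:
        return "200", handler(*args)
    except NotFound:
        return "404", None
    except Forbidden:
        return "403", None

def demo():
    """Walk through the three issues on a private copy of the store."""
    store = copy.deepcopy(ORDERS)
    alice, mallory = Caller("alice"), Caller("mallory")
    out = {}
    # API1: mallory reads alice's order through the vulnerable handler only.
    out["bola_vulnerable"] = attempt(get_order_vulnerable, mallory, 1001, store)[0]
    out["bola_hardened"] = attempt(get_order_hardened, mallory, 1001, store)[0]
    # API3: the serializer strips card_last4 and internal_margin from the response.
    out["exposed_fields"] = sorted(serialize_order(store[1001]))
    # API6: alice tries to hand her own order to mallory by smuggling an extra JSON key.
    hostile_body = {"status": "refunded", "owner": "mallory"}
    out["mass_assign_hardened"] = attempt(update_order_hardened, alice, 1001, hostile_body, store)[0]
    out["owner_after_hardened"] = store[1001]["owner"]
    attempt(update_order_vulnerable, alice, 1001, hostile_body, store)
    out["owner_after_vulnerable"] = store[1001]["owner"]
    return out

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two design points worth noting: the hardened reader answers 404 for both "does not exist" and "not yours", so an attacker iterating ids learns nothing, and the hardened writer fails loudly on unexpected keys rather than ignoring them, which makes a mass-assignment probe show up in the logs (API10) instead of being silently absorbed.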
These roughly correspond to the security problems that respondents to the State of API Security report say they have experienced:
How to mitigate API security risks and vulnerabilities
API security as a discipline covers the strategies and controls for understanding and mitigating the vulnerabilities and risks that are specific to APIs.
Looking at how respondents to the State of API Security report say API attacks or attackers are identified gives some insight into the strategies and solutions in use:
One of the best resources I have found on security guidelines for both providing and consuming APIs is the Cloud Security Alliance’s “Security Guidelines for Providing and Consuming APIs”. It gives guidance on designing ingress API connectivity, walking through the phases of design, development, testing, implementation, and logging and monitoring. Among the things listed in the guidance are:
- Use best practice for service authentication (OpenID Connect, OAuth 2.0)
- Least privilege (scope each token and service account to the minimum the client actually needs)
- Decouple authorization from the service (enforce policy in a gateway or policy layer rather than re-implementing it in every handler)
- Request rate limiting
- Safe package usage (supply chain security - think Log4j)
- Use encrypted communication (TLS/HTTPS)
- Use an API Gateway
- Protect the API Gateway with a WAF
- Denial of Service mitigation
- Do proper logging, so you can both monitor usage and detect misuse.
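Several of these items (least privilege, decoupled authorization, request rate limiting and logging) can be shown working together in a small front end that sits in front of the handlers, the way a gateway would. The following is an added example written for this post; it is not code from the CSA guidance or from any gateway product. The client ids, scope names, routes, bucket sizes and the `FakeClock` are assumptions made so the run is deterministic, and authentication (validating the access token and extracting `client_id` and `scopes`) is assumed to have happened upstream.

```python
import json
import time
from dataclasses import dataclass

class TokenBucket:
    """Allows a burst of `capacity` requests, then refills at `rate` tokens per second."""
    def __init__(self, capacity, rate, now):
        self.capacity, self.rate = capacity, rate
        self.tokens, self.updated = float(capacity), now

    def allow(self, now):
        # Refill in proportion to elapsed time, never beyond capacity, then spend one token.
        self.tokens = min(self.capacity, self.tokens + (now - self.updated) * self.rate)
        self.updated = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

class RateLimiter:
    """One bucket per client identity, keyed on the token's client id rather than the source IP."""
    def __init__(self, capacity=5, rate=1.0):
        self.capacity, self.rate, self.buckets = capacity, rate, {}

    def allow(self, client_id, now):
        bucket = self.buckets.get(client_id)
        if bucket is None:
            bucket = self.buckets[client_id] = TokenBucket(self.capacity, self.rate, now)
        return bucket.allow(now)

# Policy lives here, not in the handlers: each route names the scope a token must carry.
# Issuing each client only the scopes it needs is the least-privilege half of the picture.
REQUIRED_SCOPE = {
    ("GET", "/orders"): "orders:read",
    ("POST", "/orders"): "orders:write",
    ("DELETE", "/orders"): "orders:admin",
}

@dataclass(frozen=True)
class Request:
    client_id: str       # assumed to come from a validated OAuth 2.0 access token
    scopes: frozenset
    method: str
    path: str

def orders_handler(req):
    """Business logic only; it never re-implements authorization."""
    return {"ok": True, "client": req.client_id, "action": req.method}

HANDLERS = {"/orders": orders_handler}

class Gateway:
    def __init__(self, limiter, clock=time.time):
        self.limiter, self.clock, self.log = limiter, clock, []

    def _log(self, req, now, status, reason):
        # One structured line per request; denials carry a machine-readable reason for detection.
        self.log.append(json.dumps({"ts": round(now, 3), "client": req.client_id,
                                    "method": req.method, "path": req.path,
                                    "status": status, "reason": reason}))

    def dispatch(self, req):
        now = self.clock()
        if not self.limiter.allow(req.client_id, now):
            self._log(req, now, 429, "rate_limited")
            return 429, {"error": "too many requests"}
        needed = REQUIRED_SCOPE.get((req.method, req.path))
        if needed is None:
            self._log(req, now, 404, "unknown_route")
            return 404, {"error": "not found"}
        if needed not in req.scopes:
            self._log(req, now, 403, "missing_scope:" + needed)
            return 403, {"error": "forbidden"}
        body = HANDLERS[req.path](req)
        self._log(req, now, 200, "ok")
        return 200, body

class FakeClock:
    """Deterministic clock so the burst and the refill can be reproduced exactly."""
    def __init__(self): self.now = 0.0
    def __call__(self): return self.now

def simulate():
    clock = FakeClock()
    gw = Gateway(RateLimiter(capacity=5, rate=1.0), clock)
    reader = frozenset({"orders:read"})
    # A burst of 7 reads from one client at t=0: the 6th and 7th are shed.
    burst = [gw.dispatch(Request("mobile-app", reader, "GET", "/orders"))[0] for _ in range(7)]
    clock.now = 3.0  # three tokens have refilled at 1/s
    after_refill = gw.dispatch(Request("mobile-app", reader, "GET", "/orders"))[0]
    # A read-only client attempting an admin action is refused by policy, not by the handler.
    forbidden = gw.dispatch(Request("mobile-app", reader, "DELETE", "/orders"))[0]
    # A different client has its own bucket and is unaffected by the first client's burst.
    other = gw.dispatch(Request("partner-batch", reader, "GET", "/orders"))[0]
    denials = [json.loads(line)["reason"] for line in gw.log if json.loads(line)["status"] != 200]
    return {"burst": burst, "after_refill": after_refill, "forbidden": forbidden,
            "other_client": other, "denials": denials}

if __name__ == "__main__":
    print(json.dumps(simulate(), indent=2))
```

The limiter runs before the authorization check so that a client hammering an endpoint it is not allowed to use still costs you one cheap bucket lookup per request rather than a policy evaluation each time, and every denial ends up in the log with a reason (`rate_limited`, `missing_scope:...`) that a monitoring rule can alert on directly.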
There is also corresponding guidance on how best to consume APIs, covering the same phases.
Following the guidance from CSA (or other good guidance) is highly recommended. API security is not necessarily very difficult, but there is a lot to think about. Much of this thinking has already been done by CSA and others, and we should all take advantage of it!