OWASP this month released a top ten list focused on application programming interfaces (APIs). The list summarizes the new vectors that attackers use today to breach APIs, and is intended to serve as an awareness document to highlight the security risks in API-based apps, according to both Inon Shkedy and Erez Yalon, leaders of the API Security Project for OWASP.
An API is a software interface, an intermediary that allows two applications to talk to each other. In an increasingly interconnected enterprise, security around APIs has become critical as more businesses use them to connect services and transfer data to support the delivery of new products and services. Shkedy said the majority of enterprises consider APIs to be vital to digital transformation, but also find API security to be one of their top challenges. The list tries to fill the gap between traditional application security and modern attack vectors. While traditional vulnerabilities such as SQLi, CSRF and XSS are becoming less common in APIs, modern technologies rely on APIs increasingly and deeply.
“Alongside the vulnerabilities that are becoming less common, we see a rise in threats that are either specific to APIs or present a bigger risk,” added Yalon. “A lot of developers are still not aware of those, and the API Security Top 10 list looks to change that.”
Indeed, many high-profile breaches in recent years have been related to third-party API infrastructure vulnerabilities. Last year, Facebook made news when it was found that a third-party app exposed more than a million records of Facebook user data. And while information loss is often the focus of API-related incidents, vulnerabilities also can mean opportunity for attackers to take over systems. Last month, Cisco Systems patched four critical vulnerabilities that could have allowed an attacker to control several elements in their big data packages.
“The list will also help to prioritize and address new and old attack vectors and the way they affect APIs. CISOs can get a better understanding of how and where to invest resources to improve their API security,” said Shkedy.
“First and foremost is awareness,” added Yalon. “You cannot mitigate or avoid risks that you are not aware of. This list, and the full documentation that accompanies it, should be used for education. At a later stage, it will ideally serve as the basis of good practices and correct ‘API housekeeping.’”