API attacks are skyrocketing. According to Salt Security’s State of API Security report, “overall API traffic increased 141% while malicious traffic grew 348%.” These attacks are getting past traditional security systems, turning APIs into a top application attack vector.
These findings are in line with a Cloudentity State of API Security, Privacy and Governance report that showed almost half of the respondents expressed concerns surrounding privacy, data leakage and object property exposure with internal or external-facing APIs. About the same number of respondents in the Salt Security survey also said security is their biggest worry when it comes to their API programs.
“Many organizations have had to slow or halt production releases because of API security concerns, which is often a non-starter for DevOps practices and digital transformation initiatives,” said Michael Isbitski, technical evangelist at Salt Security, in an email comment. And because most API attacks actually occur in authenticated and authorized sessions, Isbitski pointed out that even if you can get strong access control “right,” your organization’s functionality and data are still prone to abuse or exposure.
Part of the answer to these API security problems can be found in the work of the Open Web Application Security Project (OWASP).
Recognizing the Threats to APIs
To address API security, it’s necessary to first see where the security issues are. Because newer technologies are implementing API solutions, organizations are now seeing older and known security vulnerabilities—that were previously addressed in simpler web applications—being reintroduced in these APIs, Ben Pick, senior application security consultant at nVisium, explained in an email interview.
“This has resulted in one of the greatest security threats to APIs: A lack of access control. Knowing that an API exists could grant a user access to an improperly configured API or allow its functions to be abused,” Pick said. Authorization flaws are one of the biggest threats to API security, with many incidents resulting from authorization mechanisms not being implemented appropriately, or authorization not being performed at all. Also, APIs often expose too much private or sensitive data.
“Application teams will often engineer APIs to provide significant amounts of data and rely on the client application to filter data appropriately. Unfortunately, attackers regularly bypass client front ends and interface with APIs directly to view the richer data set,” said Isbitski.
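The two flaws just described, a handler that performs no object-level authorization and one that returns the full record on the assumption the front end will hide sensitive fields, are easy to see side by side. The following is an added example, not code from the article or from Salt Security or nVisium; the user store, field names, `Caller` type and handler names are constructed for illustration, and the hardened version shows the server deciding, per caller and per object, both whether the read is allowed and which fields may leave the server.

```python
from dataclasses import dataclass

# Constructed sample store standing in for a users table (hypothetical data).
USERS = {
    "u1": {"id": "u1", "email": "alice@example.com", "role": "user",
           "password_hash": "$2b$12$constructedhashvalue", "ssn": "123-45-6789",
           "support_notes": "disputed a charge in March"},
    "u2": {"id": "u2", "email": "bob@example.com", "role": "user",
           "password_hash": "$2b$12$anotherconstructedhash", "ssn": "987-65-4321",
           "support_notes": ""},
}


@dataclass(frozen=True)
class Caller:
    """Identity established by authentication; used only for authorization here."""
    user_id: str
    role: str  # "user" or "admin"


class Forbidden(Exception):
    """Raised when the caller may not read the requested object."""


# --- Vulnerable handler: GET /users/<target_id> -----------------------------
def get_user_vulnerable(caller: Caller, target_id: str) -> dict:
    """Return the whole row to any authenticated caller.

    No object-level authorization: any logged-in user can read any other
    user's record by changing the ID in the URL. Excessive data exposure:
    the password hash, SSN and internal notes are sent down on the
    assumption that the client front end will hide them.
    """
    return dict(USERS[target_id])


# --- Hardened handler ---------------------------------------------------------
# Response shapes are fixed on the server; the client never sees more.
OWNER_FIELDS = ("id", "email", "role")
ADMIN_FIELDS = ("id", "email", "role", "support_notes")
# "password_hash" and "ssn" appear in no response shape at all.


def authorize_read(caller: Caller, target_id: str) -> tuple:
    """Decide, per object and per caller, which fields may be returned.

    Returns the allow-list of fields or raises Forbidden. A missing object
    is reported the same way as a forbidden one so a caller cannot
    enumerate valid IDs from the difference between 403 and 404.
    """
    if target_id not in USERS:
        raise Forbidden(target_id)
    if caller.role == "admin":
        return ADMIN_FIELDS
    if caller.user_id == target_id:
        return OWNER_FIELDS
    raise Forbidden(target_id)


def get_user_hardened(caller: Caller, target_id: str) -> dict:
    """Object-level check first, then serialise only the allowed fields."""
    allowed = authorize_read(caller, target_id)
    record = USERS[target_id]
    return {field: record[field] for field in allowed}


def leaks_sensitive(response: dict) -> bool:
    """Does a response carry fields that should never leave the server?"""
    return any(key in response for key in ("password_hash", "ssn"))


def is_denied(caller: Caller, target_id: str) -> bool:
    """True when the hardened handler refuses the read."""
    try:
        get_user_hardened(caller, target_id)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    bob = Caller("u2", "user")
    # Bob calls the API directly and asks for Alice's record.
    print("vulnerable:", get_user_vulnerable(bob, "u1"))
    print("hardened, other user's record denied:", is_denied(bob, "u1"))
    print("hardened, own record:", get_user_hardened(bob, "u2"))
```

The point of splitting `authorize_read` from the serialisation step is that the allow-list of fields is a server-side decision tied to the caller's relationship to the object, so a caller who bypasses the front end and calls the endpoint directly gets exactly the same data the front end would have shown, and nothing else.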
What Is OWASP?
“OWASP is a collective organization of projects developed by professionals in the industry. These consist of best practices, testing methodologies and tools intended to share knowledge and improve the overall security of applications,” Pick explained.
Through the OWASP API Security Project, OWASP publishes the API Security Top 10, a list of the ten most significant security risks to APIs. It also maintains testing guides, including the OWASP Testing Guide, that teach professionals how to test an API properly; together these set out best practices and help harden APIs by showing developers and testers where an API may be vulnerable.
There’s no shortage of free, open source tooling from OWASP and other communities. “Organizations often seek free, open source options to reduce costs of their security spend, but this can result in piecemeal solutions to complex security problems,” said Isbitski.
However, tooling is often not fully baked or easily integrated, which creates an additional burden for IT teams to engineer around the disparate options and make it all work as part of a holistic, full life cycle security strategy. “Mature security programs must account for security and non-security personas and their workflow within an organization,” Isbitski added. “Unfortunately, free options are often built primarily for subject matter experts and may be unusable by other parties.”
Using OWASP for API Security
One of the biggest barriers is not acknowledging the uniqueness of API-based architectures and the custom business logic that organizations build into APIs.
“Organizations will often rely heavily on API gateways or web application firewalls to provide basic threat protection against certain patterns of injection attacks,” said Isbitski. “Similarly, organizations often emphasize authentication or authorization at the expense of other security tenets like the security of underlying code or continuous validation of authorization levels throughout a complete API call sequence to address malicious API callers.”
No security scanner, on its own, can identify the business logic flaws and misconfigurations behind the API attacks now seen so frequently. To address this, Gartner recently created a new category for API security tooling, covering the gaps that arise when platform services are secured with traditional security approaches and solutions.
What OWASP does is help raise awareness around API security challenges. OWASP first drafted its API Security Top 10 in 2019, which provides a foundation for understanding common API flaws and their relative level of risk.
“There is little repeat of issues described in the API Security Top 10 that overlap with the Application Security Top 10, reinforcing the fact that APIs must be treated uniquely and not just as a subset of applications,” said Isbitski. “We are in a new world where APIs are the thing of value that power applications and provide data,” Isbitski added. “Applications are just a front end or window into this world of APIs.”