It’s out. The annual Verizon Data Breach Incident Report. 115 pages. Thousands and thousands of words. Eye-popping graphics. Zero mentions of API. No mentions of the term Application Programming Interface. One mention of the word programming, deep within an industry-specific section. Why is there no discussion of APIs as an Incident Classification alongside web application attacks? My speculative answer – APIs are plumbing. When you have a leak, your immediate concern is the damage and how to mitigate it. The “broken pipe” is not necessarily top of mind.
Using the Incident Classifications from the report and the OWASP API Security Top 10, here are some thoughts on how APIs may have been a factor behind the scenes, along with recommendations on how to address the security risk. Note that three Incident Classifications (social engineering, lost and stolen assets, everything else) were left out of the conversation as they have little to no direct connection to APIs.
| VBIR Incident Classification | Potential Risk to Your APIs | API Security Recommendations |
|---|---|---|
| Basic Web Application Attacks: Attacks with a small number of steps/additional actions after the initial web application compromise. | Today’s modern web apps are usually supported by APIs that connect forms and microservices directly to application servers, databases or other microservices. Attackers can exploit insecurely built public-facing APIs to exfiltrate the data behind them without having to break into servers or the corporate network, so any one of the OWASP API Security Top 10 threats could have been the root cause of such incidents or breaches. | Monitor and protect your public-facing APIs as well as the servers, networks and kiosks mentioned in the report. |
| System Intrusion: Complex attacks that leverage malware and/or hacking to achieve their objectives, including deploying ransomware. | As with basic web application attacks, there are many possible API-related avenues for threat actors to reach network resources. The most commonly found are authentication and authorization errors (OWASP API Security Top 10 2019 #1 and #2: Broken Object Level Authorization and Broken User Authentication). | From an API perspective, system intrusion and privilege misuse go hand in hand. To protect your APIs from both risks, start by making sure all parties fully understand the API authentication and authorization workflow. |
| Privilege Misuse: Incidents predominantly driven by unapproved or malicious use of legitimate privileges. | The most common avenue to gaining elevated privileges is poorly implemented authentication and authorization, as highlighted by their #1 and #2 placement in the OWASP API Security Top 10 list. | Same as System Intrusion above. |
| Denial of Service: Attacks intended to compromise the availability of networks and systems. Includes both network and application-layer attacks. | The dark side of APIs is the ease with which they can be attacked at scale. Without backend resource and rate limiting (#8 on the OWASP list), an API can easily be targeted for a DoS/DDoS attack. | During the design phase, development, business groups and security should document and look for ways to enforce: (1) rate limits for API calls and client notifications (e.g., resets, lockout); (2) resource consumption limits and server-side validation of response size (e.g., number of records); (3) backend controls that act as an added line of defense during high-volume spikes or large-scale attacks. |
| Miscellaneous Errors: Incidents where unintentional actions directly compromised a security attribute of an information asset. This does not include lost devices, which are grouped with theft instead. | Outside of the authentication and authorization errors discussed above, the most applicable entry on the OWASP API Security Top 10 list is #7, Security Misconfiguration. | Group collaboration should document and enforce the following: |
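The authentication and authorization failures named in the System Intrusion and Privilege Misuse rows are easiest to see in code. What follows is an added example written for this post, not code from Cequence or from the Verizon report: a minimal order-lookup handler in its broken-object-level-authorization form beside a hardened form that first resolves the bearer token to a user and then checks that the user owns the requested object. The order store, the session-token table and the `Authorization` header shape are all constructed for illustration.

```python
"""Object-level authorization in an API handler: vulnerable vs. hardened.

Added example, not code from the Cequence post or the Verizon report.
The order store, session tokens and request shape are constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: which user owns which order, and which bearer
# tokens map to which authenticated user.
ORDERS = {
    1001: {"owner": "alice", "total": 42.50},
    1002: {"owner": "bob", "total": 17.00},
}
SESSIONS = {
    "tok-alice-9f3": "alice",
    "tok-bob-27c": "bob",
}


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


def authenticate(headers: dict) -> Optional[str]:
    """Resolve 'Authorization: Bearer <token>' to a user id.

    Returns None when the header is missing, malformed or the token is
    unknown (the Broken User Authentication case).
    """
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        return None
    return SESSIONS.get(token)


def get_order_vulnerable(order_id: int, headers: dict) -> Response:
    """Broken Object Level Authorization: the handler trusts the id in the
    URL and never asks who is calling, so any order is readable by anyone
    who can enumerate ids."""
    order = ORDERS.get(order_id)
    if order is None:
        return Response(404)
    return Response(200, order)


def get_order_hardened(order_id: int, headers: dict) -> Response:
    """Authenticate first, then enforce ownership of the object.

    An order that exists but belongs to someone else returns the same 404
    as a non-existent order, so the endpoint does not confirm which ids
    are valid.
    """
    user = authenticate(headers)
    if user is None:
        return Response(401)
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != user:
        return Response(404)
    return Response(200, order)
```

The ownership check belongs in the handler (or a shared authorization layer it calls), not in the client or the URL scheme; the vulnerable version is what a handler looks like when that step is assumed to happen somewhere else.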
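For the Denial of Service row, the rate limits and server-side response-size validation recommended above can be shown in one place. This is an added example, not code from Cequence or from the Verizon report: a per-client token bucket sits in front of a list endpoint, and the client-supplied `limit` is validated and clamped to a hard cap before any records are read. The limits, client ids and record store are constructed values, and `ManualClock` exists only so the behaviour can be demonstrated deterministically.

```python
"""Rate limiting and response-size caps for a list endpoint.

Added example, not code from the Cequence post or the Verizon report.
Limits, client ids and the record store are constructed for illustration.
"""
import time
from typing import Callable, Dict, Optional

MAX_PAGE_SIZE = 100        # hard cap on records per response (constructed)
DEFAULT_PAGE_SIZE = 20     # used when the client sends no limit
BURST = 5                  # requests a client may make back-to-back
REFILL_PER_SEC = 1.0       # sustained rate once the burst is spent

# Constructed sample data: 250 records a client might try to pull at once.
RECORDS = [{"id": i, "name": f"record-{i}"} for i in range(250)]


class ManualClock:
    """Deterministic clock for demos and tests; production uses time.monotonic."""

    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t


class TokenBucket:
    """Allows a burst of `capacity` requests, then `refill_per_sec` sustained."""

    def __init__(self, capacity: int, refill_per_sec: float, now: float):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.tokens = float(capacity)
        self.last = now

    def try_consume(self, now: float) -> bool:
        elapsed = max(0.0, now - self.last)
        self.tokens = min(float(self.capacity),
                          self.tokens + elapsed * self.refill_per_sec)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class RateLimiter:
    """One bucket per client key (API key, account id or source IP)."""

    def __init__(self, capacity: int = BURST, refill_per_sec: float = REFILL_PER_SEC,
                 clock: Callable[[], float] = time.monotonic):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.clock = clock
        self.buckets: Dict[str, TokenBucket] = {}

    def allow(self, client_id: str) -> bool:
        now = self.clock()
        bucket = self.buckets.get(client_id)
        if bucket is None:
            bucket = TokenBucket(self.capacity, self.refill_per_sec, now)
            self.buckets[client_id] = bucket
        return bucket.try_consume(now)


def parse_page_size(raw: Optional[str]) -> Optional[int]:
    """Server-side validation of the client's limit.

    None means unusable input (reject with 400). Anything above
    MAX_PAGE_SIZE is clamped rather than honoured, so a single request
    can never ask the backend for the whole table.
    """
    if raw is None:
        return DEFAULT_PAGE_SIZE
    try:
        requested = int(raw)
    except ValueError:
        return None
    if requested < 1:
        return None
    return min(requested, MAX_PAGE_SIZE)


def list_records(limiter: RateLimiter, client_id: str, query: dict) -> dict:
    """GET /records handler: rate limit first, validate paging, then serve."""
    if not limiter.allow(client_id):
        # Tell the client when to retry instead of silently dropping the call.
        return {"status": 429, "headers": {"Retry-After": "1"}, "body": None}
    limit = parse_page_size(query.get("limit"))
    if limit is None:
        return {"status": 400, "headers": {}, "body": {"error": "invalid limit"}}
    try:
        offset = max(0, int(query.get("offset", "0")))
    except ValueError:
        return {"status": 400, "headers": {}, "body": {"error": "invalid offset"}}
    page = RECORDS[offset:offset + limit]
    return {"status": 200, "headers": {}, "body": {"records": page, "count": len(page)}}
```

The order of checks matters: the rate limit is evaluated before any parsing or data access, so a flood of malformed or oversized requests costs the backend nothing beyond the bucket lookup. Keying the bucket on an authenticated client id rather than only on source IP keeps one noisy tenant from consuming a shared allowance.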
Improving your API security posture is best done using a combination of documented best practices and technology to monitor and enforce policies. The OWASP API Security Top 10 list is a great place to start and you can see how Cequence Security can help enforce your best practices with comprehensive runtime API security. Check out the webinar, Demystifying the OWASP API Security Top 10, where we took a threat actor (Jason Kent, our Hacker in Residence) vs. protector (Subbu Iyer, VP of Products) approach of defining each of the attacks on the list, discussing the ways threat actors will use the security weakness, prevention tips, and how the Cequence Application Security Platform can augment your API coding best practices.