OWASP API Security and the OWASP API Top Ten
During a recent API Security conversation with a customer, I asked if they had seen the OWASP API Security Top 10 list. They had not heard about it yet, a response that is consistent with other customers as well as from industry analysts including Gartner, Forrester and the Aite Group. Like the preceding Web App Security Top 10 list, the OWASP API Security Top 10 is a great addition to your API programs and initiatives, acting as a set of guidelines for both security and development teams alike.
API Security and API Protection Has Become a Top Priority
APIs have long been the vehicle of choice for automated bots – it’s far easier to target the API for a shopping cart, a login or registration endpoint than it is to script a web form fill. However, a long list of API security incidents in 2020 shows that APIs are increasingly targeted for data theft due to security gaps like weak authentication or verbose error messages. Clearly, the explosive use of APIs has exposed security gaps within both the development and security teams, as highlighted in our API Security Risks webinar with the Aite Group.
Demystifying the OWASP API Top 10
Improving your API security posture to protect your APIs, data, and applications is best done using a combination of documented best practices and technology to monitor and enforce policies. To that end, we recently held an educational webinar, Demystifying the OWASP API Security Top 10, where we took a threat actor (Jason Kent, our Hacker in Residence) vs. protector (Subbu Iyer, VP of Products) approach of defining each of the attacks on the list, discussing the ways threat actors will use the security weakness, prevention tips, and how the Cequence Unified API Protection solution can augment your API coding best practices. You can see the webinar here, and a summary is shown in the table below.
OWASP API Security Top 10 | Laymen’s Description | Prevention Tips | How Cequence Can Help |
---|---|---|---|
API1:2019 Broken object level authorization | Insufficient validation of an object access request allows an attacker to perform an unauthorized action by reusing an access token. |
|
|
API2:2019 Broken user authentication | Poorly implemented user authentication allows attackers to impersonate legitimate users by exploiting implementation flaws in authentication mechanisms. |
|
|
API3:2019 Excessive data exposure | A published API might expose more data than necessary, relying on the client app to perform the necessary filtering. |
|
|
API4:2019 Lack of resources & rate limiting | By not implementing rate limiting policies, attackers can overwhelm the backend with denial-of-service attacks. | API definition and test plans should include:
|
|
API5:2019 Broken function level authorization | This threat is a variation on API1 and is also an authorization vulnerability. With this threat, an attacker is able to perform actions by sending requests to functions they are unauthorized to access. | Define, document and implement a strong and consistent access control/authorization mechanism that defaults to positive security model – deny all, except those you want to allow. |
|
API6:2019 Mass assignment | Unfiltered data provided via APIs to client apps allows attackers to guess object properties via requests. |
|
|
API7:2019 Security misconfiguration | Commonly a result of insecure default configurations, incomplete or ad-hoc configurations, misconfigured HTTP headers, unnecessary HTTP methods, permissive Cross-Origin resource sharing (CORS), and verbose error messages containing sensitive information. |
|
|
API8:2019 Injection | Untrusted injection of data, such as SQL, NoSQL, XML Parsers, ORM, LDAP, OS Commands, and JavaScript, into API requests can result in the execution of unintended commands or unauthorized data access. |
|
|
API9:2019 Improper assets management | Insufficient environment management and environment segregation allows attackers to access under-secured API endpoints. |
|
|
API10:2019 Insufficient logging & monitoring | Insufficient logging, monitoring, and alerts allows attacks in progress to go undetected. |
|
|
Items shown in Italics* = Roadmap
Never miss an update!
By clicking Subscribe, I agree to the use of my personal data in accordance with Cequence Security Privacy Policy. Cequence Security will not sell, trade, lease, or rent your personal data to third parties.