Earlier this month, the Open Web Application Security Project (OWASP) published a release candidate for its well-known Top 10 list of the most critical web application vulnerabilities. In this first update since 2013, some vulnerabilities have been combined or dropped, making way for new entrants including under-protected Application Programming Interfaces (APIs). This update is notable not only because the OWASP Top 10 is an important reference for many cybersecurity compliance and regulatory standards, but also because it highlights how the threat landscape for web-based applications and technologies has shifted over the last few years. While API security is not new, responsibility for it has largely been left to the software teams developing the APIs. Awareness of and concern for web API security is now increasing among CISOs in the broader enterprise security market.

From SaaS to social media, APIs provide the connective tissue between systems and services in our interconnected world of mobile, cloud, and IoT applications. APIs are software programming methods, protocols, and tools that enable communication between software components. APIs have long existed for computer hardware and software, including operating systems and databases, but are perhaps more commonly associated with mobile applications and web-based systems in today’s cloud-connected world. Enterprises are now connecting disparate and non-traditional IT systems (e.g. life/safety, physical access control) through web APIs and enterprise service bus platforms to enable better and more efficient business outcomes.

Web APIs use the same underlying technology as browser-based applications, so many of the security concerns enterprises already know from browser-based applications apply to them as well. An under-protected web API can serve as an efficient way for an attacker to exfiltrate data, because malicious programmatic requests are much faster to execute than browser-driven methods. Web APIs that are critical to business operations may be specifically targeted by data-integrity or DDoS attacks that disrupt those operations. Some APIs include file transfer capabilities that can become a vector for introducing malware to a network. And because web APIs are not confined to web browsers, the attack surface is varied and may go undetected if organizations are not adequately monitoring web API activity across the enterprise. So what can CISOs do to shore up defenses for the web APIs in their environment?

  1. Asset Management – As with other areas of cybersecurity, you need to know what assets (APIs) exist in your organization and understand their function and security capabilities. This is no small task, since web APIs exist for both hardware and software, including on-premises and cloud-hosted software applications (especially the unsanctioned SaaS applications of Shadow IT). And you cannot look only at traditional enterprise IT assets – badge systems, embedded ICS controllers, and IoT devices use APIs to function or to integrate with other systems. Aside from reviewing the API documentation of sanctioned systems, an application-aware firewall or cloud access security broker (CASB) can help identify previously unknown APIs and the software application, unmanaged IoT device, etc. behind them.
  2. Secure communication – Properly implemented TLS encryption between API endpoints provides confidentiality and integrity for data in transit, preventing sniffing or manipulation by man-in-the-middle attacks. If you want to inspect API traffic, TLS will require decryption/re-encryption capabilities similar to what you may already use for a web proxy. Also remember that sensitive data (e.g. credit card numbers) must still be stored securely after it has been transmitted over a web API.
  3. Strong authentication and authorization schemes – CISOs will need to work closely with API developers or vendors to understand which authentication and authorization schemes are supported. Authentication validates the identity of the application or service requesting access to the API; use strong authentication, such as API tokens, instead of basic authentication (i.e. usernames and passwords in the HTTP Authorization header). An authorization framework such as the token-based OAuth 2.0 standard can limit each application or service to only a subset of API methods and data.
  4. Segmentation – Limit access to your APIs to known and trusted endpoints using an API gateway or firewall network segmentation. These options are not always operationally feasible and can introduce availability or scalability concerns in certain scenarios or topologies. However, these control points can serve as a mitigation for legacy APIs in your environment that do not support strong encryption, authentication, or authorization schemes.
  5. Attack Detection and Prevention – Implement protections that detect and block API attacks. CASBs, web application firewalls (WAFs), and application-aware firewalls can help detect and prevent API-based attacks. However, because each web API can have its own syntax, data structures, set of methods, etc., these tools are only so effective without specific understanding of the APIs in your environment. For example, CASBs may include specific logic for the APIs of leading SaaS applications and can be effective at identifying malicious activity or data exfiltration for those applications. WAFs may protect against certain common web-based attacks launched against APIs, such as code injection or malformed requests, using WAF protection rules or API rate limiting. Anti-malware systems can detect malware in files embedded in an API call.
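The inventory step in item 1 can be partly automated from the logs an application-aware firewall or CASB already produces. The following is an added example (not code from the original post, and not a product feature) that replays constructed proxy log lines against a hypothetical inventory of sanctioned API hosts and documented path prefixes, and flags hosts that are not in the inventory, endpoints that are not documented for a known host, and APIs spoken over cleartext HTTP. The hostnames, paths, and log format are all assumptions for the demonstration.

```python
import re
from urllib.parse import urlsplit

# Constructed inventory of sanctioned APIs: host -> documented path prefixes.
SANCTIONED_APIS = {
    "api.crm.example.com": {"/v2/contacts", "/v2/accounts"},
    "hr.example.com": {"/api/employees"},
}

# Constructed proxy log lines (not real traffic): timestamp client method url status
SAMPLE_LOG = """\
2017-04-20T10:01:02Z 10.0.4.15 GET https://api.crm.example.com/v2/contacts?page=1 200
2017-04-20T10:01:05Z 10.0.4.15 POST https://api.crm.example.com/v2/accounts 201
2017-04-20T10:02:11Z 10.0.9.3 GET https://hr.example.com/api/employees/42 200
2017-04-20T10:02:40Z 10.0.9.3 PUT https://api.crm.example.com/v3/export 200
2017-04-20T10:03:01Z 10.0.12.7 POST https://files.unknown-saas.example/api/v1/upload 200
2017-04-20T10:03:09Z 192.168.50.21 GET http://badge-ctl.local/api/doors/status 200
this line is corrupt and must be skipped
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def parse_log(text):
    """Yield one dict per well-formed log line; silently skip lines that do not match."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def api_prefix(path, depth=2):
    """Reduce '/v2/contacts/42' to '/v2/contacts' so calls group by resource, not by id."""
    parts = [p for p in path.split("/") if p]
    return "/" + "/".join(parts[:depth])


def classify(record, inventory=SANCTIONED_APIS):
    """Compare one observed request against the inventory and list any issues."""
    u = urlsplit(record["url"])
    host, prefix = u.hostname, api_prefix(u.path)
    issues = []
    if host not in inventory:
        issues.append("unknown-host")          # possible Shadow IT or unmanaged device
    elif prefix not in inventory[host]:
        issues.append("undocumented-endpoint")  # known system, undocumented API surface
    if u.scheme != "https":
        issues.append("cleartext")             # no TLS: see item 2
    return {"host": host, "prefix": prefix, "client": record["client"], "issues": issues}


def discover(text, inventory=SANCTIONED_APIS):
    """Return {(host, prefix): {"issues": set, "clients": set}} for endpoints needing review."""
    report = {}
    for rec in parse_log(text):
        f = classify(rec, inventory)
        if f["issues"]:
            entry = report.setdefault((f["host"], f["prefix"]), {"issues": set(), "clients": set()})
            entry["issues"].update(f["issues"])
            entry["clients"].add(f["client"])
    return report


if __name__ == "__main__":
    for (host, prefix), entry in sorted(discover(SAMPLE_LOG).items()):
        print(f"{host}{prefix}: {sorted(entry['issues'])} seen from {sorted(entry['clients'])}")
```

Grouping by path prefix rather than full path keeps the report short enough to act on; each flagged entry is a candidate for the documentation review, ownership assignment, or CASB policy that the item describes.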
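Item 3 recommends tokens over basic authentication and a framework that limits each caller to a subset of API methods. The following added example (written for this article, not code from the original post or from any OAuth 2.0 library) shows the shape of such a check: an HMAC-signed token carries the caller's identity, scopes, and expiry; the API maps each method to a required scope; and requests arriving with basic credentials, a missing or tampered token, an expired token, or an insufficient scope are refused with distinct status codes. The method table, scope names, and signing key are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key; a real deployment keeps the key in a secrets manager.
SIGNING_KEY = b"demo-signing-key-not-for-production"

# Hypothetical API: each method requires one scope (authorization subset, item 3).
METHOD_SCOPES = {
    "GET /v1/orders": "orders:read",
    "POST /v1/orders": "orders:write",
    "GET /v1/customers": "customers:read",
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(client_id, scopes, ttl_seconds=3600, now=None):
    """Mint a token: base64(payload).base64(HMAC-SHA256(payload)) with an expiry claim."""
    now = time.time() if now is None else now
    claims = {"sub": client_id, "scope": sorted(scopes), "exp": int(now + ttl_seconds)}
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def verify_token(token, now=None):
    """Return the claims if the signature and expiry check out, otherwise None."""
    now = time.time() if now is None else now
    try:
        p64, s64 = token.split(".", 1)
        payload, sig = _unb64(p64), _unb64(s64)
    except ValueError:              # malformed token or bad base64
        return None
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):   # constant-time comparison
        return None
    claims = json.loads(payload)    # payload is authentic once the MAC matches
    if claims.get("exp", 0) <= now:
        return None
    return claims


def authorize(headers, method, path, now=None):
    """Authenticate the caller by bearer token, then authorize the method by scope.

    Returns (http_status, reason) so the caller can log the exact failure.
    """
    scheme, _, credential = headers.get("Authorization", "").partition(" ")
    if scheme.lower() == "basic":
        return 401, "basic auth not accepted; present a bearer token"
    if scheme.lower() != "bearer" or not credential:
        return 401, "missing bearer token"
    claims = verify_token(credential, now)
    if claims is None:
        return 401, "invalid or expired token"
    required = METHOD_SCOPES.get(f"{method} {path}")
    if required is None:
        return 404, "unknown API method"
    if required not in claims["scope"]:
        return 403, f"token for {claims['sub']} lacks scope {required}"
    return 200, "ok"


if __name__ == "__main__":
    tok = issue_token("reporting-svc", ["orders:read"])
    print(authorize({"Authorization": "Bearer " + tok}, "GET", "/v1/orders"))
    print(authorize({"Authorization": "Bearer " + tok}, "POST", "/v1/orders"))
```

The separation of 401 (who are you?) from 403 (you are known, but not allowed to do this) matters for the monitoring in item 5: a run of 403s from one valid client is a different signal from a run of 401s from an unknown one.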
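Item 5 notes that generic tools need API-specific context, and names rate limiting as one of the controls a WAF can apply. The added example below (constructed for this article, not code from the original post or any WAF product) shows the kind of per-client detection logic that context enables: it replays API gateway log lines in time order and raises three alerts over a sliding window, a request-rate limit, a response-volume limit that catches fast programmatic exfiltration, and a client-error ratio that catches a caller probing for endpoints or identifiers. The log format, thresholds, and client addresses are assumptions for the demonstration.

```python
import json
from collections import defaultdict, deque

# Detection thresholds (constructed for this example; tune them per API).
WINDOW_SECONDS = 60
MAX_REQUESTS_PER_WINDOW = 20
MAX_BYTES_PER_WINDOW = 5_000_000
MIN_CLIENT_ERROR_RATIO = 0.5
MIN_SAMPLE = 10  # do not judge an error ratio on fewer requests than this


def load_events(lines):
    """Parse one JSON object per line (as a gateway might log); skip lines that do not parse."""
    events = []
    for line in lines:
        try:
            e = json.loads(line)
            events.append((float(e["ts"]), e["client"], str(e["status"]), int(e["resp_bytes"])))
        except (ValueError, KeyError, TypeError):
            continue
    return sorted(events)  # replay strictly in time order


def detect(lines):
    """Return {client: set of alert names} after replaying the log."""
    alerts = defaultdict(set)
    windows = defaultdict(deque)  # client -> (ts, status, bytes) within the last WINDOW_SECONDS
    for ts, client, status, nbytes in load_events(lines):
        w = windows[client]
        w.append((ts, status, nbytes))
        while w and ts - w[0][0] > WINDOW_SECONDS:
            w.popleft()
        if len(w) > MAX_REQUESTS_PER_WINDOW:
            alerts[client].add("rate-limit")
        if sum(b for _, _, b in w) > MAX_BYTES_PER_WINDOW:
            alerts[client].add("volume")  # fast bulk download over the API
        if len(w) >= MIN_SAMPLE:
            errs = sum(1 for _, s, _ in w if s.startswith("4"))
            if errs / len(w) >= MIN_CLIENT_ERROR_RATIO:
                alerts[client].add("error-ratio")  # many 4xx: guessing ids or endpoints
    return dict(alerts)


def make_sample_log():
    """Constructed gateway log: a normal client, a bulk downloader, and a probing client."""
    lines = []
    for i in range(5):   # normal: 5 requests spread over 5 minutes
        lines.append(json.dumps({"ts": 1000 + i * 60, "client": "10.0.4.15",
                                 "status": 200, "resp_bytes": 2048}))
    for i in range(30):  # bulk: 30 large responses in 30 seconds
        lines.append(json.dumps({"ts": 2000 + i, "client": "203.0.113.9",
                                 "status": 200, "resp_bytes": 250_000}))
    for i in range(12):  # probing: 12 requests, the first 9 returning 404
        lines.append(json.dumps({"ts": 3000 + i * 3, "client": "198.51.100.7",
                                 "status": 404 if i < 9 else 200, "resp_bytes": 120}))
    lines.append("not json at all")  # corrupt line the parser must tolerate
    return lines


if __name__ == "__main__":
    for client, names in sorted(detect(make_sample_log()).items()):
        print(f"{client}: {sorted(names)}")
```

Keyed on the authenticated client identity rather than the source address, the same windows can drive enforcement (throttling or revoking a token) as well as alerting; the thresholds above are deliberately simple so that the logic, not the tuning, is what the example shows.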

API security begins with good software development practices – many of the other OWASP Top 10 recommendations are also applicable to developing secure web APIs. Including under-protected APIs as a distinct threat in the latest OWASP Top 10 release candidate highlights the growing concern of API-based attacks. Traditionally the purview of software developers, web API security is becoming a greater consideration in enterprise security. CISOs now find themselves defending a growing and more diverse IT environment, which includes more cloud-based applications and IoT devices as well as enterprise-level application integrations. Web APIs present an amazing opportunity for business and IT extensibility, efficiency, integration… and mischief.

Bo Lane

Head of Security Architecture at Kudelski Security
Bo is the Head of Security Architecture at Kudelski Security, a leading global information security solutions firm focused on innovation. He is responsible for establishing and driving the technology strategy and solutions architecture for Kudelski Security's information security solutions.