Top 3 API Security Risks and How to Mitigate Them
Cyber Security Threat Summary:
“The application programming interface (API) is an unsung hero of the digital revolution. It provides the glue that sticks together diverse software components in order to create new user experiences. But in providing a direct path to back-end databases, APIs are also an attractive target for threat actors. It doesn’t help that they have exploded in number over recent years, leading many deployments to go undocumented and unsecured. According to one recent study, 94% of global organizations have experienced API security problems in production over the past year with nearly a fifth (17%) suffering an API-related breach. It’s time to gain visibility and control of these digital building blocks” (ESET, 2023).
According to a recent survey by ESET, 97% of global IT leaders agree that a successful API strategy is vital to future revenue and growth. The ever-increasing volume of APIs and their distribution is a noted concern. There may be tens or even hundreds of thousands of customer- and partner-facing APIs in a large enterprise. Even mid-sized organizations may be running thousands.
API threats are not theoretical. T-Mobile USA admitted that 37 million customers had their personal and account information accessed by a malicious actor via an API, and misconfigured Open Authorization (OAuth) implementations on Booking[.]com almost enabled serious user account takeover attacks on the site.
Security Officer Comments:
There are dozens of ways hackers can exploit an API, but OWASP is the go-to resource for those wanting to understand the biggest threats to their organization. Its OWASP API Security Top 10 2023 list details the following three main security risks:
- Broken Object Level Authorization (BOLA): The API fails to verify whether a requester should have access to an object. This can lead to data theft, modification or deletion. Attackers need only be aware that the problem exists – no code hacks or stolen passwords are needed to exploit BOLA.
- Broken Authentication: Missing and/or mis-implemented authentication protections. API authentication can be “complex and confusing” for many developers, who may have misconceptions about how to implement it, OWASP warns. The authentication mechanism itself is also exposed to anyone, making it an attractive target. API endpoints responsible for authentication must be treated differently from others, with enhanced protection. And any authentication mechanism used must be appropriate to the relevant attack vector.
- Broken Object Property Level Authorization (BOPLA): Attackers are able to read or change the values of object properties they are not supposed to access. API endpoints are vulnerable if they expose the properties of an object that are considered sensitive (“excessive data exposure”), or if they allow a user to change, add or delete the value of a sensitive object property (“mass assignment”). Unauthorized access could result in data disclosure to unauthorized parties, data loss, or data manipulation.
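To make the BOLA and BOPLA items concrete, the following is an added example (not from the ESET article) modelling an API backend as plain Python functions: each vulnerable handler is shown beside a hardened one that checks authorization against the object itself and allowlists writable properties. The users, order ids and field names are constructed sample data.

```python
# Added example: OWASP API1 (BOLA) and API3 (BOPLA / mass assignment) handlers,
# vulnerable and hardened, over an in-memory store. All data is constructed.

# Constructed sample data: two users, each owning one order, plus one profile.
ORDERS = {
    101: {"owner": "alice", "total": 42.0},
    102: {"owner": "bob", "total": 99.0},
}
PROFILES = {
    "alice": {"email": "alice@example.test", "role": "user", "balance": 10.0},
}

class Forbidden(Exception):
    """Raised when the requester is not authorised for the object or property."""

# --- API1: Broken Object Level Authorization -----------------------------
def get_order_vulnerable(requester: str, order_id: int) -> dict:
    # Looks the object up by id only; any authenticated caller can read any order.
    return ORDERS[order_id]

def get_order_hardened(requester: str, order_id: int) -> dict:
    # Authorization is decided per object: the session alone is not enough.
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != requester:
        # Identical outcome for "missing" and "not yours", so responses
        # do not reveal which ids exist.
        raise Forbidden("order not found")
    return order

# --- API3: Broken Object Property Level Authorization (mass assignment) --
def update_profile_vulnerable(requester: str, payload: dict) -> dict:
    # Binds every supplied property onto the stored object, including
    # sensitive ones such as "role" or "balance".
    return {**PROFILES[requester], **payload}

WRITABLE_PROPERTIES = {"email"}  # allowlist: the only property a user may set

def update_profile_hardened(requester: str, payload: dict) -> dict:
    # Reject, rather than silently drop, properties outside the allowlist,
    # so attempts to set "role" or "balance" surface in logs and monitoring.
    extra = set(payload) - WRITABLE_PROPERTIES
    if extra:
        raise Forbidden(f"properties not writable: {sorted(extra)}")
    return {**PROFILES[requester], **payload}
```

Returning a new dict instead of mutating the store keeps the example side-effect free; in a real service the hardened update would persist only the allowlisted properties.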
Suggested Correction(s):
ESET recommends the following API best practices to mitigate threats:
- Improve API governance by following an API-centric app development model which allows you to gain visibility and control. In so doing, you’ll shift security left to apply controls early on in the software development lifecycle and automate them in the CI/CD pipeline. Use API discovery tools to reduce the number of shadow APIs already in the organization and to understand where APIs are and whether they contain vulnerabilities.
- Deploy an API gateway which accepts client requests and routes them to the right backend services. This management tool will help you authenticate, control, monitor and secure API traffic.
- Add a web application firewall (WAF) to enhance the security of your gateway, blocking malicious traffic including DDoS and exploitation attempts.
- Encrypt all data (i.e., via TLS) travelling through APIs, so it can’t be intercepted in man-in-the-middle attacks.
- Use OAuth for controlling API access to resources like websites without exposing user credentials.
- Apply rate limiting to restrict how often your API can be called. This will mitigate the threat from DDoS attacks and other unwanted spikes.
- Use a monitoring tool to log all security events and flag suspicious activity.
- Consider a zero trust approach which posits that no users, assets or resources inside the perimeter can be trusted. Instead, you will need to demand proof of authentication and authorization for every operation.
https://www.welivesecurity.com/2023/06/01/top-3-api-security-risks-mitigate/