The first Release Candidate of the popular OWASP Top 10 contained “underprotected APIs” as one of the Top 10 things to watch out for. API Security has become an emerging concern for enterprises not only due the amount of APIs increasing but also due to the fact that their criticality has been growing.
What is OWASP Top10?
OWASP is an Open Community providing awareness for the most critical web application security flaws. The project contains members from around the world containing of security experts and specialists. Recent versions were 2010 and 2013 edition of the OWASP Top10. OWASP Top 10 are often referenced when validating security software implementations or when services that leverage Web technologies are exposed. The 2017th edition of this popular list and Reference Document contained a reference to “Underprotected APIs” in its first Release Candidate.
Why is API Security still an issue?
The Top 10 list mentions “underprotected APIs” which is a broad term for protected or unprotected APIs that could get misused or abused. Not only is this is an issue for external APIs but also for internal APIs. Attackers could send requests on behalf of others causing data theft or damage in multiple ways. Quite often API Security is dangerously ignored or underprioritized. At the same time, APIs increasingly also playing major roles for critical data exchanges like in PSD2 (Payment Services Directive 2) which regulates Payments within Europe requiring Banks to open Payment initiation and Customer Data Access via APIs. Recent API security issues have shown that impacts can be damaging and that APIs are often used by consumers without knowing it. Besides the fact that API Implementations could be vulnerable, tools for API Security testing seem to be not utilized enough.
How to make APIs more secure?
Solutions to protect APIs are available for Enterprises for quite some time and have emerged from Firewall type protection to multilayer, policy based Systems which these days increasingly get help from Machine Learning detecting malicious behavior. 11 Ways to better secure APIs can be found here.
API Gateways provide sophisticated ways to scan and block unwanted traffic including payload going into depth and validating inputs against schemas like (XSD or JSON-Schema) but also limiting requests to protect backend systems – with API quota for example. Policies help provide base level protection defining the known good request and block everything like wrong size, request type and pattern. Antivirus helps scan inbound payload containing binary payload like pictures, PDFs and other file types preventing malicious code to get injected into the backed system. Identities need to get decoupled to reach higher protection. OAuth and OpenID Connect can be enabled in API Management platforms to bridge with existing IAM systems.
When will OWASP Top 10 2017 edition be published?
Underprotected APIs have been mentioned on Position 10 of the first Release Candidate but the release Candidate got rejected during the OWASP Summit 2017. A new Call for Data has been opened to get more opinions and referenceable metrics. To read more, check the OWASP Top 10 Project page. The current release date for the 2017 Edition is scheduled for November 2017.
If API Security is going to get on the OWASP Top10 is still at question but the risk exists and it’s important that enterprises start to take API Security seriously and into their existing processes around APIs.