Issue 100: API Security advice from top industry experts


Today is a special day for our newsletter – our centennial issue and the number of email subscribers crossing the 5,000 mark (and in addition to that we have about 1300 followers on Twitter and a similar number of members of the API Security LinkedIn group).

This has definitely grown significantly bigger than the original side-project to share with the community the news, updates, and experience that we saw at 42Crunch in the field.

To celebrate, we decided to make this issue special.

  • We reached out to some of our most prominent readers and followers asking them to share their favorite API Security advice (see below!)
  • And we will be giving out extremely cool Nano Leaf smart lighting system to one of our readers sharing this newsletter in social media (see the rules at the end of this newsletter.)

Industry Thought Leaders on API Security

 

Michael Isbitski
Senior Director Analyst, Gartner

“Organizations create and expose APIs to enable automation, system integration, business functionality and data access. An unfortunate side effect of this is that it creates new opportunities for attackers. As a result, API security has become a significant focus area for organizations of all sizes, across verticals and sectors. Traditional security strategies focused heavily on network security and access controls, with encrypted transport, VPNs and API gateways featured prominently. These are pieces of a much larger puzzle of API security strategy.

Certainly, encrypt data in transit using TLS 1.2 or better, and enforce proper access control (where possible) so that only authenticated, authorized parties consume your APIs. However, you should also consider how your APIs may be exploited or abused. An API may be designed with quality, hardened code, only to find that it is susceptible to attacks such as brute forcing, account takeover and scraping. Appropriate countermeasures for business logic and automated attacks that target APIs are often not achievable with code-only approaches or static rate limits offered by most gateways. A common set of best practices includes security testing your APIs, implementing traffic management controls and mediating access to APIs with API management and API gateways. It also includes augmenting with technologies such as web application firewalls, bot mitigation or dedicated API security mechanisms to address newer patterns of attack.”

 


 

Doug Cahill
Vice President and Group Director, Cybersecurity, Enterprise Strategy Group

“The pressure on project teams to write and push more code to production at an accelerated pace has been a central feature of the API economy as well as an opportunity for cyber adversaries. As such, the broad use of APIs by development teams has made API security an essential facet of a cybersecurity program.

According to research conducted by ESG, while 44% of organizations have already invested in formal API security training, another 43% are still learning. Those learnings must start with an understanding of the API threat model including how, for example, misconfigured API usage creates a risk of data loss.

Purposeful API security controls are also required to protect the dev-time and runtime use of APIs. Over half of the organizations who participated in ESG’s research are already employing specialty API security controls with 38% more planning to do so in the next 12 months. ESG’s research indicates the maturation of API security initiatives are well underway, but sustained focus is required.”


 

Alexei Balaganski
Lead Analyst, KuppingerCole Analysts AG

“In just over a decade, APIs have evolved from an obscure technical term for developers to the literate backbone of the Digital Transformation and a major source of income for modern businesses. In a world where digital information is one of the “crown jewels” of many modern businesses, APIs are now powering the logistics of delivering digital products to partners and customers. In short, everyone needs APIs! Creating a REST API is very easy; unfortunately, creating a reliable and secure API is nowhere near as simple. Numerous reports about API-related data breaches clearly indicate that many companies still lack even basic competence in the field and tend to be overconfident about their existing security tools.

Securing APIs is complicated but following a few basic rules can bring you a long way. First, no API should be left behind: public or private, own or 3rd party – all APIs must be accounted for and brought under consistent monitoring and governance. Second, security must be integrated into every phase of the API lifecycle: from its initial design to development, operations, and eventual retirement. Finally, do not try to reinvent the wheel: refer to established frameworks like OWASP API Security Top 10 and best practices and guidance from reputable vendors.

However, the biggest challenge of API security is still raising public awareness of potential API risks and new tools that exist to mitigate them. This newsletter is actually a great resource for both amateurs and professionals!”

 


 

Rik Turner
Principal Analyst, Infrastructure Solutions, Omdia

“API security is nowadays an essential part of the armory of any organization, commercial or not, that interacts with communities (customers, partners, patients, constituents or citizens) via a Web and/or mobile app. App-to-app, system-to-system, and machine-to-machine communications have overtaken those directly involving humans, in terms of the volume of traffic they generate, and guaranteeing that APIs calls are legitimate, i.e. coming from a recognized source and asking for appropriate data etc, is a key capability. Omdia talks about Next-Generation Application Security, which includes capabilities, on the runtime side of things, like DDoS mitigation, WAF, bot management and API security. There is also an increasing role for this technology in the development pipeline, making sure that an API is correctly written and configured before it goes into production. With all this going on, it is no surprise to me that APIsecurity.io has reached its 100th issue, nor that it has over 5,000 subscribers. I salute the endeavour and look forward to reading many more editions!”

 


 

Kin Lane
API Evangelist

“When it comes to API security, the most important thing you can do is know where all of your APIs are–as you can’t secure what you don’t know about. Beyond that, treat ALL YOUR APIs like they are public APIs, because if you are using public DNS for accessing your APIs, you have public APIs! Then all you have to do is read APIsecurity.io and you are good to go!! ;-)”

 


 

Alissa Knight
Cybersecurity Influencer, Content Creator, Hacker, Published Author, Partner at Knight Ink

“Every single one of the successful API penetration tests I’ve done in the financial services market over the past year have suffered from some form of broken object level authorization vulnerability. This is clearly a growing problem that organizations are not testing for. If I can offer any advice at all in hardening APIs, it would be to test for BOLA vulnerabilities. In my findings, they are becoming all too systemic and have allowed me to transfer money between accounts I don’t own or make changes to account authentication parameters.”

 


 

Philippe De Ryck
Founder, Pragmatic Web Security

“API security is challenging because it is so easy to get distracted by the shiny exterior. API security is not about responsive Single Page Applications or beautifully designed mobile apps. API security is not about user features offered by client applications. API security is not about the rules enforced by the client. Instead, API security is about raw requests and responses, arbitrary JSON and XML data structures, and data. Lots of data. Untrusted data. Sensitive data.

The real attack surface of an API consists of its exposed endpoints. Whether the client uses it or not, every endpoint that is offered can be attacked. None of the assumptions about data formats are valid unless the API enforces them. Every single piece of data sent in a response is exposed, regardless of whether the client renders it or not. The restrictions imposed by the client do not limit an attacker coming after your API. Many of the OWASP API Security Top 10 vulnerabilities aptly illustrate this common misconception. Examples include Broken Object Level Authorization (#1), Excessive Data Exposure (#3), Lack of Rate Limiting (#4), and Mass Assignment (#6).

API security happens in the underbelly of the application, not on the surface.”

 


 

Jim Manico
Founder, Secure Coding Instructor at Manicode Security
OWASP

“APIs emerged as one of the primary attack vectors for modern applications and infrastructure.

It is important to understand that, as it often happens in app security, this one is not going to have a silver bullet or one magic solution that can make an insecure system secure.

Instead, you’ll need to understand your system components and attack surface, educate your teams about API security, ensure that security spans the complete life-cycle from API design and development, to testing, to runtime protection, know and follow current standards and industry security best practices, and finally automate the whole process to minimize possible human error.”

 


 

Katie Paxton-Fear
PhD Student, Occasional Bug Bounty Hunter and Educational YouTuber

“When developing APIs it’s often tempting to use built-in middleware for authentication, however just because a user is logged in doesn’t mean they should have permission to see API endpoints! Always question if you need to be making custom middleware for different endpoints based on permission levels – especially true for mobile apps! And hackers keep an eye out for authentication issues! Always question if you should be seeing the results from an API call!”

 


 

Farah Hawa
Infosec content creator

“GraphQL has a very unique feature known as the Introspection system which gives out a lot of information about what kind of queries, mutations, subscriptions, fields and types that the API supports. It essentially gives attackers all the ammo they need so it’s extremely important for developers to secure their GraphQL API, especially those endpoints that are exposed via Introspection, against common API bugs like BOLA/IDOR, SQL Injection, Rate Limiting, etc.”

 


 

Mitesh Shah
Sr. Principal Security Architect, Corporate Information Security, Verizon

“With the growing popularity of mobile enablement of applications using API backends and projects focusing on transforming legacy applications into microservices based architecture, the need for an API security program is more important than ever. Because of the massive volume of new API development activities, keeping up with security assessments is a key challenge. Focusing on security by design, a whitelisting approach and effectively reducing attack vectors, can help address API security issues. Automation and DevSecOps can help further to ensure baseline API security requirements are met prior to production release.

APISecurity.io has achieved the milestone of releasing their 100th issue and continues to provide information around key API security issues and new developments. Looking forward to reading many more in the future.”

 


 

Ravi Krishnan Muthukrishnan
Product Security Lead, Financial Industry

“Application Programming Interfaces (APIs) have proliferated the web, powering well known websites and microservices, and are ever growing with increasing adoption of single page applications that rely on APIs to serve responsive web pages. Most often these APIs hold the gate to sensitive data, so API security is of utmost importance to almost any organization irrespective of their size and hosting model (on-perm vs hybrid vs public cloud). Organizations should embrace a continuous approach to API security with API discovery at the core and have a well defined API security strategy & roadmap. APIs are constantly undergoing changes by developers and API discovery & cataloging is going to be a critical first step to secure these APIs.”

Disclaimer: The views and opinions expressed here are those of the author and do not represent or reflect their past or current employers.


100th Newsletter Giveaway

UPDATE: We had our raffle and the prize went to Alex Savage! Congratulations, Alex, and big thanks to all our readers, contributors, and everyone spreading the word about API Security!

 


Get API Security news directly in your Inbox.

By clicking Subscribe you agree to our Data Policy