This week, we have an article on applying a DevSecOps approach to API security, by utilizing a shift-left and protect and monitor right approach; a pair of vulnerabilities patched by F5; views on the top 10 API integration trends by Brenton House: and finally, a view on the rise of bot attacks against APIs.
Article: Taking a DevSecOps approach to API security
This week, Doug Dooley has published an article on how a DevSecOps approach could be applied to API security. It describes how an approach of shift-left and protect and monitor right could result in more secure APIs by bringing API development more in line with well-established processes for application development.
Dooley describes how a traditional approach to API security is overly reliant on protection afforded by API gateways and content delivery networks (CDNs). Whilst these methods offer some level of protection, they are insufficient against some of the more sophisticated attack methods, such as broken object level authorization (BOLA/IDOR) or authentication and authorization attacks.
Dooley describes how customer-facing APIs (the “north—south” APIs) need to be thoroughly and continuously secured. The internal APIs (the “east—west” APIs) are also vulnerable to attack if deployed in a cloud environment. Basically, assume all APIs are equally valuable and attractive to attackers.
By using a DevSecOps approach, API developers can leverage a number of advantages:
- Security experts can make ongoing risk-based decisions on issues as they arise, rather than catching issues post-deployment.
- CI/CD systems enable automated testing of APIs throughout their construction and deployment.
- APIs can be deployed with active protection and continuous reporting, to ensure that emerging API threats are detected in real-time.
- When an incident occurs, all teams involved can have an informed view of the affected components and their risks, and make appropriate decisions to remediate and redeploy.
Vulnerability: F5 fixes high-risk vulnerabilities
The Daily Swig featured details of a pair of high-risk vulnerabilities affecting network technology provider F5. Details of them were provided in F5’s quarterly patch notice, which addressed a total of 15 high severity vulnerabilities.
The first issue affected the NGINX Controller API Management product, which allows DevOps teams to control the API lifecycle, security included. Somewhat ironically, the product itself had an API vulnerability that allowed an injection attack using an admin
role against an undisclosed API. An attacker could have used this endpoint to inject malicious JavaScript which could then execute within the target data planes — a great example of API5:2019 — Broken function level authorization. The vulnerability (CVE-2022-23008) was given a CVSS score of 8.7, and has now been patched in version 3.19.1.
The second vulnerability affects the BIG-IP load balancer. This configuration utility was vulnerable to cross-site scripting (XSS) attacks that allowed injecting JavaScript into the context of the current logged-in user. The vulnerability (CVE-2022-23013) was given a CVSS score of 7.5 and has also now been patched.
Opinion: Ten API integration trends
We also have our regular contributor to the newsletter, Brenton House, who discusses ten hot API integration trends for 2022. In his view they are, :
- API cybersecurity
- Seamless integration solutions
- Adaptive API management
- API and integration automation
- Industry-specific breakouts
- API best practices
- OpenAPI standards
- API and integration experience
- API-led modernization
- API economy growth
Readers of this newsletter are unlikely to be surprised to see API security featuring at the top of the list. House highlights that APIs are likely to become the most frequently used attack vector, which — coupled with the exponential growth of APIs — leads to API security becoming a very hot topic.
House emphasizes the value of the “shift-left, shield-right” approach (covered in the first article in this newsletter), and highlights the importance of the related topics of encryption and privacy when considering the overall API security strategy.
Article: Bot attacks on APIs increasing
Next up, we have an article on the rise of bot attacks against APIs. It highlights the challenges that bots present to APIs, primarily that they are hard to detect and therefore hard to defend against. Bot sophistication has increased rapidly and can now mimic the behavior of a human user quite accurately.
Typically, adversaries use a a combination of the following tactics:
- Automate bot attacks.
- Access a wide pool of account information and credentials to attempt account takeovers (ATO).
- Use clusters of mobile devices all grouped together to avoid device detection.
Defenders have two options in reducing the effectiveness of bot attacks: firstly, they can reduce the efficiency of bot attacks, for example, with rate-limiting, and secondly, they can increase attacker costs by using better protection methods on their APIs.
Webinar: OWASP API Security Top 10 Challenges
Last week, I was joined by Dr. Philippe De Ryck, Web Security Expert with Pragmatic Web Security, as we discussed OWASP API Security Top 10 issues in the first of a three-part webinar series.
On Thursday, 17 February at 11 AM (EST) / 4 PM (GMT), Philippe returns to discuss the key topics in authentication and authorization. This promises to be a very useful session for anyone tasked with API development, as Philippe once again brings his considerable expertise and experience to the audience.
Get API Security news directly in your Inbox.
By clicking Subscribe you agree to our Data Policy