Issue 185: Three trends in API security, GraphQL securing risks, the importance of API discovery

This week, we have a podcast from Stoplight on three trends in API security; an article on whether GraphQL introduces new security risks; views on the importance of API discovery and inventories; and a report from Cloudflare on the rise of API attacks. We also have news of an upcoming panel discussion at the RSA conference.

Podcast: Three trends on starting with API security

Stoplight recently featured an interview with Travis Spencer (CEO of Curity) on their API Intersection podcast where Spencer discussed key trends in the API security industry: more openness, more regulation, and higher levels of security.

The first trend is toward the adoption of technologies such as OpenID Connect (OIDC) which enables developers outside financial services to add strong identity to their products. OIDC is an identity layer on top of the OAuth2 protocol, allowing the exchange of identity information in a standard format. OIDC is destined to become the standard on which strong identities are established.

The second highlighted trend is the continued adoption and growth of the open banking initiative. Already popular in Europe, Australia, and Brazil, Spencer believes it is set for expansion into the USA, Middle East, and APAC. Spencer believes the open banking trend will drive growth in other open initiatives in government, manufacturing, and other industries. This in turn will drive the demand for APIs that must be designed to conform to high levels of security.

Finally, Spencer highlights the emergence of new identity standards such as GAIN, intended to provide stronger identity assurances on the internet. As ever, there is a balance to be struck between adherence to such standards and the user experience.

For anyone wishing to understand OIDC, Spencer recommends resources on the OpenID Foundation website or the Curity website.

Article: Does GraphQL introduce new security risks? has featured an interview with Mike Benjamin (VP of security research at Fastly) on the topic of GraphQL adoption and the potential security implications.

GraphQL is increasingly popular with developers, because it allows API queries to be constructed dynamically on the client and sent within a single API call, as opposed to REST APIs which may require more complex, nested queries to compose a single client operation. Whilst GraphQL offers greater flexibility to developers, this comes at the expense of latent vulnerabilities and an increased attack surface.

Benjamin highlights four common GraphQL security vulnerabilities:

  • Introspection: GraphQL allows clients to query the entire underlying schema to identify entities — in the hands of attackers this could allow them to map out the entire attack surface and discover potentially vulnerable endpoints. The recommendation is to avoid overexposing documentation for public API consumers.
  • Field suggestions: Another feature open to abuse is the automatic suggestion of field names. This is a great help for a developer trying to understand a new API, however, it allows attackers to easily enumerate the entire API. The recommendation is to switch this feature off in production.
  • Denial-of-Service-Oriented attacks: Due to the nature of dynamically constructed queries, it is possible for attackers to construct resource-intensive queries that may lead to denial-0f-service (DoS) attacks. This attack vector can be mitigated simply by limiting either the query execution time or the query depth.
  • Lack of Object-Level authorization: Since all authorization is routed through a single API endpoint, it becomes more difficult to implement fine-grained access control to data objects. As with REST APIs, the best practice is to enforce authorization closer to the objects and data.

Our newsletter has previously covered GraphQL attack vectors and why GraphQL should not be exposed to the internet — anyone implementing GraphQL solutions should be mindful of potential security risks.

Opinion: API security starts with discovery, not gateways

Speaking this week at Gartner’s Application Innovation and Business Solutions Summit, VP Analyst Mark O’Neill discussed three key strategies for securing APIs: discovery, testing, and protection.

O’Neill’s key recommendation is not to focus initially on the implementation of API gateways and other security products, but rather to begin with building an inventory of APIs by using a range of techniques, such as examining Git code repositories or inspecting API management platforms.

Unsurprisingly, O’Neill emphasizes the importance of both static and active API security testing. Static testing is important to ensure the API is fully defined and locked down in terms of data constraints and endpoint definitions, while active testing ensures that the implemented API behaves exactly as specified in its OpenAPI definition. Once testing has been completed, O’Neill suggests prioritizing findings to ensure they are addressed in timely fashion.

Finally, O’Neill stresses the importance of fine-grained access to deployed APIs: edge protection is important in API gateways, but so is internal API traffic right in front of the backend service. Using dedicated access control in close proximity to the backend ensures a layered defense-in-depth approach, and removes the reliance on the backend code implementation for critical security controls, such as rate limiting and token validation.

Report: Cloudfare reports API attacks increasing significantly

Readers of this newsletter are unlikely to be surprised at the findings from recent research from Cloudflare which reveals an increase in API traffic as well as a rise in bot traffic. Cloudflare reverse-proxies handle approximately a fifth of internet traffic, so their findings are highly indicative of overall trends.

The first observation from the report is an approximately 20% rise in API traffic in 2021, accounting for 55% of overall traffic. In particular, Cloudflare noticed that API endpoints received more malicious traffic than other web endpoints, suggesting that attackers are specifically targeting API endpoints.

The most interesting observation from the report is the rise in bot traffic which now accounts for 38% of all HTTP requests, with 10% of this bot traffic accessing API endpoints. While not all bots are malicious (like search engine indexers), the report identified specific bot strategies, such as HTTP method and path manipulations, that can identify vulnerabilities in API backends.

The most important recommendation from the report is not to be overly reliant on IP addresses as a means of determining request validity because these can easily be cloned or spoofed. Rather, a zero-trust approach should be adopted.

Event: “Spreading Application Security Ownership Across the Entire Organization” at RSA Conference

The annual RSA conference is taking place in early June, and Daniel Garcia (security researcher at 42Crunch) will be participating in a panel discussion on the topic of “Spreading Application Security Ownership Across the Entire Organization” at 12:15 PM PT on Tuesday, Jun. 7, 2022.

If you’re in town, be sure to join Daniel and the illustrious panel to learn how AppSec professional uses persuasion and negotiation skills to get buy-in from R&D and management, and how Q&A teams can use off-the-shelf DAST tools to improve testing coverage and provide practical tools and methodologies aimed at non-specialized security people to demystify API security.


Get API Security news directly in your Inbox.

By clicking Subscribe you agree to our Data Policy