Issue 188: API security for smart cars, ownership of the API lifecycle, APIs a top CISO concern


This week, we have articles on API security considerations for smart cars, and an exploration of API ownership and its impacts on security. We also have a report surveying CISOs on their top security concerns (no surprise that API security tops the list), and finally, a beginner’s guide to API security focusing on testing.

Article: API security for smart cars

The first article this week comes from Curity.io on the topic of API security for smart cars. API adoption has helped fuel the innovation in smart, connected cars, but with this adoption come additional security concerns caused by the value and criticality of the vehicles and the impact of breaches that could allow remote access or control. We recently featured news of a remote takeover exploit in the Tesla vehicle range that took advantage of a vulnerability in a third-party integrated application that exposed vehicle access tokens.

The article discusses three key topics to ensure more secure APIs. Firstly, always use a token-based architecture to protect car APIs, because it is demonstrably more secure than legacy solutions such as password or key-based authentication. As demonstrated in the example of Tesla, it is important to be able to easily revoke access in the event of a compromise or leaked credential. If fixed keys are used, this becomes a logistical challenge, possibly even requiring manual intervention. A token-based solution (typically OAuth2) provides a robust mechanism for the distribution of tokens, including the ability to manage more complex access control through restricted token scope and lifetime.

The second recommendation is to adopt smart token validation to prevent breaches or data loss. JSON web tokens (JWTs) allow a client to present a set of claims to a backend API which is then responsible for validating the token and allowing (or denying) access according to the claims. This validation can be performed in the API itself, or – as recommended in the article – in an API gateway which offers several advantages, such as:

  • It can use complex architectural patterns to provide even more robust security, particularly to prevent leaks.
  • It can offload the tasks of token validation from the API itself to improve performance and robustness.
  • It reduces the likelihood of unauthorized calls to APIs.
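
The checks a gateway would run on each call, covering the token scope, lifetime and revocation points above, as an added example that is not code from the Curity article or from this newsletter. It assumes HS256 with a shared demo key in place of whatever signature scheme the authorization server uses; the key, scope names, audience and the in-memory revocation set are all constructed for illustration.

```python
import base64, hashlib, hmac, json, time

KEY = b"constructed-demo-key"   # assumption: shared HS256 secret, demo only
REVOKED_JTI = set()             # assumption: revocation list keyed by token id (jti)

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint(claims: dict, alg: str = "HS256", key: bytes = KEY) -> str:
    """Build a constructed sample token (stands in for the authorization server)."""
    head = _b64(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64(sig)}"

def authorize(token: str, required_scope: str, audience: str, now=None):
    """Gateway-side decision for one API call: returns (allowed, reason)."""
    now = time.time() if now is None else now
    try:
        head, body, sig = token.split(".")
        header, claims = json.loads(_unb64(head)), json.loads(_unb64(body))
        given = _unb64(sig)
    except (ValueError, TypeError):
        return False, "malformed"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return False, "malformed"
    # Pin the algorithm: the header is attacker-controlled until the signature checks out.
    if header.get("alg") != "HS256":
        return False, "bad-alg"
    expected = hmac.new(KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given):   # constant-time comparison
        return False, "bad-signature"
    # Lifetime: a short exp bounds how long a leaked token stays useful.
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return False, "expired"
    if claims.get("aud") != audience:
        return False, "wrong-audience"
    # Revocation: a leaked token is cut off without re-keying every client.
    if claims.get("jti") in REVOKED_JTI:
        return False, "revoked"
    # Scope: the token must carry the permission this endpoint requires.
    if required_scope not in str(claims.get("scope", "")).split():
        return False, "insufficient-scope"
    return True, "ok"
```

Every rejection returns a distinct reason, so the gateway can log why a call was denied while the API behind it only ever sees requests that passed all checks.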

The third recommendation is to use a developer portal to empower developers to understand the organization’s APIs, track their usage, and monitor who is accessing the API.

Article: Ownership of the API lifecycle

The second article this week covers the important topic of API ownership. From a security point of view, API ownership is important throughout the API lifecycle, particularly in the operation stage to ensure timely response in the event of incidents.

The author describes the three common models for API ownership as follows:

  • IT API owner: A technical or IT owner is responsible for developing and operating APIs according to organizational policies and standards.
  • Business API owner: This model is focused on the API consumer and manages the lifecycle according to their requirements.
  • Shared ownership: This model allows the business to focus on the API strategy from the consumer and business viewpoint, while the IT owner manages technical aspects of development and deployment.

Finally, the author makes some recommendations for API ownership best practices:

  • Follow an API security checklist: Using a checklist (such as the OWASP ASVS) ensures that API security best practices are addressed at all stages of the lifecycle.
  • Assign ownership based on purpose: Ownership should be based on the function of the API to ensure a timely response to incidents or outages.
  • Prioritize security: Unsurprisingly, the author recommends prioritizing security throughout all phases of the API lifecycle, specifically the use of dedicated API security tools.
  • Use external API visibility tools: Using external API visibility tools allows detecting exposed APIs and assessing them for vulnerabilities. Use threat protection features in API gateways.
  • Implement a layered security approach: API vulnerabilities must be addressed at multiple levels, ensuring that common vulnerability categories are addressed.

Whilst security is everyone’s responsibility, it is vital that APIs have a designated owner.

Report: APIs and cloud applications are top CISO concern

A recently published report titled “The CISOs Report, Perspectives, Challenges and Plans for 2022 and Beyond” reveals that CISOs are increasingly faced with challenges related to the adoption of cloud-based applications and APIs. The report is based on a survey of over 400 CISOs and reflects their concerns arising from the changing IT landscape due to remote work, cloud adoption, and evolving development practices.

CISOs ranked their top priorities as follows:

  • APIs: 42%
  • Cloud applications (SaaS): 41%
  • Cloud infrastructure (IaaS): 38%

The report highlighted the importance of data discovery and classification, and of DevSecOps. Other topics included the growing adoption of zero-trust (although still immature) and supply-chain or 3rd party risks.

These findings come as little surprise to readers of this newsletter.

Guide: Complete guide to API security

Finally this week, we have a guide to API security by Bright Security. This guide gives a basic overview of the OWASP API Security Top 10 and covers REST, SOAP, and GraphQL security at a high level.

The guide will be of particular interest to API testers because it provides good coverage of that topic, including common methods of API testing and an overview of the top open-source API testing tools. It also offers recommendations for API security best practices, like:

  • Identify vulnerabilities.
  • Leverage OAuth2.
  • Encrypt data.
  • Use rate limiting and throttling.
  • Use a service mesh.
  • Adopt a zero-trust philosophy.
  • Test your APIs with dynamic application security testing (DAST) tools.

An easy read for anyone new to API security – thanks for the contribution.

Webinar: API Breaches from H1 2022

Another reminder about my upcoming webinar on API breaches from H1 2022, in which I will outline the root causes of some recent API vulnerabilities that have been making the news.

This practical and interactive webinar gives an illuminating insight into how easily APIs can be compromised, leading to a potentially devastating impact on organizations. The topics covered include:

  • Understanding how the vulnerability occurred, and the potential impact.
  • A detailed look at the underlying OWASP API Security Top 10 vulnerability.
  • Practical demonstration of how 42Crunch can detect and protect your APIs from such vulnerabilities.

 

