This week, we have a report from Akamai focusing on APIs which they describe as “the attack surface that connects us all”. We also feature an API security checklist that covers seven of the most important requirements, and an article on the dangers of API security overconfidence. Finally, we round off with a video from Neil Madden on self-contained tokens and JWTs.
Report: Akamai’s report on API: the attack surface that connects us all
First up this week we have the latest State of the Internet report from Akamai. This year’s report focuses on APIs – which they describe as “the attack surface that connects us all” – and surveys the state of API security in 2022.
The report focuses on a number of high-profile API breaches and pays particular attention to the research into FHIR APIs by Alissa Knight, which found that the majority of FHIR APIs had security vulnerabilities. With the cooperation of static analysis vendor Veracode, the authors conducted assessments of over 5000 Spring Boot applications and discovered that all of them had at least one serious vulnerability, and many exhibited serious flaws from the OWASP Top 10, including SQL injection and cross-site scripting (XSS).
The authors provide some interesting insight into why API vulnerabilities exist in the first place, suggesting that API security is experiencing many of the early pains that web application security went through. The most frequently cited reason for vulnerable APIs was the pressure of delivery deadlines, which led to vulnerabilities being ignored or simply not being detected. In many cases, the development team decided that detected vulnerabilities were low risk and did not warrant remediation – a frequently encountered attitude that can have dire consequences. Other reasons included the use of vulnerable open source code or a lack of specific security knowledge. The report also found that distributed denial-of-service (DDoS) attacks were rising and that credential abuse is becoming the number one attack vector.
The report concludes with some best practices for API security, such as:
- Discover your APIs and track them in your inventory.
- After the APIs have been discovered, ensure they are tested and that any vulnerabilities found are tracked and addressed.
- Leverage existing WAF infrastructure, and identity management and data protection solutions.
- Use broad-brush policies with safe defaults.
- Create awareness of the specific API security risks amongst stakeholders.
Article: API security checklist
Guides for improving API security are always popular with readers of this newsletter, and in this issue we have a checklist of the top seven requirements for API security.
The author suggests the following seven focus areas:
- API discovery and inventorying: You cannot secure what you cannot see, so use continuous discovery and inventorying to understand your API estate. Use automated scanners or traffic analysis to build a view of your estate, and perform traffic analysis to discover unused, shadow, or zombie APIs.
- Securing APIs with instant threat detection and protection: Use advanced traffic monitoring techniques based on machine learning or AI to automate API protection. Actively monitor your APIs and ensure that systems are patched and that vulnerabilities are addressed.
- API access control and authentication: Robust methods for authentication and authorization should be employed throughout the API ecosystem to mitigate key attack vectors. Use zero-trust principles, minimum privilege levels, limited token lifetimes, and token expiration to prevent replay attacks.
- API design and development: The design and development process should include security as a key element from design through to testing. Use appropriate API security tooling to assist developers in producing secure APIs.
- API security testing: Perform continuous security testing throughout the lifecycle, including specialist penetration tests.
- API logging and monitoring: Logging and monitoring of APIs and their traffic are vital to detect abnormal behavior and possible attacks.
- Incident response: Ensure that your organization has an incident response plan in the event of an API breach or incident.
A great checklist covering the full API development lifecycle – definitely one to bookmark.
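The logging and monitoring item above (and the report's finding that credential abuse is becoming the top attack vector) is easier to act on with a concrete detector. The following is an added example, not code from the checklist's author or from Akamai: it parses a few constructed API access-log lines (the log format, endpoint path and IP addresses are invented for the example) and flags any source address that fails login against many distinct accounts inside a sliding window, the classic credential-stuffing signature. Thresholds are assumptions to tune against your own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log lines for a hypothetical /v1/auth/login endpoint (not real traffic).
SAMPLE_LOG = """\
2022-11-01T10:00:01Z 203.0.113.7 POST /v1/auth/login 401 user=alice
2022-11-01T10:00:02Z 203.0.113.7 POST /v1/auth/login 401 user=bob
2022-11-01T10:00:03Z 203.0.113.7 POST /v1/auth/login 401 user=carol
2022-11-01T10:00:04Z 198.51.100.20 POST /v1/auth/login 401 user=alice
2022-11-01T10:00:05Z 203.0.113.7 POST /v1/auth/login 401 user=dave
2022-11-01T10:00:06Z 198.51.100.20 POST /v1/auth/login 200 user=alice
2022-11-01T10:00:07Z 203.0.113.7 POST /v1/auth/login 401 user=erin
2022-11-01T10:00:08Z 203.0.113.7 POST /v1/auth/login 401 user=frank
2022-11-01T10:00:09Z 192.0.2.5 GET /v1/orders/17 200 user=carol
2022-11-01T10:00:10Z 203.0.113.7 POST /v1/auth/login 200 user=frank
this line is deliberately malformed and must be skipped
"""

# Assumed log layout: "<iso-timestamp> <client-ip> <method> <path> <status> user=<name>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3}) user=(?P<user>\S+)$"
)
LOGIN_PATH = "/v1/auth/login"


def parse_log(text: str) -> list:
    """Turn raw lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "ip": m["ip"], "method": m["method"],
                       "path": m["path"], "status": int(m["status"]), "user": m["user"]})
    return events


def detect_credential_stuffing(events: list, window: timedelta = timedelta(minutes=5),
                               min_failures: int = 5, min_distinct_users: int = 4) -> dict:
    """Flag source IPs whose failed logins in any `window` span many distinct accounts.

    A single user retrying a forgotten password produces many failures but one
    account name, so the distinct-user threshold separates that from spraying.
    """
    failures_by_ip = defaultdict(list)
    for e in events:
        if e["path"] == LOGIN_PATH and e["status"] == 401:
            failures_by_ip[e["ip"]].append(e)

    findings = {}
    for ip, fails in failures_by_ip.items():
        fails.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until the span fits inside `window`.
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            span = fails[start:end + 1]
            users = {e["user"] for e in span}
            if len(span) >= min_failures and len(users) >= min_distinct_users:
                current = findings.get(ip)
                if current is None or len(span) > current["failures"]:
                    findings[ip] = {"failures": len(span), "distinct_users": len(users),
                                    "first": span[0]["ts"].isoformat(),
                                    "last": span[-1]["ts"].isoformat()}
    return findings


def run_demo() -> dict:
    """Run the detector over the constructed sample; returns the findings dict."""
    return detect_credential_stuffing(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for ip, info in run_demo().items():
        print(f"{ip}: {info['failures']} failed logins across {info['distinct_users']} accounts "
              f"between {info['first']} and {info['last']}")
```

In the sample only 203.0.113.7 is reported; 198.51.100.20 fails once and then succeeds for the same account, which is normal user behaviour and should not page anyone. In production the same logic runs over a streaming source and the thresholds are set from a baseline of legitimate failure rates.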
Article: The dangers of API security overconfidence
Recently, Radware produced a survey of the state of API security in 2022, and four key takeaways from it are covered in this article from Security Boulevard.
The article highlights the fact that over 92% of organizations reported growth in their API usage in the last year, yet showed overconfidence in their API protection approaches. In fact, nearly half of the respondents indicated they felt their protections were very effective. In light of how frequently API breaches are covered in this newsletter, such confidence may well be misplaced.
The four key takeaways affecting API security are:
- The threat of undocumented APIs: As discussed in the previous article, the lack of visibility into the API estate presents an unquantified risk. Over 60% of respondents felt a third of their APIs were undocumented.
- API attacks are flying under the radar: Many existing tools are simply unable to detect and protect against API threats and attacks.
- Open source contributes to the security myth: Many respondents believed that open source code may be more secure than proprietary code. High-profile incidents, such as Log4j and Heartbleed, indicate this perception may be misplaced.
- Bot attacks remain a threat: Bot attacks continue to rise, with over a third of respondents stating that bot attacks are their number one attack vector. Additionally, commonly used protections, such as WAFs and API gateways, are ineffective at protecting against bot attacks.
There’s no place for complacency when it comes to API security.
Video: Neil Madden on self-contained tokens and JWTs
This is an absolutely vital topic for anyone involved with building APIs, and Neil is an expert in this space. The video takes the viewer through Java code samples that show the key concepts, including in-depth coverage of JWT validation.
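The video's code samples are in Java; as an added example that is not Neil's code or taken from the video, here is the same set of JWT validation checks in Python using only the standard library, so the order of operations is visible without a JWT library hiding it: pin the algorithm rather than trusting the token's header, verify the HMAC signature in constant time before reading any claim, then enforce expiry, not-before, issuer and audience. The key, issuer and audience values are constructed for the example; `mint_hs256` exists only to produce test tokens.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values; a real service loads the key from a secret store.
DEMO_KEY = b"constructed-demo-key-not-for-production"
EXPECTED_ISSUER = "https://issuer.example"   # assumed issuer URL
EXPECTED_AUDIENCE = "orders-api"             # assumed audience identifier
CLOCK_SKEW_SECONDS = 30                      # tolerance for clock drift between issuer and verifier


class TokenInvalid(Exception):
    """Raised for any reason a token must not be accepted."""


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def mint_hs256(claims: dict, key: bytes) -> str:
    """Create an HS256 JWT; used here only to build inputs for the validator."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def validate_hs256(token: str, key: bytes, now: float = None) -> dict:
    """Return the claims of a valid token, or raise TokenInvalid."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenInvalid("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:
        raise TokenInvalid("undecodable header or signature")
    # 1. The verifier fixes the algorithm; "none" or an RSA alg in the header is rejected outright.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise TokenInvalid("unexpected alg")
    # 2. Check the signature (constant-time compare) before trusting a single claim.
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise TokenInvalid("bad signature")
    try:
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:
        raise TokenInvalid("undecodable payload")
    if not isinstance(claims, dict):
        raise TokenInvalid("payload is not an object")
    # 3. Lifetime: a missing exp is treated as invalid, not as "never expires".
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)):
        raise TokenInvalid("missing exp")
    if now > exp + CLOCK_SKEW_SECONDS:
        raise TokenInvalid("token expired")
    nbf = claims.get("nbf")
    if nbf is not None and now + CLOCK_SKEW_SECONDS < nbf:
        raise TokenInvalid("token not yet valid")
    # 4. Issuer and audience: a token minted for another API must not work here.
    if claims.get("iss") != EXPECTED_ISSUER:
        raise TokenInvalid("wrong issuer")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if EXPECTED_AUDIENCE not in audiences:
        raise TokenInvalid("wrong audience")
    return claims


def run_checks(now: float = 1_700_000_000) -> dict:
    """Validate one good token and several bad ones; returns the outcome per case."""
    good = {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "sub": "user-42",
            "iat": now, "exp": now + 300}
    token = mint_hs256(good, DEMO_KEY)
    header_b64, payload_b64, sig_b64 = token.split(".")
    forged_payload = _b64url_encode(json.dumps({**good, "sub": "admin"}).encode())
    none_header = _b64url_encode(b'{"alg":"none"}')
    bad_cases = {
        "expired": mint_hs256({**good, "exp": now - 600}, DEMO_KEY),
        "wrong_audience": mint_hs256({**good, "aud": "other-api"}, DEMO_KEY),
        "wrong_key": mint_hs256(good, b"constructed-other-key"),
        "tampered_payload": f"{header_b64}.{forged_payload}.{sig_b64}",
        "alg_none": f"{none_header}.{payload_b64}.",
    }
    results = {"valid_subject": validate_hs256(token, DEMO_KEY, now=now)["sub"]}
    for name, bad in bad_cases.items():
        try:
            validate_hs256(bad, DEMO_KEY, now=now)
            results[name] = "accepted"
        except TokenInvalid as err:
            results[name] = f"rejected: {err}"
    return results


if __name__ == "__main__":
    for case, outcome in run_checks().items():
        print(f"{case}: {outcome}")
```

The order matters: claims are only parsed after the signature passes, so an attacker-controlled payload never influences which key or algorithm the verifier uses. Short `exp` windows, as the checklist earlier in this issue recommends, limit how long a leaked token stays useful.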
Eagle-eyed readers may spot a discount code for Neil’s book, which I can certainly recommend for anyone’s library.