Issue 193: Five API security best practices, AppSec tools for APIs


This week, we have five best practices from SoftwareAGGov for API security, and views from Jeff Williams at Contrast Security on the suitability (or not) of application security (AppSec) testing tools for API security. We also feature guides on how to secure partner API integrations with OAuth mTLS and on what to look for in selecting API tools.

Article: Five best practices for API security

First up this week is an article from the team at SoftwareAGGov on their suggestions for five best practices for API security. Whilst we have covered many best-practice lists previously, I liked the slightly more strategic view that the authors take in their guidance.

Their five best practices are:

  • Understanding your data: APIs are primarily a conduit for data transfer and API security should start with a focus on the data: what data do you own, how sensitive is that data, and who should have access to it? Beware of accidentally leaking private data from excessively verbose logging or API responses (this is API3:2019 — Excessive data exposure, a frequently encountered API vulnerability).
  • Understanding your APIs: As the authors state, “You must know what you have in order to know what to protect.” A complete and accurate API inventory is essential to being able to address API security. In particular, be aware of your shadow APIs (hidden APIs) or zombie APIs (deprecated or unsupported APIs) which present an unquantified risk.
  • Understanding your users: Robust authentication is vital to ensure that users are who they say they are, and that they only have access to their own resources. Regularly test your authentication framework and ensure that granular access control is applied.
  • Knowing your tools: Good API security relies on selecting and using various API security tools, including API management platforms and API gateways. Ensure that the security features are fully utilized, and beware of gaps in your coverage. A defense-in-depth strategy is a key to good security.
  • Securing everything: Again, take a multi-pronged approach to API security by applying controls and measures at various levels.

Some solid, basic advice here — there’s no silver bullet for API security.

Article: Using AppSec tools for APIs

Jeff Williams, the founder and CTO of Contrast Security, is also one of the founders of OWASP and has over two decades in the software security industry, so it’s always worth listening to what he has to say on the topic of API security. In his most recent blog post, he explores the somewhat contentious topic of the suitability and effectiveness of using traditional AppSec tools, such as static application security testing (SAST) and dynamic application security testing (DAST), for API security.

He starts by taking a look into the suitability of DAST for testing APIs. The first problem here is that DAST tools lack knowledge of how to interpret HTTP responses: if an injection attack is made, how does the scanner know if the attack succeeded or failed? If an HTTP 500 error is returned, did the injection attack happen, or did the API fail before it due to malformed input? The other problem relates to the inability of DAST scanners to create valid API input to fully exercise (and exploit) the API adequately. This leads to high false negatives — DAST tends not to find much when scanning APIs.

Secondly, he takes a dim view of the ability of SAST to produce meaningful and actionable findings in API source code. SAST does not have the context of data flows within the source code and often fails to detect API entry points, thereby missing possible attack vectors. SAST often highlights issues in source code that prove to be false positives in the context of the application.

I’ve previously written on the same topic and find myself in general agreement with Jeff — a very interesting read.

Guide: Securing partner API integrations with OAuth mTLS

Next, we have an in-depth technical article from Cloudentity on securing partner API integrations with OAuth mTLS using their platform.

The authors explore two common approaches to secure API integrations: bearer tokens and certificates in mTLS mode. Bearer tokens can be used to authorize a client to access an API, but they have the obvious problem that whoever has access to that bearer token has access to the API. The use of certificates, on the other hand, provides strong authentication but lacks the ability to provide more fine-grained authorization, as access tokens with scopes can.

To overcome the weaknesses inherent in each of these methods, the authors suggest a combination of the two, namely OAuth client authentication using mutual TLS, either by self-signed certificates or public key infrastructure (PKI). This approach provides two key benefits:

  • An mTLS token endpoint with mTLS/self-signed client authentication methods for access tokens
  • Certificate-bound access tokens with scoped access

The authors conclude that “it’s all our responsibility to keep the data traveling across the wire safe from misuse”.
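As an added illustration (not code from the Cloudentity article or its platform), the sketch below shows the check a resource server performs on a certificate-bound access token as defined in RFC 8705: the token's `cnf` claim carries `x5t#S256`, the base64url SHA-256 thumbprint of the client certificate, and it must match the certificate presented on the TLS connection before scopes are evaluated. The function names, claim values and placeholder certificate bytes are assumptions; token signature validation and TLS termination are assumed to have happened already.

```python
import base64
import hashlib
import hmac
from typing import Optional, Tuple


def x5t_s256(cert_der: bytes) -> str:
    """base64url(SHA-256(DER certificate)) without padding, per RFC 8705."""
    digest = hashlib.sha256(cert_der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def authorize(claims: dict, presented_cert_der: Optional[bytes],
              required_scope: str) -> Tuple[bool, str]:
    """Resource-server decision for a token whose signature is already verified."""
    cnf = claims.get("cnf")
    bound = cnf.get("x5t#S256") if isinstance(cnf, dict) else None
    if not isinstance(bound, str) or not bound:
        # A plain bearer token: possession alone would grant access, so reject it.
        return False, "token is not certificate-bound"
    if presented_cert_der is None:
        return False, "no client certificate on the TLS connection"
    # Constant-time comparison of the bound and presented thumbprints.
    if not hmac.compare_digest(bound, x5t_s256(presented_cert_der)):
        return False, "certificate does not match token binding"
    # Only after proof of possession do scopes provide fine-grained access.
    if required_scope not in claims.get("scope", "").split():
        return False, "missing scope"
    return True, "ok"


# Constructed sample data: placeholder bytes standing in for DER certificates.
PARTNER_CERT = b"constructed-partner-certificate-der"
OTHER_CERT = b"constructed-other-certificate-der"
CLAIMS = {
    "sub": "partner-app",                      # hypothetical client
    "scope": "accounts:read",                  # hypothetical scope
    "cnf": {"x5t#S256": x5t_s256(PARTNER_CERT)},
}

if __name__ == "__main__":
    print(authorize(CLAIMS, PARTNER_CERT, "accounts:read"))   # legitimate partner
    print(authorize(CLAIMS, OTHER_CERT, "accounts:read"))     # token replayed with another cert
    print(authorize(CLAIMS, PARTNER_CERT, "accounts:write"))  # right cert, wrong scope
```
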

Article: What to look for in API security tools

To round up this week, we have an article from DZone on what to look for in API security tools. Before even starting to evaluate tools, the organization should begin with the question of what its ultimate goal is. Does it want to achieve compliance, reduce risk, or meet contractual obligations? Understanding the goal will inform the decision-making process.

The next key consideration is how the tool will be operated and deployed. Will you build a team internally, use external specialists, or use vendor resources? This factor can have a significant impact on the total cost of ownership.

Specific to API security, the author suggests the following criteria:

  • OWASP API Security Top 10 detection
  • Runtime protection
  • API inventory
  • Fuzzing
  • Reporting

Finally, the author makes the same point made in the first article today: there is no single tool that will fix everything, so finding the combination of tools best suited for your needs is the key.

Webinar: Review of API Breaches in H1 2022: Episode two — Remediation and Prevention

Last month, I presented a webinar on a dozen API breaches covered in this newsletter so far this year, and next week, on the 21st July, I’ll be hosting the second part of this popular webinar.

In this webinar, I’ll be getting into practical guidance on how to prevent and remediate some of these types of breaches. In particular, we’ll focus on the following topics:

  • Applying defensive coding practices to secure APIs.
  • Practical demonstration of how 42Crunch can detect and protect APIs from such vulnerabilities.

 

