Issue 234: Sumo Logic breach leads to key reset, risk of RBAC vulnerabilities, automated API contracts

This week, we have news of another API key leak, this time affecting users of Sumo Logic, who have been advised to rotate their keys as a precaution. We also have articles on the risk of RBAC vulnerabilities in APIs and on why CFOs should prioritize API security as a cost-saver and business enabler. Finally, we have a book review, a report on the size of the API market, and news of a new tool from 42Crunch.

Breach: Sumo Logic advises customers to reset API keys

Sumo Logic confirmed it had discovered evidence of a potential security incident on the 3rd of November. It has since locked down the exposed infrastructure and rotated every potentially exposed credential “out of an abundance of caution.”

Although Sumo Logic stated there was no indication of a compromise or a breach of customer data, it advised customers to rotate both the keys used to access Sumo Logic and any credentials they had stored with Sumo Logic for accessing other systems. The incident was believed to involve unauthorized third-party access to a Sumo Logic AWS account.

Although Sumo Logic declined to comment further on the details of the incident, it assured customers that it remained committed to “a safe and secure digital experience.”

This is another in a recent spate of API key leakage incidents, following the OpenSea and JumpCloud incidents previously reported in this newsletter. For anyone affected, rotation is only half the job: the old key's activity should also be reviewed for use outside its normal pattern before it is retired.

Article: The risk of RBAC vulnerabilities

The first article this week is from GBHackers and discusses the risk of role-based access control (RBAC) vulnerabilities in systems built on APIs. Most readers will be familiar with the principle of RBAC: a user is assigned rights on a system based on their role, and when they no longer hold that role, those rights fall away. This paradigm is a popular choice for API authorization too, where frameworks such as Casbin and Oso HQ provide good implementations of RBAC engines.

The article describes typical usage of RBAC in certain industries such as healthcare, financial services, eCommerce, and government. It then goes on to describe some common RBAC vulnerabilities encountered in the real world:

  • Excessive Permissions: The most obvious vulnerability: a role is granted more permissions than its tasks require. The principle of least privilege should be applied so that only the necessary permissions are assigned.
  • Stale Roles: A user is assigned a role and continues to hold it after they no longer need it, retaining access that is no longer necessary.
  • Permission Creep: Similar to stale roles, this occurs when a user changes roles over time and accumulates more roles than their current job needs, because old roles are added to rather than replaced.
  • Inadequate Auditing: The previous two vulnerabilities can be caught by regular audits of role assignments; failing to perform these is another common failure pattern.
  • Insecure APIs: Poorly secured APIs can be an entry point for attackers to manipulate permissions or gain unauthorized access to sensitive data.

The guide ends with some rather generic but useful advice on how to prevent RBAC vulnerabilities, namely:

  • Least Privilege Principle: The obvious remedy for many RBAC issues: assign only the minimum set of permissions needed to perform a role. The challenge lies in identifying what that minimum set is in the first place.
  • Time-Based Roles: A failsafe against permission creep: give role assignments an expiry, then periodically revalidate them or let them lapse, so that a role is removed unless it is actively renewed.
  • Multi-Factor Authentication (MFA): Sensitive roles (such as admin roles) should require MFA to prevent unauthorized access.

This is a quick, easy read for anyone implementing RBAC in their systems.
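The following is an added example, not code from the GBHackers article and not Casbin's or Oso's API: a minimal RBAC engine in Python in which every role assignment is time-bound, plus an audit routine that flags the three failure patterns described above (excessive permissions, stale roles and permission creep). The role names, permission strings, the required-permission baseline and the users alice and bob are all constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample policy: role -> permissions the role grants.
ROLE_PERMISSIONS: dict[str, frozenset[str]] = {
    "viewer": frozenset({"orders:read"}),
    "support": frozenset({"orders:read", "orders:refund"}),
    "admin": frozenset({"orders:read", "orders:refund", "orders:delete", "users:write"}),
}

# Permissions each role's job actually needs (constructed). In practice this
# baseline has to be derived from real usage, which is the hard part of least privilege.
REQUIRED_PERMISSIONS: dict[str, frozenset[str]] = {
    "viewer": frozenset({"orders:read"}),
    "support": frozenset({"orders:read", "orders:refund"}),
    "admin": frozenset({"orders:read", "orders:refund", "orders:delete"}),
}


@dataclass
class Assignment:
    user: str
    role: str
    granted_at: datetime
    expires_at: datetime            # every grant is time-bound; nothing is open-ended
    last_used_at: datetime | None = None


class Rbac:
    def __init__(self) -> None:
        self.assignments: list[Assignment] = []

    def grant(self, user: str, role: str, now: datetime, ttl: timedelta = timedelta(days=90)) -> None:
        if role not in ROLE_PERMISSIONS:
            raise KeyError(f"unknown role {role!r}")
        self.assignments.append(Assignment(user, role, now, now + ttl))

    def active_roles(self, user: str, now: datetime) -> set[str]:
        return {a.role for a in self.assignments if a.user == user and a.expires_at > now}

    def is_allowed(self, user: str, permission: str, now: datetime) -> bool:
        """Authorization check an API handler would call; expired grants do not count."""
        return any(permission in ROLE_PERMISSIONS[r] for r in self.active_roles(user, now))

    def record_use(self, user: str, role: str, now: datetime) -> None:
        """Called whenever a grant is exercised, so the audit can tell live roles from stale ones."""
        for a in self.assignments:
            if a.user == user and a.role == role and a.expires_at > now:
                a.last_used_at = now

    def audit(self, now: datetime, unused_after: timedelta = timedelta(days=30)) -> list[str]:
        findings: list[str] = []
        # Excessive permissions: a role grants more than its job requires.
        for role, perms in ROLE_PERMISSIONS.items():
            extra = perms - REQUIRED_PERMISSIONS.get(role, frozenset())
            if extra:
                findings.append(f"excessive: {role} grants {sorted(extra)} beyond its required set")
        # Stale roles: still active but not exercised within the threshold.
        for a in self.assignments:
            if a.expires_at <= now:
                continue
            idle_since = a.last_used_at or a.granted_at
            if now - idle_since > unused_after:
                findings.append(f"stale: {a.user} holds {a.role}, unused since {idle_since.date()}")
        # Permission creep: a role whose permissions another active role already covers.
        for user in sorted({a.user for a in self.assignments}):
            roles = self.active_roles(user, now)
            for role in sorted(roles):
                covered_by_others = frozenset().union(*(ROLE_PERMISSIONS[r] for r in roles - {role}))
                if ROLE_PERMISSIONS[role] <= covered_by_others:
                    findings.append(f"creep: {user} still holds {role}, fully covered by {sorted(roles - {role})}")
        return findings


def demo() -> tuple[bool, bool, list[str]]:
    """Constructed scenario: a promotion that forgot to revoke the old role, and a grant that lapses."""
    t0 = datetime(2023, 8, 1, tzinfo=timezone.utc)
    rbac = Rbac()
    rbac.grant("alice", "viewer", t0)                          # original role
    rbac.grant("alice", "admin", t0 + timedelta(days=10))      # promoted; viewer never revoked
    rbac.grant("bob", "support", t0, ttl=timedelta(days=30))   # short-lived, lapses on its own
    rbac.record_use("alice", "admin", t0 + timedelta(days=80))
    now = t0 + timedelta(days=85)
    return (
        rbac.is_allowed("alice", "orders:delete", now),   # True: admin grant still active
        rbac.is_allowed("bob", "orders:refund", now),     # False: support grant expired
        rbac.audit(now),
    )


if __name__ == "__main__":
    for line in demo()[2]:
        print(line)
```

Running demo() yields three findings: admin carries users:write beyond its required set, alice's viewer grant has gone unused since it was issued, and that same viewer grant is redundant now that admin covers it. Bob's refund permission is denied without anyone having to remember to revoke it, which is the point of time-bound grants. The REQUIRED_PERMISSIONS baseline is the expensive input here; the code assumes it exists, and in a real system it is what the audit is usually missing.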

Article: Why CFOs should prioritize API security

The next article, from Security Boulevard, provides an interesting perspective on the need to prioritize API security, looking at it from the point of view of the Chief Financial Officer (CFO). In this newsletter we usually consider API security from a technical viewpoint, so it is useful to understand the financial motivators behind producing secure APIs.

The first and most obvious benefit is simply avoiding the cost of a breach. Breaches can lead to fines for failing to comply with regulations such as GDPR, CCPA, or HIPAA, and in many cases these fines can be crippling, amounting to a significant portion of revenue. Large-scale breaches also lead to brand damage and a tarnished reputation, and so to a loss of consumer confidence, particularly when those consumers are entrusting you with their data.

Consumers are becoming more security savvy and pay attention to news of large-scale breaches. Once a reputation is tarnished, the brand may never recover. For a CFO, this has to be a strong and compelling driver.

As the security practitioners among our readers know only too well, a breach is also extremely costly in terms of the operational cost of recovery and the revenue lost to the resulting downtime. Handling the breach also pulls security teams away from other work, such as proactively improving API security in the first place.

Another financial benefit of a robust API security regimen is a likely reduction in cyber-insurance premiums. Being proactive about security, and about API security in particular, and being able to demonstrate that proactivity, allows a savvy CFO to negotiate better rates and terms with insurance providers.

APIs are a vital part of the modern supply chain, and by ensuring that the APIs you consume and provide are secure, you minimize the risk of inheriting risk from your providers or passing it on to your consumers.

Finally, if your teams are not constantly reacting to API security breaches and incidents, they are free to drive innovation by building new products and integrations, or by improving security further.

This is a useful guide for those wishing to justify upcoming budgets for API security projects.

Book: Automating API delivery

A friend of the newsletter, Ikenna Nwaiwu, has recently released his book “Automating API Delivery” with Manning. The book focuses on applying DevOps approaches to the API design and delivery phases and covers the following topics:

  • Enforce API design standards with linting
  • Automate breaking-change checks to control design creep
  • Ensure the accuracy of API reference documents
  • Centralize API definition consistency checks
  • Automate API configuration deployment
  • Conduct effective API design reviews

I particularly enjoyed the sections on automating API linting with GitHub Actions and on OpenAPI Generator, which shows great promise. The book is in early access from Manning, with only three more chapters to go. Good luck to Ikenna in getting it over the line, and with the upcoming launch and promotion.

Report: API market set to continue to grow

If anyone doubted the size of the API market, the latest research from Kong should be a real eye-opener. The headline figure is startling: the global economic impact of APIs is expected to rise from approximately £7.17 trillion in 2023 to about £9.33 trillion over the next four years. Unsurprisingly, much of this growth is expected to come from the artificial intelligence market, estimated at around £4.41 trillion in 2027, a substantial 76% increase on the 2023 estimate.

The report also makes the obvious but crucial point that the security risks arising from such rapid growth should not be underestimated: more APIs mean more attack surface.

Tools: Automated API contract generation

42Crunch recently released API Capture, a tool for automatically generating OpenAPI contracts (also known as Swagger files), which can then be used for security auditing and testing. The tool analyzes network traffic, and can also import Postman collections, to derive the API contract definitions. This approach shortens testing timelines and reduces manual effort, with one caveat worth keeping in mind: a contract derived from traffic describes only what the traffic exercised, so endpoints that were never called during capture will not appear in it and should be reconciled against the application's own routes.

Further information is available on the 42Crunch website.
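As an added illustration of the approach, not 42Crunch's code or the API Capture tool itself, here is a toy Python inference of an OpenAPI 3 skeleton from a constructed traffic sample, together with a check of what the capture missed. The traffic format (METHOD PATH STATUS CONTENT-TYPE), the sample requests and the declared-routes list are all made up for the example.

```python
from __future__ import annotations
import json
import re

# Constructed sample of captured traffic, one request per line:
# METHOD PATH STATUS RESPONSE-CONTENT-TYPE ("-" when the response has no body).
SAMPLE_TRAFFIC = """\
GET /api/v1/orders 200 application/json
GET /api/v1/orders/1042 200 application/json
GET /api/v1/orders/1043 404 application/json
POST /api/v1/orders 201 application/json
DELETE /api/v1/orders/1042 204 -
GET /api/v1/users/7f9c2b1a-4c3d-4e8f-9a1b-2c3d4e5f6a7b 200 application/json
"""

# Constructed: the routes the application's router actually serves.
DECLARED_ROUTES = [
    "GET /api/v1/orders", "POST /api/v1/orders", "GET /api/v1/orders/{order_id}",
    "PUT /api/v1/orders/{order_id}", "DELETE /api/v1/orders/{order_id}",
    "GET /api/v1/users/{user_id}", "GET /api/v1/admin/export",
]

UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)


def templatize(raw_path: str) -> tuple[str, list[dict]]:
    """Turn /orders/1042 into /orders/{order_id} and describe the path parameter.
    Numeric and UUID segments are treated as identifiers; the parameter name is
    derived naively from the preceding segment (orders -> order_id)."""
    segments = raw_path.strip("/").split("/")
    out, params = [], []
    for i, seg in enumerate(segments):
        if seg.isdigit() or UUID_RE.match(seg):
            prev = segments[i - 1].rstrip("s") if i > 0 else "item"
            name = f"{prev}_id"
            out.append("{" + name + "}")
            params.append({"name": name, "in": "path", "required": True,
                           "schema": {"type": "integer" if seg.isdigit() else "string"}})
        else:
            out.append(seg)
    return "/" + "/".join(out), params


def infer_openapi(traffic: str, title: str = "Captured API") -> dict:
    """Build an OpenAPI 3 document whose paths, methods, parameters and response
    codes are exactly those observed in the traffic, and nothing more."""
    paths: dict = {}
    for line in traffic.splitlines():
        if not line.strip():
            continue
        method, raw_path, status, ctype = line.split()
        path, params = templatize(raw_path)
        op = paths.setdefault(path, {}).setdefault(
            method.lower(), {"parameters": params, "responses": {}})
        # Widen a parameter type if a later observation disagrees (1042, then "abc").
        for seen, new in zip(op["parameters"], params):
            if seen["schema"]["type"] != new["schema"]["type"]:
                seen["schema"]["type"] = "string"
        resp = op["responses"].setdefault(status, {"description": f"Observed HTTP {status}"})
        if ctype != "-":
            resp.setdefault("content", {})[ctype] = {"schema": {}}
    return {"openapi": "3.0.3", "info": {"title": title, "version": "captured"}, "paths": paths}


def coverage_gap(spec: dict, declared_routes: list[str]) -> list[str]:
    """Declared routes that never appeared in the capture and so are absent from
    the contract. These are the endpoints an audit based only on the contract would miss."""
    missing = []
    for route in declared_routes:
        method, path = route.split(maxsplit=1)
        if method.lower() not in spec["paths"].get(path, {}):
            missing.append(route)
    return missing


if __name__ == "__main__":
    spec = infer_openapi(SAMPLE_TRAFFIC)
    print(json.dumps(spec, indent=2))
    print("not covered by capture:", coverage_gap(spec, DECLARED_ROUTES))
```

On the sample traffic the inferred contract has two paths under orders and one under users, with the 404 on a missing order recorded as an observed response. The coverage check then reports that PUT on an order and the admin export endpoint never appeared in the capture, and the export endpoint is exactly the kind of route a security audit most wants to see. Whatever tool generates the contract, that reconciliation step against the real route table is the one to keep.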
