This week, we have an article on the value of using a developer portal for APIs, a guide from Dana Epp in finding “dark data” in an API, and an update from PortSwigger on their Web Security Academy resources for learning more about API security. We also have an update on the API vulnerabilities reported in the Ray AI framework last week and news on the latest webinar from 42Crunch. Finally, as it is the season for such things, I make a few predictions for API security in 2024.
This is the final APISecurity.io newsletter for 2023. We wish all subscribers happy holidays and a prosperous New Year and look forward to welcoming you back with issue 237 on the 11th of January 2024!
Article: Using a developer portal for APIs
The first article this week comes courtesy of The New Stack and covers the important topic of developer portals for APIs. A developer portal can be thought of as a library where you, your developers, and your customers can find and use your organization’s APIs. Without a developer portal, it can be challenging to keep track of your APIs, and this can lead to a duplication in effort as teams recreate existing APIs or a lack of control and governance over your API inventory.
From an API security perspective, most readers will be aware of the challenges an unmanaged inventory poses. Knowing your complete inventory is necessary to quantify the risk presented by your APIs. Many organizations typically have two or three times more APIs than they realize. By using a developer portal as an inventory tracking tool, security teams can keep track of their API assets, introduce governance over the introduction of new APIs, and gracefully manage the deprecation of obsolete APIs.
The author identifies several other benefits of API developer portals, namely:
- Troubleshooting and maintenance: a comprehensive catalog can help developers and operations teams understand the connectivity of coupled APIs and aid in troubleshooting in the event of outages or performance issues.
- Support: the catalog helps support teams identify APIs and their respective owners, which is important when assigning staff to an incident.
- Onboarding and training: helps new team members understand the overall API topology during their onboarding and induction.
- Ongoing development: provides information to developers about the existence of APIs already available in their organization.
- Strategic planning: allows the leadership teams to consolidate their inventory and plan their strategy going forward regarding new APIs and deprecation of obsolete APIs.
This article features an in-depth look at the Port developer portal platform, which looks very comprehensive and offers a totally free tier.
Guide: Finding “dark data” in an API
Our top contributor in 2023 is undoubtedly Dana Epp, and it’s appropriate that we feature him in our Christmas issue. This time, he’s discussing the critical topic of “dark data” within APIs.
Dana’s working definition of “dark data” is “any data collected and stored by an organization but not generally used for any practical purpose.” This data can come from internal storage systems such as databases or from various analytics and business intelligence tools. Think of it as metadata that may leak confidential information about your primary data assets, allowing an attacker to infer various useful insights.
Dana calls out the significant concerns around the leakage of such dark data, namely:
- Security risks: data may include sensitive information such as usernames or other PII.
- Compliance issues: many industries have very strict data protection and privacy requirements, and even such seemingly innocuous data may constitute a violation.
- Insights and opportunities: dark data can provide an attacker with insights into how to attack your organization via its business logic or application flows.
The impacts of dark data leakage (and, more generally, excessive information exposure) are captured in the OWASP API Security Top 10 as the third most significant concern affecting APIs in the category API3:2023 Broken Object Property Level Authorization.
The recommendation for an API builder or defender is to use a tightly constrained OpenAPI definition that specifies the minimum data to satisfy the API’s functionality. Use continuous testing to ensure that your APIs meet this contract, and use runtime protection to ensure APIs do not leak additional data in production.
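An added example (not from the newsletter or from Dana Epp’s post) of both halves of that recommendation: a constrained, OpenAPI-style response schema with `additionalProperties: false`, a test-time check that reports every field a response carries beyond the contract, and a runtime filter that strips those fields before the response leaves the service. The schema, the leaky sample response and the field names are all constructed for illustration.

```python
from typing import Any

# Constructed contract: the minimum a GET /users/{id} response needs.
USER_RESPONSE_SCHEMA = {
    "type": "object", "additionalProperties": False,
    "properties": {
        "id": {"type": "integer"},
        "displayName": {"type": "string"},
        "address": {"type": "object", "additionalProperties": False,
                    "properties": {"city": {"type": "string"}}},
    },
}

# Constructed response: what a handler that serializes the whole ORM row returns.
LEAKY_RESPONSE = {
    "id": 42, "displayName": "alice",
    "email": "alice@example.test",          # PII not in the contract
    "passwordHash": "<redacted-hash>",      # credential material
    "address": {"city": "Oslo", "geo": {"lat": 59.9, "lon": 10.7}},
    "createdBy": {"adminId": 7},            # internal metadata ("dark data")
}


def find_leaked_fields(schema: dict, payload: Any, path: str = "") -> list[str]:
    """Continuous-testing half: list JSON paths the contract does not allow."""
    leaked: list[str] = []
    if schema.get("type") == "object" and isinstance(payload, dict):
        allowed = schema.get("properties", {})
        extra_ok = schema.get("additionalProperties", True) is not False
        for key, value in payload.items():
            child = f"{path}.{key}" if path else key
            if key in allowed:
                leaked += find_leaked_fields(allowed[key], value, child)
            elif not extra_ok:
                leaked.append(child)
    elif schema.get("type") == "array" and isinstance(payload, list):
        for i, value in enumerate(payload):
            leaked += find_leaked_fields(schema.get("items", {}), value, f"{path}[{i}]")
    return leaked


def prune_to_contract(schema: dict, payload: Any) -> Any:
    """Runtime-protection half: return a copy with disallowed fields removed."""
    if schema.get("type") == "object" and isinstance(payload, dict):
        allowed = schema.get("properties", {})
        extra_ok = schema.get("additionalProperties", True) is not False
        return {k: (prune_to_contract(allowed[k], v) if k in allowed else v)
                for k, v in payload.items() if k in allowed or extra_ok}
    if schema.get("type") == "array" and isinstance(payload, list):
        return [prune_to_contract(schema.get("items", {}), v) for v in payload]
    return payload
```

Run `find_leaked_fields` in the API test suite to fail the build on any new field outside the contract, and `prune_to_contract` at the response boundary so the same contract is enforced in production.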
Tools: Web Security Academy resources for API security
PortSwigger’s Web Security Academy is an evergreen resource for learning about web application security and API security. The academy provides excellent guided lessons and hands-on laboratories to allow users to explore topics of interest. In my opinion, their academy is one of the best learning resources for security topics.
Recently, they have published guidance on learning resources specific to the OWASP API Security Top 10. This resource is great for anyone (attacker or defender) wanting to learn more about API security.
Vulnerability: API vulnerability found in Ray AI framework
In summary, the status is as follows:
- 4 of the 5 reported CVEs (CVE-2023-6019, CVE-2023-6020, CVE-2023-6021, CVE-2023-48023) are fixed in the master and will be released as part of Ray 2.8.1.
- The remaining CVE (CVE-2023-48022) – that Ray does not have authentication built-in – is a long-standing design decision based on how Ray’s security boundaries are drawn.
According to their post, the 5th CVE (the lack of authentication built into Ray) has not been addressed because, in their opinion, it is a design decision rather than a vulnerability or a bug.
Webinar: Top Things You Need to Know About API Security
The flipside of the exponential adoption of APIs over the past decade has been the upsurge in the sheer volume of API attacks. Stories of API security breaches are everywhere, which shines a harsh spotlight on the ease of API abuse and the complexities of robust API security. Join this webinar as two of the industry’s leading experts guide you through some real-world cases of API security attacks and also share some best practices for securing your APIs.
They dive into crucial vulnerabilities highlighted in the OWASP API Security Top 10, such as enforcing authorization, protecting authentication endpoints and preventing SSRF, a new entry in the 2023 version of the OWASP Top 10 for APIs. They also bring the threats to life with several demos, providing a practical look at how these vulnerabilities can be exploited, but also how they can be prevented through a combination of design-time and run-time protection.
At the end of this session, you will have an actionable set of guidelines to assess and improve the security of your own APIs in the face of a number of identified threats.
Predictions for API security in 2024
Finally, I am compelled to make some predictions of my own for API security in 2024. I think API security will remain an important topic in 2024 and continue to receive significant attention at various levels. Based on what I have seen recently in the newsletter, I predict:
- We will see more so-called mega-breaches where organizations lose all of their customer or private data to API breaches or exploits (see examples here and here)
- Vendors (seemingly most often cryptocurrency portals) will continue to experience key leakage or loss (see here, here, and here for examples)
- Attackers will continue to shift their attacks toward more subtle vectors that exploit the business logic of the API rather than specific implementation flaws. A good example is the recent Twitter mass account information leakage incident, which occurred without detection over 18 months.
- I think we will see the occurrence of the first batch of API supply chain vulnerabilities where an upstream API flaw is instrumental in a breach in a downstream API, as predicted by OWASP with the new API10:2023 Unsafe Consumption of APIs.
- And finally, the role of the developer in implementing API security at design time will only continue to rise. As I alluded to over a year ago, empathy for the API developer with tools designed to secure code at design time can only help improve API security in general.