OWASP Top 10 API Risks
The exponential growth of API usage in today’s digital world brings the risk of those APIs being vulnerable to attacks. Cyberattacks have become commonplace in today’s news, with multinational corporations making headlines for the wrong reasons due to a lack of API protection.
These data breaches can bring fines, litigation and, possibly worst of all, damage to your reputation. It only takes one data leak for a brand to suffer lasting damage. That is why a comprehensive policy and process for securing your APIs, and for promoting them through each stage of the API lifecycle, is paramount to protect against threats and attacks.
To make sure that you are protected, here are the most common API security risks.
OWASP Top 10
The Open Web Application Security Project (OWASP) periodically compiles the most critical web application security risks into the OWASP Top 10, a list produced by security experts around the globe. Because APIs have their own characteristic weaknesses, OWASP also publishes a separate OWASP API Security Top 10; its first edition appeared in 2019, and that is the list this post follows.
The ten API security risks in that list are:
- Broken Object Level Authorization
- Broken Authentication
- Excessive Data Exposure
- Lack of Resources and Rate Limiting
- Broken Function Level Authorization
- Mass Assignment
- Security Misconfiguration
- Injection
- Improper Assets Management
- Insufficient Logging and Monitoring
What is the OWASP Top 10?
In a series of blog posts, we will cover each of these ten vulnerabilities in detail and how the Akana API Management solution specifically addresses them.
For starters, below is a brief overview of what each of these common security risks entails.
Broken Object Level Authorization
APIs tend to expose endpoints that take object identifiers straight from the client, which creates a wide attack surface for object-level access control issues. Every function that reads or writes a data source using a client-supplied identifier must check that the authenticated caller is actually allowed to access that specific object; authentication alone does not do this.
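The following is an added example, not code from the original post or from Akana, showing the difference between a handler that only authenticates and one that performs the object-level check. The invoice table and the user names are constructed for the demonstration; the handler signature (session user, object id) stands in for whatever a real framework passes in.

```python
# Constructed sample data: invoices owned by two different users.
INVOICES = {
    101: {"owner": "alice", "amount": 120.00},
    102: {"owner": "bob", "amount": 980.50},
}


def handle_get_invoice_vulnerable(session_user, invoice_id):
    """Authenticated but not authorized: the handler trusts the id in the URL
    and never asks whether `session_user` owns that invoice. Alice can read
    /invoices/102 simply by changing the number."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        return 404, {"error": "not found"}
    return 200, invoice


def handle_get_invoice(session_user, invoice_id):
    """Object-level authorization: after the lookup, verify ownership against
    the identity taken from the session or token, never from the request."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice["owner"] != session_user:
        # One response for "does not exist" and "not yours": a 403/404 split
        # would let an attacker map which ids are live.
        return 404, {"error": "not found"}
    return 200, invoice


def enumerate_ids(handler, session_user, id_range):
    """What an attacker does against a BOLA-prone endpoint: walk the id space
    and record which ids answer 200 under their own session."""
    return {i: handler(session_user, i)[0] for i in id_range}


if __name__ == "__main__":
    print("vulnerable:", enumerate_ids(handle_get_invoice_vulnerable, "alice", range(100, 104)))
    print("hardened:  ", enumerate_ids(handle_get_invoice, "alice", range(100, 104)))
```

Against the vulnerable handler, alice's session returns 200 for bob's invoice 102; against the hardened one it returns the same 404 as a non-existent id, so the enumeration reveals nothing beyond her own records.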
Broken Authentication
When authentication mechanisms are implemented incorrectly, attackers can compromise authentication tokens or exploit implementation flaws to assume the identity of another user. This compromises the security of that user's account and, because every other control relies on knowing who the caller is, the security of the API as a whole.
Excessive Data Exposure
Developers may return every property of an object in API responses without considering the sensitivity of each property individually, relying instead on the client to filter the data before displaying it to the user. Anything sent to the client is already exposed; filtering has to happen on the server, per response, with an explicit list of what is allowed out.
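As an added example (not code from the original post or from Akana), here is a server-side projection that serializes only allowlisted fields, with a dotted-path form for nested objects, next to the "return the whole record" version. The user record, field names and schema names are constructed for the demonstration.

```python
# Constructed record as it comes back from the data store. Several fields
# must never leave the server, whatever the client does with them.
USER_RECORD = {
    "id": 42,
    "username": "alice",
    "email": "alice@example.com",
    "password_hash": "$2b$12$constructed-hash-value",
    "ssn": "123-45-6789",
    "is_admin": False,
    "payment_method": {"brand": "visa", "last4": "4242", "number": "4111111111111111"},
}

# Response schemas as explicit allowlists of leaf paths; anything not named
# is dropped. Dotted paths select inside nested objects.
PUBLIC_PROFILE = ("id", "username")
SELF_PROFILE = ("id", "username", "email", "payment_method.brand", "payment_method.last4")


def serialize_vulnerable(record):
    """Returns the whole stored object and leaves filtering to the client."""
    return dict(record)


def _get_path(obj, parts):
    """Walk `parts` through nested dicts; (found, value)."""
    for part in parts:
        if not isinstance(obj, dict) or part not in obj:
            return False, None
        obj = obj[part]
    return True, obj


def project(record, fields):
    """Copy only the allowlisted paths from `record` into a new dict.
    Missing paths are skipped without leaving empty containers behind."""
    out = {}
    for path in fields:
        parts = path.split(".")
        found, value = _get_path(record, parts)
        if not found:
            continue
        dst = out
        for part in parts[:-1]:
            dst = dst.setdefault(part, {})
        dst[parts[-1]] = value
    return out


def profile_response(record, viewer):
    """Pick the schema by who is asking, then project. The raw record is
    never handed to the serializer."""
    fields = SELF_PROFILE if viewer == record["username"] else PUBLIC_PROFILE
    return project(record, fields)
```

Listing leaf paths matters: allowlisting `payment_method` as a whole would copy the card number along with the brand and last four digits.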
Lack of Resources and Rate Limiting
If an API does not restrict the size or number of resources a user or client can request, server performance degrades and the API can be driven into a Denial of Service (DoS). The absence of limits also leaves authentication endpoints open to brute-force attacks, since nothing stops an attacker from submitting thousands of password guesses.
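The following added example (not code from the original post or from Akana) covers both the rate-limiting point here and the brute-force point made under Broken Authentication: a per-client token bucket, request size and page size caps, and a count of how many password guesses from one address ever reach the credential check. The limits, client keys and the injectable `FakeClock` are constructed for the demonstration.

```python
import time


class FakeClock:
    """Deterministic clock for the demo and tests (constructed, not wall time)."""
    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class RateLimiter:
    """Token bucket per client key (API key, user id, or source address).
    `capacity` bounds bursts; `refill_per_sec` bounds the sustained rate."""
    def __init__(self, capacity, refill_per_sec, clock=time.monotonic):
        self.capacity = float(capacity)
        self.refill = float(refill_per_sec)
        self.clock = clock
        self._buckets = {}  # key -> (tokens, last_seen)

    def allow(self, key):
        now = self.clock()
        tokens, last = self._buckets.get(key, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.refill)
        if tokens < 1.0:
            self._buckets[key] = (tokens, now)
            return False
        self._buckets[key] = (tokens - 1.0, now)
        return True


# Resource limits a gateway or framework should enforce before any handler runs.
MAX_BODY_BYTES = 16 * 1024
MAX_PAGE_SIZE = 100


def admit(limiter, client_key, body, page_size=20):
    """Return the HTTP status the request should get before reaching business logic."""
    if len(body) > MAX_BODY_BYTES:
        return 413  # Payload Too Large
    if page_size > MAX_PAGE_SIZE:
        return 400  # refuse unbounded pagination rather than clamp silently
    if not limiter.allow(client_key):
        return 429  # Too Many Requests
    return 200


def password_guesses_reaching_check(limiter, attacker_ip, attempts):
    """How many of `attempts` login guesses from one address get as far as
    the credential check; everything else is cut off with 429."""
    return sum(1 for _ in range(attempts) if admit(limiter, attacker_ip, b"{}") == 200)


if __name__ == "__main__":
    clock = FakeClock()
    limiter = RateLimiter(capacity=5, refill_per_sec=1.0, clock=clock)
    print("guesses reaching check:", password_guesses_reaching_check(limiter, "198.51.100.9", 1000))
```

With a capacity of 5 and a refill of one token per second, a burst of 1000 guesses gets 5 through and the rest are rejected; two seconds later only two more are admitted. Keying the bucket by source address alone is not enough for distributed attacks, so production deployments also key on the targeted account.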
Broken Function Level Authorization
Authorization flaws can arise from complex access control policies, multiple hierarchies, groups and roles, and a blurred distinction between administrative and regular functions. These issues allow attackers to call functions they should not be able to reach, such as another user's operations or administrative endpoints, often just by changing the HTTP method or guessing a URL.
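As an added example (not code from the original post or from Akana), here is a deny-by-default function-level policy keyed on method and route template, beside the "logged in is enough" check it replaces. The roles, routes and rank ordering are constructed for the demonstration.

```python
import re

# Role hierarchy used by the policy below (constructed).
ROLE_RANK = {"user": 1, "support": 2, "admin": 3}

# Minimum role per (method, route template). Deny by default: a route that
# is not listed is refused even if a handler for it exists.
ROUTE_POLICY = {
    ("GET", "/users/{id}"): "user",
    ("PATCH", "/users/{id}"): "user",
    ("GET", "/users"): "support",
    ("DELETE", "/users/{id}"): "admin",
    ("GET", "/admin/export"): "admin",
}

_NUMERIC_SEGMENT = re.compile(r"/\d+(?=/|$)")


def route_template(path):
    """Collapse numeric path segments so /users/42 matches /users/{id}."""
    return _NUMERIC_SEGMENT.sub("/{id}", path)


def authorize_vulnerable(role, method, path):
    """Checks only that the caller is logged in. A regular user who guesses
    DELETE /users/42 or GET /admin/export gets through."""
    return role is not None


def authorize(role, method, path):
    """Function-level authorization: look the (method, route) up in the policy
    and compare the caller's role against the minimum required."""
    required = ROUTE_POLICY.get((method, route_template(path)))
    if required is None:
        return False
    return ROLE_RANK.get(role, 0) >= ROLE_RANK[required]


if __name__ == "__main__":
    for role, method, path in [("user", "DELETE", "/users/42"), ("admin", "DELETE", "/users/42"),
                               ("user", "GET", "/users"), ("admin", "GET", "/admin/debug")]:
        print(role, method, path, "->", authorize(role, method, path))
```

Note that `authorize("user", "GET", "/users/42")` being true only answers the function-level question; whether user 42 is the caller is the separate object-level check described under Broken Object Level Authorization.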
Mass Assignment
When client-provided data (JSON, for example) is bound to data models without an allowlist of the properties the client may set, attackers are able to modify object properties they are not supposed to touch. They find these properties by exploring API endpoints, guessing names, reading documentation, or simply adding extra fields to a request payload.
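The following is an added example (not code from the original post or from Akana): a profile update that binds every JSON key onto the model, next to one that binds only an allowlist and rejects the rest with a 400. The `User` model, the writable set and the attack payload are constructed for the demonstration.

```python
from dataclasses import dataclass


@dataclass
class User:
    username: str
    email: str
    is_admin: bool = False
    account_credit: float = 0.0


# Fields a user may change about their own profile. Everything else on the
# model (is_admin, account_credit, username) is server-controlled.
OWNER_WRITABLE = frozenset({"email"})

# Constructed attacker payload: a legitimate field plus two protected ones.
ATTACK = {"email": "alice@evil.example", "is_admin": True, "account_credit": 1e9}


def update_user_vulnerable(user, payload):
    """Binds every key in the JSON body straight onto the model. A body of
    {"email": "...", "is_admin": true} promotes the caller."""
    for key, value in payload.items():
        if hasattr(user, key):
            setattr(user, key, value)
    return user


def bind(payload, allowed):
    """Split a request body into the fields we will bind and the ones we
    refuse. Unknown or protected fields are reported, not silently dropped,
    so the client gets a 400 instead of a false success."""
    clean = {k: v for k, v in payload.items() if k in allowed}
    rejected = sorted(k for k in payload if k not in allowed)
    return clean, rejected


def update_user(user, payload):
    """Allowlist-bound update: only OWNER_WRITABLE fields ever reach setattr."""
    clean, rejected = bind(payload, OWNER_WRITABLE)
    if rejected:
        return 400, {"error": "fields not writable", "fields": rejected}
    for key, value in clean.items():
        setattr(user, key, value)
    return 200, user


if __name__ == "__main__":
    victim = User("alice", "alice@example.com")
    print("vulnerable:", update_user_vulnerable(victim, ATTACK))
    print("hardened:  ", update_user(User("alice", "alice@example.com"), ATTACK))
```

Rejecting rather than ignoring unexpected fields also makes the attempt visible in logs, which the last risk on this page depends on.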
Security Misconfiguration
Misconfiguration can result from a number of common issues: insecure default configurations, open cloud storage, incomplete or ad-hoc configurations, misconfigured HTTP headers (including permissive CORS), verbose error messages, and more.
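As an added example (not code from the original post or from Akana), here is a small audit of one API response's headers for the header-level misconfigurations named above. The trusted origin set and the two header dictionaries are constructed for the demonstration; the rules are a baseline, not a complete hardening checklist.

```python
import re

# Origins allowed to make credentialed cross-origin calls (constructed).
TRUSTED_ORIGINS = {"https://app.example.com"}

_VERSION = re.compile(r"\d+\.\d+")


def audit_response_headers(headers, request_origin=None):
    """Check one response's headers for common API misconfigurations and
    return the list of findings (empty means nothing flagged)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    acao = h.get("access-control-allow-origin")
    credentials = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao == "*" and credentials:
        findings.append("cors: wildcard origin together with credentials")
    if (request_origin and acao == request_origin and credentials
            and request_origin not in TRUSTED_ORIGINS):
        # The classic bug: the server echoes whatever Origin it receives.
        findings.append("cors: untrusted Origin reflected with credentials")

    if "strict-transport-security" not in h:
        findings.append("hsts: Strict-Transport-Security missing")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("sniffing: X-Content-Type-Options nosniff missing")
    if "server" in h and _VERSION.search(h["server"]):
        findings.append("disclosure: Server header reveals a version")
    if "x-powered-by" in h:
        findings.append("disclosure: X-Powered-By reveals the framework")
    if "no-store" not in h.get("cache-control", "").lower():
        findings.append("caching: API response lacks Cache-Control: no-store")
    return findings


# Constructed examples of a weak and a hardened header set.
WEAK_HEADERS = {
    "Server": "Apache/2.4.29 (Ubuntu)",
    "X-Powered-By": "Express",
    "Access-Control-Allow-Origin": "https://attacker.example",
    "Access-Control-Allow-Credentials": "true",
    "Content-Type": "application/json",
}

HARDENED_HEADERS = {
    "Server": "api",
    "Access-Control-Allow-Origin": "https://app.example.com",
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Cache-Control": "no-store",
    "Content-Type": "application/json",
}
```

Run against a captured response together with the `Origin` header that was sent, the weak set produces six findings and the hardened set none.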
Injection
Injection flaws occur when untrusted data is sent to an interpreter as part of a command or query. Malicious data from an attacker can trick the interpreter into returning data without proper authorization or executing unintended commands.
Related blog: Mitigating Malicious Code Injection
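The following added example (not code from the original post or from Akana) shows a SQL injection against a string-built query, the bound-parameter form that is immune to it, and the allowlist needed for the one place parameters cannot help, a client-chosen sort column. It uses the standard library sqlite3 module with a constructed in-memory table.

```python
import sqlite3


def make_db():
    """Constructed two-row table in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "alice@example.com"), (2, "bob", "bob@example.com")],
    )
    return conn


# Classic tautology an attacker would send as the username value.
TAUTOLOGY = "' OR '1'='1"


def find_user_vulnerable(conn, username):
    """String-building the query hands the attacker control of the WHERE
    clause: the tautology above turns it into `username = '' OR '1'='1'`."""
    sql = f"SELECT id, username FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user(conn, username):
    """Bound parameter: the driver passes the value separately from the SQL
    text, so the payload is compared as a literal string and matches nothing."""
    return conn.execute(
        "SELECT id, username FROM users WHERE username = ?", (username,)
    ).fetchall()


# Identifiers (column and table names) cannot be bound as parameters; when a
# client may choose a sort column, map the client value through an allowlist
# and interpolate only the server-side name.
SORTABLE_COLUMNS = {"id": "id", "name": "username"}


def list_users(conn, sort_by="id"):
    column = SORTABLE_COLUMNS.get(sort_by)
    if column is None:
        raise ValueError(f"unsupported sort key: {sort_by!r}")
    return conn.execute(f"SELECT id, username FROM users ORDER BY {column}").fetchall()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", find_user_vulnerable(db, TAUTOLOGY))
    print("hardened:  ", find_user(db, TAUTOLOGY))
```

The same principle applies to every interpreter an API talks to, not only SQL: shell commands, LDAP filters and NoSQL query objects all need the data kept separate from the instruction.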
Improper Assets Management
Maintaining accurate, up-to-date documentation is critically important for APIs, since they tend to expose more endpoints than traditional web applications. An inventory of deployed API versions and of the hosts they run on helps mitigate common risks such as deprecated API versions left reachable in production and exposed debug endpoints.
Insufficient Logging and Monitoring
Attackers count on a lack of logging and monitoring to compromise data unnoticed. Without logs of who called which endpoint with what result, and alerting on the patterns the earlier risks produce, a breach is typically discovered long after the fact, when it is too late to contain it.
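As an added example (not code from the original post or from Akana), here is detection logic run over constructed access-log lines. It flags the signatures of two earlier risks (one client walking object ids, repeated login failures from one address) and, for the Improper Assets Management point above, any traffic to an API version outside the documented one or to debug paths. The log format, thresholds, inventory prefix and sample lines are all constructed for the demonstration.

```python
import re
from collections import Counter, defaultdict

# Constructed access-log lines in a simple gateway format (not real traffic):
# <timestamp> <client ip> user=<id or -> <method> <path> <status>
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.7 user=alice GET /api/v2/invoices/101 200
2024-05-01T10:00:02Z 203.0.113.7 user=alice GET /api/v2/invoices/102 200
2024-05-01T10:00:02Z 203.0.113.7 user=alice GET /api/v2/invoices/103 404
2024-05-01T10:00:03Z 203.0.113.7 user=alice GET /api/v2/invoices/104 200
2024-05-01T10:00:03Z 203.0.113.7 user=alice GET /api/v2/invoices/105 200
2024-05-01T10:00:04Z 203.0.113.7 user=alice GET /api/v2/invoices/106 200
2024-05-01T10:00:10Z 198.51.100.9 user=- POST /api/v2/login 401
2024-05-01T10:00:10Z 198.51.100.9 user=- POST /api/v2/login 401
2024-05-01T10:00:11Z 198.51.100.9 user=- POST /api/v2/login 401
2024-05-01T10:00:11Z 198.51.100.9 user=- POST /api/v2/login 401
2024-05-01T10:00:12Z 198.51.100.9 user=- POST /api/v2/login 401
2024-05-01T10:00:20Z 192.0.2.5 user=bob GET /api/v1/invoices/7 200
2024-05-01T10:00:21Z 192.0.2.5 user=bob GET /api/v2/debug/config 200
2024-05-01T10:00:30Z 192.0.2.8 user=carol GET /api/v2/invoices/200 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) user=(?P<user>\S+) (?P<method>[A-Z]+) "
    r"(?P<path>\S+) (?P<status>\d{3})$"
)
OBJECT_ID = re.compile(r"/(\d+)(?=/|$)")

# Inventory for the assets check: the only documented API version and the
# path fragments that should never be reachable in production.
SUPPORTED_PREFIX = "/api/v2/"
DEBUG_MARKERS = ("/debug", "/swagger", "/actuator")


def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["status"] = int(entry["status"])
            yield entry


def detect(log_text, enum_threshold=5, auth_fail_threshold=5):
    """Return (kind, subject) findings: object-id enumeration by one client,
    repeated login failures from one address, and traffic to deprecated
    versions or debug endpoints that the inventory says should not exist."""
    ids_seen = defaultdict(set)   # (user, ip, route template) -> distinct ids
    login_failures = Counter()
    findings = []
    for e in parse(log_text):
        path = e["path"]
        ids = OBJECT_ID.findall(path)
        if ids:
            template = OBJECT_ID.sub("/{id}", path)
            ids_seen[(e["user"], e["ip"], template)].update(ids)
        if path.endswith("/login") and e["status"] == 401:
            login_failures[e["ip"]] += 1
        if not path.startswith(SUPPORTED_PREFIX):
            findings.append(("deprecated_version", path))
        if any(marker in path for marker in DEBUG_MARKERS):
            findings.append(("debug_endpoint", path))
    for (user, ip, template), ids in ids_seen.items():
        if len(ids) >= enum_threshold:
            findings.append(("object_enumeration", f"{user}@{ip} {template} x{len(ids)}"))
    for ip, n in login_failures.items():
        if n >= auth_fail_threshold:
            findings.append(("login_brute_force", f"{ip} x{n}"))
    return findings


if __name__ == "__main__":
    for kind, subject in detect(SAMPLE_LOG):
        print(f"{kind:20} {subject}")
```

None of these detections is possible if the gateway does not log the authenticated identity alongside the path and status, which is why the logging decision has to be made before the first incident rather than after it.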
Mitigating API Security Risks With Akana
Forrester Wave evaluated 15 API management vendors across 26 criteria – with Akana coming out on top in API security as the only vendor with a perfect score for the category.
Find out what they have to say about the strength of Akana’s security and policy capabilities in the full report.