easy-accordion-free
domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init
action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /home/mother99/jacksonholdingcompany.com/wp-includes/functions.php on line 6114zoho-flow
domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init
action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /home/mother99/jacksonholdingcompany.com/wp-includes/functions.php on line 6114wordpress-seo
domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init
action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /home/mother99/jacksonholdingcompany.com/wp-includes/functions.php on line 6114Major data breaches are on the rise, and APIs are increasingly being used to gain access to sensitive data. The reasons for this are twofold: APIs are the first line of defense into an application\u2026 Read more on Cisco Blogs<\/a><\/p>\n \u200b[[{“value”:”<\/p>\n Major data breaches are on the rise, and APIs are increasingly being used to gain access to sensitive data. The reasons for this are twofold: APIs are the first line of defense into an application (and it\u2019s data), and more and more applications are accessible via the cloud and APIs. Everything from non-critical functionality, like music streaming and social media, to extremely critical data, such as financial accounts and healthcare, is accessible 24\u00d77 through APIs.<\/p>\n
<\/p>\n Why is it so desirable to breach API security? There are many nefarious reasons, but here are just a few:<\/p>\n
The list goes on. The availability of data and the dangers of breaches make it critical to get API security right.<\/p>\n
<\/p>\n Each year, the Open Worldwide <\/a>Application Security Project (OWASP)<\/a> comes up with a list of the Top 10 API Security Risks<\/a>. We\u2019ll take a quick look at the current list, with examples of data breaches caused by each type of risk.<\/p>\n
<\/p>\n After that, we\u2019ll talk about the API pipeline and ways to prevent common API security issues across the pipeline.<\/p>\n
<\/p>\n
<\/p>\n Let\u2019s take a look at the OWASP Top 10 API Security Risks, ranked in order of prevalence (from highest to lowest).<\/p>\n
<\/p>\n
<\/p>\n In a BOLA attack, object IDs for application data are leaked in API responses and used to gain unauthorized access to sensitive data.<\/p>\n
<\/p>\n The large Twitter (now X) API breach<\/a> was a BOLA attack, where an API that could be used to find users ended up leaking PII.<\/p>\n
<\/p>\n
<\/p>\n With broken authentication, an attacker compromises weak authentication methods and gains access to an application (and ultimately, data).<\/p>\n
<\/p>\n Many security breaches <\/a>are caused by broken authentication.<\/p>\n
<\/p>\n
<\/p>\n This is similar to BOLA, where an attacker is able to gain unauthorized access to data.<\/p>\n
<\/p>\n
<\/p>\n In this scenario, the attacker is able to get unrestricted access to an application and its resources. This type of attack can cause application instability or even outages. If large amounts of application resources are consumed without restriction, the result could be very costly (e.g. paid-tier cloud resources)<\/p>\n
<\/p>\n An example of this would be a Denial of Service<\/a> (or DoS) attack, where an application is so overwhelmed with traffic, it can no longer function.<\/p>\n
<\/p>\n
<\/p>\n With BFLA, unauthorized access to application functionality is allowed. This includes authorization issues between microservices.<\/p>\n
<\/p>\n An insurance company<\/a> was the victim of a BFLA attack due to customer data being available to the public via a \u201cprotected part\u201d of the application.<\/p>\n
<\/p>\n
<\/p>\n This threat involves vulnerability to automated abuse of application transactions, for example ticket sales or thread comments. For example, \u201cBad bots\u201d could be used to overwhelm an application and circumvent security.<\/p>\n
<\/p>\n This happened with the Taylor Swift concert ticket snafu <\/a>in November 2022. Scalper bots were used to buy limited release tickets for verified fans, which were then sold at a huge profit.<\/p>\n
<\/p>\n
<\/p>\n Also known as \u201cURL spoofing\u201d, this involves a server using an input URL to a remote resource without validating the given URL, which could allow attackers to get around a VPN or firewall and potentially gain access to sensitive data. The attacker uses the server to make the request appear legitimate.<\/p>\n
<\/p>\n The huge Capital One data breach<\/a> in 2019 was an SSRF attack, and resulted in PII for 100 million credit card holders to be stolen. More recently, a class action lawsuit was filed.<\/p>\n
<\/p>\n
<\/p>\n Any weak or misconfigured security in an application opens attack surfaces.<\/p>\n
<\/p>\n In May 2023, Toyota revealed a big data breach due to insufficient cloud configurations<\/a>.<\/p>\n
<\/p>\n
<\/p>\n Improper API inventory management includes undocumented (shadow) APIs, deprecated (zombie) APIs and unauthorized (rogue) APIs.<\/p>\n
<\/p>\n Shadow and zombie APIs are risks because they may not have sufficient security scrutiny. A rogue API can mean the same thing as a shadow API, but it can also be the result of malicious code injection opening up a backdoor into an application.<\/p>\n
<\/p>\n
<\/p>\n Weak security in 3rd party APIs used by an application can allow access to data.<\/p>\n
<\/p>\n An example of this threat is an insecure AWS S3 bucket<\/a> with access to data, which seems to be responsible for many recent data leaks. Even if the application which hosts the data is very secure, the data could still be accessible through S3 APIs.<\/p>\n
<\/p>\n
<\/p>\n We hear about \u201cpipelines\u201d and \u201cmoving towards the left\u201d all the time in software development. But what do these concepts mean in the context of APIs?<\/p>\n
<\/p>\n The API pipeline spans the entire API lifecycle, from initial development (\u201con the left\u201d) to deployment into production (\u201con the right\u201d). This is illustrated below.<\/p>\n
<\/p>\n
<\/p>\n
Let\u2019s discuss the various stages of the API pipeline.<\/p>\n
<\/p>\n
<\/p>\n APIs are born in development, ideally by first crafting an OpenAPI specification (OAS spec) to formalize the API, specify parameters, identify possible return parameters and codes, etc.<\/p>\n
<\/p>\n Many developers use Integrated Development Environments (IDEs) to organize the environment, such as VSCode<\/a> (open source), PyCharm<\/a> (community and paid-tier) or GoLand<\/a> (paid-tier).<\/p>\n
<\/p>\n Depending on the IDE, there may be extensions to help as you write your OAS specs. For example, VSCode has several OAS spec linter extensions that can statically flag issues with the spec, such as Spectral<\/a> (open source), and Postman<\/a> (free and paid-tier). The Spectral extension even has an OWASP Top 10 API Security Risks ruleset<\/a>. Panoptica<\/a> (free trial and paid-tier) can run different OAS spec linters<\/a> from the command line.<\/p>\n
<\/p>\n AI copilots are all the rage now, and can be used to develop the API client\/server code. Popular AI copilots include GitHub Copilot <\/a>(paid-tier) and others<\/a>.<\/p>\n
<\/p>\n Note that not all API security issues can be detected statically. Many issues can only be detected in a dynamic environment, where API calls are actually being acted upon.<\/p>\n
<\/p>\n After the API code is finished, it is ready for unit testing.<\/p>\n
<\/p>\n
<\/p>\n Once development is complete, the API code undergoes unit testing, where \u201cmock\u201d API calls are made to verify that the APIs are behaving correctly. A unit test environment is still static because, although calls can be made to client and server functions, the application isn\u2019t running as a whole.<\/p>\n
<\/p>\n There are many tools to auto-generate mock API code and run mock API servers, including WireMock<\/a> (open source), Mockoon<\/a> (open source), Microcks<\/a> (open source), Postman<\/a> (free and paid-tier), RestAssured<\/a> (open source) and SoapUI<\/a> (open source).<\/p>\n
<\/p>\n Once unit tests are written and passing, the API code is ready for CI\/CD.<\/p>\n
<\/p>\n
<\/p>\n In CI\/CD, the code is submitted for code review, the image is built and some gating tests are run automagically. The gating tests include static tests, such as unit tests and OAS spec linters, and dynamic tests like end-to-end functional tests, where the code is actually installed and basic functionality can be tested in an automated way.<\/p>\n
<\/p>\n If the CI\/CD tests all pass, the code is ready to be merged into the code repository and tested in staging.<\/p>\n
<\/p>\n
<\/p>\n A staging environment is similar to an actual production environment, but is isolated for internal testing. In staging, the application is installed and a quality assurance team can verify the functionality.<\/p>\n
<\/p>\n High availability and performance tests can also be run in staging. High availability testing involves verifying that no single points of failure exist in your application. Performance testing verifies that your application performs at scale, which includes a high volume of API traffic.<\/p>\n
<\/p>\n Tools for API performance and load testing include Locust<\/a> (open source), SoapUI and Postman.<\/p>\n
<\/p>\n Another type of tool that is helpful during staging is a fuzzer. A fuzzer passes bad data into API endpoints in your application and tries to negatively affect the application (e.g. make it stop responding, make it crash, leak data, etc.). Examples of fuzz testing tools are RESTler<\/a> (open source) and Panoptica.<\/p>\n
<\/p>\n
<\/p>\n The first time an application is deployed to production, it\u2019s called a \u201cgreenfield deployment.\u201d In greenfield, since there are no existing artifacts, there aren\u2019t any versioning or upgrade concerns.<\/p>\n
<\/p>\n In a production environment, you can dynamically scan real-time API traffic for security risks to protect your application. The Panoptica CNAPP platform<\/a> has a full suite of API security functionality, which we\u2019ll discuss below.<\/p>\n
<\/p>\n
<\/p>\n Brownfield deployment is when the application is upgraded in an existing production environment.<\/p>\n
<\/p>\n With brownfield, things like API backwards compatibility and versioning come into play. For example, API clients could continue to use a prior OAS spec version after the application has been upgraded with a new one. Multiple API versions must be supported.<\/p>\n
<\/p>\n A canary deployment is a brownfield deployment where different versions of the application are running simultaneously in order to reduce risk with a new version. The canary deployment manages only a subset of the total API traffic. Here again, API backwards compatibility and versioning are important considerations.<\/p>\n
<\/p>\n
<\/p>\n Now that we\u2019ve talked about the OWASP Top 10 API Security risks and the full API pipeline, let\u2019s take a look at some common API security issues and how to prevent them across the pipeline.<\/p>\n
<\/p>\n
<\/p>\n BOLAs were the most prevalent kind of API security issue in 2023, according to OWASP. They are included in issues API1:2023 (Broken Object Level Authorization) and API3:2023 (Broken Object Property Level Authorization).<\/p>\n
<\/p>\n As previously mentioned, in a BOLA attack, an end user is able to access data that they don\u2019t have the authorization to access, usually because metadata is leaked in API responses from the application.<\/p>\n
<\/p>\n Since data, especially PII, is a major target of breaches, any unauthorized access is a huge security problem.<\/p>\n
<\/p>\n How can BOLAs be prevented across the API pipeline?<\/p>\n
<\/p>\n BFLAs occur when application functionality is accessed without the proper authorization, either by an end user calling into the application or between application microservices. BOLA (above) is about accessing data<\/em>, BFLA is about accessing functionality<\/em>. Gaining unauthorized access to functionality can ultimately lead to data breaches. BFLAs are OWASP issue API5:2023 (Broken Function Level Authorization).<\/p>\n
<\/p>\n How can BFLAs be prevented across the API pipeline?<\/p>\n
<\/p>\n Weak authentication into an application is easier for an attacker to compromise. It could give threat actors access to user accounts and data. Weak (or broken) authentication is included in OWASP issues API2:2023 (Broken Authentication) and API8:2023 (Security Misconfiguration).<\/p>\n
<\/p>\n One form of this is basic authentication, which requires a username and password, where the password itself is \u201cweak.\u201d This includes short passwords, passwords that are too common (e.g. can be found in a dictionary search), or passwords that are reused across accounts.<\/p>\n
<\/p>\n Weak authentication can also be due to weak endpoint security, for example using HTTP instead of HTTPs.<\/p>\n
<\/p>\n Finally, encryption issues fall into this category. Having endpoints with no encryption or weak encryption can open attack surfaces into your application. If there isn\u2019t any encryption, all API traffic is \u201cin the clear\u201d meaning it can be tapped and easily read. Weak encryption could involve shorter encryption keys that can be easily compromised.<\/p>\n
<\/p>\n How can weak authentication be prevented across the API pipeline?<\/p>\n
<\/p>\n OWASP issue API9:2023 (Improper Inventory Management) includes shadow APIs. Shadow APIs are not documented in an OAS spec. They are a security risk you may not even know you have.<\/p>\n
<\/p>\n As your application evolves, it\u2019s unlikely that the security of shadow APIs will also evolve. They may even be forgotten entirely, exposing an ongoing security loophole or backdoor into your application.<\/p>\n
<\/p>\n How can shadow APIs be prevented across the API pipeline?<\/p>\n
<\/p>\n OWASP issue API9:2023 (Improper Inventory Management) also includes zombie APIs. Zombies APIs are APIs that are deprecated in the OAS spec but are still active within the application. They occur in brownfield and canary production environments, where multiple API versions may be in use. Like shadow APIs, zombie APIs are unlikely to evolve with your application and could receive less scrutiny from a security standpoint, thus leaving a backdoor into your application.<\/p>\n
<\/p>\n How can zombie APIs be prevented across the API pipeline?<\/p>\n
<\/p>\n Even if your application data access is really secure, weak 3rd party authentication could still expose your data to threats. 3rd party access to your data includes databases, S3 buckets, etc. Weak 3rd party authentication is included in OWASP issues API8:2023 (Security Misconfiguration) and API10:2023 (Unsafe Consumption of APIs).<\/p>\n
<\/p>\n How can weak 3rd party authentication be prevented across the API pipeline?<\/p>\n
<\/p>\n Unrestricted resource consumption is OWASP issue API4:2023. If an application is inundated with many API calls within a short period of time, it can have negative consequences. For example, application resources such as CPU, RAM and storage can be rapidly consumed or exhausted, leading to potentially higher operational costs, slower response time or even application failure and outages.<\/p>\n
<\/p>\n How can unrestricted resource consumption be prevented across the API pipeline?<\/p>\n
OWASP issue API6:2023 (Unrestricted Access to Sensitive Business Flows) is related to unrestricted resource consumption, but it implies that automation, bad bots or AI are involved in the API abuse, compounding the resource consumption.<\/p>\n
<\/p>\n
<\/p>\n With a URL spoofing attack, an invalid or malicious URL is passed into an API request, and the server proxies the URL without validating it. The suspicious URL could be a fake site or a webhook. This could allow access to sensitive data and PII. This type of vulnerability is covered in OWASP issue API7:2023 (Server Side Request Forgery).<\/p>\n
<\/p>\n How can URL spoofing be prevented across the API pipeline? Defending against this type of attack can be complex. This<\/a> is a good resource to get started. The high-level gist of prevention measures is:<\/p>\n
<\/p>\n Data injection can allow threat actors to pass malicious data, configurations or programs into an application via APIs. This could allow access to data (e.g. BOLA) or make an application unstable.<\/p>\n
<\/p>\n How can data injection be prevented across the API pipeline?<\/p>\n
<\/p>\n Code injection is where undesirable code is added to an application. As IDE plugins and AI copilots are increasingly used to generate API client and server code, there\u2019s a risk that \u201cbad\u201d code could be injected into your application. This could have unintended or even malicious side effects. For example, a rogue (malicious) API could be injected into your application creating backdoor access. Rogue APIs fall under OWASP issue API9:2023 (Improper Inventory Management).<\/p>\n
<\/p>\n How can code injection be prevented across the API pipeline?<\/p>\n
<\/p>\n From the OWASP Top 10 API Security Risks, through the API pipeline and on to common API security issues and how to prevent them, we\u2019ve covered a lot of ground, with lots of tool suggestions along the way.<\/p>\n
<\/p>\n Wishing you and your applications the very best in API security!<\/p>\n
<\/p>\n
<\/p>\n
\n<\/p><\/div>\n
\u00a0<\/p>\n
<\/p>\n “}]]\u00a0\u00a0Everything is accessible 24×7 through APIs – from non-critical functionality (music streaming and social media) to extremely critical data (financial accounts and healthcare profiles). Here are some ideas to make APIs your first line of defense for an application (and it’s data).\u00a0\u00a0Read More<\/a>\u00a0Cisco Blogs\u00a0<\/p>","protected":false},"excerpt":{"rendered":" <\/p>\n Major data breaches are on the rise, and APIs are increasingly being used to gain access to sensitive data. The reasons for this are twofold: APIs are the first line of defense into an application\u2026 Read more on Cisco Blogs<\/a><\/p>\n \u200b[[{“value”:”<\/p>\n Major data breaches are on the rise, and APIs are increasingly being used to gain access to sensitive data. The reasons for this are twofold: APIs are the first line of defense into an application (and it\u2019s data), and more and more applications are accessible via the cloud and APIs. Everything from non-critical functionality, like music streaming and social media, to extremely critical data, such as financial accounts and healthcare, is accessible 24\u00d77 through APIs.<\/p>\n
<\/p>\n Why is it so desirable to breach API security? There are many nefarious reasons, but here are just a few:<\/p>\n
The list goes on. The availability of data and the dangers of breaches make it critical to get API security right.<\/p>\n
<\/p>\n Each year, the Open Worldwide <\/a>Application Security Project (OWASP)<\/a> comes up with a list of the Top 10 API Security Risks<\/a>. We\u2019ll take a quick look at the current list, with examples of data breaches caused by each type of risk.<\/p>\n
<\/p>\n After that, we\u2019ll talk about the API pipeline and ways to prevent common API security issues across the pipeline.<\/p>\n
<\/p>\n
<\/p>\n Let\u2019s take a look at the OWASP Top 10 API Security Risks, ranked in order of prevalence (from highest to lowest).<\/p>\n
<\/p>\n
<\/p>\n In a BOLA attack, object IDs for application data are leaked in API responses and used to gain unauthorized access to sensitive data.<\/p>\n
<\/p>\n The large Twitter (now X) API breach<\/a> was a BOLA attack, where an API that could be used to find users ended up leaking PII.<\/p>\n
<\/p>\n
<\/p>\n With broken authentication, an attacker compromises weak authentication methods and gains access to an application (and ultimately, data).<\/p>\n
<\/p>\n Many security breaches <\/a>are caused by broken authentication.<\/p>\n
<\/p>\n
<\/p>\n This is similar to BOLA, where an attacker is able to gain unauthorized access to data.<\/p>\n
<\/p>\n
<\/p>\n In this scenario, the attacker is able to get unrestricted access to an application and its resources. This type of attack can cause application instability or even outages. If large amounts of application resources are consumed without restriction, the result could be very costly (e.g. paid-tier cloud resources)<\/p>\n
<\/p>\n An example of this would be a Denial of Service<\/a> (or DoS) attack, where an application is so overwhelmed with traffic, it can no longer function.<\/p>\n
<\/p>\n
<\/p>\n With BFLA, unauthorized access to application functionality is allowed. This includes authorization issues between microservices.<\/p>\n
<\/p>\n An insurance company<\/a> was the victim of a BFLA attack due to customer data being available to the public via a \u201cprotected part\u201d of the application.<\/p>\n
<\/p>\n
<\/p>\n This threat involves vulnerability to automated abuse of application transactions, for example ticket sales or thread comments. For example, \u201cBad bots\u201d could be used to overwhelm an application and circumvent security.<\/p>\n
<\/p>\n This happened with the Taylor Swift concert ticket snafu <\/a>in November 2022. Scalper bots were used to buy limited release tickets for verified fans, which were then sold at a huge profit.<\/p>\n
<\/p>\n
<\/p>\n Also known as \u201cURL spoofing\u201d, this involves a server using an input URL to a remote resource without validating the given URL, which could allow attackers to get around a VPN or firewall and potentially gain access to sensitive data. The attacker uses the server to make the request appear legitimate.<\/p>\n
<\/p>\n The huge Capital One data breach<\/a> in 2019 was an SSRF attack, and resulted in PII for 100 million credit card holders to be stolen. More recently, a class action lawsuit was filed.<\/p>\n
<\/p>\n
<\/p>\n Any weak or misconfigured security in an application opens attack surfaces.<\/p>\n
<\/p>\n In May 2023, Toyota revealed a big data breach due to insufficient cloud configurations<\/a>.<\/p>\n
<\/p>\n
<\/p>\n Improper API inventory management includes undocumented (shadow) APIs, deprecated (zombie) APIs and unauthorized (rogue) APIs.<\/p>\n
<\/p>\n Shadow and zombie APIs are risks because they may not have sufficient security scrutiny. A rogue API can mean the same thing as a shadow API, but it can also be the result of malicious code injection opening up a backdoor into an application.<\/p>\n
<\/p>\n
<\/p>\n Weak security in 3rd party APIs used by an application can allow access to data.<\/p>\n
<\/p>\n An example of this threat is an
\nStealing Personally Identifiable Information (PII) and selling it on the dark web or for identity theft
\nFor asset theft, extortion or ransom
\nCausing application instability or unavailability
\nEspionage (corporate or political)
\nElection interference
\nPolitical instability<\/p>\nOWASP Top 10 API Security Risks (2023)<\/strong><\/h2>\n
API1:2023 \u2013 Broken Object Level Authorization (BOLA)<\/strong><\/a><\/h3>\n
API2:2023 \u2013 Broken Authentication<\/strong><\/a><\/h3>\n
API3:2023 \u2013 Broken Object Property Level Authorization<\/strong><\/a><\/h3>\n
API4:2023 \u2013 Unrestricted Resource Consumption<\/strong><\/a><\/h3>\n
API5:2023 \u2013 Broken Function Level Authorization (BFLA)<\/strong><\/a><\/h3>\n
API6:2023 \u2013 Unrestricted Access to Sensitive Business Flows<\/strong><\/a><\/h3>\n
API7:2023 \u2013<\/strong> Server Side Request Forgery (SSRF)<\/strong><\/a><\/h3>\n
API8:2023 \u2013 Security Misconfiguration<\/strong><\/a><\/h3>\n
API9:2023 \u2013 Improper Inventory Management<\/strong><\/a><\/h3>\n
API10:2023 \u2013 Unsafe Consumption of APIs<\/strong><\/a><\/h3>\n
The API Pipeline<\/strong><\/h2>\n
\n
<\/p>\nDevelopment\/Coding<\/strong><\/h3>\n
Unit Testing<\/strong><\/h3>\n
Continuous Integration\/Continuous Delivery (CI\/CD)<\/strong><\/h3>\n
Staging<\/strong><\/h3>\n
Greenfield Deployment<\/strong><\/h3>\n
Brownfield Deployment<\/strong><\/h3>\n
Prevent Common API Security Issues Across the Pipeline<\/strong><\/h2>\n
BOLA<\/strong><\/h3>\n
\nDuring development, make sure you have a strong authorization model<\/strong> in your application that doesn\u2019t allow access to data without authorization, and make sure no data is leaked in API responses.
\nIn development and CI\/CD, use OAS spec linters<\/strong> (discussed earlier) to flag potential authorization issues.
\nDuring unit testing and CI\/CD, run mock API traffic<\/strong> that tries to access data without authorization.
\nIn CI\/CD and staging, run a fuzzer<\/strong> against your API endpoints that will send bad input into the APIs and flag any unexpected access to data.
\nIn staging and production, run dynamic API security tools<\/strong> to inspect API traffic and flag potential BOLA issues. Panoptica has BOLA detection capabilities.<\/p>\nBFLAs<\/strong><\/h3>\n
\nDuring development, make sure you have a strong authorization model<\/strong> for accessing application functionality from end users and between microservices.
\nIn unit testing and CI\/CD, run mock API traffic<\/strong> that tries to access application functionality without authorization.
\nIn staging and production, run dynamic API security tools<\/strong> to inspect API traffic and flag potential BFLA issues. Panoptica has the ability to learn the BFLA authorization model and then detect any potential violations in real-time traffic.<\/p>\nWeak Authentication<\/strong><\/h3>\n
\nDevelop secure endpoints<\/strong> (e.g. HTTPs) with strong encryption<\/strong> enabled.
\nFor basic auth, require strong passwords<\/strong> and multi-factor authentication<\/strong> (MFA).
\nIn development and CI\/CD, use OAS spec linters<\/strong> (particularly with the OWASP Top 10 ruleset) to flag insecure endpoint issues.
\nIn unit testing and CI\/CD, run mock API traffic<\/strong> that uses weak authentication and tries to gain access.
\nIn staging and production, run dynamic API security tools<\/strong> to flag weak authentication in real-time API traffic. Panoptica can detect many forms of weak authentication.<\/p>\nShadow APIs<\/strong><\/h3>\n
\nDuring development, make sure to take an inventory<\/strong> of all APIs and document<\/strong> each of them in an OAS spec.
\nIn staging and production, run dynamic API security tools<\/strong> that can detect<\/strong> shadow APIs in real-time traffic and reconstruct<\/strong> an OAS spec for them to document them properly. Panoptica has these capabilities.<\/p>\nZombie APIs<\/strong><\/h3>\n
\nRemove support<\/strong> for zombie (deprecated) APIs as soon as possible.
\nIn staging and production, run dynamic API security tools<\/strong> that can detect zombie APIs in real-time traffic, such as Panoptica.<\/p>\nWeak 3rd Party Authentication<\/strong><\/h3>\n
\nDuring development, keep an inventory<\/strong> of all 3rd party APIs and services that are being used by your application.
\nVerify that 3rd party access is secure<\/strong>.
\nIn CI\/CD and staging, use a tool to assess the security<\/strong> of 3rd party API calls. The Panoptica CLI has this functionality.
\nIn staging and production, use cloud security scanners<\/strong> to detect weak 3rd party authentication. Examples of cloud security scanning tools are AWS Config<\/a> (paid service), Azure Automation and Control<\/a> (free and paid-tier), GCP Cloud Asset Inventory<\/a> (free) and CloudQuery<\/a> (open source and paid-tier).<\/p>\nResource Consumption<\/strong><\/h3>\n
\nDuring development, add rate-limiting<\/a><\/strong> to the API processing in your application, including a maximum rate of API requests and a reasonable timeout<\/strong>.
\nIn staging, use performance testing<\/strong> that exceeds the allowed rate of API requests and verifies that the application is still functioning as expected.
\nIn staging and production, use an API gateway<\/strong> in front of your application to throttle and rate-limit API requests. Some popular API gateways are AWS API Gateway<\/a> (free and paid-tier), GCP API Gateway<\/a> (free and paid-tier), Kong<\/a> (open source and paid-tier), Tyk<\/a> (open source) and Azure API Management<\/a> (free and paid-tier). Note that the application still needs it\u2019s own rate-limiting functionality when using an API gateway.<\/p>\nURL Spoofing<\/strong><\/h3>\n
\nDuring development, perform validation<\/strong> on the given URL, including the IP address and domain name (see above resource link).
\nCreate a list of allowed URLs<\/strong>, if possible, and validate the given URL against the list (see above resource link).
\nIn unit testing and CI\/CD, run mock API traffic<\/strong> that attempts to pass an invalid URL into the API.<\/p>\nData Injection<\/strong><\/h3>\n
\nDuring development, include strict type checking<\/strong> (i.e. check for correct type of data in a request, don\u2019t allow unexpected data types) and input validation<\/strong> in API processing.
\nEstablish an upper limit<\/strong> on size and quantity of data that can be input in a request. For example, have a maximum size for a string input.
\nIn development and CI\/CD, use OAS spec linters<\/strong> to detect issues with data input.
\nIn unit testing and CI\/CD, run mock API traffic<\/strong> that tries to inject invalid data.
\nIn CI\/CD and staging, run a fuzzer<\/strong> against your API endpoints that sends invalid or malformed data into your API. The Panoptica CLI includes fuzzing capabilities.
\nIn staging and production, run dynamic API security tools<\/strong> that can compare API traffic against the OAS spec and flag data discrepancies<\/strong> (including spec drift). The Panoptica CNAPP platform has this functionality.<\/p>\nCode Injection<\/strong><\/h3>\n
\nDuring development, it\u2019s important to verify<\/strong> any generated code with thorough code reviews<\/strong>.
\nIn CI\/CD, staging and production, image scans<\/strong> can search for any Common Vulnerabilities and Exposures (CVEs) in the application. Panoptica can scan both Kubernetes container images and virtual machine images for issues.
\nIn staging and production, run dynamic API security tools<\/strong> to scan for any rogue APIs. Panoptica has this capability.<\/p>\nConclusion<\/strong><\/h2>\n
Learn more about the Panoptica CNAPP platform<\/a> and it\u2019s API security capabilities. <\/strong><\/h3>\n
Try a Cisco DevNet Learning Lab<\/a>.<\/strong><\/h3>\n
\n
\n
\n
<\/p>\n
\nStealing Personally Identifiable Information (PII) and selling it on the dark web or for identity theft
\nFor asset theft, extortion or ransom
\nCausing application instability or unavailability
\nEspionage (corporate or political)
\nElection interference
\nPolitical instability<\/p>\nOWASP Top 10 API Security Risks (2023)<\/strong><\/h2>\n
API1:2023 \u2013 Broken Object Level Authorization (BOLA)<\/strong><\/a><\/h3>\n
API2:2023 \u2013 Broken Authentication<\/strong><\/a><\/h3>\n
API3:2023 \u2013 Broken Object Property Level Authorization<\/strong><\/a><\/h3>\n
API4:2023 \u2013 Unrestricted Resource Consumption<\/strong><\/a><\/h3>\n
API5:2023 \u2013 Broken Function Level Authorization (BFLA)<\/strong><\/a><\/h3>\n
API6:2023 \u2013 Unrestricted Access to Sensitive Business Flows<\/strong><\/a><\/h3>\n
API7:2023 \u2013<\/strong> Server Side Request Forgery (SSRF)<\/strong><\/a><\/h3>\n
API8:2023 \u2013 Security Misconfiguration<\/strong><\/a><\/h3>\n
API9:2023 \u2013 Improper Inventory Management<\/strong><\/a><\/h3>\n
API10:2023 \u2013 Unsafe Consumption of APIs<\/strong><\/a><\/h3>\n