
API Security in Application Security

Do you want a better understanding of the importance of API Security in Application Security?

To understand how API Security affects your application's risk exposure, it is important to know how the application is connected to the internet and to the other resources used in development.

Although they bring risks, APIs are fundamental to improving the application, and we all know that.

To avoid vulnerabilities in development, or in the software being produced, the security approach must be broader than just security tests and web exposure.

Keep reading to see how internet access directly exposes your business rules and how to approach API Security in a more mature way.

API Security in Application Security – why so much visibility?

In its constant effort to enlighten the application security community with good material and content, OWASP launched the first version of the OWASP API Security Top 10 last September 12th.

OWASP's focus on APIs is justified when we realize that APIs are increasingly present, to varying degrees, in most software solutions.

With the objective of learning more about how these tools are being developed and how to keep them secure, we have worked on some articles, such as the one on API Security.

Therefore, in this new article our analysis is based on the OWASP document, and the aim is to improve the level of application security in this type of solution.

According to a report by Akamai, an incredible 83% of the traffic that goes through servers is API traffic, against only 17% for HTML.

It is evident that nowadays the biggest consumers of data on the internet are not human users directly, but systems that fetch information in order to deliver a result (bots).

Now imagine how this will increase when 5G technology is at full power. Think about the number of IoT devices connected and using API resources!

Protection against risks and API Security

Thus, we need to understand this movement and improve the way we protect these resources.

A sentence that shows the greater dependence on APIs today (author unknown):
“If I were to advise a hostile nation-state on how to incapacitate the United States, I’d tell them to go after the APIs first.”

This sentence shows the incredible importance of the topic and how it can affect many services available today.

We've seen many problems lately regarding APIs, and this is not only the reality of low-budget companies.

Big enterprises such as Google, Samsung, Verizon and Apple, among others, also face this kind of difficulty.

So let's move on and take a closer look at this new OWASP project.

What is the OWASP API Security Top 10?

The recently launched OWASP API Security Top 10 brings together vulnerabilities already known to most developers who have a genuine concern about security.

Vulnerabilities such as “Authentication and Authorization Breach”, “Failure to Identify Traffic and Attack Limits” and even “Over Exposure of Data” could be used to exploit applications.

These vulnerabilities are among those on the list created by OWASP and could serve as a starting point for improving application security.
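As an added example (not code from the original article), the following shows a minimal in-memory request handler carrying three of the weaknesses named above, which in the OWASP list correspond to Broken Object Level Authorization, Excessive Data Exposure and Lack of Resources & Rate Limiting, next to a hardened version of the same endpoint. The user records, field allow-list and limits are constructed for illustration.

```python
"""Added example (not from the original article): a minimal in-memory API
handler with three weaknesses from the OWASP API Security Top 10 (broken
object-level authorization, excessive data exposure, lack of rate limiting)
next to a hardened version. User records and limits are constructed."""
from collections import defaultdict, deque

# Constructed sample records; password_hash and ssn must never leave the server.
USERS = {
    7: {"id": 7, "name": "Ana", "email": "ana@example.com",
        "password_hash": "$2b$12$placeholder", "ssn": "123-45-6789"},
    8: {"id": 8, "name": "Bruno", "email": "bruno@example.com",
        "password_hash": "$2b$12$placeholder", "ssn": "987-65-4321"},
}

def vulnerable_get_user(caller_id, target_id):
    """GET /users/<target_id> as often written: any authenticated caller gets
    the whole record of any user, and the client is trusted to hide secrets."""
    return 200, dict(USERS[target_id])

PUBLIC_FIELDS = ("id", "name", "email")   # explicit allow-list for responses
RATE_LIMIT = 5                            # max requests per caller per window
WINDOW_SECONDS = 60
_calls = defaultdict(deque)               # caller_id -> recent request times

def hardened_get_user(caller_id, target_id, now):
    """Same endpoint with per-caller rate limiting, an object-level
    authorization check and allow-listed serialisation. `now` (seconds) is
    injected so the limiter can be exercised without a clock."""
    window = _calls[caller_id]
    while window and now - window[0] >= WINDOW_SECONDS:
        window.popleft()                  # drop requests outside the window
    if len(window) >= RATE_LIMIT:
        return 429, {"error": "rate limit exceeded"}
    window.append(now)                    # denied requests still count
    if caller_id != target_id:            # callers may only read themselves
        return 403, {"error": "forbidden"}
    record = USERS.get(target_id)
    if record is None:
        return 404, {"error": "not found"}
    return 200, {k: record[k] for k in PUBLIC_FIELDS}
```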

We say starting point because, like the list of web vulnerabilities, this cannot be understood as a complete list.

The aim of this report is to create an initial path to help structure improvements in the development process.

Unlike the OWASP Top 10, which is clearly more concerned with web applications and systems, this new report has a clearly defined focus on APIs.

API Security and business rules exposure

The major concern with APIs is that today the vast majority are created to be accessed directly from the Internet, and this directly exposes the business rules.

Exposing these rules can be a much bigger problem than it seems.

Old Vulnerabilities

A quick reading of the list of vulnerabilities in the project, still classified as “incubated”, makes us realize that it is based on recent events and that the vulnerabilities identified and listed in the report have actually been exploited.

Of course, not only exploited vulnerabilities are listed: others that have not been used in attacks are also present. However, those already exploited in practice stand out more.

Interestingly, much of what is on the list is already known to most professionals and should come as no surprise.

API Security and users' privacy

It is natural that when talking about API failures, the first point raised is privacy. This will become even more evident with the arrival of legislation that focuses strongly on this theme.

However, it is not difficult to realize that structural API failures can even allow full control over a resource. 

This was made clear when Cisco addressed a number of vulnerabilities that could allow control of network equipment and big data by sending malformed requests to the web management APIs of those devices.

It’s not hard to see the importance of APIs in simple conversations with developers or even managers of large companies.

For them, APIs are key points for improving their applications.

It is evident that the proliferating modern architectural concepts, such as mobile development, IoT, microservices and cloud storage systems, are strongly API based. Therefore, APIs should receive greater attention during development.

API Security in Application Security: understanding the risks

But sometimes we find ourselves thinking that this problem can’t be that big, right?

Not quite. In a survey of 100 IT and Security professionals from large companies, 60% of them reported having an average of 400 APIs. Put simply, this means at least 400 points of potential vulnerability.

It is frightening!

Another worrying figure: not even half of these companies have mechanisms to validate, or even identify, when malicious requests are sent to these APIs.

It is clear, then, from all this data, that some sectors will be more exposed than others because of the large number of APIs they use.

Reinforcing this, in the same survey 40% of IT and Security professionals and managers believe that the most affected sector will be financial institutions and companies.

One of the biggest problems encountered, which reinforces the concern with API security, is that more and more businesses are being structured around a large number of connections and information exchanges through APIs.

On the other hand, concern with the security of these resources is less and less present, or at the very least does not keep pace with this growth.

API Security and data leakage

Even where there is concern about API security, in some cases the flaws are in small details, such as token and credential leaks.

These leaks often happen not in the API itself, but in other supporting processes, such as backups.

Although they may seem like a problem of the past, token and credential leaks are happening more and more often: a company that is now a subsidiary of Microsoft claimed that in just one year it had access to over one billion (that's right, with a B) authentication tokens.
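As an added example (not from the original article), here is a small scanner of the kind a team can run over backup and log dumps to catch the credential leaks described above before they leave the supporting process. The patterns, the entropy threshold and the sample dump are constructed for illustration.

```python
"""Added example (not from the original article): a small scanner for
credentials leaked into backup or log dumps, the supporting-process leak the
article describes. The patterns and the sample dump are constructed."""
import math
import re

# Constructed backup fragment: a config export followed by one access-log line.
SAMPLE_BACKUP = """\
db_password=hunter2
api_key=CHANGEME
api_key=q7Hx2LpZ9kVb4Nm8Rt1Yw6Fs3Jd0Gc5A
GET /v1/accounts HTTP/1.1 Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.dGVzdA
"""

# Group 1 is the key or scheme name, group 2 the candidate secret value.
PATTERNS = [
    re.compile(r"(?i)(api[_-]?key|password|secret|token)\s*[=:]\s*([^\s,;]+)"),
    re.compile(r"(Bearer)\s+([A-Za-z0-9._~+/-]+=*)"),
]

def shannon_entropy(s):
    """Bits per character: random tokens score high, words like CHANGEME low."""
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)

def find_leaked_secrets(text, min_entropy=3.5):
    """Returns (line_no, kind, value) for each probable leak. Values under the
    entropy threshold are treated as placeholders and skipped, except for
    passwords, which are human-chosen and leak regardless of entropy."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for pattern in PATTERNS:
            for m in pattern.finditer(line):
                kind, value = m.group(1).lower(), m.group(2)
                if kind == "password" or shannon_entropy(value) >= min_entropy:
                    hits.append((line_no, kind, value))
    return hits

if __name__ == "__main__":
    for hit in find_leaked_secrets(SAMPLE_BACKUP):
        print("line %d: %s -> %s" % hit)
```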

The importance of API Security in Application Security

In this sense, it is clear that creating an inventory and documentation of these APIs is an important point that deserves proper attention.

Clearly, we need to adjust our development processes to reflect these changes and keep up with the speed at which application security needs evolve: seeking to improve with this vision in mind will only bring benefits.

About author

Over 15 years of experience in Information Security and Applications, graduated in Data Processing, worked as a Professor and participated actively as an instructor in training for more than 6000 developers and IT teams. Father of two daughters and trader in his free time.