5 min read time

Growing Concern Over API Security

by in Cybersecurity

The dialogue around application and service security often misses a critical component: the interface. Application Programmable Interfaces (APIs), the threads that weave through cloud applications and services, are prone to becoming significant vulnerabilities. The complexity of modern IT infrastructures, including cloud services, microservices architectures, and mobile applications, further elevates the importance of API security. For more about this risk, see my article “APIs: Securing the Stitching Connecting Applications.”

 Source: Developer Guide to the 2023 OWASP Top 10 for API Security

Cybersecurity experts have been raising alarms about the increasing vulnerability posed by APIs, marking them as a significant source of concern. Despite this awareness, findings from the "API Security 2024" study by Fastly reveal a disconcerting lack of investment by organizations in measures to safeguard them. This oversight is especially glaring as organizations lean more heavily on multi-cloud environments, within which APIs play a crucial role. They serve as the conduits through which applications and services interact, both among themselves and with cloud services.

The Real Impact of API Security Breaches

The stakes of API security are high, with a staggering 79% of businesses acknowledging its critical importance, according to the study. The same study also sheds light on the pervasiveness of API security incidents, with 95% of respondents reporting breaches within the last year. For examples of real world API related breaches, see my blog “Emerging Challenges: The Rising Risk of API-Based Cyberattacks.” Such incidents have tangible repercussions, including delayed project rollouts and significant operational disruptions.

The problem is so serious that the US National Security Agency (NSA) teamed up with the Australian Cyber Security Centre (ACSC) and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to release the Cybersecurity Advisory (CSA), “Preventing Web Application Access Control Abuse,” to offer guidance on API security issues, especially the most common, known as insecure direct object reference (IDOR) vulnerabilities. Read the full report here.

The Gap Between Concern and Action

Despite the recognized risks, most organizations remain ill-prepared to defend against API threats, with 84% lacking advanced security protections. The primary barriers to bolstering API security include limited budgets and a scarcity of specialized knowledge. This gap is a bit of a surprise given the long-term costs of breaches compared to the investment in comprehensive security solutions.

OWASP API Security Top 10

The Open Web Application Security Project (OWASP) updated their API Security Top 10 last year, pinpointing the most critical security threats to APIs. This list reflects the evolving landscape of API security, emphasizing the need for robust defense mechanisms against these vulnerabilities. OpenText Cybersecurity is well-positioned to address these challenges head-on.

Source: https://appsentinels.ai/blog/owasp-api-top-10-2023-what-changed-and-why-its-important/

The OWASP API Security Top 10 for 2023 includes threats like Broken Object Level Authorization, Broken Authentication, and Security Misconfiguration, among others. These vulnerabilities highlight the myriad ways attackers can exploit APIs to compromise data integrity, privacy, and system functionality. For instance, Broken Object Level Authorization can lead to unauthorized data access, while Security Misconfiguration can leave systems vulnerable to attacks due to improper setup.

Fortify’s application security testing solutions along with NetIQ’s Secure API Manager offers a layered defense strategy against API vulnerabilities. By leveraging Fortify SAST and DAST, developers can identify and remediate security flaws early in the development cycle, ensuring APIs are secure. As outlined on this API Security Web page, Fortify can provide detailed insights into potential vulnerabilities, enabling teams to prioritize and address security risks effectively.

Furthermore, Fortify's approach to API security aligns with the OWASP recommendations, offering solutions tailored to the specific challenges presented in the 2023 Top 10 list. For more, see the Developer Guide to the 2023 OWASP Top 10 for API Security white paper

Beyond the OWASP API Security Top 10

For developers immersed in the cloud-native ecosystem, crafting APIs for wide-ranging applications, from internal systems to global platforms, the OWASP API Security Top 10 offers invaluable insights. It serves as a foundational guide to understanding and mitigating security risks in API development. Yet, it's crucial to recognize that this list is just a starting point in the journey toward securing APIs.

The landscape of cybersecurity is vast and varied, necessitating a broader perspective beyond the API Security Top 10. Developers must incorporate additional security practices and guidelines, such as those outlined in the broader OWASP Top 10, to ensure a comprehensive defense strategy. Vulnerabilities like SQL injection, data exposure, and security misconfigurations persist as significant threats, requiring prompt and effective remediation.

Moreover, the unique security considerations of API-driven applications—ranging from mobile apps to IoT devices—demand specialized approaches to security. These scenarios call for tailored security measures that extend beyond the scope of standard web applications.

In essence, while the OWASP API Security Top 10 is an essential tool for developers, it just shouldn’t be viewed as a standalone document that’s sufficient to address all API security issues. To achieve a truly secure APIs effectively, this resource should be integrated with other standards and best practices tailored to the specific needs of your project. Embracing this holistic approach to security will fortify your applications against the ever-evolving threats of the digital world.

Conclusion

The security of APIs is not just a technical issue but a strategic one, affecting every facet of an organization's digital presence. As companies continue to navigate the complexities of the digital age, understanding and implementing effective API security measures will be paramount. The shift towards combined API and web security solutions offers a glimpse of the future, where comprehensive strategies will provide a bulwark against the ever-evolving landscape of cyber threats.

Learn more:

Here are the products mentioned in this blog:

 Additional Resources

Labels:

Application security