Wherever customers go, malicious hackers will follow

OWASP has compiled a list of the 10 biggest security threats facing the API ecosystem

The Open Source Web Application Security Project (OWASP) has compiled a list of the 10 biggest security threats facing organizations and companies that make use of application programming interfaces (API).

APIs are an integral part of today’s app ecosystem: every modern computer architecture concept – including mobile, IoT, microservices, cloud environments, and single-page applications – deeply rely on APIs for client-server communication.

But just like any other computing trend, wherever customers go, malicious hackers follow.

“While API-based applications have immense benefits, they also increase the attack surface for adversaries,” Erez Yalon, director of security at Checkmarx and project lead at the OWASP API Security Top 10, told The Daily Swig via email.

“By nature, APIs expose application logic and sensitive data such as personally identifiable information (PII), so organizations need to prioritize this security accordingly.

“We can no longer look at APIs as just protocols to move data, as they are the main component of modern applications.”

Digital transformation

According to recent survey by Gartner, while 70% of enterprises consider APIs to be important to digital transformation, they also admit that security remains a key challenge.

The release of the OWASP API Security Top 10 (PDF) is aimed at helping organizations better navigate how to protect their data, applications, employees, and customers.

Broken object level authorization comes top of the list of threats, followed by broken authentication and excessive data exposure.

The OWASP API Security Top 10

1. Broken object level authorization
2. Broken authentication
3. Excessive data exposure
4. Lack of resources and rate limiting
5. Broken function level authorization
6. Mass assignment
7. Security misconfiguration
8. Injection
9. Improper assets management
10. Insufficient logging and monitoring

“Traditional vulnerabilities like SQLi, CSRF, and XSS are becoming less common in APIs,” explained Yalon, who led the OWASP API Security Top 10 project with Inon Shkedy, head of security research at Traceable.ai.

“At the same time, there’s been an increase in vulnerabilities that are either specific to APIs or present a bigger risk, which many developers are unaware of.”

API-specific security concerns

According to Yalon, authorization and improper asset management are two areas of special concern when dealing with API security.

“Authorization mechanisms are complex because they are not implemented in one place, but in many different components like configuration files, code, and API gateways,” Yalon said, adding that modern apps contain many roles and users, which makes it challenging to implement safe object-level and function-level authorization mechanisms.

In terms of asset management, Yalon observes that lack of proper documentation for APIs can pave the way for the emergence of security vulnerabilities.

“Even though this sometimes may look like simple housekeeping, having a very clear understanding of the APIs, with well-maintained inventory, and documentation (we whole-heartedly recommend Open API Specification) is very critical in the world of APIs,” he said.

“It helps developers prevent shadow APIs and excessive data exposure.”

Growing pains

As API usage continues to grow, more data breaches and cyber-attacks may be on the horizon.

Last year, a security researcher was able to scrape millions of transactions from payment processor Venmo by exploiting its API.

In another case, vulnerabilities in various Cisco APIs allowed hackers to send malicious requests to the web management interfaces of its switches.

“All signs indicate that the exponential growth of APIs will continue well into the future,” Yalon said.

“Since this is the case, attackers are certain to concentrate their exploitation campaigns on this new green-field opportunity due to the highly-specific vulnerabilities found in this domain.”

The API Security Top 10 will be discussed in more detail at Global AppSec in Amsterdam this week.

RELATED OWASP: Weak passwords are biggest threat to IoT security