The OWASP API Security Top Ten in a Nutshell
Why is API security a problem?
Let’s talk about the pervasiveness of APIs by discussing a real-life scenario most of us can relate to: hailing a trip on a rideshare app.
First, you open up the app using your phone and request a ride to your location. That sends a request from your phone to the rideshare app’s servers.
If the rideshare app’s backend is running a microservices architecture, then it’s likely that this will trigger a series of API calls between the loosely coupled backend services, which can sometimes be within a single network (such as within the AWS cloud), and other times over the internet (multi-cloud, hybrid cloud).
Next, the rideshare app pings drivers in your area, again, over an API, to check who’s available to come pick you up. Your designated driver responds through their app, and the rideshare service again receives this request, processes it, and sends you a new notification letting you know someone is on their way to pick you up.
Assuming a simple architecture for the backend of the app, we’re already at a minimum of four API calls for a single transaction that has only just started.
We don’t need to go through the full scenario; suffice it to say that there are at least a few more occasions for API calls to be made: at pick-up time, at drop-off time, and even after the ride, when reviews or gratuities can be submitted.
The point here is that APIs are everywhere, and they transmit valuable data between the business-critical functions where it is stored, processed, and used.
Whenever there’s value, there’s someone looking to exploit it. It’s not a niche thing, either. Our friends over at Gartner predicted that this year (2022) will be the year APIs become the number one source of enterprise data breaches.
This makes sense. The previous top attack vector for cloud-based applications, asset misconfigurations (e.g. leaky AWS S3 buckets), caused quite a few headaches during the early stages of cloud computing. The cloud service providers have gotten better at helping customers configure their assets more securely, and those same customers have either gotten more skilled at using the cloud, or adopted tools like cloud security posture management software that make compliance with security best practices a lot easier.
So okay, cloud infrastructure is getting easier to build securely. What about APIs? What’s the state-of-the-art here?
Let’s again turn to our friends over at Gartner, who’ve summarized what is being offered in the “Cloud Web Application and API Protection” market. There’s a recurring acronym, “WAF” (web application firewall), that pretty much every vendor seems to be pushing as the solution to API security.
There’s a major problem with this approach. Web application firewalls haven’t stopped API data breaches.
Why is this the case?
It’s the nature of the attacks. Attacks against APIs generally look like normal API traffic, but they carry requests designed to evade security controls by exploiting the application’s logic. WAFs are not designed to handle problems in application or API logic. WAFs are designed to block specific IP addresses, address ranges, functional endpoints on an API, or some combination thereof.
We’ll see this throughout this presentation: the way APIs have been breached is through flaws in application logic, something a WAF cannot stop.
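To make the distinction concrete, here is an added example (not code from the presentation or from any rideshare app) that models a WAF-style edge filter beside an API handler. The WAF policy (IP blocklist, endpoint allowlist, payload signatures), the ride store, and the particular logic flaw (a handler that never checks that the ride belongs to the caller) are all assumptions constructed for illustration. A well-formed request from a clean IP to a permitted endpoint passes every WAF rule; only an authorization check inside the handler decides whether the caller should see that object.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: rides keyed by id, each with the account that owns it.
RIDES = {
    101: {"owner": "alice", "pickup": "12 Main St", "fare": 18.50},
    102: {"owner": "bob", "pickup": "9 Harbor Rd", "fare": 7.25},
}


@dataclass(frozen=True)
class Request:
    src_ip: str   # client address as seen at the edge
    method: str
    path: str
    caller: str   # authenticated account id (hypothetical: set by an upstream auth layer)


# Hypothetical WAF policy. These are the only properties the edge filter looks at:
# who is calling, which endpoint they hit, and whether the payload matches a signature.
BLOCKED_IPS = {"198.51.100.7"}
ALLOWED_ENDPOINTS = [("GET", re.compile(r"^/rides/\d+$"))]
ATTACK_SIGNATURES = [re.compile(r"(?i)union\s+select"), re.compile(r"(?i)<script")]


def waf_allows(req: Request) -> bool:
    """Edge filter: drops blocked IPs, unknown endpoints and signature matches."""
    if req.src_ip in BLOCKED_IPS:
        return False
    if not any(m == req.method and p.match(req.path) for m, p in ALLOWED_ENDPOINTS):
        return False
    if any(sig.search(req.path) for sig in ATTACK_SIGNATURES):
        return False
    return True


def _ride_id(path: str) -> int:
    return int(path.rsplit("/", 1)[1])


def get_ride_unchecked(req: Request) -> Optional[dict]:
    """Handler with the logic flaw: returns any existing ride, whoever asks for it."""
    return RIDES.get(_ride_id(req.path))


def get_ride_checked(req: Request) -> Optional[dict]:
    """Hardened handler: object-level authorization, the ride must belong to the caller."""
    ride = RIDES.get(_ride_id(req.path))
    if ride is None or ride["owner"] != req.caller:
        return None  # surface as 404 to the client; do not reveal that the ride exists
    return ride


def evaluate(req: Request) -> dict:
    """Run one request through the WAF and both handlers to show where each control acts."""
    allowed = waf_allows(req)
    return {
        "waf_allows": allowed,
        "unchecked": get_ride_unchecked(req) if allowed else None,
        "checked": get_ride_checked(req) if allowed else None,
    }


if __name__ == "__main__":
    # bob, from a clean address, asks for alice's ride. The WAF sees a well-formed GET
    # to a permitted endpoint and passes it; only the handler's ownership check stops it.
    print(evaluate(Request("203.0.113.5", "GET", "/rides/101", caller="bob")))
    # What a WAF is built to catch: a request from a blocked address.
    print(evaluate(Request("198.51.100.7", "GET", "/rides/101", caller="bob")))
```

The useful takeaway for a defender is where the decision has to live: the WAF has no notion of which account owns ride 101, so no amount of IP, endpoint or signature tuning closes that gap. The ownership check belongs in the handler (or a shared authorization layer the handler calls), and that is the kind of control the rest of this list keeps coming back to.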
In 2019, the Open Web Application Security Project (OWASP), a leading authority on internet security, published a top ten list of API vulnerabilities. In this presentation, we’ll review all of them.