API Security

Context-based protection for all API endpoints.

Go Beyond Legacy Solutions

We at GlobalDots hunt for the most cutting-edge and relevant technologies out there.

Once tested and qualified, we bring you the most innovative, certified products out there for every pressing use case.

  • Complete, Automated Discovery

    Identify all your APIs and the changes made to them, regardless of parameter differences. View all your sensitive data exposures in one place, and produce clear & exhaustive auditing reports.

  • Big-Data Driven

    Analyze all user activities simultaneously, even at the largest scale, to draw patterns from events scattered across multiple APIs, users, and locations.

  • Full OWASP Top 10 Coverage

    Remedying OWASP’s top 10 API security threats, such as broken authentication or mass assignment, is a basic requirement of any up-to-date solution.

  • Actionable Information

    Get real-time insights, not just alerts. Achieve timely, effective remediation with concrete suggestions for developers to permanently fix critical vulnerabilities.

Your Benefits

See It All

WAFs and API gateways are proxy-based and therefore fall short in correlating scattered, suspicious transactions. Properly configured API security surfaces unfolding attacks as early as their reconnaissance stage.

Encourage Innovation

APIs accelerate innovation. Let developers focus on what they do best, while our experts ensure your APIs are fully mapped & safeguarded.

Comply with Ease

We promote automated, self-auditing solutions that do the heavy lifting of gathering data, prioritizing threats, and producing consolidated, visualized reports for your auditors.

Stay Ahead

API security is a bubbling-hot sector. As we constantly seek to place our customers ahead of the market, we keep track of the most promising startups and filter them through our own uncompromising POCs.

Top Strategies for API Security

This white paper explores strategies for protecting APIs by first introducing how APIs are designed, and how similarities between web applications and APIs mark these endpoints as added targets for web attackers. We will also present the most common types of cyberattacks and conclude with a discussion on our recommended solution against API abuse.

  • How are API-related risks different than Web application vulnerabilities?

    Due to the growing popularity of APIs among developers and hackers alike, OWASP issued a top 10 list of API security threats, which differs slightly from the typical OWASP top 10 web application threats: https://owasp.org/www-project-api-security/

  • Is there a better way for the API security solution to learn my APIs than to import RAML / Swagger API definition file per API? How does that work?

    An API security solution should be able to monitor traffic and seamlessly discover, map and learn the different APIs: their methods, input parameters, traffic patterns and what constitutes normal use of them. It should then apply ML/AI capabilities to alert when an API endpoint is used abnormally or attacked.

  • What are the pros and cons of having an inline API security solution?

    Pros: when implemented inline, the API security solution can block API requests in real time.
    Cons: to minimize false positives, the API security solution must learn what normal use of an API endpoint looks like and what constitutes an anomaly or suspected attack. Reaching that level of context and accuracy requires offline analysis of an adequate amount of API traffic data, which is typical of an API security solution that is not deployed inline.

  • What is an API in simple words?

    An API (Application Programming Interface) is a set of rules that allows different software systems to communicate with each other. It acts like a bridge (or a contract) that lets applications share data and functionality, making it easier for developers to build software that can integrate or interact with other services. APIs define how requests are made, data is exchanged, and responses are formatted. An example of an API is when you use a travel website to search for flights. The site interacts with APIs from different airlines to access flight schedules, ticket prices, and availability. Instead of you visiting multiple airline sites, the API acts as a translator, gathering the data and presenting it to you in a unified way. This allows the travel site to show you various options in a single interface, thanks to the exposed APIs of each airline.

  • What are the benefits of API solutions?

    APIs enable seamless integration between systems, automating data sharing and reducing manual work. Furthermore, APIs allow for modular growth by integrating new functionalities or services without major code changes and, if properly designed, they are able to enforce authentication, authorization, and data validation.

  • Are APIs a security risk?

    Definitely, APIs can be a security risk if not properly managed. Since APIs expose application logic and sensitive data, they become an attractive target for attackers. Implementing strong security measures, such as authentication, encryption, and threat monitoring, is crucial to mitigate these risks. The OWASP API Security Top 10 reflects the evolving API landscape, highlighting the need for stricter authorization, improved configuration management, and awareness of new attack vectors such as SSRF and sensitive business flow abuse.

    The 2023 version of the OWASP API Security Top 10 is:

    • Broken Object Level Authorization: APIs tend to expose endpoints that handle object identifiers, creating a wide attack surface of Object Level Access Control issues. Object level authorization checks should be considered in every function that accesses a data source using an ID from the user.
    • Broken Authentication: Authentication mechanisms are often implemented incorrectly, allowing attackers to compromise authentication tokens or to exploit implementation flaws to assume other users’ identities temporarily or permanently. Compromising a system’s ability to identify the client/user compromises API security overall.
    • Broken Object Property Level Authorization: Covers excessive data exposure and mass assignment, focusing on the root cause: missing or improper authorization validation at the object property level. This leads to information exposure or manipulation by unauthorized parties.
    • Unrestricted Resource Consumption: Satisfying API requests requires resources such as network bandwidth, CPU, memory, and storage. Other resources such as emails/SMS/phone calls or biometrics validation are made available by service providers via API integrations, and paid for per request. Successful attacks can lead to Denial of Service or an increase of operational costs.
    • Broken Function Level Authorization: Complex access control policies with different hierarchies, groups, and roles, and an unclear separation between administrative and regular functions, tend to lead to authorization flaws. By exploiting these issues, attackers can gain access to other users’ resources and/or administrative functions.
    • Unrestricted Access to Sensitive Business Flows: APIs vulnerable to this risk expose a business flow – such as buying a ticket, or posting a comment – without compensating for how the functionality could harm the business if used excessively in an automated manner. This doesn’t necessarily come from implementation bugs.
    • Server Side Request Forgery: Server-Side Request Forgery (SSRF) flaws can occur when an API is fetching a remote resource without validating the user-supplied URI. This enables an attacker to coerce the application to send a crafted request to an unexpected destination, even when protected by a firewall or a VPN.
    • Security Misconfiguration: APIs and the systems supporting them typically contain complex configurations, meant to make the APIs more customizable. Software and DevOps engineers can miss these configurations, or don’t follow security best practices when it comes to configuration, opening the door for different types of attacks.
    • Improper Inventory Management: APIs tend to expose more endpoints than traditional web applications, making proper and updated documentation highly important. A proper inventory of hosts and deployed API versions is also important to mitigate issues such as deprecated API versions and exposed debug endpoints.
    • Unsafe Consumption of APIs: Developers tend to trust data received from third-party APIs more than user input, and so tend to adopt weaker security standards. In order to compromise APIs, attackers go after integrated third-party services instead of trying to compromise the target API directly.
  • How do you protect an API?

    The following layered security measures are the minimum steps to protect your API:

    • Authentication & Authorization: Use strong methods like OAuth 2.0 and JWT to verify users and limit access.
    • Input Validation: Ensure data received by the API is sanitized and validated.
    • Rate Limiting & Throttling: Limit the number of requests to prevent abuse.
    • Encryption: Use HTTPS/TLS to secure data in transit.
    • Monitoring & Logging: Track API usage for anomalies and potential attacks.
    • Implement WAF & API Gateways: Use specialized tools for additional protection and visibility.
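As an added example (not GlobalDots' code nor any product's), here is a minimal Python handler for a `GET /orders/{id}` endpoint that applies four of the measures above in order: token authentication, per-user rate limiting, input validation, and the object-level ownership check that mitigates the Broken Object Level Authorization risk from the OWASP list earlier in this FAQ. The tokens, orders and token-bucket parameters are constructed sample values, and an opaque bearer-token lookup stands in for OAuth 2.0/JWT validation.

```python
import re
import time
from collections import defaultdict

# Constructed sample data (assumptions): bearer token -> user id, and the
# orders each user owns. A real service would back these with a database.
TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}
ORDERS = {101: {"owner": "alice", "item": "ticket"},
          102: {"owner": "bob", "item": "voucher"}}
ORDER_ID = re.compile(r"[0-9]{1,9}")  # input validation: numeric ids only

class TokenBucket:
    """Per-client limiter: `capacity` requests, refilled at `rate` per second."""
    def __init__(self, capacity, rate):
        self.capacity, self.rate = capacity, rate
        self.tokens = defaultdict(lambda: float(capacity))
        self.last = {}

    def allow(self, client, now=None):
        now = time.monotonic() if now is None else now
        elapsed = now - self.last.get(client, now)
        self.tokens[client] = min(self.capacity, self.tokens[client] + elapsed * self.rate)
        self.last[client] = now
        if self.tokens[client] < 1:
            return False
        self.tokens[client] -= 1
        return True

LIMITER = TokenBucket(capacity=3, rate=1.0)  # burst of 3, then 1 request/second

def get_order(headers, order_id, now=None):
    """Handle GET /orders/{id}; returns (status, body) like a minimal handler."""
    # 1. Authentication: map the bearer token to a user, reject unknown tokens.
    token = headers.get("Authorization", "").removeprefix("Bearer ").strip()
    user = TOKENS.get(token)
    if user is None:
        return 401, {"error": "missing or invalid token"}
    # 2. Rate limiting per authenticated user, before any expensive work.
    if not LIMITER.allow(user, now):
        return 429, {"error": "rate limit exceeded"}
    # 3. Input validation: the id must have the expected shape before lookup.
    if not ORDER_ID.fullmatch(str(order_id)):
        return 400, {"error": "order id must be numeric"}
    order = ORDERS.get(int(order_id))
    # 4. Object-level authorization (the BOLA mitigation): the caller must own
    #    the object. 404 for both "absent" and "not yours" avoids confirming ids.
    if order is None or order["owner"] != user:
        return 404, {"error": "order not found"}
    return 200, {"id": int(order_id), "item": order["item"]}
```

Passing `now` explicitly makes the limiter deterministic for tests; a deployed handler would leave it unset so the monotonic clock is used.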
  • What is an API Security Platform?

    An API Security Platform is a specialized solution designed to provide comprehensive protection for APIs throughout their lifecycle. It typically includes features like API discovery, threat detection, runtime monitoring, and vulnerability management. The platform helps prevent attacks by identifying misconfigurations, enforcing security policies, and detecting abnormal behavior. Advanced platforms also leverage AI/ML to identify zero-day threats and API-specific risks, such as broken object level authorization (BOLA) or data scraping.

    These platforms help secure complex API ecosystems, ensuring safe integrations and data exchange.

  • What are the main features of an API Security Platform?

    An API Security Platform typically offers a set of advanced features designed to protect APIs from attacks, detect vulnerabilities, and ensure compliance. Here are the primary features commonly found in API security platforms:

    • API Discovery and Inventory Management: Automatically scans and discovers all APIs in use, both managed and shadow APIs, providing a complete inventory. Monitors for changes in existing APIs, new endpoints, and undocumented APIs that can pose security risks.
    • Threat Detection and Behavior Analysis: Leverages AI and Machine Learning to establish normal API usage patterns and identify anomalous behaviors, such as bot attacks, data exfiltration, or abusive use. Detects sophisticated attacks like Broken Object Level Authorization (BOLA) or mass assignment vulnerabilities.
    • Runtime Protection and Attack Prevention: Offers real-time monitoring and protection capabilities, including blocking malicious API requests, rate limiting, and implementing fine-grained access controls. Enforces rules against common threats, such as SQL Injection, DDoS attacks, and cross-site scripting (XSS).
    • Authorization and Access Control: Provides mechanisms for robust authentication and authorization, such as JWT validation. Implements policies to protect against Broken Function Level Authorization and excessive data exposure.
    • Security Testing and Vulnerability Management: Performs automated API security testing during development and deployment to identify misconfigurations, missing authorizations, and coding vulnerabilities. Continuously scans for OWASP API Top 10 vulnerabilities, such as insecure direct object references and improper asset management.
    • Data Loss Prevention and Sensitive Data Masking: Monitors API traffic for sensitive data exposure, such as credit card numbers, PII, or health data. Provides mechanisms to redact or mask sensitive data in responses to prevent inadvertent data leaks.
    • API Gateway Integration: Integrates with existing API gateways to provide an additional layer of security, including authentication enforcement, API rate limiting, and caching.
    • Compliance and Reporting: Offers detailed logging, monitoring, and compliance reporting features to meet regulatory requirements such as GDPR, HIPAA, and PCI-DSS. Provides comprehensive audit logs and security event dashboards for continuous monitoring.
    • Integration with Security Information and Event Management (SIEM) Systems: API security platforms often integrate with SIEM solutions for consolidated alerting and event management, enabling a holistic security posture across the organization.
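As an added example (not part of this page nor of any vendor product), the following Python script sketches two of the capabilities described above and in the earlier FAQ answer on learning APIs from traffic instead of an imported definition: it discovers an endpoint inventory from access-log lines regardless of parameter differences, compares it with a declared Swagger/RAML-style endpoint set to surface shadow endpoints, and flags clients whose access pattern looks like object-id enumeration rather than normal use. The log lines, the declared endpoint set and the thresholds are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample access log (not real traffic): "client method path status".
ACCESS_LOG = """\
alice GET /api/v1/orders/101?expand=items 200
bob GET /api/v1/orders/102 200
bob POST /api/v1/orders 201
svc-7 GET /api/v1/orders/103 404
svc-7 GET /api/v1/orders/104 404
svc-7 GET /api/v1/orders/105 200
svc-7 GET /api/v1/orders/106 404
ops GET /api/v1/debug/config 200
"""
# What an imported Swagger/RAML definition would declare (constructed assumption).
DECLARED = {("GET", "/api/v1/orders/{id}"), ("POST", "/api/v1/orders"),
            ("GET", "/api/v1/users/{id}")}
ID_SEGMENT = re.compile(r"[0-9]+|[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}")  # int or UUID

def templatize(path):
    """Collapse id-like segments so /orders/101 and /orders/102 are one endpoint;
    return (template, sorted query parameter names)."""
    path, _, query = path.partition("?")
    template = "/".join("{id}" if ID_SEGMENT.fullmatch(s) else s for s in path.split("/"))
    params = sorted({p.split("=", 1)[0] for p in query.split("&") if p})
    return template, params

def learn_inventory(log):
    """Discovery: map each (method, template) to the query parameters seen in traffic."""
    inventory = defaultdict(set)
    for line in log.strip().splitlines():
        _client, method, path, _status = line.split()
        template, params = templatize(path)
        inventory[(method, template)].update(params)
    return inventory

def shadow_endpoints(inventory, declared):
    """Endpoints seen on the wire that no imported definition declares."""
    return sorted(endpoint for endpoint in inventory if endpoint not in declared)

def enumeration_suspects(log, max_distinct=3, min_miss_rate=0.5):
    """Behavior baseline: flag clients that walk many distinct object ids on an {id}
    endpoint with a high 404 share, the shape of id enumeration rather than normal use."""
    ids, misses, total = defaultdict(set), Counter(), Counter()
    for line in log.strip().splitlines():
        client, _method, path, status = line.split()
        template, _ = templatize(path)
        if "{id}" not in template:
            continue  # enumeration only makes sense on object-id endpoints
        total[client] += 1
        ids[client].add(path.partition("?")[0])
        misses[client] += int(status == "404")
    return sorted(c for c in total
                  if len(ids[c]) > max_distinct and misses[c] / total[c] >= min_miss_rate)
```

On the constructed log, the undeclared `GET /api/v1/debug/config` surfaces as a shadow endpoint and `svc-7`, which walked four distinct order ids with three misses, is the only enumeration suspect; the thresholds would be tuned against a real baseline rather than fixed.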
