A recent report by Salt Security shows that 91% of organizations suffered an API-related problem in the last year, and more than half (54%) reported finding vulnerabilities in their APIs, 46% pointed to authentication issues, and 20% described problems caused by bots and data scraping tools.
Here, Inon Shkedy, Head of Security Research for Traceable, who also serves as the API Security Project Lead at OWASP and co-authored the OWASP API Top 10, talks to Security magazine about API security risks.
Security: What is your background? What are your current responsibilities in your role?
Shkedy: My background is in security research, but more specifically I have done extensive work in identifying and analyzing APIs and their security risks. Currently, I am the Head of Security Research at Traceable.
For the past two and a half years, I have also served as the API Security Project Leader at the OWASP (The Open Web Application Security Project) Foundation. At OWASP, we aim to improve software security through open source and community education. I lead the analysis and compilation of the top 10 API security risks for OWAS.
Security: What is API security?
Shkedy: API security sounds simple - keeping the applications and microservices that businesses rely on safe from cybercriminals and without vulnerabilities. But it is much more complicated than that in practice. Especially in the past year as traditionally brick and mortar businesses flocked to virtual environments, the sheer number of APIs in operation vastly increased - often to the point where it is difficult for a business to truly know and have visibility into every API that interacts with their organization.
API security starts with a clear view and understanding of every API communicating to or accessing an enterprise’s applications and data. From there, it’s understanding the DNA of every API - who are the users, what groups do they belong to, which are risky and more likely to be exploited (for example: unauthenticated APIs). Another critical aspect of API security is understanding user behavior and identifying anomalous behavior in order to catch bad actors before they cause any harm.
Security: Why should enterprise security teams be concerned with APIs?
Shkedy: APIs have become the backbone of the modern internet infrastructure and increased the speed of software development simply because of the sheer number of industries and companies that have digitally transformed operations.
But as more companies move to the cloud and adopt microservices, these applications, the APIs and the data associated with them are increasingly vulnerable if not protected properly. APIs are relatively new as an infrastructure and can interact with a variety of users and applications, making them hard to keep track of. And because they are so important to corporate infrastructure and access significant amounts of data, they are the perfect target.
Security: What are some of the most common vulnerabilities in API security? What do these vulnerabilities reveal about the security landscape?
Shkedy: There are many vulnerabilities associated with APIs, but some of the most common include broken authorization, whether for objects, or functions; excessive data exposure, through generic implementations or relying on the client to filter out sensitive information; security misconfigurations, usage of vulnerable 3rd party libraries, and more; and mass assignment, which occurs when provided data is bound to data models without proper filtering.
Most of the API breaches that happened in the last few years are related to authentication and authorization problems. The process of validating that a user is accessing only information he is supposed to access becomes very challenging in modern applications, as a result of complex user hierarchies and policies.
Security: What are some of the best ways to mitigate these vulnerabilities?
Shkedy: There are three best practices that are absolutely critical to keep APIs secure. It is important to have an API inventory and make sure you know where your APIs are. This includes APIs that belong to older versions and different environments. On top of that, it’s important to have proper documentation that can tell you which endpoints each API host exposes, which endpoints are public (don’t require authentication) and which ones can be accessed from the internet.
Organizations also need to encourage developers to use secure coding practices - most API vulnerabilities start within the code. Make sure your developers are aware of best practices for secure coding in the production phase. Lastly, businesses should review their authorization policies and mechanisms - authorization is a very sensitive mechanism, and I would recommend letting only the most experienced engineer make changes in it.