Major data breaches are on the rise, and APIs are increasingly being used to gain access to sensitive data. The reasons for this are twofold: APIs are the first line of defense into an application (and its data), and more and more applications are accessible via the cloud and APIs. Everything from non-critical functionality, like music streaming and social media, to extremely sensitive data, such as financial accounts and healthcare records, is accessible 24x7 through APIs.
Why is it so attractive to breach API security? There are many nefarious reasons, but here are just a few:
- Stealing Personally Identifiable Information (PII) and selling it on the dark web or using it for identity theft
- Asset theft, extortion or ransom
- Causing application instability or unavailability
- Espionage (corporate or political)
- Election interference
- Political instability
The list goes on. The availability of data and the dangers of breaches make it essential to get API security right.
Every year, the Open Worldwide Application Security Project (OWASP) publishes a list of the Top 10 API Security Risks. We'll take a quick look at the current list, with examples of data breaches caused by each type of risk.
After that, we'll talk about the API pipeline and how to prevent common API security issues across the pipeline.
OWASP Top 10 API Security Risks (2023)
Let's take a look at the OWASP Top 10 API Security Risks, ranked in order of prevalence (from highest to lowest).
API1:2023 – Broken Object Level Authorization (BOLA)
In a BOLA attack, object IDs for application data are leaked in API responses and then used to gain unauthorized access to sensitive data.
The big Twitter (now X) API breach was a BOLA attack, where an API that could be used to look up users ended up leaking PII.
API2:2023 – Broken Authentication
With broken authentication, an attacker compromises weak authentication methods and gains access to an application (and ultimately, its data).
Many security breaches are caused by broken authentication.
API3:2023 – Broken Object Property Level Authorization
This is similar to BOLA, where an attacker is able to gain unauthorized access to data, but at the level of individual object properties.
API4:2023 – Unrestricted Resource Consumption
In this scenario, the attacker is able to get unrestricted access to an application and its resources. This type of attack can cause application instability or even outages. If large amounts of application resources are consumed without restriction, the result can be very expensive (e.g. paid-tier cloud resources).
An example of this would be a Denial of Service (DoS) attack, where an application is so overwhelmed with traffic that it can no longer function.
API5:2023 – Broken Function Level Authorization (BFLA)
With BFLA, unauthorized access to application functionality is allowed. This includes authorization issues between microservices.
An insurance company was the victim of a BFLA attack caused by customer data being available to the public via a "protected part" of the application.
API6:2023 – Unrestricted Access to Sensitive Business Flows
This threat involves vulnerability to automated abuse of application transactions, for example ticket sales or thread comments. For example, "bad bots" can be used to overwhelm an application and circumvent its safeguards.
This happened with the Taylor Swift concert ticket snafu in November 2022. Scalper bots were used to buy limited-release tickets intended for verified fans, which were then resold at a huge profit.
API7:2023 – Server Side Request Forgery (SSRF)
Also known as "URL spoofing", this involves a server using an input URL to reach a remote resource without validating the given URL, which can allow attackers to get around a VPN or firewall and potentially gain access to sensitive data. The attacker uses the server to make the request appear legitimate.
The big Capital One data breach in 2019 was an SSRF attack, and resulted in PII for 100 million credit card holders being stolen. More recently, a class action lawsuit was filed.
API8:2023 – Security Misconfiguration
Any weak or misconfigured security in an application opens attack surfaces.
In May 2023, Toyota disclosed a big data breach caused by insufficient cloud configurations.
API9:2023 – Improper Inventory Management
Improper API inventory management includes undocumented (shadow) APIs, deprecated (zombie) APIs and unauthorized (rogue) APIs.
Shadow and zombie APIs are risks because they may not receive sufficient security scrutiny. A rogue API can mean the same thing as a shadow API, but it can also be the result of malicious code injection opening up a backdoor into an application.
API10:2023 – Unsafe Consumption of APIs
Weak security in 3rd party APIs used by an application can allow access to data.
An example of this threat is an insecure AWS S3 bucket with access to data, which appears to be responsible for many recent data leaks. Even if the application that hosts the data is very secure, the data could still be accessible through S3 APIs.
The API Pipeline
We hear about "pipelines" and "shifting to the left" all the time in software development. But what do these concepts mean in the context of APIs?
The API pipeline spans the entire API lifecycle, from initial development ("on the left") to deployment into production ("on the right"). This is illustrated below.

Let's discuss the various stages of the API pipeline.
Development/Coding
APIs are born in development, ideally by first crafting an OpenAPI specification (OAS spec) to formalize the API, specify parameters, identify possible return parameters and codes, etc.
Many developers use Integrated Development Environments (IDEs) to set up their environment, such as VSCode (open source), PyCharm (community and paid-tier) or GoLand (paid-tier).
Depending on the IDE, there may be extensions to help as you write your OAS specs. For example, VSCode has several OAS spec linter extensions that can statically flag issues with the spec, such as Spectral (open source) and Postman (free and paid-tier). The Spectral extension even has an OWASP Top 10 API Security Risks ruleset. Panoptica (free trial and paid-tier) can run different OAS spec linters from the command line.
AI copilots are all the rage now, and can be used to develop the API client/server code. Popular AI copilots include GitHub Copilot (paid-tier) and others.
Note that not all API security issues can be detected statically. Many issues can only be detected in a dynamic environment, where API calls are actually being acted upon.
After the API code is done, it's ready for unit testing.
Unit Testing
Once development is complete, the API code undergoes unit testing, where "mock" API calls are made to verify that the APIs are behaving correctly. A unit test environment is still static because, although calls can be made to client and server functions, the application isn't running as a whole.
There are many tools to auto-generate mock API code and run mock API servers, including WireMock (open source), Mockoon (open source), Microcks (open source), Postman (free and paid-tier), RestAssured (open source) and SoapUI (open source).
Once unit tests are written and passing, the API code is ready for CI/CD.
Continuous Integration/Continuous Delivery (CI/CD)
In CI/CD, the code is submitted for code review, the image is built and some gating tests are run automatically. The gating tests include static tests, such as unit tests and OAS spec linters, and dynamic tests like end-to-end functional tests, where the code is actually installed and basic functionality can be tested in an automated way.
If the CI/CD tests all pass, the code is ready to be merged into the code repository and tested in staging.
Staging
A staging environment is similar to an actual production environment, but is isolated for internal testing. In staging, the application is installed and a quality assurance team can verify the functionality.
High availability and performance tests can also be run in staging. High availability testing involves verifying that no single points of failure exist in your application. Performance testing verifies that your application performs at scale, which includes a high volume of API traffic.
Tools for API performance and load testing include Locust (open source), SoapUI and Postman.
Another type of tool that's useful during staging is a fuzzer. A fuzzer passes bad data into the API endpoints of your application and tries to negatively affect the application (e.g. make it stop responding, make it crash, leak data, etc.). Examples of fuzz testing tools are RESTler (open source) and Panoptica.
Greenfield Deployment
The first time an application is deployed to production, it's called a "greenfield deployment." In greenfield, since there are no existing artifacts, there are no versioning or upgrade concerns.
In a production environment, you can dynamically scan real-time API traffic for security risks to protect your application. The Panoptica CNAPP platform has a full suite of API security functionality, which we'll discuss below.
Brownfield Deployment
Brownfield deployment is when the application is upgraded in an existing production environment.
With brownfield, issues like API backwards compatibility and versioning come into play. For example, API clients might continue to use a previous OAS spec version after the application has been upgraded to a new one. Multiple API versions must be supported.
A canary deployment is a brownfield deployment where different versions of the application are running concurrently in order to reduce the risk of a new version. The canary deployment handles only a subset of the total API traffic. Here again, API backwards compatibility and versioning are important considerations.
Prevent Common API Security Issues Across the Pipeline
Now that we've talked about the OWASP Top 10 API Security Risks and the full API pipeline, let's take a look at some common API security issues and how to prevent them across the pipeline.
BOLA
BOLAs were the most prevalent type of API security issue in 2023, according to OWASP. They are included in issues API1:2023 (Broken Object Level Authorization) and API3:2023 (Broken Object Property Level Authorization).
As previously mentioned, in a BOLA attack, an end user is able to access data that they are not authorized to access, usually because metadata is leaked in API responses from the application.
Since data, especially PII, is a major target of breaches, any unauthorized access is a big security problem.
How can BOLAs be prevented across the API pipeline?
- During development, make sure you have a strong authorization model in your application that doesn't allow access to data without authorization, and make sure no data is leaked in API responses.
- In development and CI/CD, use OAS spec linters (discussed earlier) to flag potential authorization issues.
- During unit testing and CI/CD, run mock API traffic that tries to access data without authorization.
- In CI/CD and staging, run a fuzzer against your API endpoints that sends bad input into the APIs and flags any unexpected access to data.
- In staging and production, run dynamic API security tools to inspect API traffic and flag potential BOLA issues. Panoptica has BOLA detection capabilities.
BFLAs
BFLAs occur when application functionality is accessed without the proper authorization, either by an end user calling into the application or between application microservices. BOLA (above) is about accessing data; BFLA is about accessing functionality. Gaining unauthorized access to functionality can ultimately lead to data breaches. BFLAs are OWASP issue API5:2023 (Broken Function Level Authorization).
How can BFLAs be prevented across the API pipeline?
- During development, make sure you have a strong authorization model for accessing application functionality from end users and between microservices.
- In unit testing and CI/CD, run mock API traffic that tries to access application functionality without authorization.
- In staging and production, run dynamic API security tools to inspect API traffic and flag potential BFLA issues. Panoptica has the ability to learn the BFLA authorization model and then detect any potential violations in real-time traffic.
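To make the "strong authorization model" in the BOLA and BFLA lists above concrete, here is an added example (not code from the original post or from Panoptica) showing one request handler with no checks beside a hardened version that enforces function-level, object-level and property-level authorization. The accounts, users and roles are constructed sample data.

```python
# Constructed sample data: two customers and one support agent.
ACCOUNTS = {
    1001: {"owner": "alice", "balance": 2500, "ssn": "***-**-1234"},
    1002: {"owner": "bob",   "balance":  900, "ssn": "***-**-5678"},
}
USERS = {"alice": "customer", "bob": "customer", "carol": "agent"}

# Properties a caller may see in a response. "ssn" is deliberately never
# returned (API3: object property level authorization).
VISIBLE_PROPERTIES = ("owner", "balance")
# Functions each role may call (API5: function level authorization).
ROLE_FUNCTIONS = {"customer": {"get_account"}, "agent": {"get_account", "close_account"}}


class Forbidden(Exception):
    pass


def get_account_vulnerable(caller, account_id):
    """BOLA: the account id from the request is trusted as-is, so any
    authenticated user can read any account, and every property leaks."""
    return dict(ACCOUNTS[account_id])


def authorize_function(caller, function_name):
    """BFLA check: reject calls to functions the caller's role does not allow."""
    role = USERS.get(caller)
    if role is None or function_name not in ROLE_FUNCTIONS[role]:
        raise Forbidden(f"{caller!r} may not call {function_name}")


def get_account(caller, account_id):
    """Hardened version: function-level check, then object-level check, then
    response filtering so only allowed properties are returned."""
    authorize_function(caller, "get_account")
    account = ACCOUNTS.get(account_id)
    # Object-level check: answer "not found" both when the account does not exist
    # and when it belongs to someone else, so the response does not confirm
    # which ids are valid (that confirmation is what a BOLA probe is after).
    if account is None or (USERS[caller] != "agent" and account["owner"] != caller):
        raise KeyError("account not found")
    return {k: account[k] for k in VISIBLE_PROPERTIES}


def close_account(caller, account_id):
    """Agent-only function: a customer calling this is a BFLA attempt."""
    authorize_function(caller, "close_account")
    if account_id not in ACCOUNTS:
        raise KeyError("account not found")
    ACCOUNTS[account_id]["closed"] = True
    return True
```

The mock traffic the lists recommend is then simply calls such as get_account("bob", 1001) and close_account("alice", 1001), which must fail.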
Weak Authentication
Weak authentication into an application is easier for an attacker to compromise. It can give threat actors access to user accounts and data. Weak (or broken) authentication is included in OWASP issues API2:2023 (Broken Authentication) and API8:2023 (Security Misconfiguration).
One form of this is basic authentication, which requires a username and password, where the password itself is "weak." This includes short passwords, passwords that are too common (e.g. can be found in a dictionary search), or passwords that are reused across accounts.
Weak authentication can also be caused by weak endpoint security, for example using HTTP instead of HTTPS.
Finally, encryption issues fall into this category. Having endpoints with no encryption or weak encryption can open attack surfaces into your application. If there is no encryption, all API traffic is "in the clear", meaning it can be tapped and easily read. Weak encryption might involve short encryption keys that can be easily compromised.
How can weak authentication be prevented across the API pipeline?
- Develop secure endpoints (e.g. HTTPS) with strong encryption enabled.
- For basic auth, require strong passwords and multi-factor authentication (MFA).
- In development and CI/CD, use OAS spec linters (particularly with the OWASP Top 10 ruleset) to flag insecure endpoint issues.
- In unit testing and CI/CD, run mock API traffic that uses weak authentication and tries to gain access.
- In staging and production, run dynamic API security tools to flag weak authentication in real-time API traffic. Panoptica can detect many forms of weak authentication.
Shadow APIs
OWASP issue API9:2023 (Improper Inventory Management) includes shadow APIs. Shadow APIs are not documented in an OAS spec. They're a security risk you may not even know you have.
As your application evolves, it's unlikely that the security of shadow APIs will evolve with it. They may even be forgotten entirely, exposing an ongoing security loophole or backdoor into your application.
How can shadow APIs be prevented across the API pipeline?
- During development, make sure to take an inventory of all APIs and document each of them in an OAS spec.
- In staging and production, run dynamic API security tools that can detect shadow APIs in real-time traffic and reconstruct an OAS spec for them so they are documented properly. Panoptica has these capabilities.
Zombie APIs
OWASP issue API9:2023 (Improper Inventory Management) also includes zombie APIs. Zombie APIs are APIs that are deprecated in the OAS spec but are still active within the application. They occur in brownfield and canary production environments, where multiple API versions may be in use.
Like shadow APIs, zombie APIs are unlikely to evolve along with your application and may receive less scrutiny from a security standpoint, thus leaving a backdoor into your application.
How can zombie APIs be prevented across the API pipeline?
- Remove support for zombie (deprecated) APIs as soon as possible.
- In staging and production, run dynamic API security tools that can detect zombie APIs in real-time traffic, such as Panoptica.
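The detection step in both the shadow API and zombie API sections above comes down to comparing observed traffic with the OAS spec. The following is an added example (not from the original post, and not how Panoptica implements it) that classifies each request in an access log as documented, zombie (deprecated operation still being served) or shadow (path or method absent from the spec). The spec and log lines are constructed.

```python
import re

# Minimal OpenAPI-style spec (constructed): path template -> method -> operation
OAS_SPEC = {
    "/v2/users/{id}": {"get": {"deprecated": False}},
    "/v2/orders":     {"post": {"deprecated": False}},
    "/v1/users/{id}": {"get": {"deprecated": True}},   # zombie if still served
}

# Constructed access log lines in combined-log style.
ACCESS_LOG = """\
10.0.0.5 - - [12/Jan/2024:10:00:01 +0000] "GET /v2/users/42 HTTP/1.1" 200 512
10.0.0.5 - - [12/Jan/2024:10:00:02 +0000] "GET /v1/users/42 HTTP/1.1" 200 480
10.0.0.9 - - [12/Jan/2024:10:00:03 +0000] "GET /internal/debug/dump HTTP/1.1" 200 9812
10.0.0.9 - - [12/Jan/2024:10:00:04 +0000] "POST /v2/orders HTTP/1.1" 201 88
10.0.0.9 - - [12/Jan/2024:10:00:05 +0000] "DELETE /v2/orders HTTP/1.1" 405 0
"""

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>[^ ?]+)[^"]*" (?P<status>\d{3})')


def _template_to_regex(template):
    """Turn an OAS path template such as /v2/users/{id} into an anchored regex."""
    parts = re.split(r"(\{[^}]+\})", template)
    pattern = "".join("[^/]+" if p.startswith("{") else re.escape(p) for p in parts)
    return re.compile("^" + pattern + "$")


def classify_request(method, path, spec=OAS_SPEC):
    """Return 'documented', 'zombie' or 'shadow' for one observed request."""
    for template, methods in spec.items():
        if _template_to_regex(template).match(path):
            op = methods.get(method.lower())
            if op is None:
                return "shadow"          # known path, but undocumented method
            return "zombie" if op.get("deprecated") else "documented"
    return "shadow"                      # path not in the spec at all


def audit_log(log_text, spec=OAS_SPEC):
    """Return {(method, path): category} for every successfully served request
    that is not a documented, current operation. Requests the server rejected
    (4xx/5xx) are skipped: an endpoint that is refused is not an active one."""
    findings = {}
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or int(m["status"]) >= 400:
            continue
        category = classify_request(m["method"], m["path"], spec)
        if category != "documented":
            findings[(m["method"], m["path"])] = category
    return findings
```

Run against the constructed log, the audit reports the deprecated /v1 lookup as a zombie and the undocumented debug path as a shadow endpoint.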
Weak 3rd Party Authentication
Even if your application's data access is really secure, weak 3rd party authentication could still expose your data to threats. 3rd party access to your data includes databases, S3 buckets, etc. Weak 3rd party authentication is included in OWASP issues API8:2023 (Security Misconfiguration) and API10:2023 (Unsafe Consumption of APIs).
How can weak 3rd party authentication be prevented across the API pipeline?
- During development, keep an inventory of all 3rd party APIs and services that are being used by your application.
- Verify that 3rd party access is secure.
- In CI/CD and staging, use a tool to assess the security of 3rd party API calls. The Panoptica CLI has this functionality.
- In staging and production, use cloud security scanners to detect weak 3rd party authentication. Examples of cloud security scanning tools are AWS Config (paid service), Azure Automation and Management (free and paid-tier), GCP Cloud Asset Inventory (free) and CloudQuery (open source and paid-tier).
Resource Consumption
Unrestricted resource consumption is OWASP issue API4:2023. If an application is inundated with many API calls within a short time frame, it can have negative consequences. For example, application resources such as CPU, RAM and storage can be quickly consumed or exhausted, leading to potentially higher operational costs, slower response times or even application failures and outages.
How can unrestricted resource consumption be prevented across the API pipeline?
- During development, add rate-limiting to the API processing in your application, including a maximum rate of API requests and a reasonable timeout.
- In staging, use performance testing that exceeds the allowed rate of API requests and verifies that the application is still functioning as expected.
- In staging and production, use an API gateway in front of your application to throttle and rate-limit API requests. Some popular API gateways are AWS API Gateway (free and paid-tier), GCP API Gateway (free and paid-tier), Kong (open source and paid-tier), Tyk (open source) and Azure API Management (free and paid-tier). Note that the application still needs its own rate-limiting functionality when using an API gateway.
OWASP issue API6:2023 (Unrestricted Access to Sensitive Business Flows) is related to unrestricted resource consumption, but it implies that automation, bad bots or AI are involved in the API abuse, compounding the resource consumption.
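The in-application rate limit and timeout from the first bullet above, as an added example (not from the original post): a per-client token bucket that returns 429 with a Retry-After value when a client exceeds its rate, plus a per-request time budget. The rate, burst and client ids are constructed values, and the clock is injectable so the behaviour can be tested without sleeping.

```python
import time


class RateLimiter:
    """Allow at most `rate` requests per second per client, with bursts of up to
    `burst` requests. `clock` returns seconds and is injectable for testing."""

    def __init__(self, rate, burst, clock=time.monotonic):
        self.rate = float(rate)
        self.burst = float(burst)
        self.clock = clock
        self._state = {}        # client_id -> [tokens, timestamp of last refill]

    def allow(self, client_id):
        now = self.clock()
        tokens, last = self._state.get(client_id, (self.burst, now))
        # Refill in proportion to elapsed time, never above the burst size.
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self._state[client_id] = [tokens - 1.0, now]
            return True
        self._state[client_id] = [tokens, now]
        return False

    def retry_after(self, client_id):
        """Seconds until the client has a full token again (Retry-After header)."""
        tokens, _ = self._state.get(client_id, (self.burst, 0.0))
        return 0.0 if tokens >= 1.0 else (1.0 - tokens) / self.rate


def handle_request(limiter, client_id, work, timeout_s):
    """Apply the rate limit, then run `work` with a deadline. `work` receives
    the absolute deadline and returns None if it could not finish in time."""
    if not limiter.allow(client_id):
        return {"status": 429, "retry_after": round(limiter.retry_after(client_id), 3)}
    result = work(limiter.clock() + timeout_s)
    if result is None:
        return {"status": 504}
    return {"status": 200, "body": result}


if __name__ == "__main__":
    limiter = RateLimiter(rate=2, burst=3)     # constructed limits
    for i in range(5):
        print(i, handle_request(limiter, "client-a", lambda deadline: "ok", 1.0))
```

Because the gateway in front of the application applies its own limit, this per-client bucket still catches abuse arriving through paths the gateway does not see (for example service-to-service calls).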
URL Spoofing
With a URL spoofing attack, an invalid or malicious URL is passed into an API request, and the server proxies the URL without validating it. The suspicious URL could be a fake website or a webhook. This could allow access to sensitive data and PII. This type of vulnerability is covered in OWASP issue API7:2023 (Server Side Request Forgery).
How can URL spoofing be prevented across the API pipeline? Protecting against this type of attack can be complex. Here is a good resource to get started. The high-level gist of the prevention measures is:
- During development, perform validation on the given URL, including the IP address and domain name (see the resource linked above).
- Create a list of allowed URLs, if possible, and validate the given URL against the list (see the resource linked above).
- In unit testing and CI/CD, run mock API traffic that attempts to pass an invalid URL into the API.
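The first two bullets above (validate scheme, host and resolved IP address; check against an allowlist where one is possible), as an added example that is not from the original post or from the resource it links to. The allowed hosts are constructed; the resolver is injectable so the checks can be exercised offline, while the default uses socket.getaddrinfo.

```python
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_HOSTS = {"hooks.example.com", "api.partner.example"}   # constructed allowlist
ALLOWED_SCHEMES = {"https"}


def resolve_with_dns(hostname):
    """Default resolver: every address the name currently maps to (A and AAAA)."""
    return {info[4][0] for info in socket.getaddrinfo(hostname, None)}


def _is_public(ip):
    """True only for globally routable unicast addresses. Loopback, private
    (RFC 1918), link-local, multicast and reserved ranges all return False."""
    return ip.is_global and not ip.is_multicast


def validate_outbound_url(url, resolver=resolve_with_dns, allowed_hosts=ALLOWED_HOSTS):
    """Return (ok, reason) for a caller-supplied URL the server is asked to fetch.
    Pass allowed_hosts=None when no allowlist is possible; the address checks
    still apply so a name that resolves to an internal host is refused."""
    try:
        parts = urlparse(url)
    except ValueError:
        return False, "unparseable url"
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username or parts.password:
        return False, "credentials in url"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if allowed_hosts is not None and host not in allowed_hosts:
        return False, f"host {host!r} not in allowlist"
    try:
        addrs = {str(ipaddress.ip_address(host))}       # literal IP: no DNS needed
    except ValueError:
        try:
            addrs = resolver(host)
        except OSError:
            return False, "dns resolution failed"
    if not addrs:
        return False, "host has no addresses"
    for addr in addrs:
        if not _is_public(ipaddress.ip_address(addr)):
            return False, f"{host} resolves to non-public address {addr}"
    return True, "ok"
```

The fetch that follows should connect to the address that was validated (or re-run this check at connect time) rather than resolving the name a second time, since a name can change its answer between validation and use.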
Data Injection
Data injection can allow threat actors to pass malicious data, configurations or packages into an application via APIs. This could allow access to data (e.g. BOLA) or make an application unstable.
How can data injection be prevented across the API pipeline?
- During development, include strict type checking (i.e. check for the correct type of data in a request and don't allow unexpected data types) and input validation in API processing.
- Establish an upper limit on the size and amount of data that can be passed in a request. For example, have a maximum size for a string input.
- In development and CI/CD, use OAS spec linters to detect issues with data input.
- In unit testing and CI/CD, run mock API traffic that tries to inject invalid data.
- In CI/CD and staging, run a fuzzer against your API endpoints that sends invalid or malformed data into your API. The Panoptica CLI includes fuzzing capabilities.
- In staging and production, run dynamic API security tools that can compare API traffic against the OAS spec and flag data discrepancies (including spec drift). The Panoptica CNAPP platform has this functionality.
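The strict type checking and size limits from the first two bullets above, as an added example (not from the original post): a request-body validator for a small subset of OpenAPI schema keywords (type, required, maxLength, minimum/maximum, maxItems, additionalProperties). The schema, limits and sample bodies are constructed; a real service would normally use a full JSON Schema library, but the checks it must make are the ones shown here.

```python
import json

# Constructed schema for a POST /orders body. additionalProperties: false is what
# stops a client from smuggling in fields the spec never defined.
ORDER_SCHEMA = {
    "type": "object",
    "required": ["sku", "quantity"],
    "additionalProperties": False,
    "properties": {
        "sku":      {"type": "string", "maxLength": 32},
        "quantity": {"type": "integer", "minimum": 1, "maximum": 100},
        "notes":    {"type": "string", "maxLength": 200},
        "tags":     {"type": "array", "maxItems": 5,
                     "items": {"type": "string", "maxLength": 16}},
    },
}
MAX_BODY_BYTES = 4096     # constructed upper limit on the whole request body

_TYPES = {"string": str, "integer": int, "number": (int, float),
          "boolean": bool, "array": list, "object": dict}


def _check(value, schema, path):
    """Return a list of violation messages for value against schema."""
    expected = schema["type"]
    # bool is a subclass of int in Python, so a strict integer check must exclude it.
    if isinstance(value, bool) and expected in ("integer", "number"):
        return [f"{path}: expected {expected}, got boolean"]
    if not isinstance(value, _TYPES[expected]):
        return [f"{path}: expected {expected}, got {type(value).__name__}"]
    errors = []
    if expected == "string" and len(value) > schema.get("maxLength", float("inf")):
        errors.append(f"{path}: longer than {schema['maxLength']} characters")
    if expected in ("integer", "number"):
        if "minimum" in schema and value < schema["minimum"]:
            errors.append(f"{path}: below minimum {schema['minimum']}")
        if "maximum" in schema and value > schema["maximum"]:
            errors.append(f"{path}: above maximum {schema['maximum']}")
    if expected == "array":
        if len(value) > schema.get("maxItems", float("inf")):
            errors.append(f"{path}: more than {schema['maxItems']} items")
        for i, item in enumerate(value):
            errors += _check(item, schema["items"], f"{path}[{i}]")
    if expected == "object":
        props = schema.get("properties", {})
        for name in schema.get("required", []):
            if name not in value:
                errors.append(f"{path}.{name}: required field missing")
        for name, item in value.items():
            if name in props:
                errors += _check(item, props[name], f"{path}.{name}")
            elif schema.get("additionalProperties", True) is False:
                errors.append(f"{path}.{name}: unexpected field")
    return errors


def validate_body(raw_json, schema=ORDER_SCHEMA):
    """Size-check, parse and validate a request body; returns (ok, errors)."""
    if len(raw_json.encode("utf-8")) > MAX_BODY_BYTES:
        return False, ["body exceeds size limit"]
    try:
        body = json.loads(raw_json)
    except ValueError:
        return False, ["body is not valid JSON"]
    errors = _check(body, schema, "$")
    return not errors, errors
```

The size check runs before parsing on purpose: a body that is too large is rejected before the JSON parser spends memory on it.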
Code Injection
Code injection is where unwanted code is added to an application. As IDE plugins and AI copilots are increasingly used to generate API client and server code, there is a risk that "bad" code could be injected into your application. This could have unintended or even malicious side effects. For example, a rogue (malicious) API could be injected into your application, creating backdoor access. Rogue APIs fall under OWASP issue API9:2023 (Improper Inventory Management).
How can code injection be prevented across the API pipeline?
- During development, it's important to verify any generated code with thorough code reviews.
- In CI/CD, staging and production, image scans can search for any Common Vulnerabilities and Exposures (CVEs) in the application. Panoptica can scan both Kubernetes container images and virtual machine images for issues.
- In staging and production, run dynamic API security tools to scan for any rogue APIs. Panoptica has this capability.
Conclusion
From the OWASP Top 10 API Security Risks, through the API pipeline and on to common API security issues and how to prevent them, we've covered a lot of ground, with plenty of tool suggestions along the way.
If you'd like to learn more about the Panoptica CNAPP platform and its API security capabilities, go here and also try a Cisco DevNet Learning Lab.
Wishing you and your applications the very best in API security!
Featured image courtesy of @ZinetroN / Shutterstock.com