What is API Security?

An application programming interface (API) allows for communication between and connectivity among applications while sharing data and enabling the integration of application software and services. Web-based APIs ultimately make the development of applications and services easier and more innovative by streamlining the delivery of requests and responses but leave several potential entry points to the backend services susceptible to attack. Furthermore, with this transferring of data, some API endpoints may be vulnerable to exposing sensitive information such as personal, medical, and financial information, making them a great target for compromising data and systems.

With the fast-growing implementation of APIs, API Security is becoming more and more prevalent. This focuses on mitigating the risks associated with utilizing APIs and protecting the information being communicated.

What is the OWASP API Security Top 10?

The Open Web Application Security Project (OWASP) API Security Project is a generated list of the Top 10 vulnerabilities associated with APIs. See the following table for the identified vulnerabilities and a corresponding description.

API1Broken Object Level AuthorizationThough a legitimate API call may be made to view or access a data source, some may fail to validate whether the user requesting the resource has authorization to access it. Performing object-level authorization checks on each call that accesses data is a minimum requirement.
API2Broken AuthenticationThis vulnerability can allow adversaries to bypass or take control of the authentication methods and compromise user accounts. Inadequate authentication can be mitigated by enforcing the use of access tokens and implementing lockout mechanisms, to name a few.
API3Excessive Data ExposureAPIs may expose more data than required by the user, thus exposing potentially sensitive information. Applications should never rely on clients to perform data filtering before displaying it to the user.
API4Lack of Resources & Rate LimitingAPIs often don’t enforce protection against excessive requests for resources or payload sizes. Attackers can exploit this for Denial of Service (DoS) attacks, hinder API server performance, and can lead to brute force attacks.
API5Broken Function Level AuthorizationAuthorization flaws due to lack of separation of roles and functions can be exploited to view other users’ data and gain access to higher-privileged functions. It is important to ensure that operations are restricted based on the appropriate group or role.
API6Mass AssignmentAttackers can attempt to modify data objects they aren’t permitted to by abusing lack of proper data filtering; for example, by guessing object properties and searching for other API endpoints. Define and whitelist parameters that are to be included within object properties.
API7Security MisconfigurationInsecure configurations, unpatched systems, missing CORS policy, error messages with excess/sensitive information disclosed, etc. provide more avenues of vulnerabilities to be exploited by attackers.
API8InjectionAttackers can manipulate API calls that include SQL, OS, or other commands/queries that are sent to the backend and thus execute the untrusted data and malicious commands issued by the attacker.
API9Improper Assets ManagementMigrating to production-ready APIs and removing previously deployed, vulnerable API endpoints ensures attackers can’t attempt to exploit these pre-existing ones. This can be supported by providing sufficient documentation and monitoring of deprecated API versions.
API10Insufficient Logging & MonitoringLack of proper logging and monitoring can allow for breaches to go undetected, especially if there are missing incident detection mechanisms. This can further permit attackers to maintain persistence within systems and extract critical company data.

How to Strengthen Your API Security

Since APIs are widely used, securing their implementation is critical to your overall security. There are multiple ways to help further strengthen your API security and mitigate some of the vulnerabilities that may exist in your application development, some of which have been mentioned above. However, the following are an overview of a few controls you can put in place to harden your API security:

  • Implement authorization tokens and enforce strict access controls as well as a strong authentication mechanism.
  • Filter data being transferred and ensure encryption is being employed.
  • Keep up to date on your overall security and stay informed about potential vulnerabilities within your business.
  • Make use of API gateways which help to organize and control data by establishing rules for traffic.
  • Limit the number and size of requests based on what is required.

If your company or business is interested in learning more about whether your applications are vulnerable, please contact us for more information.