API security

Topic

The discipline of protecting web APIs, discussed here in relation to AI agent platforms like OpenClaw and Moltbook, where an exposed API key gives whoever holds it the key owner's access to sensitive data and accounts.


First Mentioned

2/7/2026, 11:23:51 PM

Last Updated

2/7/2026, 11:27:50 PM

Research Retrieved

2/7/2026, 11:27:50 PM

Summary

API security is the discipline of authenticating and authorizing the programs and users that call web APIs. It identifies consumers (AuthN) and evaluates their permissions (AuthZ) so that business logic cannot be invoked by callers who are not entitled to it, which matters most in multi-tenant environments where every tenant's data sits behind the same endpoints. Traditional controls such as WAFs and API gateways were not designed for APIs and struggle with 'API sprawl' and with API-specific flaws, above all Broken Object Level Authorization (BOLA), which the cited State of API Security report puts at around 40% of API attacks. Recent advances in AI add new risks: the 'Moltbook' panic concerned AI agent platforms where an exposed API key grants its holder the legitimate caller's full access, and AI agents and swarms may exhibit emergent behavior and recursive self-improvement. Effective security combines transport encryption (TLS; the SSL versions it replaced are obsolete), token-based authentication (OAuth access tokens rather than long-lived API keys), input validation, and adherence to industry standards such as the OWASP API Security Top 10.

Referenced in 1 Document
Research Data
Extracted Attributes
  • Adoption Rate

    54% of respondents to the State of API Security Report Q1 2023 prioritize the OWASP API Security Top 10 in their security programs

  • Core Components

    Authentication (AuthN) and Authorization (AuthZ)

  • Industry Standard

    OWASP API Security Top 10

  • Encryption Protocols

    TLS over HTTPS (the legacy SSL protocol versions listed by the sources are deprecated and should not be enabled)

  • Authentication Methods

    Token-based authentication and OAuth access tokens; API keys are also used, but they are long-lived shared secrets, so the sources advise against relying on them for authentication

  • Most Common Vulnerability

    Broken Object Level Authorization (BOLA), representing around 40% of API attacks

Timeline
  • OWASP releases the first-ever API Security Top 10 list to help the industry understand common API attacks. (Source: Web search results)

    2019-01-01

  • The State of API Security Report Q1 2023 reveals that 62% of attempted attacks leverage at least one method from the OWASP Top 10. (Source: Web search results)

    2023-01-01

  • OWASP updates the API Security Top 10 list to address the most significant current vulnerabilities. (Source: Web search results)

    2023-06-01

Web API security

Web API security entails authenticating programs or users who are invoking a web API. Along with the ease of API integrations come the difficulties of ensuring proper authentication (AuthN) and authorization (AuthZ). In a multitenant environment, security controls based on proper AuthN and AuthZ can help ensure that API access is limited to those who need (and are entitled to) it. Appropriate AuthN schemes enable producers (APIs or services) to properly identify consumers (clients or calling programs), and to evaluate their access level (AuthZ). In other words, may a consumer invoke a particular method (business logic) based on the credentials presented? "Interface design flaws are widespread, from the world of crypto processors through sundry embedded systems right through to antivirus software and the operating system itself."
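The two decisions the paragraph above describes, as an added example that is not code from the page or from any source it cites: an opaque bearer token is resolved to a principal (AuthN), the HTTP method is checked against the token's scopes (function-level AuthZ), and the requested object is checked against the caller's tenant (object-level AuthZ, the BOLA check the summary mentions). The tenants, invoices, scope names and token scheme are assumptions constructed for the example; a handler that skips the last check is shown beside the hardened one.

```python
"""Added example (not code from the page or any product it mentions):
token-based AuthN followed by two AuthZ decisions, function-level (scope)
and object-level (tenant ownership), for a multi-tenant invoice API.
All principals, tokens and invoices are constructed sample data."""
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Principal:
    subject: str
    tenant_id: str
    scopes: FrozenSet[str]


# Constructed token store. Only SHA-256 digests of the opaque bearer tokens
# are kept, so a copy of this table does not yield usable credentials.
_TOKEN_DIGESTS: Dict[str, Principal] = {}


def issue_token(principal: Principal) -> str:
    token = secrets.token_urlsafe(32)
    _TOKEN_DIGESTS[hashlib.sha256(token.encode()).hexdigest()] = principal
    return token


def authenticate(authorization: Optional[str]) -> Optional[Principal]:
    """AuthN: resolve an 'Authorization: Bearer <token>' header to a Principal."""
    if not authorization or not authorization.startswith("Bearer "):
        return None
    digest = hashlib.sha256(authorization[len("Bearer "):].encode()).hexdigest()
    return _TOKEN_DIGESTS.get(digest)


# Constructed resource store: each invoice belongs to exactly one tenant.
INVOICES: Dict[str, dict] = {
    "inv-1001": {"id": "inv-1001", "tenant_id": "acme", "amount": 1200},
    "inv-2001": {"id": "inv-2001", "tenant_id": "globex", "amount": 87},
}

# Function-level AuthZ: the scope each operation requires (assumed scope names).
REQUIRED_SCOPE = {"GET": "invoices:read", "DELETE": "invoices:write"}


def get_invoice_vulnerable(headers: dict, invoice_id: str) -> Tuple[int, Optional[dict]]:
    """BOLA: the caller is authenticated, then the client-supplied id is trusted.
    Any valid token can read any tenant's invoice by guessing or enumerating ids."""
    if authenticate(headers.get("Authorization")) is None:
        return 401, None
    invoice = INVOICES.get(invoice_id)
    return (200, invoice) if invoice else (404, None)


def handle_invoice(method: str, invoice_id: str, headers: dict) -> Tuple[int, Optional[dict]]:
    """Hardened handler: AuthN, then scope check, then object-level ownership check."""
    principal = authenticate(headers.get("Authorization"))
    if principal is None:
        return 401, None                      # missing or unknown credential
    scope = REQUIRED_SCOPE.get(method)
    if scope is None or scope not in principal.scopes:
        return 403, None                      # method not permitted for this token
    invoice = INVOICES.get(invoice_id)
    # Object-level AuthZ: the object must belong to the caller's tenant. A
    # foreign object gets the same 404 as a missing one, so the API does not
    # confirm which ids exist in other tenants.
    if invoice is None or invoice["tenant_id"] != principal.tenant_id:
        return 404, None
    if method == "DELETE":
        del INVOICES[invoice_id]
        return 204, None
    return 200, invoice


if __name__ == "__main__":
    acme_reader = issue_token(Principal("alice", "acme", frozenset({"invoices:read"})))
    hdr = {"Authorization": f"Bearer {acme_reader}"}
    print(get_invoice_vulnerable(hdr, "inv-2001"))   # (200, globex's invoice): BOLA
    print(handle_invoice("GET", "inv-2001", hdr))     # (404, None): cross-tenant read denied
    print(handle_invoice("GET", "inv-1001", hdr))     # (200, own invoice)
    print(handle_invoice("DELETE", "inv-1001", hdr))  # (403, None): read-only scope
```

The order of the checks is deliberate: the scope check runs before any object is loaded, so a read-only token never touches the store for a write, and the ownership check answers 404 rather than 403 so that a cross-tenant probe learns nothing about which identifiers exist.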

Web Search Results
  • What is API Security? - Fundamental Strategies

    Use the right network security controls: Some network controls can help with API security. For example, encrypt the data APIs are sending. You can also use dynamic rate limiting and IP address allow and deny lists (assuming the number of API users is small). Continuously authenticate and authorize: Make access controls and identity stores external. Include API gateways, identity stores, IAM, key management, public key infrastructure, and secrets management in this step. Avoid using API keys for authentication. Deploy runtime protection: Make sure your runtime protection can identify configuration issues in API infrastructure. It should also detect behavior anomalies such as credential stuffing, brute forcing, or scraping attempts.

    [...] According to the State of API Security Report Q1 2023, only 54% of respondents prioritize the OWASP API Security Top 10 as part of their security programs, even though 62% of attempted attacks against organizations leverage at least one of those methods.

    What makes API security different?

    Traditional security solutions including WAFs, API gateways, API management tools, and identity and access management (IAM) tools weren’t designed to prevent attacks on APIs. That’s because securing APIs offers unique challenges:

    API sprawl: a constantly changing landscape [...]

    OWASP API Security Top 10

    To help the API security industry gain a deeper understanding of the most common API attacks, the Open Web Application Security Project (OWASP) released its first-ever API Security Top 10 list of vulnerabilities in 2019. The list has been updated in 2023 and lists the ten most significant API vulnerabilities. Of these, the most common are:

    API1:2023 broken object level authorization

    Broken object level authorization (BOLA) represents around 40% of API attacks and is the most common API threat.

  • What Is API Security?

    REST API Security

    Representational state transfer (REST) API security is one of the most common API securities available. With REST API security, you have a Hypertext Transfer Protocol (HTTP) Uniform Resource Identifier (URI), which controls which data the API accesses as it operates. REST API security can therefore prevent attacks involving malicious data an attacker is trying to introduce using an API.

    How to secure REST API

    REST API supports secure sockets layer (SSL), transport layer security (TLS), and Hypertext Transfer Protocol Secure (HTTPS) protocols, which provide security by encrypting data during the transfer process. You can also secure REST APIs with tokens used to make sure communications are valid before allowing them to go through.

    [...] What Is API Security?

    Application programming interface (API) security refers to the practice of preventing or mitigating attacks on APIs. APIs work as the backend framework for mobile and web applications. Therefore, it is critical to protect the sensitive data they transfer. An API is an interface that defines how different software interacts. It controls the types of requests that occur between programs, how these requests are made, and the kinds of data formats that are used. APIs are used in Internet of Things (IoT) applications and on websites. They often gather and process data or allow the user to input information that gets processed within the environment housing the API.

  • What Is API Security? Main Types and Use Cases

    Secure API Design

    Designing secure APIs requires robust security controls, including implementing strong authentication mechanisms to verify the identity of users and systems interacting with the API. Use authorization controls to define and enforce access rights, ensuring that only authorized entities can perform specific actions. Follow the principle of least privilege by granting users and systems the minimum permissions required to perform their tasks. Avoid excessive privileges, as they can lead to misuse or exploitation of the API. Use strong encryption, such as SSL/TLS, to protect data transmitted over the network. Validate and sanitize all input received from clients and other sources to prevent common security vulnerabilities like injection attacks.

    [...] Open Authorization (OAuth) protocols are a key component of strong authentication and authorization practices. OAuth eliminates the need for users to share their usernames and passwords directly with third-party applications. Instead, OAuth grants access tokens that represent limited and scoped permissions, reducing the risk of credential theft and misuse. It allows API providers to define fine-grained access controls through scopes and permissions, ensuring that third-party applications can only access the specific resources and actions authorized by the user, reducing the risk of unauthorized access. Improper implementation of authentication and authorization mechanisms can lead to multiple threats to API security, including:

    [...] Broken object property level authorization. This threat occurs when an API fails to properly enforce access controls and authorization checks at the object property level. An API endpoint is vulnerable to these attacks if it exposes properties of an object that are considered sensitive and should not be read by the user, an exploit sometimes referred to as excessive data exposure. An API endpoint is also vulnerable to these attacks if it allows a user to change, add, or delete the value of a sensitive object's property, an exploit sometimes called mass assignment.

  • What Is API Security?

    REST API Security

    The architecture of representational state transfer APIs, or REST APIs, relies on JSON data transfer and HTTP/S transfer protocol, both of which simplify REST API development compared to other API architectures. RESTful APIs use HTTP requests to POST (create), PUT (update), GET (read), and DELETE (delete) data. Lacking built-in security provisions, REST API security hinges on the API design. Data transmission, deployment and client interaction services must incorporate security considerations. Most RESTful APIs will rely on transport layer security (such as HTTPS) and token-based authentication.

    [...] API security testing can involve dynamic or static security testing as well as software composition analysis (SCA). SCA checks code in an application against CVE databases. When issues are identified, the SCA tool alerts developers that the application or API is using a library or framework with a known vulnerability. Given the widespread use of open source in API development, software composition analysis plays a critical part in API and application security testing.

    What is an API gateway? [...]

    What is API security testing?

    Best integrated into the DevOps pipeline, API security testing is a practice that challenges the security of an API’s endpoints to verify compliance with security best practices. To evaluate authentication, encryption, conditions of user access, for example, the API is subjected to deliberate input challenges designed to emulate the attack vectors of bad actors to flush out undefined behaviors, bugs and other vulnerabilities. Findings of API testing could include authorization or authentication bypasses, security misconfigurations, SQL and OS command injections, and open-source code vulnerabilities.

  • API Security

    App & API Protector discovers and mitigates API threats for all your web apps and APIs that are run through Akamai Cloud. It is capable of blocking any in-line traffic containing potential threats to your business. API Security is platform-agnostic and provides comprehensive discovery and visibility to all API endpoints enterprise-wide. It provides real-time traffic analysis of API activity and determines specific responses that you should take to mitigate newly exploited API traffic.

    [...] With API security, you can prevent vulnerable and misconfigured APIs from exposing your enterprise to API attacks by promptly notifying security, developer, and API teams of potential risks, configuration errors, and vulnerabilities. You can also easily determine if a partner has set up your API incorrectly or if there are vulnerabilities in the code. Contextual and conditional alerts work seamlessly within your existing workflows, such as by automatically creating a Jira ticket, enabling you to swiftly resolve any issues.

    Monitor API abuse

    APIs are designed to be used programmatically, which makes differentiating legitimate usage from attacks and abuse extremely challenging. While API attack methods vary, some of the most common approaches include: [...]

    When deployed together, App & API Protector and API Security work in-line and offer the most comprehensive and continuous visibility into APIs. They allow you to discover, audit, detect, and respond to API concerns across your full estate. Moreover, the integration between the two solutions will enable the most robust and simple implementation of API Security.
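The two property-level failures described in the excerpts above, excessive data exposure and mass assignment, each beside its fix, as an added example that is not code from the page or from any product or article it cites. The user record, its field names and the allow-lists are constructed assumptions; the point is that what a caller may read and what a caller may write are both decided by explicit lists on the server, never by what the client happens to send or by what the stored object happens to contain.

```python
"""Added example (not from the page): object property level authorization.
Two read allow-lists prevent excessive data exposure; one write allow-list
prevents mass assignment. The user record and field names are constructed."""
from typing import Dict, Mapping, Tuple

# Constructed stored record. password_hash, is_admin and credit_balance must
# never be settable by the client and must not be returned to other users.
USERS: Dict[str, dict] = {
    "u-1": {
        "id": "u-1",
        "display_name": "Alice",
        "email": "alice@example.test",
        "password_hash": "$argon2id$v=19$m=65536,t=3,p=4$...",  # placeholder, constructed
        "is_admin": False,
        "credit_balance": 0,
    },
}

PUBLIC_READ = ("id", "display_name")                   # what any caller may see
SELF_READ = PUBLIC_READ + ("email", "credit_balance")  # what the owner may see
SELF_WRITE = ("display_name", "email")                 # what the owner may change


def serialize_vulnerable(user: dict) -> dict:
    """Excessive data exposure: the stored object is returned as-is, leaving it
    to the client to ignore password_hash, is_admin and credit_balance."""
    return dict(user)


def serialize(user: dict, caller_id: str) -> dict:
    """Projection by allow-list; which list applies depends on who is asking."""
    allowed = SELF_READ if caller_id == user["id"] else PUBLIC_READ
    return {field: user[field] for field in allowed}


def apply_update_vulnerable(user: dict, body: Mapping) -> dict:
    """Mass assignment: every key in the request body is written to the record,
    so {"is_admin": true} or {"credit_balance": 1e9} is accepted."""
    return {**user, **body}


def apply_update(user: dict, caller_id: str, body: Mapping) -> Tuple[int, dict]:
    """Owner-only PATCH that rejects, rather than silently drops, unknown fields.
    Returns (status, response body) and leaves the input record untouched."""
    if caller_id != user["id"]:
        return 403, {"error": "forbidden"}
    unexpected = sorted(set(body) - set(SELF_WRITE))
    if unexpected:
        # Rejecting (not ignoring) makes probing for writable properties visible in logs.
        return 400, {"error": "unexpected fields", "fields": unexpected}
    name = body.get("display_name", user["display_name"])
    email = body.get("email", user["email"])
    if not isinstance(name, str) or not 1 <= len(name) <= 64:
        return 400, {"error": "invalid display_name"}
    if not isinstance(email, str) or "@" not in email or len(email) > 254:
        return 400, {"error": "invalid email"}
    updated = {**user, "display_name": name, "email": email}
    return 200, serialize(updated, caller_id)


if __name__ == "__main__":
    alice = USERS["u-1"]
    print(sorted(serialize_vulnerable(alice)))                     # includes password_hash, is_admin
    print(serialize(alice, "u-2"))                                 # {'id': 'u-1', 'display_name': 'Alice'}
    print(apply_update_vulnerable(alice, {"is_admin": True})["is_admin"])  # True
    print(apply_update(alice, "u-1", {"is_admin": True}))          # (400, {...'fields': ['is_admin']})
    print(apply_update(alice, "u-1", {"display_name": "Al"})[0])   # 200
```

Returning 400 for an unknown field rather than discarding it is a design choice: it costs nothing for well-behaved clients and turns an attacker's search for writable properties into a stream of visible errors. The same allow-list approach applies to serialisers that ORMs or frameworks generate automatically, which is where excessive data exposure most often creeps in.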

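The runtime controls the first excerpt above lists, dynamic rate limiting and detection of credential stuffing or brute forcing, as an added example that is not code from the page or from any product it mentions. The access-log format, the client addresses (taken from the RFC 5737 documentation ranges) and the thresholds are constructed assumptions. The detector goes slightly beyond the excerpt by distinguishing the two login-abuse patterns: many failures spread over many accounts from one source (credential stuffing) versus many failures against one or two accounts (brute force).

```python
"""Added example (not from the page): a per-client sliding-window rate limiter
and a failed-login classifier run over constructed access-log lines."""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, Optional, Tuple

# Constructed log, one request per line:
#   <iso-timestamp> <client-ip> <method> <path> <status> [user=<name>]
SAMPLE_LOG = """\
2026-02-07T23:10:01Z 203.0.113.7 POST /v1/login 401 user=alice
2026-02-07T23:10:02Z 203.0.113.7 POST /v1/login 401 user=bob
2026-02-07T23:10:02Z 198.51.100.23 POST /v1/login 401 user=bob
2026-02-07T23:10:03Z 203.0.113.7 POST /v1/login 401 user=carol
2026-02-07T23:10:03Z 192.0.2.10 POST /v1/login 401 user=carol
2026-02-07T23:10:04Z 203.0.113.7 POST /v1/login 401 user=dave
2026-02-07T23:10:04Z 198.51.100.23 POST /v1/login 401 user=bob
2026-02-07T23:10:05Z 203.0.113.7 POST /v1/login 401 user=erin
2026-02-07T23:10:05Z 192.0.2.10 POST /v1/login 200 user=carol
2026-02-07T23:10:06Z 203.0.113.7 POST /v1/login 401 user=frank
2026-02-07T23:10:06Z 198.51.100.23 POST /v1/login 401 user=bob
2026-02-07T23:10:07Z 198.51.100.23 POST /v1/login 401 user=bob
2026-02-07T23:10:08Z 198.51.100.23 POST /v1/login 401 user=bob
2026-02-07T23:10:09Z 198.51.100.23 POST /v1/login 401 user=bob
2026-02-07T23:10:10Z 192.0.2.10 GET /v1/invoices/inv-1001 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})(?: user=(\S+))?$")


def parse_line(line: str) -> Optional[dict]:
    """Parse one constructed log line; returns None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, ip, method, path, status, user = m.groups()
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")), "ip": ip,
            "method": method, "path": path, "status": int(status), "user": user}


class SlidingWindowLimiter:
    """Allow at most `limit` requests per key within any `window_seconds` span."""

    def __init__(self, limit: int, window_seconds: float) -> None:
        self.limit = limit
        self.window = window_seconds
        self._hits: Dict[Tuple[str, str], Deque[datetime]] = defaultdict(deque)

    def allow(self, key: Tuple[str, str], now: datetime) -> bool:
        q = self._hits[key]
        while q and (now - q[0]).total_seconds() >= self.window:
            q.popleft()                      # evict hits that have left the window
        if len(q) >= self.limit:
            return False                     # over budget: reject, do not record
        q.append(now)
        return True


def classify_login_failures(events: List[dict], threshold: int = 5) -> Dict[str, str]:
    """Per source IP with at least `threshold` failed logins: many distinct
    accounts looks like credential stuffing, one or two accounts like brute force."""
    failures: Dict[str, List[str]] = defaultdict(list)
    for e in events:
        if e["path"] == "/v1/login" and e["status"] == 401:
            failures[e["ip"]].append(e["user"] or "")
    findings: Dict[str, str] = {}
    for ip, users in failures.items():
        if len(users) < threshold:
            continue
        distinct = len(set(users))
        if distinct >= threshold:
            findings[ip] = "credential_stuffing"
        elif distinct <= 2:
            findings[ip] = "brute_force"
        else:
            findings[ip] = "suspicious_logins"
    return findings


def analyse(log_text: str, limit: int = 5, window_seconds: float = 60,
            threshold: int = 5) -> Tuple[Dict[str, str], Dict[str, int]]:
    """Replay the log through the limiter (keyed by client IP and path) and the
    classifier. Returns (findings by ip, requests the limiter rejected by ip)."""
    events = [e for e in (parse_line(line) for line in log_text.splitlines()) if e]
    limiter = SlidingWindowLimiter(limit, window_seconds)
    rejected: Dict[str, int] = defaultdict(int)
    for e in events:
        if not limiter.allow((e["ip"], e["path"]), e["ts"]):
            rejected[e["ip"]] += 1
    return classify_login_failures(events, threshold), dict(rejected)


if __name__ == "__main__":
    findings, rejected = analyse(SAMPLE_LOG)
    print(findings)   # {'203.0.113.7': 'credential_stuffing', '198.51.100.23': 'brute_force'}
    print(rejected)   # {'203.0.113.7': 1, '198.51.100.23': 1}
```

Keying the limiter on client and path lets the login endpoint carry a much tighter budget than read endpoints. The per-IP classifier is the simplest form of the anomaly detection the excerpt describes; stuffing campaigns that rotate source addresses need the same counting done per target account as well, which the excerpt's "continuously authenticate and authorize" step makes possible when identity is externalised.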
Location Data

API Security, Munro Street, South Melbourne, Melbourne, City of Port Phillip, Victoria, 3205, Australia


Coordinates: -37.8289303, 144.9476330
