API Security: Is Authorization the Biggest Threat?
As API usage continues to grow, so too does the need to secure APIs to prevent incidents, leakages, and outages. Authorization schemes have begun to gather attention from industry consortiums and vendors, with many seeking to address this longstanding and worsening set of API risks.
Recently OWASP announced the 2023 update to the OWASP API Security Top 10, keeping up with the rapid pace of change,
The update took center stage at a keynote at API Days NY last month as Erez Yalon of CheckMarx and Inon Shkedy of OWASP highlighted the increased focus on authorization controls.
Much Improved
Jeremy Snyder, founder and CEO of FireTail, an API security company at the conference, said he thinks the new release is much better for that reason. “Authorization issues are the cause of more than 50% of API security problems,” he said. “It’s not only about who can see what, but also about what I can do.”
It’s necessary to protect APIs not only against improper access to sensitive data but also to protect them against improper execution of restricted functions and programs, he added.
For this to work, both the resources and programs being accessed need a list of permissions attached to them that can be matched to the list of policies attached to the API’s ID. A match means access is ok; no match means no access.
“The task of building an infrastructure and setting up permissions, while seemingly simple at the onset, becomes exponentially complex as a company expands and as internal and external requirements evolve. Such complexity, coupled with any misconfiguration, can lead to potentially catastrophic consequences,“ said Emre Baran, co-founder and CEO of authorization specialist Cerbos. In this context specialized solutions such as Cerbos become indispensable, he added.
Without central management and governance, it’s difficult to eliminate risks and maintain security for new IDs, resources, and programs. But plenty of vendors were on hand at the conference to offer their products and services in this area, underscoring the trend toward an API security specialization in the industry.
Finding the Right Approach
At the conference, Gartner spent a lot of time on API security. Gartner analyst Mark O’Neill highlighted the lack of security on API response messages, for example. Many tend to forget about securing the response messages, even when the invocation messages are protected, he said.
O’Neill listed five steps to ensuring your APIs are secure:
- Inventory — list all APIs: internal, external, SaaS-based, etc.
- Use the OWASP API Security Top 10 to calculate your security posture.
- Ensure adequate testing, including SaaS APIs.
- Ensure runtime protection is in place, including WAFs and API Gateways.
- Implement fine-grained access control.
In developing an approach to API security, the first thing to do is figure out how many APIs you have, and what type of APIs you have (internal, external, third-party, SaaS, etc.).
Once you have created an inventory, next you have to check whether each of the APIs is secured against the most common API security threats and vulnerabilities, such as those listed on the OWASP API Security Top 10.
Secure Beyond the API Gateway
API gateways provide basic security by authenticating users of the API, checking any security policies configured for that API, and generating JWT tokens for passing IDs and associated policies to the next API in the call chain, if any.
Gateways can also implement rate-limiting policies to guard against DDOS attacks. They can require encrypted communication between the API client and the API. And finally, they can encrypt communication between the gateway and the program that implements the API.
Authentication and rate limiting are basic requirements. But they are only the beginning of the story. Security professionals have to assume that someone will break in through the gateway and recommend establishing additional defenses — especially to prevent unauthorized access to data and programs.
Credential stuffing, or username/password theft, is a common problem for APIs and typically needs the protection of an anti-bot software system with AI capabilities that are able to distinguish good traffic from bad. And block the bad without blocking the good.
Good monitoring and alerting tools are needed to detect API vulnerabilities and if possible automated remediation with guardrails.
API Security in the Cloud
One of the biggest challenges, especially for cloud security, is to match up the privileges associated with an ID to the permissions and policies on resources and functions. In the cloud operations are executed using APIs that can change security policies, for example changing an AWS S3 bucket permission from private to internet accessible is done via an API call.
Unauthorized API calls create an over-privileged account vulnerability, however, and is part of what happened in the famous Capital One breach.
Of course, APIs must be thoroughly tested before being put into production, especially externally facing ones.
Largest Vulnerability Area
As the type and usage of APIs continue to explode, and as the software industry trend continues toward smaller API gateways complemented by specialized API tools, API security has become a major focus area for a wide variety of new startups that follow the Gartner recommendations for approaching API security and align to the new OWASP API Security Top 10.
Authorization is the largest vulnerability area that is not protected well and represents the biggest current risk for API security. Although many new startups are jumping in to close this gap, it’s fair to say that authorization remains a largely unsolved industry problem.
Eric Newcomer is CTO at Intellyx. He has been a CTO for leading integration vendors WSO2 and IONA Technologies, and Chief Architect for major enterprises such as Citibank and Credit Suisse. He has created some of the best-known industry standards and university textbooks in use today.