The API Security Newsletter - Issue #7
Most of us understand that our iPhone can be hacked. The same is true for our email and for the websites and apps we use. But there’s an invisible common denominator to many of these attacks, and it’s becoming a much bigger problem. I’m talking about API-based attacks.
Firewall isn't a made-up word from the Hackers movie, people
Nonprofit security organization The Shadowserver Foundation recently scanned 454,729 systems hosting the popular open-source platform for managing and orchestrating containers and found that 381,645 of them, about 84 percent, answer requests from the internet to some degree. A management API that answers at all tells an attacker what it is and which version it runs, even where authentication and authorization are still enforced behind it, so each of these is a cracked door into a corporate network rather than a locked one.
Some of us have used them for decades, some are seeing them for the first time on marketing slides
It's striking to remember that they have been around for about as long as we've had programming languages, and that while the "API economy" might be a relatively recent term, APIs have been enabling innovation for decades. But how best to describe them to someone for whom application programming interfaces mean little or nothing?
The idea of Least Privilege takes on a new level of importance when it comes to APIs because there are more sources of data and more developers in play. While the OpenAPI Specification is helpful for standardization, and can declare the security schemes and scopes each operation expects, it does not decide which caller should hold which scope; that assignment, and its enforcement on every request, is still a design decision someone has to make.
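One way the OpenAPI scope declarations can be put to work, as an added example that is not from the newsletter or any named product: read the `security` requirement of each operation and enforce it per request, defaulting to deny for operations whose spec says nothing at all. The spec fragment, scope names and token contents below are constructed for the example; a real gateway would first match the concrete request path to the spec's path template.

```python
"""Enforce least privilege per OpenAPI operation (added example, not from the newsletter).

OpenAPI semantics used here: `security` is a list of requirement objects; the
caller must satisfy at least ONE object, and within an object every listed
scheme's scopes must ALL be present.  An explicit empty list (`security: []`)
means the operation is public.  A missing `security` key is ambiguous, and we
treat it as a misconfiguration and deny by default.
"""

# Constructed OpenAPI fragment (assumption: scheme "oauth2", these scope names).
SPEC = {
    "paths": {
        "/accounts/{id}": {
            "get": {"security": [{"oauth2": ["accounts:read"]}]},
            # Either admin scope alone, or write+audit together, unlocks DELETE.
            "delete": {
                "security": [
                    {"oauth2": ["accounts:admin"]},
                    {"oauth2": ["accounts:write", "audit:write"]},
                ]
            },
        },
        "/health": {"get": {"security": []}},   # explicitly public
        "/debug": {"get": {"summary": "oops"}},  # forgot to declare security
    }
}


def undeclared_operations(spec):
    """Audit helper: operations that declare no `security` at all."""
    missing = []
    for path, ops in spec["paths"].items():
        for method, op in ops.items():
            if "security" not in op:
                missing.append((path, method))
    return missing


def authorize(spec, path_template, method, token_scopes):
    """Return True only if token_scopes satisfies the operation's requirement."""
    op = spec["paths"].get(path_template, {}).get(method.lower())
    if op is None:
        return False                      # unknown route: deny
    if "security" not in op:
        return False                      # undeclared: deny by default
    requirements = op["security"]
    if requirements == []:
        return True                       # explicitly public
    held = set(token_scopes)
    for requirement in requirements:      # OR across requirement objects
        needed = set()
        for scheme_scopes in requirement.values():   # AND across schemes
            needed.update(scheme_scopes)
        if needed <= held:
            return True
    return False


if __name__ == "__main__":
    print("undeclared:", undeclared_operations(SPEC))
    print("read-only token deleting:",
          authorize(SPEC, "/accounts/{id}", "DELETE", ["accounts:read"]))
```

Run the audit in CI against the checked-in spec so an operation with no `security` key fails the build instead of silently becoming deny-all (or, worse, allow-all) at runtime.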
Bank API connectivity provides critical access to enhanced, enriched balance and transaction data, and the banks that truly invest in testing will be best positioned with technology that seamlessly delivers this critical service to corporate treasury teams.
Dozens of bugs reported with a backlog containing hundreds more
Swagger-UI allows users to provide a URL for an API specification, such as a YAML or JSON file, by passing it in a query parameter; the UI then fetches and renders it. It would be possible to trigger an XSS attack by loading a malicious specification file, since rendered spec content ends up in the React component tree at this point, but an attacker would first have to bypass the sanitizer.
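The practical mitigation is to not let an arbitrary query parameter choose which spec gets rendered. Below is an added example, not Swagger-UI's own code, of a server-side check that only honours spec URLs from an allowlist of origins (or a same-origin path) and falls back to the deployment's own spec otherwise. The allowlist and default path are constructed for the example.

```python
"""Allowlist the spec URL a documentation page is allowed to load (added example).

Assumption: the page that embeds Swagger-UI is generated server-side and this
function decides which `url` value to pass to it.  Anything not on the
allowlist is replaced by the deployment's own spec path.
"""
from urllib.parse import urlsplit

# Constructed allowlist: (scheme, hostname) pairs we are willing to render.
ALLOWED_SPEC_ORIGINS = {("https", "api.example.com")}
DEFAULT_SPEC = "/openapi.json"   # constructed same-origin default


def is_allowed_spec_url(url, allowed=ALLOWED_SPEC_ORIGINS):
    """True only for https URLs on an allowlisted host, or a same-origin path."""
    if not url:
        return False
    # A same-origin path is fine, but "//host/..." is protocol-relative and is not.
    if url.startswith("/"):
        return not url.startswith("//")
    try:
        parts = urlsplit(url)
    except ValueError:          # e.g. malformed IPv6 literal
        return False
    if parts.scheme != "https":         # rejects javascript:, data:, http:
        return False
    if parts.username is not None or parts.password is not None:
        return False                    # "https://good@evil/..." tricks
    if parts.port not in (None, 443):
        return False
    return (parts.scheme, parts.hostname) in allowed


def spec_url_for_page(requested):
    """Pick the spec URL to hand to the UI, ignoring unapproved requests."""
    return requested if is_allowed_spec_url(requested) else DEFAULT_SPEC
```

If you serve Swagger-UI yourself and do not need the feature at all, the simplest fix is to leave URL-based configuration disabled on the UI side (the `queryConfigEnabled` option) and hard-code the spec location; the server-side check above is for deployments that genuinely need to render more than one spec.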
Nowadays there are many compliance requirements, so every layer needs to be checked. OAuth and TLS alone are not enough: look at every layer for weaknesses, not only transport and authentication. If you have access to a security team, involve them at the start, do not wait until the end. If you do not have one, make sure you get one as early as possible.
An API key is a secret code that gets you inside. Yeah it does!
An API key is the standard security mechanism for any application that provides a service to other applications. While they are not the only method (APIs can use JWT, which we wrote about here: API keys vs JWT auth), API keys are the most often used method of securing an API. Keep in mind what a key actually does: it identifies the calling application, so it still has to be generated with enough entropy, stored server-side only as a hash, compared in constant time, and tied to the specific permissions that application should have.
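As an added example, not from the newsletter or the linked article, here is the minimal server-side lifecycle of an API key: random generation, storage of only a hash, constant-time verification, revocation, and the scopes the key carries. The `ak_` prefix, the key-id/secret layout and the in-memory store are constructed for the example; a real service would persist the records and keep the prefix so leaked keys can be recognised by secret scanners.

```python
"""API key issue / verify / revoke (added example, not from the newsletter)."""
import hashlib
import hmac
import secrets

PREFIX = "ak_"   # constructed convention: lets scanners and logs recognise a key


def generate_api_key():
    """Return (key_id, plaintext).  key_id is a public lookup handle; the
    secret after the dot is what actually authenticates the caller."""
    key_id = secrets.token_hex(8)          # 64 bits, not secret
    secret = secrets.token_urlsafe(32)     # 256 bits of CSPRNG entropy
    return key_id, f"{PREFIX}{key_id}.{secret}"


def hash_key(plaintext):
    # A fast hash is appropriate here: the key is random and high-entropy,
    # unlike a password, so there is nothing for an offline guess to exploit.
    return hashlib.sha256(plaintext.encode()).hexdigest()


def parse_key_id(presented):
    """Extract the key_id from a presented key, or None if malformed."""
    if not presented.startswith(PREFIX) or "." not in presented:
        return None
    return presented[len(PREFIX):].split(".", 1)[0]


class KeyStore:
    """In-memory store: key_id -> record.  Plaintext keys are never stored."""

    def __init__(self):
        self._keys = {}
        # Hash compared against when the key_id is unknown, so lookups for a
        # missing id cost the same as for a real one (no existence oracle).
        self._dummy = hash_key("dummy")

    def issue(self, owner, scopes):
        key_id, plaintext = generate_api_key()
        self._keys[key_id] = {
            "owner": owner,
            "scopes": frozenset(scopes),
            "hash": hash_key(plaintext),
            "revoked": False,
        }
        return plaintext                   # shown to the client exactly once

    def revoke(self, key_id):
        if key_id in self._keys:
            self._keys[key_id]["revoked"] = True

    def authenticate(self, presented):
        """Return {'owner', 'scopes'} for a valid key, else None."""
        key_id = parse_key_id(presented)
        record = self._keys.get(key_id) if key_id else None
        expected = record["hash"] if record else self._dummy
        ok = hmac.compare_digest(expected, hash_key(presented))
        if not ok or record is None or record["revoked"]:
            return None
        return {"owner": record["owner"], "scopes": record["scopes"]}
```

The scopes returned by `authenticate` are what the authorization layer should check on every request; the key only says who is calling, not what they may do.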
Now dubbed “NIS2”, the legislation seeks to embed the importance of ICT into the minds of governments and large organizations. It aims to increase collaboration, facilitate information exchange and notification of breaches, as well as implement cybersecurity best practices. Fines can also be levied for failure to comply with risk management recommendations. Ultimately these tactics are planned to strengthen cybersecurity efforts for both the private and public sectors in the European Union.
API (security) Videos
A discussion about APIs (Application Programming Interfaces) and why they matter, not just from a technology perspective, but for businesses. We expand on some of the themes in our recent blog post https://bit.ly/API_Coffee which was inspired by some challenges Tim had encountered among business leaders at large financial firms.
GraphQL is becoming the next big API technology for developers, but with new technology comes new risk, and for us that means bounties! In this video, I cover everything GraphQL, from how it works to what kind of bugs are common.
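Two of the GraphQL issues the video points at, deeply nested queries that exhaust the resolver and introspection left on in production, can be caught before the query reaches the executor. The following is an added example, not the video's material, of a lightweight pre-execution check; the sample queries and the depth limit are constructed. It counts selection-set nesting by brace depth after stripping strings and comments, which is deliberately conservative: braces in input-object arguments also count, so a query can be rejected for being too deep but never accepted for being too shallow.

```python
"""Pre-execution GraphQL query checks: depth limit and introspection gate
(added example, not from the newsletter or the linked video)."""
import re

_BLOCK_STRING = re.compile(r'"""[\s\S]*?"""')
_STRING = re.compile(r'"(?:\\.|[^"\\])*"')
_COMMENT = re.compile(r'#[^\n]*')
_INTROSPECTION = re.compile(r'\b__(?:schema|type)\b')


def _strip(query):
    """Remove strings and comments so braces inside them are not counted."""
    query = _BLOCK_STRING.sub('""', query)
    query = _STRING.sub('""', query)
    return _COMMENT.sub('', query)


def max_selection_depth(query):
    """Deepest brace nesting; the operation's own selection set is depth 1.
    Conservative: input-object literals in arguments also add depth."""
    depth = current = 0
    for ch in _strip(query):
        if ch == "{":
            current += 1
            depth = max(depth, current)
        elif ch == "}":
            current -= 1
            if current < 0:
                raise ValueError("unbalanced braces")
    if current != 0:
        raise ValueError("unbalanced braces")
    return depth


def uses_introspection(query):
    return _INTROSPECTION.search(_strip(query)) is not None


def check_query(query, max_depth=6, allow_introspection=False):
    """Return (ok, reason).  Call before handing the query to the executor."""
    try:
        depth = max_selection_depth(query)
    except ValueError as exc:
        return False, str(exc)
    if depth > max_depth:
        return False, f"depth {depth} exceeds limit {max_depth}"
    if not allow_introspection and uses_introspection(query):
        return False, "introspection disabled"
    return True, "ok"


# Constructed sample queries.
DEEP = """
{ user(id: "1") { posts { comments { author { name } } } } }
"""
INTROSPECT = "{ __schema { types { name } } }"
TRICKY = '{ a(s: "}") { b } }   # a "}" in a comment'
```

In production, pair this with the server's own depth or cost limiter once the query is parsed; the point of a pre-parse check is to reject the obviously abusive cases cheaply, including the ones that never parse at all.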
API (security) Podcasts
Closing Thought
"Try measuring what you’re doing in your day and if you think that something’s not working, cut it. If it isn’t moving your life forward, if it’s not helping you write that paper or finish that project at work, stop doing it. There’s so much cool stuff to be done, to be read, to be built, to be fixed for you to spend your limited time on things that don’t matter." - Scott Hanselman
Disclaimer: The author of this newsletter is employed by Noname Security, but this is not an official Noname Security publication; the newsletter is meant to provide independent API Security news. I encourage you to reach out with comments and/or suggestions for the newsletter via https://twitter.com/filipv (DMs are open).