The API Security Newsletter - Issue #14
U.S. executives now consider cyberattacks the No. 1 risk companies are confronting, according to a PwC Pulse survey released Thursday. The study shows 40% of top business executives consider cyberattack risk their top concern, followed by talent acquisition at 38%. Cybersecurity concerns have moved well beyond the office of the CISO or cyber risk officer, as the entire C-suite and corporate boards are focused on the risks of cyberattack.
This is a very common vulnerability in APIs; its severity is determined by the information disclosed as a result of it. For example, if the disclosed information contains personally identifiable information (PII) such as Social Security numbers or credit card data, the vulnerability should be rated critical.
CISOs need to pursue a least-privileged access approach to API security that limits sprawl and is consistent with their zero-trust framework. “When considering API strategy, work with the dev team to understand the overall API strategy first. Get API discovery in place. Understand how existing app sec tools are or are not supporting API use cases. You will likely find overlaps and gaps. But it’s important to assess your environment for what you already have in place before running out to buy a bunch of new tools,” said Sandy Carielli, principal analyst at Forrester, during a recent interview with VentureBeat.
Initially, they mainly existed in the background, hidden from end-users and bad actors. However, as microservices, containers, and cloud-based services have become commonplace, the number of exposed APIs—and attacks against them—has exploded as modern applications can have thousands of components that communicate via APIs: API calls represent 83% of all web traffic.
McLean pointed out that while there is a growing understanding of security in the pipeline with DevSecOps, it’s not enough. “This is particularly true, for example, in the case of APIs. Because APIs aren’t just straight code, you must see them being exercised to spot logic flaws,” she said. “You need the ability to monitor them in runtime in order to spot anomalies and find areas where APIs might be exposing critical data. Although developers write APIs, their testing often falls short for security.” To see accurately what an API is doing, developers need to exercise it, even in pre-production.
Zombie APIs are a problem. Zombie APIs, and shadow APIs in general, are one of the most significant vulnerabilities to your network. Hackers love to exploit these forgotten endpoints since they’re often exposed and unprotected.
Broken access control is very commonly found in web apps that implement role-based functionality. It is so common that it holds the first position in the OWASP Top 10 (2021).
"So now any external entity can actually control their smart devices by using the service APIs and going through the 4G or 5G core network," Shaik said, citing a Vodafone test of drones in Germany. "This exposure layer provides APIs and shares information for the drone control center."
API (Security) related videos
Elizabeth Barnitt joins Scott Hanselman to discuss and demo GraphQL support in Azure API Management, which allows you to import, validate, secure, and augment GraphQL APIs in Azure. Azure API Management enables you to both govern your existing GraphQL servers and build one from scratch with Synthetic GraphQL so that you can combine your existing REST and SOAP endpoints into a single, easy to query endpoint.
One more thing...
“10 free websites that are so valuable they feel illegal to know:”