The API Security Newsletter - Issue #15
For example, defining security, API design or API cataloging policies, having an API design review process, or creating an API center of enablement are all part of API governance. These elements aim to facilitate, guide, and standardize the creation of the right APIs in the right way, to help the organization achieve its goals (and to bring order to the API chaos in the making).
More than three out of four senior cybersecurity professionals in the US and UK said that their organization had experienced at least one API-related security incident within the last 12 months.
APIs are relevant to FedRAMP authorization because they represent a source of risk to cloud products. A cloud product needs to show that its API security aligns with the relevant controls in NIST SP 800-53. The FedRAMP "Moderate" baseline draws over 300 controls from that catalog, grouped into control "families". For example, the Access Control (AC) family contains 25 separate controls (AC-1 through AC-25), including AC-17, which deals with remote access, and AC-12, which covers session termination.
When misuse of API keys is combined with ad hoc configurations and insufficient logging, API security is at serious risk: session tokens become trivial to capture or steal. It is not uncommon to find leaked keys or other authentication tokens sitting in configuration files that get checked into source control such as GitHub, and we all know how easy it is to search GitHub for API keys. This is where API security testers can really win big: by taking advantage of these misconfigurations, we can gain access to API endpoints, cloud storage, and other services that should be protected.
With APIs as the building blocks of modern software, business users are increasingly embracing them. Investment in APIs will increase or stay the same at their organizations over the coming 12 months, according to 89% of respondents to Postman's 2022 State of the API Report, which surveyed more than 37,000 API professionals.
Emerging threats, including deepfakes and attacks on APIs, are adding to organizations' security woes, while geopolitically motivated attacks and lateral movement inside networks are on the rise. These were among the findings of VMware's eighth annual Global Incident Response Threat Report, which found lateral movement in a quarter of all attacks.
In the early stages of software development it can be tempting to write API keys directly into the code, for example to quickly test an app idea or to prototype different solutions. These keys (unique strings that let a server identify the application making the request) authorize software on a remote device to read values stored in a cloud-hosted database. API keys work well in themselves and help servers in other ways too, for example by allowing them to rate-limit requests and so blunt denial of service (DoS) attacks. But keys are keys, and like the physical ones in your pocket or bag, you don't want everyone to have access to them while they remain valid. An API key is a bearer credential: it identifies the application, not the end user, and whoever presents it is treated as that application until the key is revoked or rotated.
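Both the leaked-keys-in-config problem described two items up and the hard-coded-key habit this item describes are addressed by the same control: scanning files for credential patterns before they reach source control. The following Python script is an added example, not code from the newsletter or from any of the reports it cites. It combines regexes for a few publicly documented key prefixes (AWS access key IDs, GitHub tokens, Stripe live keys) with a Shannon-entropy check on generic key/secret/token assignments, suppresses obvious placeholders, and redacts what it reports so the scan output does not re-leak the secret. The sample settings file, the pattern set, the placeholder list and the 3.5-bit threshold are this example's own assumptions; the sample key values are constructed (the two AWS values are the placeholder values AWS uses in its own documentation, not live credentials).

```python
import math
import re

# Credential formats with a public, documented prefix. The regexes themselves
# are this example's own and deliberately narrow.
KNOWN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "stripe_live_key": re.compile(r"\bsk_live_[0-9A-Za-z]{24,}\b"),
}

# Generic rule: a name containing key/secret/token/password assigned a long literal.
# The value class excludes '$', '(' and '.', so os.environ["X"] and ${X} never match.
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)([A-Za-z0-9_.-]*(?:key|secret|token|password|passwd)[A-Za-z0-9_.-]*)"
    r"\s*[:=]\s*['\"]?([A-Za-z0-9+/=_\-]{20,})"
)

# Values that are obviously placeholders rather than leaks (assumed list).
PLACEHOLDER_MARKERS = ("CHANGEME", "REPLACE_ME", "YOUR_", "XXXX")

# Bits per character; random keys usually score 4-5, English words 2.5-3.5.
ENTROPY_THRESHOLD = 3.5

# Constructed sample settings file (an assumption of this example). The AWS
# values are the placeholder values from AWS's documentation, not live keys.
SAMPLE_CONFIG = """\
# constructed sample settings file; none of these values are real credentials
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
GITHUB_TOKEN=ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789
stripe_key = "sk_test_Qm7vXr2pLk9sNf4dHb8cJw3e"
token = "REPLACE_ME_WITH_YOUR_TOKEN_VALUE"
password = changeme
api_key = os.environ["API_KEY"]
"""


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character of the string (0.0 for empty or uniform)."""
    if not value:
        return 0.0
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def redact(secret: str) -> str:
    """Keep only the first and last four characters so reports do not re-leak the key."""
    if len(secret) <= 8:
        return "*" * len(secret)
    return f"{secret[:4]}...{secret[-4:]}"


def scan_text(text: str, entropy_threshold: float = ENTROPY_THRESHOLD):
    """Return a list of (line_number, finding_type, redacted_value) tuples."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        matched_here = False
        for name, pattern in KNOWN_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append((lineno, name, redact(match.group(0))))
                matched_here = True
        if matched_here:
            continue  # already reported; do not double-count via the generic rule
        match = GENERIC_ASSIGNMENT.search(line)
        if not match:
            continue
        value = match.group(2)
        if any(marker in value.upper() for marker in PLACEHOLDER_MARKERS):
            continue  # placeholder, not a leak
        if shannon_entropy(value) >= entropy_threshold:
            findings.append((lineno, "high_entropy_assignment", redact(value)))
    return findings


if __name__ == "__main__":
    for lineno, kind, shown in scan_text(SAMPLE_CONFIG):
        print(f"line {lineno}: {kind}: {shown}")
```

Run against the sample it reports the AWS key ID, the AWS secret (caught by entropy, since it has no distinctive prefix), the GitHub token and the Stripe test key, while passing the placeholder, the short dummy password and the `os.environ` lookup, which is the hardened form of the same setting. A scanner like this belongs in a pre-commit hook and in CI, and it should also be run over git history: deleting a key from the current tree does not remove it from earlier commits, and a key that has ever been pushed must be rotated, not just removed.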
API (security) related videos
How to secure APIs and perform API security testing for threats and the OWASP API Security Top 10: a conversation with Corey Ball, author of Hacking APIs.
At the API Academy Workshop held in conjunction with Apidays NYC 2022, Francois and Skip Hovsmith take a deep dive into API security as well as API client attestation.
Brenton House presents DeveloperWeek Cloud Keynote on Sherlock Holmes vs The Cybersecurity Hacker.
One more thing...
Another Lex Fridman podcast recommendation, this time featuring the Botez sisters.
They don't get into the Hans vs Magnus controversy, but they do cover: chess tournaments, chess strategies, the King's Indian Defense, chess training, losing, street chess and trash talk, passion and study, loneliness and depression, Andrew Tate, the greatest chess player of all time, Magnus Carlsen, advice for young people, chess boxing, the meaning of life, and love.
Disclaimer: The author of this newsletter is employed by Noname Security, but this is not an official Noname Security publication; the newsletter is meant to provide independent API security news. I encourage you to reach out with comments and/or suggestions for the newsletter via https://twitter.com/filipv (DMs are open).