Practical API Security: The OWASP API Security Top Ten

OWASP API Security Top Ten

API security is on everyone’s mind. After all, APIs open up network-accessible interfaces that previously may not have been exposed. Making sure that this does not create new risks means that securing APIs is an essential aspect of API management.

API security has always been a technical issue, but it starts much earlier than the step of just “securing an API.” It needs to be part of the general API mindset and of how an organization manages APIs throughout their lifecycle.

API security problems can create huge risk and can be very costly, yet there is still a constant stream of news about API-related security issues. Starting the API security journey by looking at typical problems is a useful educational exercise.

The Top Ten

In order to help identify common issues, the Open Web Application Security Project (OWASP) initiated the OWASP API Security Project, which created the API Security Top Ten. These top ten represent the most common security issues with APIs:

  • API1:2019 Broken Object Level Authorization
  • API2:2019 Broken User Authentication
  • API3:2019 Excessive Data Exposure
  • API4:2019 Lack of Resources & Rate Limiting
  • API5:2019 Broken Function Level Authorization
  • API6:2019 Mass Assignment
  • API7:2019 Security Misconfiguration
  • API8:2019 Injection
  • API9:2019 Improper Asset Management
  • API10:2019 Insufficient Logging & Monitoring

API designers and developers should have at least a brief look at the top ten to understand what typical mistakes look like; this will help them avoid those mistakes. But it can also help to take a slightly more structured look at the categories of mistakes that are typically made.

Categorizing the Top Ten

Isabelle Mauny, Field CTO and co-founder of 42Crunch, frequently talks about the top ten and via apisecurity.io provides an overview of all top ten issues.

To make the issues a little easier to understand, they can be grouped. The following categories can be created; each shows which issues are part of it:

  • Authentication and Authorization (API1, API2, API4, API5)
  • Data Protection (API3, API6, API8)
  • Governance and Operations (API7, API9, API10)

Most API security breaches have more than one category and issue associated with them. For example, the Parler API breach involved six of the top ten issues, covering all three categories, which shows that these breaches are often caused by a general lack of awareness of API security and of the OWASP top ten issues specifically.

Managing API Security

Isabelle Mauny explains that “securing an API” comes relatively late in the development process, and that security has to start much earlier. It should be part of the API design (for example, making sure that problematic data is not even exposed in the API) and therefore must be part of the general mindset and of the process by which APIs are designed and developed.
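As an added illustration (not code from the article, from 42Crunch, or from Axway), the following Python sketch shows two of the listed issues, API1 (Broken Object Level Authorization) and API3 (Excessive Data Exposure), as a vulnerable handler beside a hardened one that checks object ownership and serializes only through a declared response contract. The user records, field names, and the `Forbidden` class are constructed for the example.

```python
"""Added example: API1 (BOLA) and API3 (Excessive Data Exposure) side by side.
The data store, records and field names below are constructed sample data."""

# Constructed sample "database": records carry fields that must never leave the API.
USERS = {
    "u1": {"id": "u1", "name": "Alice", "email": "alice@example.com",
           "password_hash": "<placeholder-hash>", "ssn": "000-00-0000"},
    "u2": {"id": "u2", "name": "Bob", "email": "bob@example.com",
           "password_hash": "<placeholder-hash>", "ssn": "000-00-0001"},
}


class Forbidden(Exception):
    """Raised when the caller may not access the requested object (maps to HTTP 403)."""


def get_user_vulnerable(caller_id: str, target_id: str) -> dict:
    """API1 + API3: any authenticated caller can read any user (no ownership check),
    and the whole record is returned, leaving field filtering to the client."""
    return USERS[target_id]


# The API contract: the only fields a /users/{id} response is allowed to carry.
# Deciding this at design time means the handler cannot leak the remaining fields.
USER_RESPONSE_FIELDS = ("id", "name", "email")


def get_user_hardened(caller_id: str, target_id: str, caller_is_admin: bool = False) -> dict:
    """Object-level authorization first, then serialization through the contract."""
    record = USERS.get(target_id)
    if record is None or (caller_id != target_id and not caller_is_admin):
        # One error for "not found" and "not yours" avoids confirming that an id exists.
        raise Forbidden(f"caller {caller_id} may not access user {target_id}")
    return {field: record[field] for field in USER_RESPONSE_FIELDS}


def leaked_fields(response: dict) -> set:
    """Fields present in a response that the contract does not allow (a test oracle)."""
    return set(response) - set(USER_RESPONSE_FIELDS)


if __name__ == "__main__":
    print("vulnerable handler leaks:", leaked_fields(get_user_vulnerable("u1", "u2")))
    print("hardened handler returns:", get_user_hardened("u1", "u1"))
```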

To that end, “API First” can help with better API security practices: by developing API contracts and discussing them early in the design and development process, API security issues can be uncovered and addressed early on.

Treating security as an important aspect throughout the API lifecycle helps make sure that it is not just an afterthought, and that security is part of the picture for every API from the very beginning.

If you want to learn more about how to manage API security as part of your general API management practices, check out the following video where Isabelle Mauny talks about the OWASP top ten, about the three categories, about the Parler API breach, and about how to improve the way in which organizations are approaching API security.

If you liked this video, why don’t you check out my YouTube channel for more “Getting APIs to Work” content?

Digital Catalyst, Erik works in the Axway Catalyst team and focuses on API strategy, API programs, and API platforms. His main goal is to make sure that organizations make the right decisions for using APIs as the foundation of their digital transformation initiatives. Erik has a Ph.D. from ETH Zurich and is the author of many articles, papers, and books. He is a frequent speaker at global API events and contributes to standardization activities to help improve the way APIs are designed, managed, and used.
