API security is on everyone’s mind: After all, APIs always opens up network-accessible interfaces that previously may not have been exposed. Making sure that this is not creating new risks means that securing APIs is an essential aspect of API management.
API security has always also been a technical issue, but it starts much earlier than when just “securing an API.” It needs to be part of the general API mindset and of how an organization manages APIs throughout its lifecycle.
API security problems can create a huge risk and can be very costly, but there is still a constant stream of news about API-related security issues. Starting the API security journey by looking at typical problems is an educational exercise.
The Top Ten
In order to help with identifying common issues, the Open Web Application Security Project (OWASP) initiated the OWASP API Security Project which created the API Security Top Ten. These top ten represents the most common security issues with APIs:
- API1:2019 Broken Object Level Authorization
- API2:2019 Broken User Authentication
- API3:2019 Excessive Data Exposure
- API4:2019 Lack of Resources & Rate Limiting
- API5:2019 Broken Function Level Authorization
- API6:2019 Mass Assignment
- API7:2019 Security Misconfiguration
- API8:2019 Injection
- API9:2019 Improper Asset Management
- API10:2019 Insufficient Logging & Monitoring
API designers and developers should have at least a brief look at the top ten to understand what typical mistakes look like. This will help with avoiding these mistakes. But it also can help to have a little more structured look at the categories of mistakes that are typically being made.
Categorizing the Top Ten
To make the issues a little easier to understand, they can be grouped. The following categories can be created, and they show which issues are part of each category:
- Authentication and Authorization (API1, API2, API4, API5)
- Data Protection (API3, API6, API8)
- Governance and Operations (API7, API9, API10)
Most API security breaches have more than one category and issue associated with them. For example, the Parler API breach had six of the top ten issues (they covered all three categories), generally showing that these breaches often are caused by a general lack of awareness of API security and the OWASP top ten issues specifically.
Managing API Security
Isabelle Mauny explains that security starts much earlier than when “securing an API” is relatively late in the development process. It should be part of the API design (for example, making sure that problematic data is not even exposed in the API) and therefore must be part of the general mindset and the process of how APIs are designed and developed.
To that end, “API First” can help with better API security practices. By developing API contracts and discussing these early on in the design and development process, API security issues can be uncovered and addressed early on.
Treating security as an important aspect throughout the API lifecycle will help with making sure that it’s not just an afterthought, and that from the very beginning security is part of the picture for every API.
If you want to learn more about how to manage API security as part of your general API management practices, check out the following video where Isabelle Mauny talks about the OWASP top ten, about the three categories, about the Parler API breach, and about how to improve the way in which organizations are approaching API security.
If you liked this video, why don’t you check out my YouTube channel for more “Getting APIs to Work” content?