Key takeaways on mitigating the OWASP® API Top 10 threats (webinar)

OWASP® API Top 10 threats

Have you been wondering how to combat API security threats? Paul McCann, Security Architect at Axway, and Colin McGovern, Product Manager, talk you through the best recommendations on how organizations can kick cybersecurity threats to the curb with the best API strategy.

OWASP® API Top 10 threats: key takeaways

  • OWASP: What is it and why care?
  • Real industry stories of cyberthreats.
  • What customers need to know to stay secure with Axway’s API strategy.

OWASP, the nitty-gritty

You may have heard of OWASP. If not, OWASP is a non-profit foundation that works to improve the security of software.

As an open-source community with hundreds of chapters globally, its members get together (virtually these days) to build and share pertinent information about security on the internet.

Why care about OWASP?

OWASP is an effective non-profit for several reasons:

  • A Top 10 list of security threats (an awareness document, not the Holy Grail of answers)
  • Tools and resources to utilize
  • A terrific networking community
  • Education and training

The end result? OWASP aids developers and technologists to secure the web from cyber threats.

Real stories with security threats

Facts! Too many companies are running into security breaches. In October 2020, the NHS COVID-19 contact-tracing app for England and Wales didn’t validate JWT signatures properly.

The real problem was that anyone could have forged a venue QR code, thanks to a mistake in the JWT implementation, which is notoriously difficult to get right.

Since JWT is flexible by nature, it is easy to make a mistake, and the data was too easy to manipulate. Luckily, a fix was turned around within one day.

Parler app

On January 12, 2021, Parler, a Twitter-like social site that operates out of WordPress, was hacked and over 70 TB of data was exposed.

The problem? Not one but several flaws in Parler’s API implementation. The main issue was broken authorization, which gave anyone access to its user data.

Additionally, content marked as deleted was, in fact, simply hidden from the client rather than removed.

There was no rate limiting, which left the API vulnerable to bulk extraction. Another issue was that metadata was kept in its media files, e.g., pictures and videos.

What can be done?

Proper authorization needs to be implemented. In this case, it is also a good idea to randomize URLs so resources cannot be enumerated. And do not simply hide data from the client, as this leads to excessive data exposure.

Starbucks

Another big hack was Starbucks, back in June 2020.

Over 100 million customer records were exposed — a lot of coffee on the floor! The hackers managed to get around the firewall and, helped by a security misconfiguration, gained access to an internal endpoint that exposed the data.

What was done?

Thanks to prompt action, the relationship between the front-end APIs and the backend APIs was analyzed, and in one day it was fixed!

Arbitrary data could no longer be inserted. More than likely, the firewall’s rules were also updated to add defense in depth.

Staying secure with Axway’s API strategy

Security can be challenging but with Axway’s API strategy, we have you covered.

Performance is key. Additionally, within Axway, we have put in place a Secure Software Development Lifecycle (SSDLC).

This defines the secure development procedures and security gates to be achieved before Axway software is released to customers.

Within Axway’s application security ecosystem:

  • Security contacts that have ongoing communications in place
  • A top-notch development team with support
  • Security procedures to follow
  • Axway software for best-in-class results

Additionally, the SSDLC has new models in place via security communication protocols and OWASP best practices.

With DevOps, security is shifted everywhere, with security checks at every stage.

Threat modeling and training take center stage as proactive measures. On the reactive side, we have in the mix:

  • Third-party Software Composition Analysis (SCA)
  • Attack surface analysis
  • Dynamic application security testing (DAST)
  • Static application security testing (SAST)
  • Container security analysis
  • Manual pentesting

We go from Shift Left to Shift Everywhere.

Wrap up

Bottom line: Get security on people’s minds. Use the OWASP API Top 10 list as your starting point. Try attacking your own APIs, and threat model them.

Security is everyone’s responsibility!

Missed the webinar? Don’t worry. Watch it on-demand today.