Showing posts with label API Security Management.

Monday, August 14, 2017

API Security - 4 Quick Steps to Lockdown

API Security is complex! Vendors like Forum Systems, IBM, CA and Axway have invested almost 2 decades of engineering effort and significant capital in building API Security stacks to lock down APIs. The API Security stack diagram shown below is essential for rapidly locking down APIs. In this article, we review "The Four Pillars of API Security": SSL, Identity, Content Validation and Architecture.
[Figure: API Security Stack]
Before addressing the Four Pillars of API Security, it is essential to recognize that a robust PKI is a must for enterprise-grade API Security. Without proper key life-cycle management, the API Security Pillars cannot be built. Once a solid PKI foundation is in place, the following four API Security pillars should be built to ensure that the enterprise's API attack surface area is significantly reduced. To implement API Security:

Wednesday, August 9, 2017

API Security - vendors look to develop NG-WAFs

API security is now a central concern for Web Application Firewalls (WAF). For over a decade, WAFs have been a necessary component of most web-based application deployments. WAFs typically sit inline and protect inbound and outbound corporate traffic against vulnerabilities. These vulnerabilities have been cataloged by OWASP Top 10 for over 15 years. 2017 marks the first year in which API security has made it into the OWASP Top 10 RC1.

Radware, a WAF solution provider, has published an interesting article titled "Why there is no API security" in which they make the following key points:
No single part of the application, nor any part of normal Internet filtering firewall defense, has enough visibility into the context to stop business exploits. Some examples of business logic exploits are:
  • Modification of authentication flags and privilege escalations
  • Business constraint exploitation/modification or business logic bypass to generate fraudulent transactions
  • Requested parameter modification
  • Developer’s cookie tampering and business process/logic bypass
  • Exploiting clients’ side business routines embedded in JavaScript, Flash, or Silverlight
  • Identity or profile extraction
  • LDAP parameter identification and critical infrastructure access
Business logic attacks are not trivial in their consequences and are successful on even the largest organizations. A few of the large organizations that fell victim to business logic flaws are Facebook, Nokia, and Vimeo.
Radware's perspective clearly shows that WAFs have to extend their world-view to address API security. It's not just about protecting websites: with APIs becoming the connective tissue of all portal, device, and cloud communications, corporations are looking to Next Generation WAFs to include significant API-awareness and API-borne threat mitigation capabilities.

Tuesday, August 8, 2017

API Security - SD Times Review of OWASP Top 10 - RC1

API Security has finally made it into mainstream security consciousness. The premier web application security list, the OWASP Top 10 Threats, has published its Release Candidate 1 (RC 1). SD Times provided a comprehensive overview of the implications of including API Security as a part of OWASP Top 10 2017 - RC1. Here's an excerpt from the SD Times article:

The next major addition is Underprotected APIs, since the use of APIs has exploded in modern software, said Williams. There are a variety of protocols and data formats used by these APIs, including SOAP/XML, REST/JSON, RPC, GWT, and others. It’s important to note that these APIs are often unprotected, and they contain numerous vulnerabilities, said Williams. He also added that these APIs represent a “major blind spot” for security programs in organizations, and OWASP is helping to refocus teams on this expanding problem.
“To me, T10-2017 reflects the move towards modern, high-speed software development that we’ve seen explode across the industry since the last version of the T10 in 2013,” said Williams. “While many of the vulnerabilities remain the same, the addition of APIs and attack protection in this version is designed to focus organizations on the key issues for modern software.”
A10 - Unprotected APIs snapshot is presented below:


Relevant sources: