OWASP 2017 A10 – Underprotected APIs

A10 – Underprotected APIs is one of two new additions to the OWASP Top 10 list of threats to web applications. The other new addition is A7 – Insufficient Attack Protection, which we discuss in a separate post.

What is the Threat?

Modern applications use APIs from many sources either directly or as sub-components of 3rd party libraries linked in when building an application. All of these APIs can have unprotected vulnerabilities and, more worryingly, they can be opaque to standard security scanning tools used to highlight risks.

All the APIs used to build an application need to be tested for vulnerabilities just like all other components used to deliver web-based applications. The testing needs to encompass all of the common types of vulnerabilities like:

• Injection attacks
• Authentication issues
• Access control issues
• Encryption issues
• Misconfiguration of settings

This list is not exhaustive and other types of vulnerabilities could exist in APIs. As also mentioned in our post about the A7 – Insufficient Attack Protection, this new addition to the OWASP 2017 top 10 list has the feel of a catchall category. The vulnerabilities are well known but the focus of the new categories seems to be to get developers and system administrators to focus on the internal building blocks of applications and platforms. Rather than just relying on existing security tools like network and web application firewalls.

Given the nature of APIs and the fact that they are mostly used via calls in code, there are usually no human-friendly UI’s that can be used to check for vulnerabilities. The UI to most APIs is the accompanying documentation, and this won’t highlight any unknown bugs or vulnerabilities. As a result, it can be difficult to check APIs, making their use a risk.

How to Protect Against the Threat?

Ensuring that all the APIs that are in use in applications are risk-free means using a diverse strategy that will highlight and protect against any inherent vulnerabilities. Steps to take include:

• Secure traffic between clients and APIs, and between applications and any APIs on third party services. KEMP LoadMaster can assist with this by taking on the burden of SSL/TLS encryption via the SSL Offloading feature.
• Make sure that there are robust authentication schemes in place and that they use secured credentials, keys, and tokens.
• Perform on access authorization & control and don’t just allow access to all APIs after successful authentication.
• Ensure that requests sent to APIs are in a secure format that can’t be hijacked or spoofed.
• Make sure there is comprehensive checking for, and protection against, injection attacks as these forms of vulnerability are open via API calls just like they are via web interfaces.
• Deploy other network monitoring tools, that can inspect for suspicious activity at multiple layers of the network stack, upstream from your applications. KEMP LoadMaster with Edge Security Pack (ESP) and
• Web Application Firewall (WAF) can provide this upstream protection with blocking and alerting on suspicious activity. This should be seen as an addition to applications also doing attack detection as each application will know its expected usage patterns.

Conclusion

The focus of this addition to the new OWASP top 10 list seems to be focused on getting developers to think more about built-in security in their applications and the third party APIs they use. Which is no bad thing in itself. The use of off the shelf APIs to quickly build and deploy new applications will only increase in the future. Fast Agile and DevOps based workflows will mandate it. The actual vulnerabilities developers will need to consider are included in the current