API’s – new attack sweet spot

The threat landscape is in continuous turmoil, with new attack surfaces rapidly gaining popularity. If you’re into cloud security, security architecture, governance, secure application development or into cyber security in general as a CISO or other, you should check out this cyber talk on the new popular ‘kid on the block’: API security attacks.

Cyber criminals don’t neglect to study today’s innovations in our app driven world. So it’s little wonder that a company as Gartner predicts that by “2022, API abuse will move from an infrequent to the most-frequent attack vector, resulting in data breaches for enterprise web applications.” In the Cyber Talk “API Security”, Roey Eliyahu, ceo and co-founder of Salt Security, explains about the dangers and possible mitigations.

API’s as a security risk
Application Programming Interfaces (API’s) allow applications to talk to each other, exchanging any type of data over any protocol. As a result, there is a danger for “data exfiltration, data modification and account take over,” dixit Roey Eliyahu. Today, information environments contain many more API’s (often 1.000 or more rather than a few), with many of those continuously in flux (rather than static) and carrying lots more sensitive data. Furthermore, API attacks are much more business logic oriented, and extended in time (‘low and slow’).
As a result, companies are confronted with tough questions: do you know all active API’s (read: no, as there is no/insufficient/outdated documentation) and what sensitive data do they expose?
Also, there is a wide variety of API attacks, to the extent that OWASP already lists an API Security Top 10. This talk covers two of them: ‘A1 Broken object level authorization’ and ‘A3 Excessive data exposure’, illustrating how seemingly correct usage can yet be a form of abuse, as well as pointing out discovery issues.

What to do?
Clearly, discovery of all active API’s is indicated, preferably in an automated way as manual discovery won’t keep up with changes, and attacks are often very API specific. The ‘low and slow’-nature op API attacks also requires an extended scrutiny of the API’s in actual everyday use, as “you have to see the whole movie, not frame by frame.” According to Roey Eliyahu, web application firewalls and API gateways do not cover all the security needs of API’s ‘(see comparative table in the talk), with Gartner as a result creating a new specific API security related product category. These products must connect to all kinds of API-connected elements in your stack; monitor API changes; check behavioural attributes (what is ‘normal’) and stop attacks. Furthermore, these products must be complementary to other security investments, for integration in a multi-layer defence.

As is often the case, this is an ‘if you need it, you need it badly’-type of talk, even as an introduction as this is probably still a less known problem. Because not staying abreast with emerging but fast growing threats is not an option.

More on the OWASP API Security Project
(including API Security Top 10:2019 list)
< https://owasp.org/www-project-api-security/>



Nos autres articles

NIS-2: Where are you?

In December 2020 the European Commission published a proposal to repeal the current NIS Directive (European Directive on Network and Information Systems) and to replace it with a new Directive: the so-called NIS-2 Directive. This post will give an update on the status of negotiations of NIS-2, and will outline the aspects we already know and don’t know about the upcoming Directive’s final form.  

SANS Experience Sharing Event

The Cyber Security Coalition and top cybersecurity trainer SANS Institute joined forces to provide specially needed insights and recommendations on successful cloud security, as well as how to handle cyber security in these times of war.

Privacy Focus Group – Practical AI Use Cases

It is easy to drown in the sea of dire warnings about the danger of AI, in particular to our privacy. The main point is that AI in good trust is possible, but requires solid, long term and well-structured approaches. This session of the Privacy focus group offers some crucial insights and welcome examples.

30 November: Computer Security Day: Ada Lovelace

On computer security day we pay tribute to Ada Lovelace, the forgotten mother of the computer. Often described as the first computer programmer — before computers were even invented — Ada was a real visionary. Imagine what she might have achieved had Babbage actually built his “computer” and she hadn’t died at the age of 36.


Partagez ce contenu avec votre réseau :