I have recently attended an online course titled API Security Fundamentals. Dan Barahona presents excellent and practical information regarding API Security. In 90 minutes, you can learn about OWASP API Security Top 10, 3 Pillars of API Security, and Best Practices. In this article, I want to share information about API Security and, at the same time, strengthen my knowledge.

As the saying goes, getting certified is easy; it’s much harder to retain the information. One has to consistently practice and work with the new knowledge for it to stick. This article is my way of working practically.

OWASP API Security Top 10

Let’s start with some definitions. OWASP stands for the Open Web Application Security Project. It is a nonprofit organization dedicated to improving security software and web apps. The OWASP API Security Top 10 lists APIs’ most critical security risks. API stands for Application Programming Interface. It’s like a bridge between different applications that helps them communicate and exchange information.

Here are the categories and risks covered in the OWASP API Security Top 10:

• API1: Broken Object Level Authorization (BOLA)
  • The manipulation allows access to other people’s data.
  • Enforce access policies.
  • Automated testing is needed.
• API2: Broken Authentication
  • Missing security controls.
  • Authentication policies and best practices.
  • Automated testing is needed.
• API3: Broken Object Property Level Authorization
  • Excessive data exposure and mass assignment (modify records).
  • Return the minimum amount of data required.
• API4: Unrestricted Resource Consumption
  • Abuse of APIs.
  • Excessive operations in a single request.
  • Traffic controls.
• API5: Broken Function Level Authorization
  • Manipulation of methods.
  • Develop controls.
  • Testing is needed.
• API6: Unrestricted Access to Sensitive Business Flows
  • Abuse of a legitimate business workflow.
  • Fraudulent traffic detection and control.
  • Testing is needed.
• API7: 2023 Server Side Request Forgery
  • Exploiting URL inputs to request a malicious, third-party server.
  • Validate and sanitize.
• API8: 2023 Security Misconfiguration
  • Lack of hardening.
  • Implement hardening.
  • Testing is needed.
• API9: 2023 Improper Inventory Management
  • Know your environment.
  • Versioning and retirement.
  • Auditing.
• API10: 2023 Unsafe Consumption of APIs
  • Third-party APIs can be exploited, thus affecting APIs that rely on them.
  • Encrypt and validate.
  • Auditing.

The 3 Pillars of API Security

• Governance
  • This pillar is all about preparation. We set expectations and define security and processes. Documentation and versioning are made here as well. Know yourself. What are your APIs, data, and risks?
• Testing
  • This pillar is all about testing. Quality assurance is needed. Start early. Speak with your QA team. Involve them in the process. A lot of flaws will be uncovered in pre-production.
• Monitoring
  • This pillar is all about monitoring. Policy enforcement. Authentication. Traffic monitoring. For traffic, we can choose to integrate WAF and API Gateway or log the traffic to SIEM.

Best Practices

• Enforce governance. Write documentation. Test your APIs. Enforce security.
• Lots of testing. Do automatic and manual testing. Involve QA people.
• Zero trust principles. Trust, but verify.