Author: Cody Mercer – Senior Threat Intelligence Research Analyst
It has been nearly 4 years since the widely recognized OWASP (Open Web Application Security Project) Top 10 received any major updates or modifications. The primary purpose of the OWASP Top 10 is to address the commonly observed security vulnerabilities that pose the greatest risk to web applications, along with the poor coding practices behind them. The significant changes are depicted in the following diagram:
Figure 1: Illustration Courtesy of https://www.secplicity.org
The attack surface and security postures that the Top 10 identifies have remained relatively unchanged and static throughout the years. However, as information technology has evolved, the new security measures and protocols needed to address weak APIs have demanded that additional measures be taken into consideration and added to the OWASP Top 10 list.
OWASP API Security Addition
Demand for integrating API (Application Programming Interface) capabilities into web application processes, owing to their simplicity of use in parsing data, has risen drastically in the information security world. With this noted, the TTPs (tactics, techniques and procedures) and attack vectors available have also risen in sophistication and availability. Exploits for known vulnerabilities in improperly and poorly written API scripts are readily available and effortlessly developed by even the most novice of script kiddies.
Capitalizing on weak API scripts developed by vendors for the sake of parsing web application data, combined with exploiting known vulnerabilities in the web applications themselves, permits limitless possibilities for any black- or white-hat hacker. The illustration below provides a simplistic overview for understanding the end-to-end process of how an API call may be used to exploit an unsecured web application or public-facing asset:
Figure 2: Illustration Courtesy of https://www.secplicity.org
The OWASP Top 10 list attempts to address any and all exploits affiliated with the CIA (Confidentiality, Integrity, Availability) triad and the AAA (Authorization, Authentication, Accounting) schema. Admittedly, pinpointing all 10 vulnerabilities in the list and their protection measures spans far beyond the scope of this blog.
Top 5 Recommendations
Listed below are the 5 best-of-breed recommendations and proper practices that should be utilized in API policy and procedures by any company or individual wishing to perform API calls:
- Maintain proper handling procedures for all associated APIs. This includes revocation, disbursement, rotation periods, destruction, and appropriate storage based on the classification level of an application's API keys.
- Guarantee that secure communications are applied between endpoints performing API calls. This helps mitigate MiTM (Man-in-the-Middle) attacks and the possibility of data being intercepted during API processes.
- API keys need to be stored in a location matching their classification level. Keys with a higher classification level should not be stored in the same location as those with a lower classification level.
- Perform static and/or dynamic code analysis on the APIs themselves to eliminate poorly written API scripts that could contribute additional vulnerabilities or expose applications to a greater attack surface.
- Develop and integrate an official application security program for your company's R&D and DevOps teams that can identify and eliminate weak application security configuration management. Strong API development should be a major factor in the SDLC (Software Development Life Cycle) when developing applications and programs.
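The key-handling and classification items above (disbursement, rotation periods, revocation, destruction, and storage separated by classification level), as an added Python example that is not from the original post: the registry keeps one store per classification level, so a key is only ever accepted from the store of the level being requested, and only while it is unrevoked and inside its rotation period. The level names and rotation periods are constructed for illustration.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass

LEVELS = ("public", "internal", "confidential")  # constructed classification levels

def _digest(key):
    return hashlib.sha256(key.encode()).hexdigest()

@dataclass
class KeyRecord:
    issued: float        # issue time, epoch seconds
    rotate_after: float  # rotation period in seconds; the key expires once it elapses
    revoked: bool = False

class ApiKeyRegistry:
    """Disburses, validates, rotates, revokes and destroys API keys, one store per level."""
    def __init__(self, rotation_periods):
        self.rotation_periods = rotation_periods   # level -> rotation period in seconds
        self.stores = {lvl: {} for lvl in LEVELS}  # keys of different levels never share a store
    def issue(self, level, now=None):
        # Disburse a fresh random key; only its hash is kept, and only in its own level's store.
        key = secrets.token_urlsafe(32)
        now = time.time() if now is None else now
        self.stores[level][_digest(key)] = KeyRecord(now, self.rotation_periods[level])
        return key
    def validate(self, key, level, now=None):
        # Accepted only from the requested level's own store, and only if unrevoked and within rotation.
        rec = self.stores.get(level, {}).get(_digest(key))
        now = time.time() if now is None else now
        return rec is not None and not rec.revoked and now - rec.issued < rec.rotate_after
    def revoke(self, key, level):
        rec = self.stores.get(level, {}).get(_digest(key))
        if rec is not None:
            rec.revoked = True
        return rec is not None
    def rotate(self, old_key, level, now=None):
        self.revoke(old_key, level)  # the old key stops working once its replacement exists
        return self.issue(level, now)
    def destroy_expired(self, now=None):
        # Delete revoked or expired records from every store; returns how many were destroyed.
        now = time.time() if now is None else now
        before = sum(len(s) for s in self.stores.values())
        for lvl, store in list(self.stores.items()):
            self.stores[lvl] = {d: r for d, r in store.items()
                                if not r.revoked and now - r.issued < r.rotate_after}
        return before - sum(len(s) for s in self.stores.values())
```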
Laliberte, I. (2017). OWASP Top 10 Web Application Security Update. Retrieved from: https://www.secplicity.org/2017/04/12/owasp-top-10-web-application-security-update/