CloudVector

As organizations embrace digital transformation initiatives, they are increasingly consuming and exposing APIs that increase their risk surface. The OWASP API Security Top 10 focuses on the strategies and solutions to understand and mitigate the unique vulnerabilities and security risks of Application Programming Interfaces (APIs). CloudVector provides Deep API Intelligence™ to discover, monitor and secure all APIs in any environment, giving organizations the ability to accelerate application development and to protect sensitive API data from vulnerabilities, exploits, attacks, and breaches.

 

In this blog post, we explain each of the OWASP API Security Top 10 vulnerabilities, its impact, and how CloudVector can help mitigate the risk.

 

Broken Object Level Authorization

 

One function of APIs is to provide access to objects that may contain sensitive information, for example employee or customer data with Social Security numbers and credit card numbers. This access is controlled by passing object identifiers in API requests. Failure to enforce object-level authorization lets an attacker manipulate those object identifiers to gain unauthorized access to sensitive data.
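The lookup described above, as an added example that is not CloudVector's code: a record endpoint modelled as plain functions, with the version that trusts the client-supplied object id beside one that checks ownership against the authenticated session. RECORDS, AccessDenied and the function names are assumptions.

```python
# Added example, not CloudVector's code: a record lookup endpoint modelled as
# plain functions. RECORDS, AccessDenied and the function names are assumptions.

# Constructed sample data: customer records keyed by object id, each owned by a user.
RECORDS = {
    1001: {"owner": "alice", "ssn": "***-**-1234", "card_last4": "4242"},
    1002: {"owner": "bob", "ssn": "***-**-9876", "card_last4": "1111"},
}


class AccessDenied(Exception):
    """Raised when the session user may not read the requested object."""


def get_record_vulnerable(session_user, object_id):
    """Vulnerable: honours whatever id the client sent and never checks who
    owns it, so any logged-in user can read any record by changing the id."""
    return RECORDS[object_id]


def get_record_secure(session_user, object_id):
    """Hardened: the id from the request is only honoured when the
    authenticated session user owns that object."""
    record = RECORDS.get(object_id)
    # Respond identically for missing and foreign objects so the API does not
    # reveal which ids exist (that alone would assist enumeration).
    if record is None or record["owner"] != session_user:
        raise AccessDenied(f"user {session_user!r} may not access object {object_id}")
    return record


def demo():
    """alice's session asks for object 1002, which belongs to bob."""
    leaked = get_record_vulnerable("alice", 1002)  # succeeds: this is BOLA
    try:
        get_record_secure("alice", 1002)
        blocked = False
    except AccessDenied:
        blocked = True
    return leaked["owner"], blocked


if __name__ == "__main__":
    print(demo())
```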

 

CloudVector provides a flexible security policy based on “Parameter Pinning,” which accurately identifies API calls that exploit this vulnerability and automatically protects against the threat by terminating the API session.

 

Broken User Authentication

 

API authentication is a critical service that identifies clients and authorizes them to access applications. A broken authentication mechanism enables attackers to gain unauthorized access to applications through stolen authentication tokens, credential stuffing, and brute-force attacks.

 

CloudVector detects the use of stale user authentication tokens and identifies APIs that are accessed without authentication. CloudVector leverages machine learning to model the behavior of users, authentication tokens, client apps, client locations, and so on, to alert security teams to the risk of stolen authentication tokens and unauthorized access.

 

Excessive Data Exposure

 

Developers may implement generic APIs that return more data than the client needs; an attacker can exploit the surplus data, such as incremental ID numbers, to extract further sensitive data. For example, Amazon’s Ring Neighbors app exposed users’ precise locations because of this vulnerability.

 

CloudVector continuously generates API catalogs that contain a comprehensive view of the parameters transacted in the request and response of each API. These APIs and parameters are categorized according to whether they contain or transact sensitive data, such as personally identifiable information (PII). CloudVector provides shift-left tools to assess such APIs, to determine whether they carry too many parameters containing sensitive data, and to alert security teams to the risk of APIs exposing excessive data.

 

Lack of Resources & Rate Limiting

 

It is common to find APIs that implement rate limiting improperly or neglect to implement it entirely. This is a risk because an attacker can overwhelm the service with brute-force attacks to break through its authentication. This vulnerability enabled an attacker to attempt 1 million Zoom passwords in a matter of minutes to gain access to private meetings.
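The detection side of this risk, as an added example that is not CloudVector's code: a sliding-window check over constructed API access log lines that flags a client exceeding a failed-login rate, the kind of signal a monitor raises when the API itself has no rate limit. The log format, the login path, the threshold and the window size are all assumptions.

```python
# Added example, not CloudVector's code: a sliding-window check over constructed
# API access log lines that flags a client making many failed login attempts in
# a short period. The log format, path, threshold and window are assumptions.
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log: "timestamp client_ip method path status".
LOG = [
    "2020-04-10T12:00:00 198.51.100.7 POST /api/v1/login 401",  # benign: one typo
    "2020-04-10T12:00:03 198.51.100.7 POST /api/v1/login 200",  # then success
] + [  # one client, seven failed logins in seven seconds
    f"2020-04-10T12:00:{s:02d} 203.0.113.5 POST /api/v1/login 401" for s in range(10, 17)
]


def parse(line):
    ts, ip, method, path, status = line.split()
    return datetime.fromisoformat(ts), ip, method, path, int(status)


def detect_bruteforce(lines, window_s=60, max_failures=5):
    """Return {client_ip: timestamp of first alert} for clients that exceed
    max_failures failed (401/403) login attempts within any window_s seconds."""
    recent = defaultdict(deque)  # per-client timestamps of recent failures
    alerts = {}
    for line in lines:
        ts, ip, _method, path, status = parse(line)
        if path != "/api/v1/login" or status not in (401, 403):
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:  # drop expired failures
            q.popleft()
        if len(q) > max_failures and ip not in alerts:
            alerts[ip] = ts
    return alerts


if __name__ == "__main__":
    for ip, ts in detect_bruteforce(LOG).items():
        print(f"ALERT {ts.isoformat()} {ip}: login failure rate exceeded")
```

The same function applied per authentication token or per API key rather than per client IP catches distributed attempts that rotate source addresses.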

 

CloudVector continuously monitors API call rates, the number of resources requested and the response to them. Access patterns help define behavioral models, so that abnormal access or API call rates trigger an alert to security teams.

 

Broken Function Level Authorization

 

API functions include adding, updating or deleting a customer record, a user role, and so forth. These functions are governed by authorization: the role and scope of the user making the API call. When authorization is not properly implemented, these functions may be executed by unauthorized users, which may lead to the loss of data or a full account takeover.

 

CloudVector maps the normal functions performed by users and their authorization tokens, which identify the users’ roles and scopes. Any activity that falls outside the scope generates an alert as a broken function level authorization risk.

 

Mass Assignment

 

API implementations that consume input requests directly and write them to the business-logic data stores are vulnerable to mass assignment, because an attacker can include parameters and values that change critical data properties, resulting in exploits such as privilege escalation.
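One way to close both this gap and the Excessive Data Exposure gap described earlier, as an added example that is not CloudVector's code: a profile-update endpoint with a field allowlist in each direction, so that only client-writable fields reach the data store and only the fields a client needs are returned. USER, WRITABLE, PUBLIC and the function names are assumptions.

```python
# Added example, not CloudVector's code: field allowlists on both sides of a
# profile-update endpoint. Inbound, only client-writable fields reach the store
# (mass assignment); outbound, only fields the client needs are returned
# (excessive data exposure). USER, WRITABLE, PUBLIC and function names are assumptions.

# Constructed sample record, as stored by the business logic.
USER = {
    "id": 42, "email": "alice@example.com", "display_name": "Alice",
    "role": "user", "is_admin": False, "ssn": "***-**-1234",
    "home_lat": 37.7749, "home_lng": -122.4194,
}

WRITABLE = {"email", "display_name"}  # fields a client may change
PUBLIC = {"id", "display_name"}       # fields a client may read


def update_vulnerable(user, payload):
    """Vulnerable: every key in the request body is written to the record, so a
    payload carrying is_admin or role escalates the caller's privileges."""
    updated = dict(user)
    updated.update(payload)
    return updated


def update_secure(user, payload):
    """Hardened: keys outside the allowlist are rejected rather than silently
    dropped, so attempts to set hidden properties show up in the logs."""
    rejected = set(payload) - WRITABLE
    if rejected:
        raise ValueError(f"fields not writable via API: {sorted(rejected)}")
    updated = dict(user)
    updated.update(payload)
    return updated


def to_response(user):
    """Outbound projection: only the allowlisted fields leave the service."""
    return {k: user[k] for k in sorted(PUBLIC) if k in user}


def demo():
    """A request that sets a display name and smuggles in admin properties."""
    attack = {"display_name": "Alice", "is_admin": True, "role": "admin"}
    escalated = update_vulnerable(USER, attack)["is_admin"]
    try:
        update_secure(USER, attack)
        blocked = False
    except ValueError:
        blocked = True
    return escalated, blocked, to_response(USER)
```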

 

CloudVector categorizes API parameters based on CRUD (create/read/update/delete) operations. These parameters are modeled with other features, such as API call volume, to build a behavioral pattern of benign users. When a malicious user deviates from this model and attempts to exploit the mass assignment vulnerability, CloudVector alerts security teams.

 

Security Misconfiguration

 

There are many possible misconfigurations within API resources, transport protocols and application infrastructure. Any of these mistakes, such as APIs that are accessible without authentication or use insecure communication (plain text HTTP), may cause severe security risks, such as the loss of sensitive data or account takeover.

 

CloudVector can detect APIs that are accessed without authentication and API calls that use insecure communication. Behavioral models identify when sensitive data is returned in API error messages, to prevent attackers from exploiting the misconfiguration. CloudVector also provides shift-left tools that enable organizations to identify potential risks during their API development cycle.

 

Injection

 

APIs consume data from their URL and parameters, but if they do not validate that data, injection attacks can be used to perform database or OS operations. Unsanitized input can cause data corruption, data leakage, denial of service, privilege escalation, and so forth. Typical attack vectors are SQL, NoSQL, and OS command injection through API parameters.

 

CloudVector has the ability to parse multiple data formats, such as JSON, GraphQL, and gRPC. Behavioral modeling identifies normal usage and flags events when injection attempts are made, even without developer documentation or prior knowledge of parameter patterns.

 

Improper Asset Management

 

Enterprise DevOps teams are accelerating the deployment of APIs into production, which may leave them vulnerable: insecure parameters published into production, old API versions left running for backward compatibility, or sensitive data transacted by APIs that do not conform to governance policies. These issues may lead to sensitive data loss, ecosystem compromise, and so forth.

 

CloudVector identifies all APIs in production environments and categorizes all APIs containing sensitive data. Flexible security policies can detect Shadow APIs with hidden parameters and deprecated APIs. This visibility enables enterprise security teams to enforce governance of API assets, assess their risks, and monitor for API threats.

 

Insufficient Logging & Monitoring

 

API threats are often missed because of insufficient logging and monitoring of access attempts. The lack of such a capability enables attackers to conduct reconnaissance and exploitation attempts over an extended period of time without detection.

 

CloudVector is the only solution capable of providing deep visibility into both North-South and East-West API calls, their response codes and threat attempts in real time. These insights can be easily exported into other Security Information and Event Management (SIEM) systems. CloudVector also supports more hybrid infrastructure technologies, such as VMs, containers, Kubernetes, serverless and existing proxies or gateways, than any other API security solution. And CloudVector deploys with the lightest touch on DevOps: no changes to code, no proxy, and no impact on performance.

 

A Single Solution for All OWASP API Security Risks

 

The OWASP API Security Top 10 represents a variety of API security risks, but CloudVector provides a single solution that addresses each of them. CloudVector leverages artificial intelligence and machine learning to automatically and continuously discover and catalog API analytics, which it monitors for anomalous behavior. And CloudVector’s unique micro-sensor architecture enables it to be easily deployed into any computing environment with no changes to code.

 

To learn more, watch our April 29 webinar (or its replay), “How CloudVector Can Help Protect Against the OWASP API Security Top 10 Threats.”

Sekhar Chintaginjala

Sekhar Chintaginjala is an experienced information security researcher who brings 15+ years of hands-on knowledge to the CloudVector team. He has proven expertise in vulnerability research, security content development and leading teams for large global companies. At CloudVector, Sekhar is a member of the Security Research team and also leads efforts for new feature development that helps protect against API abuse.