OWASP recently released the first iteration of the API Security Top 10. Like the ubiquitous OWASP Top 10, the API Security Top 10 delivers a prioritized list of the most critical application security issues with a focus on the API side of applications. This is a critical new tool for AppSec teams that hones in on one of the fastest growing, yet chronically under-addressed aspects of security. In this blog, I’d like to offer you an overview of the API top 10 with comparisons to the OWASP top 10 for web applications.
As the demands of both modern applications and complex threat landscapes have continued to increase, many organizations have been forced to adopt an ever-growing list of new, specialized security tools in an attempt to keep pace. This often includes a mixture of WAFs, anti-bot tools, DDoS prevention, behavioral and analytics tools, intelligence feeds, and more. However, a fractured approach to security is rarely effective and almost never efficient.
We live in a world where new application security vulnerabilities are discovered daily. Additionally, the advent of botnets and crypto currency mining has increased the attractiveness of targets. There are two major techniques utilized by attackers to find vulnerable applications en masse:
- Run scanners against large portions of the Internet to look for common exploits, such as SQL injection, Remote Command Execution, etc. Virtually any poorly coded web application can be vulnerable to these attacks.
- Follow the security feeds for newly discovered vulnerabilities, create exploits and launch them against every public instance of the application. Well known platforms like Wordpress and Drupal are especially susceptible to such an attack.
There is little debate that the best place to fix security issues is within the application code itself. However, that is not always feasible given the time that is required.
Application security never fails to keep us on our toes. Between the continuous evolution of application frameworks and integrations, and the advancement of human and automated attackers, security teams must always be braced for change and new challenges. On a similar vein, if the trends from 2018 continue, web application attacks will remain the most successful hacked area of the enterprise. In fact, over 60% of actual breaches occurred through web applications.*
Data, data everywhere and yet there’s very little insight to inform the business on the true nature and severity of cyber threats. That’s the story at most organizations where traditional Web Application Firewalls (WAFs) fail to bring into focus the visibility into the mounting expanse of security data.
APIs are at the heart of modern applications and have quickly become a favorite target of attackers. And for good reason - they expose a wealth of functionality and attack surface that is often poorly defended. In our previous article we introduced the key building blocks of API security that can help ensure your APIs get the same level of protection as the web front-end of your application.
For many enterprises today, Web and cloud applications are critical components of the business. And for the ever-increasing number of companies conducting business online, they are the business.
APIs have altered the attack surface of modern applications and exposed new gaps in security in the process. In the old days, virtually all application traffic passed through the web front-end of an application, and unsurprisingly that is where security efforts were focused. APIs have quickly and thoroughly eroded this basic assumption.