2017 OWASP Top 10 Includes API Protection

This month we share a blog on the recently released OWASP Top 10 Application Security Risks, from our technology partner, Zenedge.

The Open Web Application Security Project (OWASP) is an organization composed of international security experts who provide independent intelligence on applications and their security risks. Every four years, the OWASP Top 10 project releases a list of the most significant Application Security Risks.

Considered an AppSec benchmark, the list is keenly watched and endorsed by the application security community. The list comprises the latest vulnerabilities, threats and attacks, as well as detection tactics and remediation. OWASP Top 10 project members create the list by analysing the frequency and the severity of each threat.

The 2017 OWASP Top 10 list has recently been released for public comment. It’s based on the examination of over 2.3M vulnerabilities which impacted 50,000 applications and contains updated attack scenarios.

The Release Candidate for the OWASP Top 10 project is out now and available for public consumption. This year’s list presents some notable changes from previous editions.

[Image: OWASP Top 10 - API Protection (NEW). Image courtesy of Zenedge]

Most evident among the updates is the inclusion of OWASP A10 – Under-protected APIs. This comes as no surprise, as the rise of mobile, application services and integrations, cloud, and microservices is changing the security landscape.

In today’s digital economy, purveyors of data are leaders in every industry. Take, for example, Google’s transit API, which makes it possible for municipalities and developers to serve millions of riders daily all over the world with timely and accurate information. RESTful interactions facilitate tremendous business opportunities by letting information be consumed in a highly automated and integrated fashion. The reach of APIs now extends into business-critical applications and backend data stores, which has made them a vector for malicious activity. As a result, API services are increasingly in scope for various regulatory regimes. Web services and applications that rely on APIs are at increased risk as threat actors develop and deploy the means to target and interfere with them. Additionally, API malware is on the rise.

APIs are central to present-day applications: apps are most commonly written in JavaScript and use APIs to fetch their data. APIs therefore serve as the link between rich client platforms and a collection of web applications or services. And while APIs may technically be web apps, securing them is not as simple as securing traditional web applications.

APIs are often left unprotected, and the APIs themselves contain vulnerabilities that leave your application exposed, making this an important addition to the 2017 list. APIs may use a plethora of different protocols and frameworks – including SOAP/XML, REST/JSON, RPC, and GWT – and many security tools, as well as manual pen-testing, cannot successfully examine many of the APIs in use because of the complexity of those protocols and frameworks. This makes APIs a major blind spot for the organizations using them.

The challenge also stems from the fact that API vulnerability assessment is generally covered poorly, or not at all, by existing web application vulnerability assessment tools. API protection therefore requires thorough thinking, planning, testing, and adjustments to the SDLC process.

API Protection: What Can You Do?

Next steps:

  • Adjust your SDLC to include rigorous API security testing and validation
  • Input validation, Input validation, Input validation
  • Proper authentication and authorization
  • HTTPS, HTTPS, HTTPS
  • Implement an API Security solution
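The three technical items above (input validation, proper authentication, HTTPS) are shown together below as a request gate for a REST/JSON endpoint. This is an added example, not code from the original post or from Zenedge; the endpoint, field names, schema and token allowlist are hypothetical, and the token value is a constructed placeholder.

```python
import hmac
import json
import re

# Constructed allowlist of API client tokens (placeholder values, not real credentials).
VALID_TOKENS = {"example-token-123": "client-a"}

# Expected JSON body for a hypothetical POST /v1/stops/search endpoint.
SCHEMA = {
    "stop_id": {"type": str, "pattern": re.compile(r"^[A-Z0-9]{1,12}$")},
    "radius_m": {"type": int, "min": 1, "max": 5000},
}


def validate_request(scheme, headers, body):
    """Return a list of rejection reasons; an empty list means the request passes."""
    reasons = []
    # HTTPS: refuse API calls that arrived in the clear (scheme as seen by the server).
    if scheme != "https":
        reasons.append("transport: plaintext HTTP rejected")
    # Authentication: a bearer token must be present and match an allowlisted client.
    auth = headers.get("authorization", "")
    token = auth[7:] if auth.startswith("Bearer ") else ""
    client = None
    for known, name in VALID_TOKENS.items():
        if hmac.compare_digest(known.encode(), token.encode()):  # constant-time compare
            client = name
    if client is None:
        reasons.append("auth: missing or unknown bearer token")
    # Input validation: JSON object only, known fields only, typed and bounded values.
    if headers.get("content-type", "").split(";")[0].strip() != "application/json":
        reasons.append("input: content-type must be application/json")
    try:
        data = json.loads(body)
    except (ValueError, TypeError):
        return reasons + ["input: body is not valid JSON"]
    if not isinstance(data, dict):
        return reasons + ["input: body must be a JSON object"]
    for field in set(data) - set(SCHEMA):
        reasons.append(f"input: unexpected field {field!r}")
    for field, rule in SCHEMA.items():
        value = data.get(field)
        if type(value) is not rule["type"]:  # exact type: bool is not accepted as int
            reasons.append(f"input: {field} must be {rule['type'].__name__}")
        elif "pattern" in rule and not rule["pattern"].match(value):
            reasons.append(f"input: {field} has invalid format")
        elif "min" in rule and not rule["min"] <= value <= rule["max"]:
            reasons.append(f"input: {field} out of range")
    return reasons
```

Every reason is collected rather than returning on the first failure, so a rejected call can be logged with the full set of checks it failed.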

API Security protects your web services from DDoS attacks and malicious bots without sacrificing legitimate API traffic. The Zenedge service uses advanced techniques to validate API requests, determine their legitimacy, and eliminate API attacks at the edge of the network, based on unique hash identifiers generated by an integrated Zenedge library. Malicious activity is blocked by the Zenedge web application security proxy, while authorized traffic passes through seamlessly.

This article was first published by Mike Levin, Zenedge on Jun 19, 2017 on the Zenedge blog.

To learn more about API Protection and Web Application Firewalls, please contact an activereach Security Expert on 0845 625 9025.