Re-examining the OWASP API Security Top 10 in 2023

Written by rossmoore | Published 2023/12/15

TL;DR: Cybercriminals love to target the APIs that connect today’s digital services and sensitive data. APIs are only going to increase, furthering the need for an API security strategy.

Stories of True Crime

On May 17, 2022, a criminal hacking group claimed to hold the personal data of 22.5 million Malaysians. The data was stolen from the myIDENTITI API, a database that allows government agencies (like the victim National Registration Department) to access information about Malaysian citizens. The group wanted $10,000 in Bitcoin for the data.

On December 15, 2022, SevenRooms, a guest experience and retention platform, found that threat actors had posted details of more than 400GB of sensitive data, taken from the CRM’s servers, to a hacking forum. The information included API keys.

Cybercriminals love APIs, having realized “how lucrative it is to target the APIs that connect today’s digital services and sensitive data.”

Are you in a confident position to protect your APIs and get alerted to suspicious activity?

Analogy

If you ask someone if their house is protected from criminal entry and how it’s protected, they’d probably say, “Yes,” then proceed to detail how they have deadbolts, lock their windows, have cameras set up, keep their shrubs trimmed down to prevent hiding, etc. But what about their walls? Are the walls protected from criminals sawing through them?

I don’t know of home walls that are more than several inches thick, and most of that is just 2x4s spaced to provide structure for drywall and insulation. Sure, there are other types of house structures, but, in general, they’re untested against circular saws.

Of course, that kind of risk is generally an accepted risk – criminals would rather take the easy way through, such as broken windows and unlocked doors. So, homeowners automatically perform a risk assessment and accept the risk.

But what about businesses and their API security strategy? Have businesses performed an updated risk assessment and risk treatment methodology to account for all the new ways that their technology can be hacked?

API Use Increases

Ensuring APIs are properly secured – taking into consideration at least the confidentiality, integrity, and availability of the CIA triad, if not the other aspects of the Parkerian hexad – is of the utmost importance.

According to the Splunk 2023 State of Security report, over the next 2 years, half of those surveyed, "...will emphasize a best-of-breed approach, integrating individual solutions as needed through APIs." APIs are only going to increase, furthering the need for an API security strategy.

Let’s check the OWASP 2023 API Top Ten again to make sure we’ve covered the known attack areas.

OWASP 2023 API Top Ten

There’s no way to give detailed advice in an article, but a brief overview of each category can at least provide food for thought.

Here is a summary of each of OWASP's 2023 API Top Ten:

1. API1:2023 - Broken Object Level Authorization: By exposing endpoints that handle object identifiers, APIs create a wide attack surface of Object Level Access Control issues.

2. API2:2023 - Broken Authentication: When implemented incorrectly, authentication mechanisms allow attackers to compromise authentication tokens, or even assume other users' identities.

Consider the Optus breach of September 22, 2022: the issue was an API endpoint with no authentication, an example of a Broken Authentication violation. Criminals harvested almost 10 million user details, such as driver's licenses and Medicare IDs.

3. API3:2023 - Broken Object Property Level Authorization: APIs often expose endpoints that return all the properties of their objects.

4. API4:2023 - Unrestricted Resource Consumption: Serving API requests consumes resources such as network bandwidth, CPU, memory, and storage. Successful attacks can lead to Denial of Service or to a sudden increase in operational costs.

5. API5:2023 - Broken Function Level Authorization: APIs and their supporting systems typically require complex configurations that are meant to make the APIs more customizable. Software engineers can miss these configurations, or fail to follow security best practices when configuring them, and this opens the door to a multitude of attacks.

6. API6:2023 - Unrestricted Access to Sensitive Business Flows: APIs may provide access to critical business functions or workflows without proper authorization or validation, allowing attackers to manipulate or abuse these functions.

7. API7:2023 - Server-Side Request Forgery (SSRF): APIs may be vulnerable to SSRF attacks, where an attacker can make the API server send requests to other servers, potentially accessing internal resources or performing actions on behalf of the server.

8. API8:2023 - Security Misconfiguration: APIs and their supporting infrastructure may have insecure configurations, such as default settings or unnecessary features enabled, which can be exploited by attackers.

9. API9:2023 - Improper Inventory Management: APIs expose more endpoints than traditional web applications, making proper and updated documentation critical. Having a consistently updated inventory of hosts and deployed API versions is important for mitigating issues.

Consider the Experian breach. This credit reporting agency created an API for financial partners. At least one of those partners took that API and created their own site for applicants to look up their credit scores. All it took was a few user details (name, address, birthdate), and the searcher could find anyone’s credit records. This is a violation of OWASP API Top Ten number 9, Improper Inventory Management.

10. API10:2023 - Unsafe Consumption of APIs: This category includes injection vulnerabilities and other risks that can arise from using APIs in an insecure manner, such as not properly validating input or output, or not using encryption when necessary.
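To make the authorization categories above concrete, here is an added example (my own code, not from the article or from OWASP): a minimal in-memory "orders" API handler showing a handler that trusts the identifier in the URL (API1) and dumps the whole object (API3), beside the hardened version that checks object ownership, projects the response onto a property allow-list, rejects writes outside that list, and gates the delete function on role (API5). The users, orders and handler names are constructed for the example and are not any framework's API.

```python
# Added example, not from the article: a minimal in-memory "orders" API
# handler that shows the object-level (API1), object-property-level (API3)
# and function-level (API5) authorization checks a hardened endpoint needs.
# Users, orders and handler signatures are constructed sample data, not any
# real framework's API.
from dataclasses import dataclass


class ApiError(Exception):
    """Carries an HTTP-style status so callers can assert on the outcome."""

    def __init__(self, status: int, message: str) -> None:
        super().__init__(message)
        self.status = status


@dataclass(frozen=True)
class User:
    user_id: str
    role: str  # "customer" or "admin"


# Constructed sample data: orders belonging to two different customers.
ORDERS = {
    "1001": {"id": "1001", "owner": "alice", "total": 42.0,
             "shipping_note": "leave at door", "card_last4": "1234",
             "internal_fraud_score": 0.1},
    "1002": {"id": "1002", "owner": "bob", "total": 99.5,
             "shipping_note": "", "card_last4": "9876",
             "internal_fraud_score": 0.7},
}

# API3: explicit allow-lists of properties a customer may read and write, so
# internal fields are never serialized and cannot be mass-assigned.
CUSTOMER_READABLE = ("id", "owner", "total", "shipping_note", "card_last4")
CUSTOMER_WRITABLE = ("shipping_note",)


def get_order_vulnerable(user: User, order_id: str) -> dict:
    """API1 and API3 in one handler: the identifier taken from the request is
    trusted without an ownership check, and the whole object is returned."""
    return dict(ORDERS[order_id])


def _load_authorized(user: User, order_id: str) -> dict:
    """API1: look the object up, then verify the caller may access *this*
    object. Missing and foreign objects both yield 404 so the identifier
    space cannot be mapped by telling 403s apart from 404s."""
    order = ORDERS.get(order_id)
    if order is None or (user.role != "admin" and order["owner"] != user.user_id):
        raise ApiError(404, "order not found")
    return order


def get_order(user: User, order_id: str) -> dict:
    order = _load_authorized(user, order_id)
    if user.role == "admin":
        return dict(order)
    # API3: project onto the allow-list instead of dumping the object.
    return {k: order[k] for k in CUSTOMER_READABLE}


def update_order(user: User, order_id: str, patch: dict) -> dict:
    order = _load_authorized(user, order_id)
    if user.role != "admin":
        # API3: reject writes to any property outside the allow-list rather
        # than binding the whole request body onto the stored object.
        rejected = sorted(set(patch) - set(CUSTOMER_WRITABLE))
        if rejected:
            raise ApiError(400, f"read-only properties: {rejected}")
    order.update(patch)
    return get_order(user, order_id)


def delete_order(user: User, order_id: str) -> dict:
    """API5: an administrative function checks the caller's role, not merely
    that the caller is authenticated."""
    if user.role != "admin":
        raise ApiError(403, "forbidden")
    if order_id not in ORDERS:
        raise ApiError(404, "order not found")
    del ORDERS[order_id]
    return {"deleted": order_id}


def status_of(handler, *args) -> int:
    """Run a handler and return the HTTP-style status it would produce."""
    try:
        handler(*args)
        return 200
    except ApiError as exc:
        return exc.status


if __name__ == "__main__":
    alice = User("alice", "customer")
    admin = User("root", "admin")
    print(get_order_vulnerable(alice, "1002"))   # bob's order, fraud score included
    print(status_of(get_order, alice, "1002"))   # 404: not alice's object
    print(get_order(alice, "1001"))              # alice's order, allow-listed fields
    print(status_of(update_order, alice, "1001", {"total": 0.0}))  # 400
    print(status_of(delete_order, alice, "1001"))  # 403: not an admin function for her
    print(delete_order(admin, "1002"))
```

The two behaviours worth copying are the single `_load_authorized` path that every object-scoped handler goes through (so an ownership check cannot be forgotten on one endpoint), and the fact that property filtering is an allow-list applied on both read and write, not a deny-list of fields someone remembered to hide.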

Tackling Tomorrow’s Issues Today

It’s impossible to predict the future, but that doesn’t mean one has to gamble on it. Planning for tomorrow based on what’s known today is called a calculated risk. We don’t know everything, but we know a lot. Doing our best with what we know now will put us in the best position to provide a secure platform for our customers.


Published by HackerNoon on 2023/12/15