API Security and OWASP Top 10 are not strangers. Many years ago (circa 2009), we presented our test results on Techniques in Attacking and Defending XML/Web Services. Fast forward to 2017, OWASP has recognized API Security as a primary security concern by adding it as A10 – unprotected APIs to its list of top 10 vulnerabilities facing web applications. Forum Systems has been at the center of building solutions that address API Security and looks forward to further working with security thought leaders in making enterprise and cloud APIs secure.
Although OWASP Top 10 RC1 A10 has been opened for further community review, we believe it is a matter of time when API Security issues will dominate the OWASP Top 10. Why, because:
- The techniques that OWASP exposed in its past Top 10 lists can readily pass through APIs without being detected. Unless API specific issues are brought to the forefront, many vulnerabilities can piggy-back over APIs whose surface area continues to grow.
- Parsers for data processing are central to APIs. JSON and XML parsers have to get hardened otherwise parsers are clearly vulnerable to DoS attacks.
- Identity token types in use with APIs span the spectrum of lightweight tokens such as OAuth to heavier X.509 certificates. Understanding and addressing authentication, authorization and access control issues are central to secure API deployments.
- APIs are now central to portals, devices and cloud infrastructure. Pretty much everything built these days either consumes or generates APIs. All the heavy lifting on portals and other device interfaces is being done by APIs.
Whether A10 gets ratified in the final 2017 release remains to be seen, regardless, we commend OWASP for showing leadership in acknowledging API Security as a primary threat vector with significant and wide-ranging impact on application and data security.