
Mitigate OWASP Security Top Threats with an API Gateway

A look at the top 10 API security threats and how an API gateway tool can help reduce these vulnerabilities.
Nov 29th, 2023 10:40am

The Open Worldwide Application Security Project (OWASP, until 2023 the Open Web Application Security Project) publishes the OWASP Top 10 every few years (the 2013, 2017 and 2021 editions are the most recent), describing the most critical security risks to web applications. The list is a starting point for organizations that want to understand and mitigate common web vulnerabilities.

Since 2019, the OWASP API Security project has also produced a separate Top 10 of API security risks, to raise awareness of API security and give guidance on the most pressing threats. It maps the general web application risks onto the specific ways APIs are attacked.

As more and more applications and platforms offer APIs for ease of integration, development, and automation, there has been a corresponding rise in security concerns associated with these APIs. APIs often act as gateways to application data, business logic and sensitive functions, making them attractive targets for attackers. If not properly secured, they can be exploited to leak sensitive information, bypass security controls or even manipulate underlying systems.

The OWASP API Security project released the 2023 edition of the API Security Top 10 in July 2023. Let’s review the list’s takeaways, where an API gateway can help reduce these risks, and where it cannot.

The Biggest Security Threat: Authorization

Broken authorization is the largest category of API security risk applications face today. Three of the ten entries in the 2023 list relate to authorization. One caveat up front: a gateway can establish who the caller is and enforce coarse rules such as “only admins reach /admin/*”, but object- and property-level decisions depend on data only the service holds (who owns order 101, which fields are sensitive), so those checks have to live in the service itself.

  • Broken object-level authorization (BOLA): Object-level authorization ensures users can act only on objects they are permitted to. Any endpoint that receives an object ID from the client must check that the authenticated user is allowed to perform that action on that object. Missing or inadequate checks let an attacker read or modify other users’ data simply by changing the ID in the request.
  • Broken object property-level authorization (BOPLA): APIs, REST APIs in particular, often expose every property of an object. Inspecting responses can reveal sensitive properties, and fuzzing requests can turn up hidden ones that the client is allowed to set (mass assignment). Unauthorized property access leads to data disclosure or manipulation, including account takeover when a writable property such as a role or email address is involved.
  • Broken function-level authorization (BFLA): Attackers exploit BFLA by calling endpoints they should not be able to reach as anonymous or regular users, for instance by changing a GET to a DELETE or /users to /admin/users. Diverse roles and user hierarchies make correct checks hard to implement, and the predictable, structured nature of APIs makes these flaws easy for an attacker to find. The result is unauthorized access to functions, risking data breaches or service disruption.
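The three authorization failures above are easiest to see side by side in a handler. The following is an added example, not code from the article, from Edge Stack or from any gateway product: a vulnerable order handler that trusts the client-supplied ID and returns every property, next to a hardened one that checks ownership (BOLA), projects reads and writes onto property allowlists (BOPLA) and makes deletion an admin-only function (BFLA). The order store, the users, the roles and the field allowlists are constructed for the demo.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    sub: str    # subject from the verified token
    role: str   # "customer" or "admin" (hypothetical roles)


class Forbidden(Exception):
    pass


class NotFound(Exception):
    pass


# Constructed sample data: order 101 belongs to alice, order 102 to bob.
ORDERS = {
    101: {"id": 101, "owner": "alice", "total": 42.0, "status": "paid",
          "card_last4": "4242", "internal_fraud_score": 0.03},
    102: {"id": 102, "owner": "bob", "total": 99.0, "status": "shipped",
          "card_last4": "1111", "internal_fraud_score": 0.91},
}

# BOPLA allowlists: what a customer may read and what they may write.
CUSTOMER_READABLE = frozenset({"id", "total", "status"})
CUSTOMER_WRITABLE = frozenset({"status"})


def get_order_vulnerable(user, order_id):
    """BOLA and BOPLA together: trusts the client-supplied id and returns
    every property, including ones only the fraud team should see."""
    return ORDERS[order_id]


def load_owned(user, order_id):
    """Object-level check: the order must exist AND belong to the caller
    (admins may see all). Answering 404 instead of 403 for someone else's
    order avoids confirming that the id exists."""
    order = ORDERS.get(order_id)
    if order is None or (user.role != "admin" and order["owner"] != user.sub):
        raise NotFound(order_id)
    return order


def get_order(user, order_id):
    """Hardened read: ownership check, then project onto an allowlist."""
    order = load_owned(user, order_id)
    if user.role == "admin":
        return dict(order)
    return {k: v for k, v in order.items() if k in CUSTOMER_READABLE}


def update_order(user, order_id, patch):
    """Hardened write: refuse any property outside the writable allowlist
    rather than merging the whole JSON body (mass assignment)."""
    order = load_owned(user, order_id)
    not_writable = set(patch) - CUSTOMER_WRITABLE
    if user.role != "admin" and not_writable:
        raise Forbidden(f"not writable: {sorted(not_writable)}")
    order.update(patch)
    return get_order(user, order_id)


def delete_order(user, order_id):
    """Function-level check: the endpoint itself is admin-only, whoever
    owns the object. Checked before any object lookup."""
    if user.role != "admin":
        raise Forbidden("delete requires the admin role")
    load_owned(user, order_id)
    del ORDERS[order_id]
    return True
```

The ownership check and the allowlists depend on the service’s own data model, which is why none of this can be moved into a gateway; what the gateway contributes is the verified `User.sub` and `User.role` the handler relies on.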

The Eternal Security Threat: Authentication

Even with authentication-as-a-service providers widely available to developers, broken authentication is still No. 2 on the list of API security risks. Authentication is verifying the identity of the user or system calling your API. Because authentication endpoints are the “front door” to your services, they are prime targets for attackers.

Mistakes creep in when developers build their own authentication. Misunderstanding where authentication boundaries lie and getting the details of token handling wrong makes vulnerabilities common: login endpoints without lockout or rate limits that allow credential stuffing, tokens accepted without signature verification or without an expiry, weak signing keys, or passwords changed without re-confirming the current one. Attackers who get through can hijack accounts, read personal data and perform sensitive operations indistinguishably from genuine users.

To address this, enforce authentication at the API gateway rather than in each service. Choose a gateway that supports JSON Web Tokens (JWTs), OAuth 2.0 and similar token-based mechanisms and that validates the token’s signature, expiry, issuer and audience before routing, so the services behind it see only authenticated traffic. Token-based methods scale well and confirm identity without passing user credentials on every request, but the validation has to be strict: the gateway, not the token, decides which signing algorithm is acceptable.
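What “validate the token before routing” means in practice is shown below. This is an added example written for this page, not code from the article, from Edge Stack or from any other gateway; it uses only the Python standard library. It pins the algorithm to HS256, checks the HMAC signature in constant time before looking at any claim, then checks exp, nbf, iss, aud and sub with a small clock-skew allowance. The secret, issuer URL and audience are constructed for the demo; a production gateway would normally verify RS256 or ES256 signatures against the issuer’s published keys so it never holds a signing secret at all.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SECRET = b"constructed-demo-secret-do-not-reuse"   # hypothetical shared secret
ISSUER = "https://issuer.example"                    # hypothetical issuer
AUDIENCE = "orders-api"                              # hypothetical audience
PINNED_ALG = "HS256"
CLOCK_SKEW_S = 30


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(claims: dict, alg: str = PINNED_ALG, key: bytes = SECRET) -> str:
    """Mint a token. alg="none" is supported here only so the demo can build
    a hostile sample; a real issuer must never offer it."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = b"" if alg == "none" else hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


class InvalidToken(Exception):
    pass


def verify(token: str, now: Optional[float] = None) -> dict:
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("malformed")
    h, p, s = parts
    try:
        header = json.loads(b64url_decode(h))
        claims = json.loads(b64url_decode(p))
        given_sig = b64url_decode(s)
    except (ValueError, UnicodeDecodeError):
        raise InvalidToken("undecodable token")
    # 1. The token does not get to choose the algorithm: pin it. This is
    #    what defeats "alg": "none" and HS256/RS256 confusion.
    if header.get("alg") != PINNED_ALG:
        raise InvalidToken(f"unexpected alg {header.get('alg')!r}")
    # 2. Constant-time signature check over the exact bytes received.
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given_sig):
        raise InvalidToken("bad signature")
    # 3. Only now trust the claims: lifetime, issuer, audience, subject.
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now > exp + CLOCK_SKEW_S:
        raise InvalidToken("expired or missing exp")
    if now + CLOCK_SKEW_S < claims.get("nbf", 0):
        raise InvalidToken("not yet valid")
    if claims.get("iss") != ISSUER:
        raise InvalidToken("wrong issuer")
    aud = claims.get("aud")
    if AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise InvalidToken("token was not issued for this API")
    if not claims.get("sub"):
        raise InvalidToken("no subject")
    return claims


def authenticate(authorization_header: str, now: Optional[float] = None) -> str:
    """Gateway entry point: returns the subject to attach to the request
    (for example as a header the backend trusts) or raises InvalidToken."""
    scheme, _, token = authorization_header.partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        raise InvalidToken("no bearer token")
    return verify(token.strip(), now)["sub"]
```

The order of the checks matters: algorithm first, signature second, claims last, so nothing in the payload is acted on before the signature proves who wrote it.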

Whichever API gateway you choose, make sure it can enforce rate limits keyed on the authenticated identity, not just on the client IP. Limiting how often a given user can call the API curbs abuse by a single account, and a separate, tighter limit on the login endpoint itself slows brute-force and credential-stuffing attempts. Edge Stack, for example, can attach rate limits to authenticated profiles so that one caller cannot exhaust shared resources. Per-identity limits matter most for applications with several user tiers, where each role can be given its own quota while the system as a whole stays available.

The Growing Security Threat: Unrestricted API Access

Exposing more and more APIs without limits on how much, and how fast, a client may consume leads to a range of problems, from outages to financial loss.

Two of the top 10 API security threats revolve around unrestricted access:

  • Unrestricted resource consumption is the denial-of-service and cost side of the problem. Attackers send many concurrent or expensive requests, and an API with no limits on request rate, payload size, result page size or resource usage becomes unresponsive. The 2023 entry also covers cost: if an endpoint triggers paid operations such as sending SMS messages or calling a metered third-party API, an attacker can run up the bill without ever taking the service down. During reconnaissance, attackers look for endpoints whose parameters (large page sizes, batch operations) make each request disproportionately expensive, and use response times to confirm it.
  • Unrestricted access to sensitive business flows is abuse of the business process behind an API rather than of a technical flaw. An example is programmatic scalping, where attackers script a ticket seller’s purchase flow to buy up inventory for resale the moment it goes on sale. The mechanics are ordinary API calls, but the damage is to the business and to genuine users who cannot buy. Plain rate limits help, but this entry usually also needs bot detection, device fingerprinting or step-up challenges on the sensitive flow.

Choose a gateway that enforces rate limits, the basic control against both malicious and accidental abuse of system resources. With limits in place, a flood of requests is rejected at the edge instead of reaching the services behind it.

Limits should vary by endpoint and by the kind of caller: a cheap read endpoint can tolerate a high rate, an expensive report or a checkout flow should get a low one, and anonymous traffic should get a smaller share than authenticated or partner traffic. This granularity keeps critical endpoints available to legitimate users while bounding what any single caller can consume.

Here is how an API gateway can help with denial-of-service traffic in practice, through two mechanisms:

  • Developers set request thresholds per route and per identity; traffic above the threshold is rejected with a 429 response and a Retry-After header, which both protects the backend and gives you a signal for detecting an attack.
  • The gateway caches responses to cacheable, idempotent requests, which cuts backend load both in normal use and during a flood of repeated reads. Caching does nothing for unique or authenticated requests, and neither mechanism absorbs a volumetric DDoS that saturates the network in front of the gateway; that layer belongs to a CDN or DDoS-scrubbing provider.
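The per-identity, per-route limiting recommended in the authentication section above and in this section is the same mechanism, so one added example serves both. It is written for this page and is not code from the article, from Edge Stack or from any other gateway. It implements a token bucket keyed on (principal, route), where the principal is the verified subject or, for anonymous traffic, the client IP; each route has its own policy, and a role multiplier scales it, so a partner gets a larger quota than a customer and an anonymous caller a smaller one. The routes, numbers and role tiers are constructed for the demo, and the clock is injectable so the refill logic can be exercised without waiting.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple


@dataclass(frozen=True)
class Policy:
    rate: float   # tokens refilled per second
    burst: int    # bucket capacity, i.e. how many requests may arrive at once


# Constructed route policies: cheap reads get a generous limit, an expensive
# report endpoint a low one, the checkout flow a tiny one so a scalping
# script cannot buy out stock in one burst, and login a limit that makes
# credential stuffing impractical.
ROUTE_POLICIES: Dict[str, Policy] = {
    "GET /orders": Policy(rate=10.0, burst=50),
    "GET /reports": Policy(rate=0.1, burst=2),
    "POST /checkout": Policy(rate=0.05, burst=3),
    "POST /login": Policy(rate=0.2, burst=5),
}
DEFAULT_POLICY = Policy(rate=1.0, burst=5)
# Role tier scales the route policy; anonymous callers get the smallest share.
ROLE_MULTIPLIER = {"anonymous": 0.2, "customer": 1.0, "partner": 5.0}


@dataclass
class Bucket:
    tokens: float
    updated: float


@dataclass
class RateLimiter:
    clock: Callable[[], float] = time.monotonic
    buckets: Dict[Tuple[str, str], Bucket] = field(default_factory=dict)

    def policy_for(self, route: str, role: str) -> Policy:
        base = ROUTE_POLICIES.get(route, DEFAULT_POLICY)
        m = ROLE_MULTIPLIER.get(role, ROLE_MULTIPLIER["anonymous"])
        return Policy(rate=base.rate * m, burst=max(1, int(base.burst * m)))

    def allow(self, principal: str, role: str, route: str, cost: int = 1) -> Tuple[bool, float]:
        """principal is the verified subject, or the client IP for anonymous
        traffic. Returns (allowed, seconds until a request of this cost fits),
        the second value being what goes into a Retry-After header."""
        pol = self.policy_for(route, role)
        now = self.clock()
        key = (principal, route)
        b = self.buckets.get(key)
        if b is None:
            b = self.buckets[key] = Bucket(tokens=float(pol.burst), updated=now)
        # Refill for the time elapsed since the last request, capped at burst.
        b.tokens = min(float(pol.burst), b.tokens + (now - b.updated) * pol.rate)
        b.updated = now
        if b.tokens >= cost:
            b.tokens -= cost
            return True, 0.0
        return False, (cost - b.tokens) / pol.rate
```

The cost parameter is what lets one endpoint count more than another: a batch request or a large page size can be charged several tokens, which is the direct answer to the “well-crafted, disproportionately expensive request” pattern described above. In a real deployment the bucket table would live in a shared store such as Redis so every gateway replica sees the same counts.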

The Ubiquitous Security Threat: Data Validation

Data validation and sanitization play crucial roles in maintaining the authenticity and safety of the information being processed.

Server-side request forgery (SSRF) is the data-validation entry on the list. It occurs when an API fetches a resource from a URL supplied by the client without validating it. The attacker then uses the application as a proxy to send requests to destinations of their choosing, typically internal hosts that sit behind the perimeter firewall or VPN and were never meant to be reachable from outside. OWASP puts it clearly:

“More dangerous — Modern technologies like cloud providers, Kubernetes, and Docker expose management and control channels over HTTP on predictable, well-known paths. Those channels are an easy target for an SSRF attack.”

Completely eradicating SSRF risk is hard, and the protective measures you choose have to balance business needs against operational cost. A gateway that validates input and output against a schema and blocks known-malicious content helps, but it only sees the request shape, not what the backend does with a URL. The decisive controls are in the service that makes the outbound request and in the network around it: an allowlist of permitted schemes and destinations, refusal to follow redirects, blocking of private, link-local and cloud-metadata addresses, and egress network policy as a backstop for anything the application-level check misses.
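An SSRF guard of the kind described above, as an added example written for this page rather than code from the article or any gateway product. It accepts a client-supplied URL only if the scheme is https, the URL carries no embedded credentials, the host is not a literal address in a private, loopback, link-local or otherwise internal range (including decimal and hex encodings such as 2130706433 or 0x7f000001, and IPv4-mapped IPv6), and the host is on an allowlist. The allowlisted hostnames are constructed. Note the caveat in the comments: this check does not resolve DNS, so a name that later resolves to an internal address (DNS rebinding) must be caught by the component that actually opens the connection, with egress policy behind it.

```python
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https"}
# Hypothetical partner hosts this service is allowed to fetch from.
ALLOWED_HOSTS = {"api.partner.example", "cdn.partner.example"}


class UnsafeURL(ValueError):
    pass


def is_internal_ip(host: str) -> bool:
    """True if host is a literal IP in a range no outbound fetch should reach.
    Hostnames (non-literals) return False; they are handled by the allowlist."""
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        # Not dotted or colon notation. Also catch integer and hex forms such
        # as 2130706433 or 0x7f000001 that many HTTP clients accept as 127.0.0.1.
        try:
            ip = ipaddress.ip_address(int(host, 0))
        except ValueError:
            return False
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped          # ::ffff:127.0.0.1 is still 127.0.0.1
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def check_fetch_url(url: str) -> str:
    """Return the URL if it is safe to hand to an outbound fetcher, else raise.
    Does NOT resolve DNS: rebinding must be handled at connect time."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise UnsafeURL(f"scheme {parts.scheme!r} not allowed")
    if parts.username or parts.password:
        # Defeats https://api.partner.example@169.254.169.254/ style tricks.
        raise UnsafeURL("credentials embedded in URL")
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        raise UnsafeURL("no host")
    if is_internal_ip(host):
        raise UnsafeURL(f"internal address {host}")
    if host not in ALLOWED_HOSTS:
        raise UnsafeURL(f"host {host} not in allowlist")
    return url


def is_safe_fetch_url(url: str) -> bool:
    try:
        check_fetch_url(url)
        return True
    except UnsafeURL:
        return False
```

The allowlist is the strongest of these checks; the address-range checks exist for the case where the business requirement is “fetch from any public host”, where a denylist of internal ranges is the best that can be done at this layer.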

Filtering potentially harmful data before it reaches the backend is still valuable, both because it stops the obvious attempts cheaply and because a rejected request at the edge is a clean detection signal.

The External Security Threat: Third-Party Risks

Dependencies on third-party software and services introduce vulnerabilities you did not write. Unsafe consumption of APIs, the last entry on the list, is the tendency to trust data from a third-party API more than data from end users: developers do not verify the endpoints they integrate, follow redirects the upstream returns, and pass upstream responses straight into their own SQL or business logic. The third-party API may also lack the protections covered above, such as TLS, authentication and input validation, and a compromised partner becomes a path into your system.

Feeding API gateway logs into routine security reviews gives a system-wide view of traffic patterns, which upstreams are called, and where things look wrong, including outbound calls to third parties when those are also routed through the gateway.

Alongside, schedule periodic vulnerability assessments for the API and its environment. These cover the infrastructure, unpatched components and the third-party integrations themselves, and keep the defenses current as those dependencies change.
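Consuming a third-party API safely, as an added example written for this page (not code from the article or any gateway product). The client verifies TLS, sets a timeout, refuses to follow redirects, caps the response size before parsing, and validates the response against the contract the service expects rather than whatever arrives: exact field set, exact types (note that Python’s bool is a subclass of int and must be excluded explicitly), and value bounds. The contract and the sample responses are constructed for the demo; the network call itself is not exercised.

```python
import json
import ssl
import urllib.request

MAX_BODY = 64 * 1024   # cap before parsing; an unbounded JSON body is a DoS
TIMEOUT_S = 5

# Hypothetical contract for the partner's /price endpoint.
EXPECTED_FIELDS = {"sku": str, "price_cents": int, "in_stock": bool}


class UpstreamError(Exception):
    pass


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """A compromised or misconfigured partner must not be able to bounce us
    to an internal host or an attacker's server."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        raise UpstreamError(f"refusing redirect to {newurl}")


def make_opener() -> urllib.request.OpenerDirector:
    ctx = ssl.create_default_context()   # verifies chain and hostname
    return urllib.request.build_opener(NoRedirect(), urllib.request.HTTPSHandler(context=ctx))


def fetch_partner_price(url: str) -> dict:
    if not url.startswith("https://"):
        raise UpstreamError("plaintext upstream not allowed")
    with make_opener().open(url, timeout=TIMEOUT_S) as resp:
        body = resp.read(MAX_BODY + 1)
        return validate_partner_payload(resp.headers.get("Content-Type", ""), body)


def validate_partner_payload(content_type: str, body: bytes) -> dict:
    """Parse and validate against our contract, treating the upstream as
    untrusted input exactly as we would a request from an end user."""
    if not content_type.lower().startswith("application/json"):
        raise UpstreamError(f"unexpected content type {content_type!r}")
    if len(body) > MAX_BODY:
        raise UpstreamError("body too large")
    try:
        data = json.loads(body)
    except ValueError:
        raise UpstreamError("not JSON")
    if not isinstance(data, dict):
        raise UpstreamError("expected a JSON object")
    unknown = set(data) - set(EXPECTED_FIELDS)
    if unknown:
        raise UpstreamError(f"unexpected fields {sorted(unknown)}")
    for name, typ in EXPECTED_FIELDS.items():
        value = data.get(name)
        if not isinstance(value, typ) or (typ is int and isinstance(value, bool)):
            raise UpstreamError(f"field {name} missing or wrong type")
    if not (0 < data["price_cents"] < 10_000_000):
        raise UpstreamError("price out of range")
    if not data["sku"].isalnum() or len(data["sku"]) > 32:
        raise UpstreamError("sku outside contract")
    return data


def partner_payload_ok(content_type: str, body: bytes) -> bool:
    try:
        validate_partner_payload(content_type, body)
        return True
    except UpstreamError:
        return False
```

Rejecting unknown fields is deliberate: a partner adding a `redirect_to` or `callback_url` field should fail loudly in testing rather than silently flow into code that later treats it as trusted.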

The Neglected Security Threat: Misconfiguration

Improperly configured systems are easy to overlook and quietly expose sensitive data or functionality. Attackers scan for exposed endpoints, unpatched components, missing transport and browser protections (no TLS, permissive CORS) and verbose error messages. Correct configuration is fundamental, and here is how your API gateway should carry its share of it:

  1. Encryption in transit: The gateway should terminate TLS on every exposed endpoint so that data in transit cannot be read or altered, and should redirect or refuse plaintext HTTP; Edge Stack, for example, can enforce TLS for all API endpoints. Do not confuse this with encryption at rest, which is the responsibility of the databases and storage behind the gateway, not of the gateway itself.
  2. Error handling and information-leak prevention: Configure the gateway to replace detailed error responses from backends (stack traces, database errors, framework version strings) with a generic message to the client. The detail should still be recorded server-side under a request ID so responders can correlate the client-facing error with the real cause.
  3. Continuous updates and patching: Choose a gateway that constantly updates to address security flaws and promptly implements patches for known vulnerabilities, thereby reducing the window of opportunity for attackers.
  4. Logging and monitoring: Configure the gateway to log API requests and responses so there is a record for post-incident analysis and forensics, but redact Authorization headers, tokens and other secrets before they reach the log, or the log itself becomes the breach. Your operations or security team can monitor these logs for suspicious activity and anomalies. Choose a tool that integrates with your SIEM, so logging is centralized and the SIEM’s correlation rules and real-time alerting apply to gateway traffic as well.
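Items 2 and 4 above, error handling and logging, meet in one place: what the gateway does to an upstream response before it reaches the client. The following is an added example written for this page, not code from the article, from Edge Stack or from any other gateway. It strips server fingerprint headers, adds transport-security headers, replaces leaky error bodies (any 5xx, or a 4xx whose body looks like a stack trace or database error) with a generic JSON error carrying a request ID, and records the original detail in a structured log record for the SIEM. The marker strings, the header lists and the sample upstream responses are constructed.

```python
import json
import logging
import uuid
from typing import Dict, List, Optional, Tuple

log = logging.getLogger("gateway.edge")

FINGERPRINT_HEADERS = {"server", "x-powered-by", "x-aspnet-version", "x-runtime"}
SECURITY_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Cache-Control": "no-store",
}
# Constructed: fragments that betray a stack trace or database error in a body.
LEAK_MARKERS = (
    "Traceback (most recent call last)",
    "You have an error in your SQL syntax",
    "ORA-",
    "SQLSTATE",
    "at java.",
    "Stack trace:",
)


def looks_leaky(status: int, body: bytes) -> bool:
    text = body.decode("utf-8", "replace")
    return status >= 500 or (status >= 400 and any(m in text for m in LEAK_MARKERS))


def sanitize_response(status: int, headers: Dict[str, str], body: bytes,
                      request_id: Optional[str] = None,
                      sink: Optional[List[dict]] = None) -> Tuple[int, Dict[str, str], bytes]:
    """Return (status, headers, body) safe to send to the client. `sink`
    receives the structured log record (a list here; a SIEM forwarder in
    practice). Secrets are never in the record: only the upstream body,
    status and request id."""
    request_id = request_id or str(uuid.uuid4())
    out = {k: v for k, v in headers.items() if k.lower() not in FINGERPRINT_HEADERS}
    out.update(SECURITY_HEADERS)
    out["X-Request-Id"] = request_id
    record = {"request_id": request_id, "upstream_status": status, "sanitized": False}

    if looks_leaky(status, body):
        # Keep the trace for responders, never for the caller.
        record["sanitized"] = True
        record["upstream_body"] = body.decode("utf-8", "replace")[:4096]
        body = json.dumps({"error": "internal error", "request_id": request_id}).encode()
        out = {k: v for k, v in out.items() if k.lower() not in {"content-type", "content-length"}}
        out["Content-Type"] = "application/json"
        out["Content-Length"] = str(len(body))

    if sink is not None:
        sink.append(record)
    else:
        log.error("%s", json.dumps(record))
    return status, out, body
```

The request ID is the link between the two halves: the client sees only `{"error": "internal error", "request_id": ...}`, and a responder searching the SIEM for that ID finds the full upstream body.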

Taking API Security Seriously

API security is crucial in modern software ecosystems because of the pivotal role APIs play. While they open up a world of integration and extension, they also introduce a set of security challenges that must be addressed deliberately. An API gateway is the natural enforcement point for authentication, rate limiting, transport security and edge-level validation, but it is not a substitute for authorization and validation inside the services themselves, where the object-level and property-level failures at the top of the OWASP list are actually fixed. With that in mind, here are a few specifics to consider when choosing one:

  • Is it cloud native? A Kubernetes-native API gateway is built for container orchestration environments: it is configured through Kubernetes resources and follows service discovery, scaling and routing changes as they happen in the cluster. Edge Stack is an example of a Kubernetes-native API gateway.
  • Or is it all-encompassing? More generic API gateways, like Kong or Gloo, are versatile and can be deployed in various environments, including Kubernetes. However, they are not inherently tailored to the specific nuances of Kubernetes. They demand more manual configuration but are often very adaptable and include other suite tools in the API development life cycle that you may find handy. All-encompassing solutions may not provide the same level of automatic service discovery, load balancing, and dynamic routing as Kubernetes-centric counterparts, potentially requiring more hands-on management.
  • OSS or commercial? There are a variety of open source options you can play around with, including KrakenD open source API gateway, Emissary Ingress, Tyk’s open source option, or Apache APISIX. Open source options are great for trying out, but don’t always have the support and scalability of a well-maintained commercial option.

Whatever you choose, make sure the gateway addresses the concerns above concretely: which authentication methods it verifies and how strictly, what it can rate-limit on, what it logs and redacts, and how it handles errors and TLS. Knowing the vulnerabilities that accompany APIs, and using a gateway designed to counter them, is a necessary part of the defense.

By prioritizing API security, organizations protect their digital assets and cultivate trust with their user base, ensuring sustainable growth and technological innovation. For more on which API Gateway tool might make the most sense for your team, download Ambassador Labs’ API Buyers Guide. 

TNS owner Insight Partners is an investor in: Docker, Ambassador Labs.