API Security – Are You Secure from OWASP 2019 Top 10?
Firstly, Happy New Year. 2020 is going to be an exciting year for Fox Red Risk. We have lots of cool new offerings in the pipeline to support businesses large and small in the thankless task of keeping secure. If you have resource gaps and need support, then let us know. Right, back to the main topic! Over the last few years, developers have gone API crazy. Which means they are everywhere and API security must be part of your wider information security strategy. Here’s why…
What is an API?
Before you can begin considering API security it’s worth giving those not of a technical background a brief explanation as to what an Application Program Interface (API) actually is and what it does. An API is:
“An API specifies how software components should interact. A good API makes it easier to develop a program by providing all the building blocks. A programmer then puts the blocks together.”
You have probably interacted with APIs without even knowing it. Most likely you are interacting with APIs all the time. The free #FoxSecCal security controls hashtag utilises an API to automate the delivery of tweets throughout the year so us humans can get on and do more useful work.
“Time waits for no man. Unless that man is Chuck Norris.”
There are however serious applications for APIs. Those in the UK will have no doubt heard of Open Banking where customers can:
“Get ready for a world of apps and websites, where you can choose new financial products and services from providers regulated by the Financial Conduct Authority (FCA) and European equivalents.”
So my Bank is opening up my account details to Third-Party App Developers via an API?
In a word, Yes! The UK’s nine largest banks and building societies must make your data available through Open Banking. So if you’re in the UK and bank with the likes of HSBC, Barclays, Lloyds, Santander, RBS or Banks that operate using their infrastructure such as Tesco Bank, M&S, then you can take advantage of connecting your Bank account to thousands of new applications! Application Providers such as Bippit, Fractal Labs and Skrill and many, many more.
This is not just in Banking, there are tens of thousands of APIs. A significant volume of these APIs is interacting with systems containing personal and sensitive data. If they are not directly transmitting personal or sensitive data, they are connecting to and from systems which we all rely on. The question we should be asking is:
“How secure are these APIs?”
Are my API Secure?
The short answer is, it depends? If you’re asking this question as part of the InfoSec Team then it’s highly likely the answer is more likely, no, no they are not! That could be a major problem depending on what your APIs are doing? In 2019 there were a number of security breaches involving poor API security. Take the British Airways breach that may result in a £183million GDPR fine or the JustDial breach in India. Each of these incidents had poor API security. As more and more systems become integrated through APIs, it is even more important that robust API security controls are in place.
API Security – How can I secure my APIs?
The first step is to understand your environment. You need to do a thorough review of your environment. If you have a Security Operations Team, they should be able to help with the discovery of API activity by reviewing the services used by your organisation. Web APIs calls typically follow a specific structure so a good SOC Analyst should have no problem finding API activity.
An API Security Policy (or sub-section to a wider InfoSec Policy) must be established so that in-house and third-party API development can be governed. Supporting the policy requirements must be an API security standard and one can’t go too far wrong using the OWASP API Security Top 10 2019 as a starting point.
What is the OWASP API Security Top 10 2019
Many may be familiar with the wider Open Web Application Security Project (OWASP). The project has been around for some years now and is an amazing resource. Some of you may also be familiar with tools like OWASP-ZAP which can help you automatically find security vulnerabilities in web applications during development and testing. OWASP-ZAP is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers. If you don’t have OWASP-ZAP in your armoury, you really should! Anyway, back to API security. Whilst you can read the details in full in the OWASP documentation, the current Top 10 are:
- Broken Object Level Authorisation
- Broken User Authentication
- Excessive Data Exposure
- Lack of Resources & Rate Limiting
- Broken Function Level Authorisation
- Mass Assignment
- Security Misconfiguration
- Improper Assets Management
- Insufficient Logging & Monitoring
Each of these vulnerabilities has the capacity to cause your organisation problems so make sure you have systems and controls to first prevent these issues but then to detect whether issues have accidentally (or deliberately) entered into your API applications.
API Security – Anything else to think about?
Don’t forget API security in your supply chain and shadow IT. If you are using third party API services (or your general employee-base are tinkering) then you also need to make sure you have systems and controls to monitor this activity too. APIs are amazing tools but the agility in which applications and datasets can be created may mean Infosec professionals are caught on the backfoot…get yourselves ahead of these potential issues before you’re dealing with the aftermath of a major incident!
About The Author
Stephen Massey is the Managing Director of Fox Red Risk, a boutique Cyber Security and Data Protection consultancy. Stephen has worked in the information security risk, business continuity and data protection world for nearly 20 years. Stephen has delivered complex security programmes across defence, real estate and financial services. Stephen has also authored the popular book “The Ultimate GDPR Practitioner Guide” which is available on Amazon in both paperback and Kindle eBook.
About Fox Red Risk
Fox Red Risk is a boutique data protection and cybersecurity consultancy and Managed Security Service Provider which, amongst other things, helps client organisations with implementing controls frameworks for resilience, data protection and information security risk management. Call us on 020 8242 6047 or contact us via the website to discuss your needs.
22301 22301:2019 27001:2013 article 25 awareness bcms breach change management ciso controller cybersecurity data breach data privacy Data Protection data protection by design data protection officer data protection service Data Subject Access Request DPIA DPO DSAR GDPR incident management information security leadership management Outsourced DPO Privacy processor resilience risk risk appetite risk management ROI security security as a service small business strategic strategy Subject Access Request tools transparency vciso virtual ciso vulnerability scanning