SlideShare a Scribd company logo

Api economy and why effective security is important (1)

I
IndusfacePvtLtd

With the rapid explosion of APIs and the huge exchange of information through APIs, every organization should be concerned about API security. Download this whitepaper to understand API threats and how to mitigate them.

Technology
1 of 9
Download to read offline
WHITEPAPER API Economy and Why Effective Security is Important?
Whitepaper : API Economy and Why Effective Security is Important? Whitepaper | 1 API Economy API has become the lifeline for digital busi- nesses and has opened up new business op- portunities. No longer is API just a technology enabler, but it has grown into a business en- abler, with various business models and part- nerships built on the strength of APIs. This has led to the term API economy. It can be defined as how organizations leverage API to improve their efficiency and profitability by opening up new revenue opportunities. Some of the major recent deals in this sector include Okta acquiring Autho for $6.5 billion acquisition, Salesforce spending $6.5 bil- lion for Mulesoft, and Google acquiring Api- gee for $625 million are testimonials for the importance of API and how it is driving the digital economy. All these deals were made to strengthen the acquirers’ capabilities to support the API economy. Such deals would have not happened unless there are develop- ers that need the right tool to create, deploy, control, monitor, analyze, and secure APIs. In this fast-moving world where technologies are rapidly evolving, the businesses that strive are the ones that leverage APIs and integrate. The winner in the current digital world is “In- tegration” and not “Best in breed”. Security Risk – How attackers target APIs According to Gartner’s research, 90% of ap- plications will have more of their attack sur- face area exposed in the form of APIs instead of UI. It predicts by 2022, API abuses will be the most frequent attack vector. By nature, APIs expose application logic and sensitive data and due to this, they become a natural target for attackers. Since APIs are meant to communicate between applications, the APIs need to be well defined in nature fol- lowing a specific structure, and often, this definition is available in public as it is required by the developers to use those APIs. With this, attackers can easily understand how the API is written, the underlying structure, and armed with this knowledge launch targeted attacks to exploit any vulnerabilities found in APIs. These risks are not something perceived, but are real and in the recent past, there is a sig- nificant jump in attacks targeting APIs. For example: The personal data of Ledger’s customer, a French cryptocurrency wallet company, was exposed not because of the security flaws in the wallet but due to a misconfigured third-party API. Even companies like YouTube, Tesla, and Twitter were not spared. Based on how the YouTube API was writ- ten and how the authorization was handled, hackers were able to upload videos to differ- ent accounts that they did not own. Tesla’s
backup-gateway API also had authentica- tion-related vulnerabilities exposing sys- tem-related information and also certain per- sonal information of the users. Twitter’s Fleet API allowed access to the past-posts older than 24 hrs, which ideally should have been deleted from the public accounts leaving its owners in the dark on who is accessing their tweets. With the rapid explosion of APIs and the huge exchange of information through APIs, every organization should be concerned about how their APIs are being consumed and how they are consuming other APIs. How secure are these APIs and how well are they protected against attacks? OWASP Top 10 API Threat In line with the changing trends and acknowl- edging the boom of the API economy, OWASP, the trusted open-source community lead project geared towards strengthening the security of software, released the API-spe- cific top 10 threats. OWASP Top 10 is known for highlighting the major and common flaws from the security point of view which is prev- alent and commonly exploited by hackers. They generally used to focus on threats found in software but now they have released top 10 threats focused on API. Let’s quickly skim through the Top 10 threats highlighted by OWASP. API1:2019 Broken Object Level Authorization This is an attack that exploits gaps in the authorization layer of APIs. For example, if a getAPI returns details of a user based on ID passed, as part of the getAPI call, autho- rization of the user who is accessing the API should also be checked and validated if the user has permission for the ID. Such checks need to be done at each API call and are done by passing an authorization token as part of the API call and validation of the auth token. If such checks are not done properly, then vul- nerability can be exploited to gain access to data that the user does not have permission for. API2:2019 Broken User Authentication This is a vulnerability that is introduced due to improper implementation of the authenti- cation layer which allows attackers to exploit gaps to assume other user’s identity tempo- rarily or permanently. Such vulnerabilities are introduced because many times convenience is given more importance than security and either improper authentication mechanism like fixed API keys is used or proper validations of the token are not done. API3:2019 Excessive Data Exposure In many cases, developers do not consider the sensitivity and context before returning data for API calls. They end up exposing more information than needed, which then can be exploited by hackers. For example, for login API, as a response instead of saying success or failure, the response also contains addi- tional information like device id, etc. Now this information can be captured by hackers to launch further exploits. Whitepaper : API Economy and Why Effective Security is Important? Whitepaper | 2
Whitepaper : API Economy and Why Effective Security is Important? Whitepaper | 3 API4:2019 Lack of Resources & Rate Limiting Normally there are no rate limits on the number of calls that a client can make, which is then ex- ploited by hackers for denial-of-service attacks making the server not accessible for legitimate users. But such a lack of rate limits can also be used to exploit business logics. For example, if there is OTP implemented in a login where OTP is sent to mobile which user needs to enter but no rate limit is imposed on the POST API that gets the OTP from the user, then a hacker could launch a volumetric attack to guess OTP and by- pass OTP. API5:2019 Broken Function Level Authorization This vulnerability is related to how the authori- zation is done on an API. For example, a custom- er’s API can be used to both GET and Delete. So the authorization needs to be done at the oper- ation level and not only at the API level, as user may have access to the customer’s API but only to access the data and not delete it. API6:2019 Mass Assignment Nowadays, many frameworks for ease of use, al- low mass assignment where the entire input is assigned to a JSON object. For example, a GET user API may also return the permissions and if this is assigned to the object which is then used through HTML injection, the attacker could ma- nipulate permissions and become a super-user. Such mass assignments should not be allowed, and selective assignment should be done to avoid such issues. API7:2019 Security Misconfiguration These kinds of vulnerabilities are introduced due to bad or unplanned configurations which lead to vulnerabilities that can be exploited by hack- ers. Common mistakes around such configura- tions are not disabling the HTTP method when HTTPS is only allowed in APIs, allowing unneces- sary HTTP methods, and permissive CORS, etc. API8:2019 Injection When inputs are provided to APIs and those are passed on by APIs without sanitizing, then it al- lows for such kinds of attacks. For example, say there is a search API to get the list of users from customer name, but instead of customer name, an SQL to delete is sent and API without sanitiz- ing passes it on to DB, then the users get deleted and such an attack is called injection attacks. API9:2019 Improper Assets Management Containers/Kubernetes have enabled engineers to deploy rapidly. This opens up new doors for hackers as there are higher chances for older APIs to be deployed and forgotten, as new APIs are built, new containers are launched with no one worrying or thinking about the security of older APIs. Essentially, it is important to track and document the available APIs and manage those assets. API10:2019 Insufficient Logging & Monitoring All actions performed by the system and APIs need to be logged, monitored, and analyzed for abnormalities. The authentication and authori- zation layers are not sufficient to detect all types of issues. A valid token used from Asia and with- in 5 mins from Australia is abnormal and needs to be detected. Such abnormalities can only be identified if all the actions are sufficiently logged with relevant details and are monitored continu- ously for abnormalities.
Whitepaper : API Economy and Why Effective Security is Important? Whitepaper | 4 API Security with AppTrana At Indusface, we understand APIs are becoming the lifeline and how important is the security of APIs is for organizations. With its risk-based approach, Indusface’s AppTrana is the only solution in the market that provides accurate protection that is tailor-made according to the APIs security posture. Risk Based Approach By nature, APIs expose application logic and sensitive data, and due to this, they are an automat- ic target for hackers. For effective protection, it is imperative that one understands the hacker’s mindset and their approach to prevent attacks. AppTrana with its risk-based approach enables customers to gauge the security posture of the application and helps detect and fix unidentified risks immediately. Customers need to provide swagger/ postman files of their APIs and the AppTrana scanner will take care of the rest by accurately identifying the risk posture of their APIs. Unlike other auto- mated scanners, AppTrana also complements its automated scanner with manual pen-testing to ensure all vulnerabilities, including OWASP top 10 vulnerabilities are identified accurately with- out any false positives. AppTrana also ensures the identification of business logic vulnerabilities which is the most common exploit in the case of APIs.
Whitepaper : API Economy and Why Effective Security is Important? Whitepaper | 5 With the combination of automated scans and manual pen-testing, some of the vulnerabili- ties that AppTrana tests for in APIs include: • Insecure Direct Object References • Restricted Files can be viewed by Direc- tory Listing • Application is vulnerable to Cross-Origin Resource Sharing • Sensitive Information Sent Over Unen- crypted Channel • Application is vulnerable to SQL injection attack • Application is vulnerable to Directory Traversal attack • Application is vulnerable to Email flooding attack • HTTP Request Smuggling attack • Improper Token Management • Application is vulnerable to OTP flooding attack • Abuse of Send-Mail Functionality • Abuse of Send-SMS Functionality • Application is vulnerable to XML Injection attack • Oauth/JWT/SAML Misconfiguration • Valid account can be brute forced • XML-RPC is publicly available • Application is vulnerable to Race Condi- tion Attack • Application is vulnerable to Remote Code Execution attack • Application is vulnerable to Remote file inclusion attack • Application is vulnerable to XML External Entity (XXE) Injection • Application is vulnerable to Xpath Injec- tion attack • Insecure Deserialization • ASP.NET tracing is enabled • Application is vulnerable to SSRF attack • Application’s Apache Server - Status Enabled • Application is vulnerable to Iframe injec- tion attack • Application is vulnerable to Link injection attack • Application is vulnerable to Log Injection attack • Application is vulnerable to OS Command injection attack • Application is vulnerable to Price Manipu- lation attack • Application is vulnerable to Replay Attack • Application is vulnerable to SSI Injection attack • Application’s OTP can be Bypassed • ASP.NET debugging is enabled • Authentication / 2FA bypass using re- sponse manipulation • Cross-Site Web Socket Hijacking • Local File Inclusion Attack – LFI • Mobile No can be ByPassed and used to perform critical transactions • Server-side Template Injection • Application is vulnerable to HTTP Param- eter pollution • Application is vulnerable to URL Redirec- tion attack
Whitepaper : API Economy and Why Effective Security is Important? Whitepaper | 6 API Protection: Once the APIs are bought under AppTrana protection, APIs are protected against at- tacks immediately. AppTrana is equipped with default policies that protect the APIs against the OWASP identified Top 10 API threats. Virtual Patching for all vulnerabilities found: Based on the risk posture identified through API scans, the API protection profile is fur- ther updated to ensure that vulnerabilities identified are patched ensuring there are no risk vectors that hackers can exploit. Patches can be automatic in nature due to the default API-specific policies applied on WAF or due to custom patches written by security experts based on need. Right Security Model Based on Need: Based on the nature of the API definition pro- vided and the kind of vulnerabilities found, AppTrana uses a combination of positive & negative security models to provide effective protection. Since the protection is fine-tuned based on the APIs need after understanding how the APIs are written, there are fewer chances of false positives, unlike the self-learning ap- proach that alternative solutions take. Protection Against API Abuses: AppTrana being a cloud-based WAAP pro- vides a unified solution with integrated CDN, DDoS & BOT protection along with its WAF. This means that any API abuses are identified through its behavior-based BOT/DDoS anom- aly detection policies ensuring maximum protection. Protection of Sensitive Data: AppTrana provides a data loss prevention op- tion, where policies can be enabled for APIs to ensure sensitive data is not sent through APIs. This avoids any accidental leakage of critical data.
Whitepaper : API Economy and Why Effective Security is Important? Whitepaper | 7 API Security Key Capabilities API security is complex, and one needs a comprehensive solution that can tune its protection based on the API’s need. Check out AppTrana now to get the most comprehensive API security solution. Reference: https://www.cloudvector.com/api-data-breaches-in-2020/ AppTrana - Risk based Approach Features Risk Detection Dynamic Scan capabilities for Rest APIs Coverage for OWASP identified Top 10 API Threats Authentication Support for APIs API Discoverability through Swagger /Postman files. Intelligently generate attack payload based on API definition Risk Protection Inspect JSON and XML Layer 7 Protection for OWASP Identified Top 10 API Threats Positive API Security Model API Abuse protection Sensitive Data detection
API Economy and Why Effective Security is Important? Whitepaper : API Economy and Why Effective Security is Important? ABOUT INDUSFACE Indusface is a leading application security SaaS company which secures critical Web, Mobile & API applications of 2000+ global customers using it’s award winning fully managed platform that integrates web application scanner, web appli- cation firewall, DDoS, BOT Mitigation, CDN and threat intelligence engine. The company has been funded by Tata Capital Growth Fund, is Great Place to Work certified, mentioned by analysts like Gartner, Forrester etc in their reports and has been the recipient of many awards such as the Economic Times Top 25, NASSCOM DSCI Top Security Company, Deloitte Asia Top 100 and several other such prestigious recognitions. Bengaluru | Vadodara | Mumbai | New Delhi | San Francisco Contact: marketing@indusface.com Get Instant Protection

Recommended

API Security and OAuth for the Enterprise
API Security and OAuth for the EnterpriseAPI Security and OAuth for the Enterprise
API Security and OAuth for the Enterprise
CA API Management
 
API Abuse - The Anatomy of An Attack
API Abuse - The Anatomy of An AttackAPI Abuse - The Anatomy of An Attack
API Abuse - The Anatomy of An Attack
Nordic APIs
 
API SECURITY by krishna murari and vikas maurya
API SECURITY by krishna murari and vikas mauryaAPI SECURITY by krishna murari and vikas maurya
API SECURITY by krishna murari and vikas maurya
Krishna Murari
 
Applying API Security at Scale
Applying API Security at ScaleApplying API Security at Scale
Applying API Security at Scale
Nordic APIs
 
apidays LIVE LONDON - API Abuse - Comprehension and Prevention by David Stewart
apidays LIVE LONDON - API Abuse - Comprehension and Prevention by David Stewartapidays LIVE LONDON - API Abuse - Comprehension and Prevention by David Stewart
apidays LIVE LONDON - API Abuse - Comprehension and Prevention by David Stewart
apidays
 
Is Your API Being Abused – And Would You Even Notice If It Was?
Is Your API Being Abused – And Would You Even Notice If It Was?Is Your API Being Abused – And Would You Even Notice If It Was?
Is Your API Being Abused – And Would You Even Notice If It Was?
Nordic APIs
 
LF_APIStrat17_OWASP’s Latest Category: API Underprotection
LF_APIStrat17_OWASP’s Latest Category: API UnderprotectionLF_APIStrat17_OWASP’s Latest Category: API Underprotection
LF_APIStrat17_OWASP’s Latest Category: API Underprotection
LF_APIStrat
 
Hacker vs AI
Hacker vs AI Hacker vs AI
Hacker vs AI
Nordic APIs
 

Recommended

API Security and OAuth for the Enterprise
API Security and OAuth for the EnterpriseAPI Security and OAuth for the Enterprise
API Security and OAuth for the Enterprise
CA API Management
 
API Abuse - The Anatomy of An Attack
API Abuse - The Anatomy of An AttackAPI Abuse - The Anatomy of An Attack
API Abuse - The Anatomy of An Attack
Nordic APIs
 
API SECURITY by krishna murari and vikas maurya
API SECURITY by krishna murari and vikas mauryaAPI SECURITY by krishna murari and vikas maurya
API SECURITY by krishna murari and vikas maurya
Krishna Murari
 
Applying API Security at Scale
Applying API Security at ScaleApplying API Security at Scale
Applying API Security at Scale
Nordic APIs
 
apidays LIVE LONDON - API Abuse - Comprehension and Prevention by David Stewart
apidays LIVE LONDON - API Abuse - Comprehension and Prevention by David Stewartapidays LIVE LONDON - API Abuse - Comprehension and Prevention by David Stewart
apidays LIVE LONDON - API Abuse - Comprehension and Prevention by David Stewart
apidays
 
Is Your API Being Abused – And Would You Even Notice If It Was?
Is Your API Being Abused – And Would You Even Notice If It Was?Is Your API Being Abused – And Would You Even Notice If It Was?
Is Your API Being Abused – And Would You Even Notice If It Was?
Nordic APIs
 
LF_APIStrat17_OWASP’s Latest Category: API Underprotection
LF_APIStrat17_OWASP’s Latest Category: API UnderprotectionLF_APIStrat17_OWASP’s Latest Category: API Underprotection
LF_APIStrat17_OWASP’s Latest Category: API Underprotection
LF_APIStrat
 
Hacker vs AI
Hacker vs AI Hacker vs AI
Hacker vs AI
Nordic APIs
 
apidays LIVE Hong Kong - Art and Science of Rate Limits for APIs by Shahnawaz...
apidays LIVE Hong Kong - Art and Science of Rate Limits for APIs by Shahnawaz...apidays LIVE Hong Kong - Art and Science of Rate Limits for APIs by Shahnawaz...
apidays LIVE Hong Kong - Art and Science of Rate Limits for APIs by Shahnawaz...
apidays
 
apidays LIVE Hong Kong - The Business of APIs by Jed Ng
apidays LIVE Hong Kong - The Business of APIs by Jed Ngapidays LIVE Hong Kong - The Business of APIs by Jed Ng
apidays LIVE Hong Kong - The Business of APIs by Jed Ng
apidays
 
apidays LIVE Singapore 2021 - Securing the Open Source supply chain by Liran ...
apidays LIVE Singapore 2021 - Securing the Open Source supply chain by Liran ...apidays LIVE Singapore 2021 - Securing the Open Source supply chain by Liran ...
apidays LIVE Singapore 2021 - Securing the Open Source supply chain by Liran ...
apidays
 
API Fortress - API Monitoring - A False Sense of Security
API Fortress - API Monitoring - A False Sense of SecurityAPI Fortress - API Monitoring - A False Sense of Security
API Fortress - API Monitoring - A False Sense of Security
Patrick Poulin
 
Kondo-ing API Authorization
Kondo-ing API AuthorizationKondo-ing API Authorization
Kondo-ing API Authorization
Nordic APIs
 
Enterprise API deployment best practice
Enterprise API deployment best practiceEnterprise API deployment best practice
Enterprise API deployment best practice
Sanjay Roy
 
The Swisscom APi journey
The Swisscom APi journeyThe Swisscom APi journey
The Swisscom APi journey
Kay Lummitsch - Digital Journeyman
 
Test and Protect Your API
Test and Protect Your APITest and Protect Your API
Test and Protect Your API
SmartBear
 
Balancing Security & Developer Enablement in Enterprise Mobility - Jaime Ryan...
Balancing Security & Developer Enablement in Enterprise Mobility - Jaime Ryan...Balancing Security & Developer Enablement in Enterprise Mobility - Jaime Ryan...
Balancing Security & Developer Enablement in Enterprise Mobility - Jaime Ryan...
CA API Management
 
A How-to Guide to OAuth & API Security
A How-to Guide to OAuth & API SecurityA How-to Guide to OAuth & API Security
A How-to Guide to OAuth & API Security
CA API Management
 
Enabling the Multi-Device Universe
Enabling the Multi-Device UniverseEnabling the Multi-Device Universe
Enabling the Multi-Device Universe
CA API Management
 
Data-driven API Security
Data-driven API SecurityData-driven API Security
Data-driven API Security
Apigee | Google Cloud
 
apidays LIVE New York 2021 - Playing with FHIR without getting burned by Dav...
apidays LIVE New York 2021 - Playing with FHIR without getting burned by Dav...apidays LIVE New York 2021 - Playing with FHIR without getting burned by Dav...
apidays LIVE New York 2021 - Playing with FHIR without getting burned by Dav...
apidays
 
Building better security for your API platform using Azure API Management
Building better security for your API platform using Azure API ManagementBuilding better security for your API platform using Azure API Management
Building better security for your API platform using Azure API Management
Eldert Grootenboer
 
CIS13: APIs, Identity, and Securing the Enterprise
CIS13: APIs, Identity, and Securing the EnterpriseCIS13: APIs, Identity, and Securing the Enterprise
CIS13: APIs, Identity, and Securing the Enterprise
CloudIDSummit
 
OAuth: The Next Big Thing in Security
OAuth: The Next Big Thing in SecurityOAuth: The Next Big Thing in Security
OAuth: The Next Big Thing in Security
Apigee | Google Cloud
 
Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...
Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...
Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...
CA API Management
 
Bigger, Better Business With OAuth
Bigger, Better Business With OAuthBigger, Better Business With OAuth
Bigger, Better Business With OAuth
Apigee | Google Cloud
 
Mobile App Hacking In A Nutshell
Mobile App Hacking In A NutshellMobile App Hacking In A Nutshell
Mobile App Hacking In A Nutshell
Prathan Phongthiproek
 
5 Pillars of API Management
5 Pillars of API Management5 Pillars of API Management
5 Pillars of API Management
Rich Graham
 
F5-API-Security-Best-Practices.pdf
F5-API-Security-Best-Practices.pdfF5-API-Security-Best-Practices.pdf
F5-API-Security-Best-Practices.pdf
FahmiDzikrullah
 
5 pillars of API Management
5 pillars of API Management5 pillars of API Management
5 pillars of API Management
James Farley-Sutton
 

More Related Content

What's hot

A How-to Guide to OAuth & API Security
A How-to Guide to OAuth & API SecurityA How-to Guide to OAuth & API Security
A How-to Guide to OAuth & API Security
CA API Management
 
Enabling the Multi-Device Universe
Enabling the Multi-Device UniverseEnabling the Multi-Device Universe
Enabling the Multi-Device Universe
CA API Management
 
OAuth: The Next Big Thing in Security
OAuth: The Next Big Thing in SecurityOAuth: The Next Big Thing in Security
OAuth: The Next Big Thing in Security
Apigee | Google Cloud
 
Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...
Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...
Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...
CA API Management
 
5 Pillars of API Management
5 Pillars of API Management5 Pillars of API Management
5 Pillars of API Management
Rich Graham
 

What's hot (20)

apidays LIVE Hong Kong - Art and Science of Rate Limits for APIs by Shahnawaz...
apidays LIVE Hong Kong - Art and Science of Rate Limits for APIs by Shahnawaz...apidays LIVE Hong Kong - Art and Science of Rate Limits for APIs by Shahnawaz...
apidays LIVE Hong Kong - Art and Science of Rate Limits for APIs by Shahnawaz...
 
apidays LIVE Hong Kong - The Business of APIs by Jed Ng
apidays LIVE Hong Kong - The Business of APIs by Jed Ngapidays LIVE Hong Kong - The Business of APIs by Jed Ng
apidays LIVE Hong Kong - The Business of APIs by Jed Ng
 
apidays LIVE Singapore 2021 - Securing the Open Source supply chain by Liran ...
apidays LIVE Singapore 2021 - Securing the Open Source supply chain by Liran ...apidays LIVE Singapore 2021 - Securing the Open Source supply chain by Liran ...
apidays LIVE Singapore 2021 - Securing the Open Source supply chain by Liran ...
 
API Fortress - API Monitoring - A False Sense of Security
API Fortress - API Monitoring - A False Sense of SecurityAPI Fortress - API Monitoring - A False Sense of Security
API Fortress - API Monitoring - A False Sense of Security
 
Kondo-ing API Authorization
Kondo-ing API AuthorizationKondo-ing API Authorization
Kondo-ing API Authorization
 
Enterprise API deployment best practice
Enterprise API deployment best practiceEnterprise API deployment best practice
Enterprise API deployment best practice
 
The Swisscom APi journey
The Swisscom APi journeyThe Swisscom APi journey
The Swisscom APi journey
 
Test and Protect Your API
Test and Protect Your APITest and Protect Your API
Test and Protect Your API
 
Balancing Security & Developer Enablement in Enterprise Mobility - Jaime Ryan...
Balancing Security & Developer Enablement in Enterprise Mobility - Jaime Ryan...Balancing Security & Developer Enablement in Enterprise Mobility - Jaime Ryan...
Balancing Security & Developer Enablement in Enterprise Mobility - Jaime Ryan...
 
A How-to Guide to OAuth & API Security
A How-to Guide to OAuth & API SecurityA How-to Guide to OAuth & API Security
A How-to Guide to OAuth & API Security
 
Enabling the Multi-Device Universe
Enabling the Multi-Device UniverseEnabling the Multi-Device Universe
Enabling the Multi-Device Universe
 
Data-driven API Security
Data-driven API SecurityData-driven API Security
Data-driven API Security
 
apidays LIVE New York 2021 - Playing with FHIR without getting burned by Dav...
apidays LIVE New York 2021 - Playing with FHIR without getting burned by Dav...apidays LIVE New York 2021 - Playing with FHIR without getting burned by Dav...
apidays LIVE New York 2021 - Playing with FHIR without getting burned by Dav...
 
Building better security for your API platform using Azure API Management
Building better security for your API platform using Azure API ManagementBuilding better security for your API platform using Azure API Management
Building better security for your API platform using Azure API Management
 
CIS13: APIs, Identity, and Securing the Enterprise
CIS13: APIs, Identity, and Securing the EnterpriseCIS13: APIs, Identity, and Securing the Enterprise
CIS13: APIs, Identity, and Securing the Enterprise
 
OAuth: The Next Big Thing in Security
OAuth: The Next Big Thing in SecurityOAuth: The Next Big Thing in Security
OAuth: The Next Big Thing in Security
 
Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...
Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...
Managing Identity by Giving Up Control - Scott Morrison, SVP & Distinguished ...
 
Bigger, Better Business With OAuth
Bigger, Better Business With OAuthBigger, Better Business With OAuth
Bigger, Better Business With OAuth
 
Mobile App Hacking In A Nutshell
Mobile App Hacking In A NutshellMobile App Hacking In A Nutshell
Mobile App Hacking In A Nutshell
 
5 Pillars of API Management
5 Pillars of API Management5 Pillars of API Management
5 Pillars of API Management
 

Similar to Api economy and why effective security is important (1)

The Anatomy of an API: 2023 Edition
The Anatomy of an API: 2023 EditionThe Anatomy of an API: 2023 Edition
The Anatomy of an API: 2023 Edition
Treblle
 
Secure your app against DDOS, API Abuse, Hijacking, and Fraud
Secure your app against DDOS, API Abuse, Hijacking, and Fraud Secure your app against DDOS, API Abuse, Hijacking, and Fraud
Secure your app against DDOS, API Abuse, Hijacking, and Fraud
Tu Pham
 
Hybrid cloud-cloud-services-white-paper-external-apw12358usen-20180516
Hybrid cloud-cloud-services-white-paper-external-apw12358usen-20180516Hybrid cloud-cloud-services-white-paper-external-apw12358usen-20180516
Hybrid cloud-cloud-services-white-paper-external-apw12358usen-20180516
Tanjina Prema
 
Navigating-the-API-Ecosystem-Strategies-for-Effective-Management-in-the-Banki...
Navigating-the-API-Ecosystem-Strategies-for-Effective-Management-in-the-Banki...Navigating-the-API-Ecosystem-Strategies-for-Effective-Management-in-the-Banki...
Navigating-the-API-Ecosystem-Strategies-for-Effective-Management-in-the-Banki...
Techwave Consulting
 

Similar to Api economy and why effective security is important (1) (20)

F5-API-Security-Best-Practices.pdf
F5-API-Security-Best-Practices.pdfF5-API-Security-Best-Practices.pdf
F5-API-Security-Best-Practices.pdf
 
5 pillars of API Management
5 pillars of API Management5 pillars of API Management
5 pillars of API Management
 
5 Pillars of API Management
5 Pillars of API Management5 Pillars of API Management
5 Pillars of API Management
 
apidays LIVE Hong Kong - API Abuse - Comprehension and Prevention by David St...
apidays LIVE Hong Kong - API Abuse - Comprehension and Prevention by David St...apidays LIVE Hong Kong - API Abuse - Comprehension and Prevention by David St...
apidays LIVE Hong Kong - API Abuse - Comprehension and Prevention by David St...
 
How to Develop APIs - Importance, Types, Tools, Terminology, and Best Practic...
How to Develop APIs - Importance, Types, Tools, Terminology, and Best Practic...How to Develop APIs - Importance, Types, Tools, Terminology, and Best Practic...
How to Develop APIs - Importance, Types, Tools, Terminology, and Best Practic...
 
The Anatomy of an API: 2023 Edition
The Anatomy of an API: 2023 EditionThe Anatomy of an API: 2023 Edition
The Anatomy of an API: 2023 Edition
 
apidays LIVE New York 2021 - API Security & AI by Deb Roy, Accenture
apidays LIVE New York 2021 - API Security & AI by Deb Roy, Accentureapidays LIVE New York 2021 - API Security & AI by Deb Roy, Accenture
apidays LIVE New York 2021 - API Security & AI by Deb Roy, Accenture
 
2022 APIsecure_A day in the life of an API; Fighting the odds
2022 APIsecure_A day in the life of an API; Fighting the odds2022 APIsecure_A day in the life of an API; Fighting the odds
2022 APIsecure_A day in the life of an API; Fighting the odds
 
Guide To API Development – Cost, Importance, Types, Tools, Terminology, and B...
Guide To API Development – Cost, Importance, Types, Tools, Terminology, and B...Guide To API Development – Cost, Importance, Types, Tools, Terminology, and B...
Guide To API Development – Cost, Importance, Types, Tools, Terminology, and B...
 
apidays LIVE Paris 2021 - API Attack Simulator - Find your API vulnerabilitie...
apidays LIVE Paris 2021 - API Attack Simulator - Find your API vulnerabilitie...apidays LIVE Paris 2021 - API Attack Simulator - Find your API vulnerabilitie...
apidays LIVE Paris 2021 - API Attack Simulator - Find your API vulnerabilitie...
 
Role of API Gateways in API Management.pdf
Role of API Gateways in API Management.pdfRole of API Gateways in API Management.pdf
Role of API Gateways in API Management.pdf
 
A REVIEW PAPER ON API MALWARE ANALYSIS AND FORENSICS
A REVIEW PAPER ON API MALWARE ANALYSIS AND FORENSICSA REVIEW PAPER ON API MALWARE ANALYSIS AND FORENSICS
A REVIEW PAPER ON API MALWARE ANALYSIS AND FORENSICS
 
Guide To API Development.pdf
Guide To API Development.pdfGuide To API Development.pdf
Guide To API Development.pdf
 
Secure your app against DDOS, API Abuse, Hijacking, and Fraud
Secure your app against DDOS, API Abuse, Hijacking, and Fraud Secure your app against DDOS, API Abuse, Hijacking, and Fraud
Secure your app against DDOS, API Abuse, Hijacking, and Fraud
 
Hybrid cloud-cloud-services-white-paper-external-apw12358usen-20180516
Hybrid cloud-cloud-services-white-paper-external-apw12358usen-20180516Hybrid cloud-cloud-services-white-paper-external-apw12358usen-20180516
Hybrid cloud-cloud-services-white-paper-external-apw12358usen-20180516
 
APIsecure 2023 - AI in API Security, Carolina Ruiz (Brier & Thorn)
APIsecure 2023 - AI in API Security, Carolina Ruiz (Brier & Thorn)APIsecure 2023 - AI in API Security, Carolina Ruiz (Brier & Thorn)
APIsecure 2023 - AI in API Security, Carolina Ruiz (Brier & Thorn)
 
Navigating-the-API-Ecosystem-Strategies-for-Effective-Management-in-the-Banki...
Navigating-the-API-Ecosystem-Strategies-for-Effective-Management-in-the-Banki...Navigating-the-API-Ecosystem-Strategies-for-Effective-Management-in-the-Banki...
Navigating-the-API-Ecosystem-Strategies-for-Effective-Management-in-the-Banki...
 
apidays London 2023 - APIs: The Attack Surface That Connects Us All, Stefan M...
apidays London 2023 - APIs: The Attack Surface That Connects Us All, Stefan M...apidays London 2023 - APIs: The Attack Surface That Connects Us All, Stefan M...
apidays London 2023 - APIs: The Attack Surface That Connects Us All, Stefan M...
 
What are ap is, how do they work, and why are they beneficial to developers a...
What are ap is, how do they work, and why are they beneficial to developers a...What are ap is, how do they work, and why are they beneficial to developers a...
What are ap is, how do they work, and why are they beneficial to developers a...
 
OWASP API Security TOP 10 - 2019
OWASP API Security TOP 10 - 2019OWASP API Security TOP 10 - 2019
OWASP API Security TOP 10 - 2019
 

More from IndusfacePvtLtd

More from IndusfacePvtLtd (12)

API7:2019 Security Misconfiguration
API7:2019 Security MisconfigurationAPI7:2019 Security Misconfiguration
API7:2019 Security Misconfiguration
 
OWASP Top 10 API Security Risks
OWASP Top 10 API Security RisksOWASP Top 10 API Security Risks
OWASP Top 10 API Security Risks
 
Indusface and CARTA Whitepaper
Indusface and CARTA WhitepaperIndusface and CARTA Whitepaper
Indusface and CARTA Whitepaper
 
AppTrana Competency Matrix for OWASP Top 10
AppTrana Competency Matrix for OWASP Top 10AppTrana Competency Matrix for OWASP Top 10
AppTrana Competency Matrix for OWASP Top 10
 
AppTrana SECaaS (Security as a Service)
AppTrana SECaaS (Security as a Service)AppTrana SECaaS (Security as a Service)
AppTrana SECaaS (Security as a Service)
 
Why Manual Pen-Testing is a must have for comprehensive application security ...
Why Manual Pen-Testing is a must have for comprehensive application security ...Why Manual Pen-Testing is a must have for comprehensive application security ...
Why Manual Pen-Testing is a must have for comprehensive application security ...
 
10 Types of Cybersecurity Attacks
10 Types of Cybersecurity Attacks10 Types of Cybersecurity Attacks
10 Types of Cybersecurity Attacks
 
Why Startups Need to Strengthen Application Security
Why Startups Need to Strengthen Application SecurityWhy Startups Need to Strengthen Application Security
Why Startups Need to Strengthen Application Security
 
True Cost of Ransomware to Your Business
True Cost of Ransomware to Your BusinessTrue Cost of Ransomware to Your Business
True Cost of Ransomware to Your Business
 
8 Key Considerations in Choosing the Right WAF
8 Key Considerations in Choosing the Right WAF8 Key Considerations in Choosing the Right WAF
8 Key Considerations in Choosing the Right WAF
 
5 Effective Ways for Website Protection
5 Effective Ways for Website Protection5 Effective Ways for Website Protection
5 Effective Ways for Website Protection
 
5 Top Cyber Threats That Will Ruin Your Business
5 Top Cyber Threats That Will Ruin Your Business5 Top Cyber Threats That Will Ruin Your Business
5 Top Cyber Threats That Will Ruin Your Business
 

Recently uploaded

Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
giselly40
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
Enterprise Knowledge
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
UK Journal
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
Delhi Call girls
 

Recently uploaded (20)

Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Evaluating the top large language models.pdf
Evaluating the top large language models.pdfEvaluating the top large language models.pdf
Evaluating the top large language models.pdf
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 

Api economy and why effective security is important (1)

  • 1. WHITEPAPER API Economy and Why Effective Security is Important?
  • 2. Whitepaper : API Economy and Why Effective Security is Important? Whitepaper | 1 API Economy API has become the lifeline for digital busi- nesses and has opened up new business op- portunities. No longer is API just a technology enabler, but it has grown into a business en- abler, with various business models and part- nerships built on the strength of APIs. This has led to the term API economy. It can be defined as how organizations leverage API to improve their efficiency and profitability by opening up new revenue opportunities. Some of the major recent deals in this sector include Okta acquiring Autho for $6.5 billion acquisition, Salesforce spending $6.5 bil- lion for Mulesoft, and Google acquiring Api- gee for $625 million are testimonials for the importance of API and how it is driving the digital economy. All these deals were made to strengthen the acquirers’ capabilities to support the API economy. Such deals would have not happened unless there are develop- ers that need the right tool to create, deploy, control, monitor, analyze, and secure APIs. In this fast-moving world where technologies are rapidly evolving, the businesses that strive are the ones that leverage APIs and integrate. The winner in the current digital world is “In- tegration” and not “Best in breed”. Security Risk – How attackers target APIs According to Gartner’s research, 90% of ap- plications will have more of their attack sur- face area exposed in the form of APIs instead of UI. It predicts by 2022, API abuses will be the most frequent attack vector. By nature, APIs expose application logic and sensitive data and due to this, they become a natural target for attackers. Since APIs are meant to communicate between applications, the APIs need to be well defined in nature fol- lowing a specific structure, and often, this definition is available in public as it is required by the developers to use those APIs. With this, attackers can easily understand how the API is written, the underlying structure, and armed with this knowledge launch targeted attacks to exploit any vulnerabilities found in APIs. These risks are not something perceived, but are real and in the recent past, there is a sig- nificant jump in attacks targeting APIs. For example: The personal data of Ledger’s customer, a French cryptocurrency wallet company, was exposed not because of the security flaws in the wallet but due to a misconfigured third-party API. Even companies like YouTube, Tesla, and Twitter were not spared. Based on how the YouTube API was writ- ten and how the authorization was handled, hackers were able to upload videos to differ- ent accounts that they did not own. Tesla’s
  • 3. backup-gateway API also had authentica- tion-related vulnerabilities exposing sys- tem-related information and also certain per- sonal information of the users. Twitter’s Fleet API allowed access to the past-posts older than 24 hrs, which ideally should have been deleted from the public accounts leaving its owners in the dark on who is accessing their tweets. With the rapid explosion of APIs and the huge exchange of information through APIs, every organization should be concerned about how their APIs are being consumed and how they are consuming other APIs. How secure are these APIs and how well are they protected against attacks? OWASP Top 10 API Threat In line with the changing trends and acknowl- edging the boom of the API economy, OWASP, the trusted open-source community lead project geared towards strengthening the security of software, released the API-spe- cific top 10 threats. OWASP Top 10 is known for highlighting the major and common flaws from the security point of view which is prev- alent and commonly exploited by hackers. They generally used to focus on threats found in software but now they have released top 10 threats focused on API. Let’s quickly skim through the Top 10 threats highlighted by OWASP. API1:2019 Broken Object Level Authorization This is an attack that exploits gaps in the authorization layer of APIs. For example, if a getAPI returns details of a user based on ID passed, as part of the getAPI call, autho- rization of the user who is accessing the API should also be checked and validated if the user has permission for the ID. Such checks need to be done at each API call and are done by passing an authorization token as part of the API call and validation of the auth token. If such checks are not done properly, then vul- nerability can be exploited to gain access to data that the user does not have permission for. API2:2019 Broken User Authentication This is a vulnerability that is introduced due to improper implementation of the authenti- cation layer which allows attackers to exploit gaps to assume other user’s identity tempo- rarily or permanently. Such vulnerabilities are introduced because many times convenience is given more importance than security and either improper authentication mechanism like fixed API keys is used or proper validations of the token are not done. API3:2019 Excessive Data Exposure In many cases, developers do not consider the sensitivity and context before returning data for API calls. They end up exposing more information than needed, which then can be exploited by hackers. For example, for login API, as a response instead of saying success or failure, the response also contains addi- tional information like device id, etc. Now this information can be captured by hackers to launch further exploits. Whitepaper : API Economy and Why Effective Security is Important? Whitepaper | 2
  • 4. Whitepaper : API Economy and Why Effective Security is Important? Whitepaper | 3 API4:2019 Lack of Resources & Rate Limiting Normally there are no rate limits on the number of calls that a client can make, which is then ex- ploited by hackers for denial-of-service attacks making the server not accessible for legitimate users. But such a lack of rate limits can also be used to exploit business logics. For example, if there is OTP implemented in a login where OTP is sent to mobile which user needs to enter but no rate limit is imposed on the POST API that gets the OTP from the user, then a hacker could launch a volumetric attack to guess OTP and by- pass OTP. API5:2019 Broken Function Level Authorization This vulnerability is related to how the authori- zation is done on an API. For example, a custom- er’s API can be used to both GET and Delete. So the authorization needs to be done at the oper- ation level and not only at the API level, as user may have access to the customer’s API but only to access the data and not delete it. API6:2019 Mass Assignment Nowadays, many frameworks for ease of use, al- low mass assignment where the entire input is assigned to a JSON object. For example, a GET user API may also return the permissions and if this is assigned to the object which is then used through HTML injection, the attacker could ma- nipulate permissions and become a super-user. Such mass assignments should not be allowed, and selective assignment should be done to avoid such issues. API7:2019 Security Misconfiguration These kinds of vulnerabilities are introduced due to bad or unplanned configurations which lead to vulnerabilities that can be exploited by hack- ers. Common mistakes around such configura- tions are not disabling the HTTP method when HTTPS is only allowed in APIs, allowing unneces- sary HTTP methods, and permissive CORS, etc. API8:2019 Injection When inputs are provided to APIs and those are passed on by APIs without sanitizing, then it al- lows for such kinds of attacks. For example, say there is a search API to get the list of users from customer name, but instead of customer name, an SQL to delete is sent and API without sanitiz- ing passes it on to DB, then the users get deleted and such an attack is called injection attacks. API9:2019 Improper Assets Management Containers/Kubernetes have enabled engineers to deploy rapidly. This opens up new doors for hackers as there are higher chances for older APIs to be deployed and forgotten, as new APIs are built, new containers are launched with no one worrying or thinking about the security of older APIs. Essentially, it is important to track and document the available APIs and manage those assets. API10:2019 Insufficient Logging & Monitoring All actions performed by the system and APIs need to be logged, monitored, and analyzed for abnormalities. The authentication and authori- zation layers are not sufficient to detect all types of issues. A valid token used from Asia and with- in 5 mins from Australia is abnormal and needs to be detected. Such abnormalities can only be identified if all the actions are sufficiently logged with relevant details and are monitored continu- ously for abnormalities.
  • 5. Whitepaper : API Economy and Why Effective Security is Important? Whitepaper | 4 API Security with AppTrana At Indusface, we understand APIs are becoming the lifeline and how important is the security of APIs is for organizations. With its risk-based approach, Indusface’s AppTrana is the only solution in the market that provides accurate protection that is tailor-made according to the APIs security posture. Risk Based Approach By nature, APIs expose application logic and sensitive data, and due to this, they are an automat- ic target for hackers. For effective protection, it is imperative that one understands the hacker’s mindset and their approach to prevent attacks. AppTrana with its risk-based approach enables customers to gauge the security posture of the application and helps detect and fix unidentified risks immediately. Customers need to provide swagger/ postman files of their APIs and the AppTrana scanner will take care of the rest by accurately identifying the risk posture of their APIs. Unlike other auto- mated scanners, AppTrana also complements its automated scanner with manual pen-testing to ensure all vulnerabilities, including OWASP top 10 vulnerabilities are identified accurately with- out any false positives. AppTrana also ensures the identification of business logic vulnerabilities which is the most common exploit in the case of APIs.
  • 6. Whitepaper : API Economy and Why Effective Security is Important? Whitepaper | 5 With the combination of automated scans and manual pen-testing, some of the vulnerabili- ties that AppTrana tests for in APIs include: • Insecure Direct Object References • Restricted Files can be viewed by Direc- tory Listing • Application is vulnerable to Cross-Origin Resource Sharing • Sensitive Information Sent Over Unen- crypted Channel • Application is vulnerable to SQL injection attack • Application is vulnerable to Directory Traversal attack • Application is vulnerable to Email flooding attack • HTTP Request Smuggling attack • Improper Token Management • Application is vulnerable to OTP flooding attack • Abuse of Send-Mail Functionality • Abuse of Send-SMS Functionality • Application is vulnerable to XML Injection attack • Oauth/JWT/SAML Misconfiguration • Valid account can be brute forced • XML-RPC is publicly available • Application is vulnerable to Race Condi- tion Attack • Application is vulnerable to Remote Code Execution attack • Application is vulnerable to Remote file inclusion attack • Application is vulnerable to XML External Entity (XXE) Injection • Application is vulnerable to Xpath Injec- tion attack • Insecure Deserialization • ASP.NET tracing is enabled • Application is vulnerable to SSRF attack • Application’s Apache Server - Status Enabled • Application is vulnerable to Iframe injec- tion attack • Application is vulnerable to Link injection attack • Application is vulnerable to Log Injection attack • Application is vulnerable to OS Command injection attack • Application is vulnerable to Price Manipu- lation attack • Application is vulnerable to Replay Attack • Application is vulnerable to SSI Injection attack • Application’s OTP can be Bypassed • ASP.NET debugging is enabled • Authentication / 2FA bypass using re- sponse manipulation • Cross-Site Web Socket Hijacking • Local File Inclusion Attack – LFI • Mobile No can be ByPassed and used to perform critical transactions • Server-side Template Injection • Application is vulnerable to HTTP Param- eter pollution • Application is vulnerable to URL Redirec- tion attack
  • 7. Whitepaper : API Economy and Why Effective Security is Important? Whitepaper | 6 API Protection: Once the APIs are bought under AppTrana protection, APIs are protected against at- tacks immediately. AppTrana is equipped with default policies that protect the APIs against the OWASP identified Top 10 API threats. Virtual Patching for all vulnerabilities found: Based on the risk posture identified through API scans, the API protection profile is fur- ther updated to ensure that vulnerabilities identified are patched ensuring there are no risk vectors that hackers can exploit. Patches can be automatic in nature due to the default API-specific policies applied on WAF or due to custom patches written by security experts based on need. Right Security Model Based on Need: Based on the nature of the API definition pro- vided and the kind of vulnerabilities found, AppTrana uses a combination of positive & negative security models to provide effective protection. Since the protection is fine-tuned based on the APIs need after understanding how the APIs are written, there are fewer chances of false positives, unlike the self-learning ap- proach that alternative solutions take. Protection Against API Abuses: AppTrana being a cloud-based WAAP pro- vides a unified solution with integrated CDN, DDoS & BOT protection along with its WAF. This means that any API abuses are identified through its behavior-based BOT/DDoS anom- aly detection policies ensuring maximum protection. Protection of Sensitive Data: AppTrana provides a data loss prevention op- tion, where policies can be enabled for APIs to ensure sensitive data is not sent through APIs. This avoids any accidental leakage of critical data.
  • 8. Whitepaper : API Economy and Why Effective Security is Important? Whitepaper | 7 API Security Key Capabilities API security is complex, and one needs a comprehensive solution that can tune its protection based on the API’s need. Check out AppTrana now to get the most comprehensive API security solution. Reference: https://www.cloudvector.com/api-data-breaches-in-2020/ AppTrana - Risk based Approach Features Risk Detection Dynamic Scan capabilities for Rest APIs Coverage for OWASP identified Top 10 API Threats Authentication Support for APIs API Discoverability through Swagger /Postman files. Intelligently generate attack payload based on API definition Risk Protection Inspect JSON and XML Layer 7 Protection for OWASP Identified Top 10 API Threats Positive API Security Model API Abuse protection Sensitive Data detection
  • 9. API Economy and Why Effective Security is Important? Whitepaper : API Economy and Why Effective Security is Important? ABOUT INDUSFACE Indusface is a leading application security SaaS company which secures critical Web, Mobile & API applications of 2000+ global customers using it’s award winning fully managed platform that integrates web application scanner, web appli- cation firewall, DDoS, BOT Mitigation, CDN and threat intelligence engine. The company has been funded by Tata Capital Growth Fund, is Great Place to Work certified, mentioned by analysts like Gartner, Forrester etc in their reports and has been the recipient of many awards such as the Economic Times Top 25, NASSCOM DSCI Top Security Company, Deloitte Asia Top 100 and several other such prestigious recognitions. Bengaluru | Vadodara | Mumbai | New Delhi | San Francisco Contact: marketing@indusface.com Get Instant Protection