API Security Webinar: Security Guidelines for Providing and Consuming APIs
Faisal Yahya (@faisaly), Cloud Security Alliance, Chairman Indonesia Chapter
Faisal Yahya, Country Manager, PT. Vantage Point Security Indonesia
CISO with 20+ years' experience, CIO with 15+ years' experience
Certifications: ISO27001 IA/LA, AWS, CISSP, CND, CEH v10, ECSA, CTIA, CCISO, CCSK v3&4, CSX-P, CySA+, ITILF, PSM I, PSPO I, CEI
Official Instructor for EC-Council & Cloud Security Alliance
Top 50 South East Asia CIOs
Actively engaged on social media: Twitter (7k+), LinkedIn (11k+), Instagram (2k+)
AWS Community Builders
Cloud Security Alliance, Indonesia Chapter Lead
Cloud-Native Threats, 2021 (source: Hackmageddon)
• Delivery and Exploitation (the cloud service is exploited to deliver a malware strain or a phishing page)
• Actions on Objective (the cloud service is exploited to steal data or launch other attacks)
• Command and Control (the cloud service is exploited as command and control infrastructure)
• Data Exfiltration (the cloud service is used as a drop zone for the exfiltrated data)
API & DevOps: A New Paradigm
• Organizations have become more reliant on software development, confirming the oft-repeated saying that "all organizations currently are software companies."
• The new DevOps paradigm facilitated not only a business-side digital transformation: digital transformation also altered the processes and activities associated with software deployment and development.
• Gartner reports a 30% year-over-year increase in client inquiries about API security. By 2022, it predicts, API abuse will be the most common attack vector for enterprise web application breaches.
Security as a Service as an Emerging Need
If you work in an Agile environment, I believe you need a continuous monitoring and security analysis system that is integrated into your DevOps process. This system should be able to quickly identify security issues and provide clear guidance and even auto-remediation functions to resolve them.
The only way to harmoniously build security into the development pipeline is by providing a security-as-a-service model.
The traditional security layering model simply no longer works.
Related Facts
• Application Programming Interface security models have fallen behind the requirements of a non-perimeter world. (Forrester)
• The most frequently reported API security incident in 2020 was the discovery of a vulnerability in a production API. Organizations must complement their build and deploy security practices with runtime security. (Salt Security)
• According to the company's customer data, the average number of API attacks per customer per month increased from 50 in June to nearly 80 in December. While the average monthly volume of API calls increased by 51%, the percentage of malicious traffic increased by 211% during the study period. (Michelle McLean, 2021)
Traditional vs Modern Application (source: DarkReading)
• Exposing sensitive data
• Intercepted communications
• Launching denial-of-service (DoS) attacks against back-end servers
API Security Concerns
(Chart of the main barriers reported, by category: Access Control, Runtime Protection, Security Testing, Integration, Visibility. Source: IMVISION, Industry Report, 2021.)
OWASP API Security
• API1:2019 Broken Object Level Authorization
• API2:2019 Broken User Authentication
• API3:2019 Excessive Data Exposure
• API4:2019 Lack of Resources & Rate Limiting
• API5:2019 Broken Function Level Authorization
• API6:2019 Mass Assignment
• API7:2019 Security Misconfiguration
• API8:2019 Injection
• API9:2019 Improper Assets Management
• API10:2019 Insufficient Logging & Monitoring
CSA Research Paper
Important: Use this document if the answer to any of these questions is YES:
• Does the new service/system require long-term integration with the company's internal systems?
• Does the new service/system require exchange of data with a third party?
• Will the APIs be exposed to external parties, including the public (i.e., open APIs)?
These guidelines are also highly recommended for non-public APIs (i.e., APIs used internally or only exposed to restricted parties, such as in a B2B environment).
CSA Research Paper
Section 1: API Risk Evaluation
Section 2: Ingress API Connectivity
Section 3: Mapping OWASP Top Ten to Ingress API Connectivity
Target audience:
1. Platform
2. Service Owner
3. Security team
4. DevOps
API Risk Evaluation (slides 1/5 to 5/5; the slide content is graphical and was not captured as text)
Ingress API Connectivity
• Phase 1: Design
• Phase 2: Development
• Phase 3: Testing
• Phase 4: Implementation
• Phase 5: Logging and Monitoring
Ingress API Connectivity (slides 18 to 41 carry only this title; their content is graphical and was not captured as text)
Mapping OWASP API Top Ten to Ingress API Connectivity
Cell values are the Ingress API Connectivity item numbers that address each risk in each phase.

| OWASP API risk                                 | Design     | Development           | Testing    | Implementation | Logging & Monitoring |
|------------------------------------------------|------------|-----------------------|------------|----------------|----------------------|
| API1:2019 Broken Object Level Authorization    | 1, 3, 5    | 10                    | 17, 18, 19 |                | 31                   |
| API2:2019 Broken User Authentication           | 1, 2, 3    | 8, 9, 11              | 17, 18     | 23, 26         |                      |
| API3:2019 Excessive Data Exposure              | 1, 2, 3    | 7, 10, 14             | 17         | 22             |                      |
| API4:2019 Lack of Resources and Rate Limiting  | 1, 3, 5    | 7, 10, 13, 14, 15, 16 |            | 22             |                      |
| API5:2019 Broken Function Level Authorization  | 1, 5       | 8, 10, 16             | 17, 18, 19 |                | 30, 31               |
| API6:2019 Mass Assignment                      | 1, 2, 3, 5 | 7, 10, 12, 14, 15     | 17, 18, 19 |                | 31                   |
| API7:2019 Security Misconfiguration            | 1          | 8, 9, 14, 16          | 17         |                | 29, 30               |
| API8:2019 Injection                            | 1, 6       | 8, 12, 14, 15, 16     | 17, 18, 19 | 24             | 31                   |
| API9:2019 Improper Assets Management           | 1          | 8, 15, 16             | 17         | 20, 21, 24, 27 | 29, 30, 31           |
| API10:2019 Insufficient Logging and Monitoring | 1          | 15                    | 17         |                | 29, 30, 31           |
Wrap Up
APIs, particularly for mobile and Internet of Things (IoT) devices, have arguably become the preferred method for developing modern applications. The majority of organizations have already implemented measures to defend against well-known attacks such as cross-site scripting, injection, and distributed denial-of-service. Regardless of the number of APIs your organization chooses to make publicly available, your ultimate goal should be to establish robust API security policies.