
Noname Security Aligns With OWASP on API Security Risks – Source: securityboulevard.com


Source: securityboulevard.com – Author: Michael Vizard

Noname Security has added full support for reducing the top ten application programming interface (API) security risks for 2023 as defined by the Open Worldwide Application Security Project (OWASP).

Filip Verloy, field CTO for Noname Security, said these risks essentially define a starting point for organizations that are increasingly becoming aware of how vulnerable API endpoints have become.


Previously, Noname Security provided support for the 2019 edition of the OWASP API security list. The latest edition identifies the following additional risks:

Unrestricted Access to Sensitive Business Flows (API6:2023) that are often exploited by bots.

Server-Side Request Forgery (API7:2023) that enables a client to redirect the server to somewhere not under its own purview.

Unsafe Consumption of APIs (API10:2023) involving the level of inherent trust that should be assumed when relying on third-party APIs.
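To make the SSRF entry (API7:2023) in the list above concrete from the defender's side, here is an added example (not Noname Security's or OWASP's code) of an outbound-URL allowlist check: a server that fetches a client-supplied URL must decide, before connecting, whether the destination is one it is permitted to reach. The host names and allowlist are constructed placeholders, and the naive prefix check is included only to show why parsing the URL first matters.

```python
"""Outbound-URL allowlist check as a mitigation for Server-Side Request Forgery.

Added example, not code from Noname Security or OWASP. ALLOWED_HOSTS and all
host names below are constructed placeholders for illustration.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist: the only hosts this service may contact on a client's behalf.
ALLOWED_HOSTS = frozenset({"api.example.test", "partner.example.test"})
ALLOWED_SCHEMES = frozenset({"https"})


def naive_is_allowed(url: str) -> bool:
    """The weak check: a string-prefix test. Look-alike hosts and user-info
    tricks such as 'https://api.example.test@evil.test/' pass it."""
    return url.startswith("https://api.example.test")


def check_outbound_url(url: str, allowed_hosts=ALLOWED_HOSTS) -> str:
    """Hardened check. Parses the URL, then decides on scheme, credentials,
    address class and allowlist membership. Returns 'ok' or a short reason
    code that is suitable for logging and for alerting on repeated rejections."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return "unparseable"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return "scheme"                      # rejects http://, file://, gopher:// etc.
    if parts.username is not None or parts.password is not None:
        return "userinfo"                    # 'allowed-host@real-host' confusion
    host = parts.hostname                    # already lower-cased by urlsplit
    if not host:
        return "no-host"
    try:
        addr = ipaddress.ip_address(host)    # literal IPv4/IPv6 host?
    except ValueError:
        addr = None
    if addr is not None and (addr.is_private or addr.is_loopback
                             or addr.is_link_local or addr.is_reserved):
        return "internal-address"            # 127.0.0.1, ::1, 10/8, 169.254/16, ...
    if host not in allowed_hosts:
        return "not-allowlisted"
    return "ok"


def is_allowed_outbound_url(url: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Boolean wrapper around check_outbound_url for call sites."""
    return check_outbound_url(url, allowed_hosts) == "ok"


if __name__ == "__main__":
    # Constructed sample of client-supplied URLs as a fetch-on-behalf endpoint might see them.
    for candidate in [
        "https://api.example.test/v1/orders",
        "https://api.example.test.evil.test/",
        "https://api.example.test@evil.test/",
        "http://api.example.test/",
        "https://127.0.0.1/admin",
        "https://[::1]/",
        "https://169.254.169.254/latest/",
        "file:///etc/hosts",
    ]:
        print(f"{candidate:45} naive={naive_is_allowed(candidate)!s:5} "
              f"hardened={check_outbound_url(candidate)}")
```

The reason codes matter as much as the boolean: a burst of `userinfo` or `internal-address` rejections from one API client is exactly the kind of anomalous traffic the article says teams should be watching for. Note that this check deliberately does no DNS resolution, so it does not by itself stop a permitted host name that later resolves to an internal address; pinning the resolved address at connect time is a separate control.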

As organizations continue to expand the number of APIs being used, ensuring security has become a superhuman task, noted Verloy. In fact, it’s not feasible to protect large numbers of APIs without relying more on machine learning algorithms and other forms of artificial intelligence, he added.

Cybercriminals, in the meantime, have become more adroit at manipulating the business logic that is typically exposed via external-facing APIs. It’s not possible to completely thwart those types of attacks, so cybersecurity teams need to closely monitor API traffic for anomalous behavior indicative of a potential breach, noted Verloy.

Unfortunately, too many organizations have distinctly different cybersecurity policies for external and internal-facing APIs. The issue that organizations will inevitably encounter is that internal APIs quite often become external-facing as business use cases evolve. The cybersecurity policies applied to that API are not often updated as more use cases are implemented, said Verloy.

Less clear is the degree to which API security is becoming a distinct discipline apart from application security. Many APIs are now created by a specific team of developers who did not work on the application an API is attached to, so there is now a much greater need to focus specifically on securing APIs through which cybercriminals can exfiltrate data, said Verloy.

One way or another, APIs are rapidly becoming yet another type of endpoint that cybersecurity teams will be expected to secure regardless of who created them. In theory, developers are becoming more adept at securing APIs as they are developed, thanks in part to guidelines identified by OWASP. The issue, as always, is that APIs will always be created by developers of varying skill levels, so the odds that there will be a security issue steadily increase as more APIs are employed.

Before too long, many organizations will find thousands of APIs that need to be secured, including rogue and zombie APIs that organizations either don’t know exist or forgot to disable after they are no longer employed. The challenge, as always, will be to first discover all the APIs in use today and then make sure those exposed have policies applied to mitigate risks.


Original Post URL: https://securityboulevard.com/2023/09/noname-security-aligns-with-owasp-on-api-security-risks/

Category & Tags: Analytics & Intelligence, Application Security, Cybersecurity, Featured, Incident Response, Malware, News, Security Boulevard (Original), Spotlight, Threat Intelligence, Threats & Breaches, Vulnerabilities, api, API security, AppSec, Noname Security, owasp, OWASP Top 10
