Unpacking OWASP’s API9:2023: Improper Inventory Management
The Critical Importance of API Inventory in Modern Cybersecurity
The release of the updated OWASP API Top 10 gives us more validation of a growing trend we’re seeing in API Security – API inventory.
The critical role of API inventory has gained prominence recently, as industry standards and regulations catch up with API security requirements. We saw this in the recently released update to the OWASP API Top 10, and it adds to guidance published in the past six months by regulatory bodies such as the Financial Institutions Examination Council (FFIEC), which has explicitly highlighted the need for meticulous API inventory and risk assessments of digital assets.
These shifts indicate a growing recognition of the risks associated with unmanaged and unsecured APIs, and the crucial role that API inventory plays in managing these risks.
OWASP’s API9: Improper Inventory Management
API9:2023 calls out Improper Inventory Management as a notable cybersecurity issue. Understanding and mitigating this challenge is of paramount importance for every cybersecurity professional.
An API inventory is more than just a list of APIs – it is a comprehensive “roadmap” that details the nature, purpose, functions, and interactions of each API within an organization’s digital ecosystem. It is an essential way to identify and manage potential security vulnerabilities in a proactive way. Without a well-maintained API inventory, organizations are virtually navigating their API security terrain blindfolded.
One common way attackers can exploit APIs is through older versions or endpoints that have been left unpatched, or by gaining unauthorized access to sensitive data through third parties. This can result in damaging data leaks and significant disruptions to operations, thereby tarnishing your business reputation.
It’s crucial to ask: Are our APIs vulnerable? If the answer isn’t a resounding “no”, there’s important work to be done.
A lack of understanding of your own API landscape often leads to “documentation blindspots” and “data flow blindspots”. The former happens when the purpose of your API host is unclear, documentation is missing or not up-to-date, and there’s no retirement plan for each API version. The latter occurs when there’s an unregulated, unjustified flow of sensitive data via your API, often leading to damaging data breaches.
OWASP Gives Examples of the Potential Impact
Scenario #1: Exploiting API Vulnerabilities
Consider a social networking platform that has installed a rate-limiting mechanism to prevent brute force attacks aimed at guessing reset password tokens. This security feature, however, was not embedded in the API code itself but implemented as a separate component. A researcher discovered a beta API host that mirrored the official API’s functions, including the reset password mechanism. Unfortunately, the beta version lacked the rate-limiting feature. Leveraging this loophole, the researcher, using a straightforward brute force approach, could reset the password of any user by guessing the six-digit token.
Scenario #2: Unrestricted Data Flow
In a separate instance, a social networking site offered developers of independent applications the ability to integrate with their platform. To facilitate this, the social network would request consent from end users to share their personal information with the independent application. The pitfall was that the data flow between the social network and these applications was not sufficiently regulated or monitored, giving independent applications access to not just a user’s data, but also the private information of their contacts.
Exploiting this lax security, a consulting firm created a malicious application and obtained the consent of 270,000 users. This approval gave them access to the private data of 50 million users due to the flaw in data sharing. Subsequently, the consulting firm monetized this private information for malicious purposes, highlighting the serious repercussions of inadequate API and data flow management.
So how can we safeguard APIs and ensure they remain as assets rather than liabilities?
- Inventory Management: Keep an exhaustive inventory of all API hosts, detailing the API environment, who should have network access, and the API version. Similarly, create a detailed inventory of integrated services, listing their roles, the data exchanged, and the sensitivity of that data.
- Automated Documentation: Opt for an automated documentation process that includes authentication, errors, redirects, rate limiting, CORS policy, and endpoints. Integrating documentation builds into your CI/CD pipeline will ensure your documentation is always updated and accessible to the relevant individuals.
- API Security Solutions: Adopt robust API security solutions for all exposed versions of your APIs, not just the current production version. Also, avoid using production data with non-production API deployments. When security improvements are implemented, perform a risk analysis to ensure potential vulnerabilities in older versions are mitigated.
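The three recommendations above are easiest to act on when the inventory is data a script can check rather than a spreadsheet nobody reads. The following is an added example, not code from the original post or from Traceable: a small audit over a constructed host inventory and integrated-services inventory that flags the gaps this section describes. The hostnames, integration names, dates and the `REQUIRED_DOCS` set are assumptions chosen for illustration; the checks correspond to the list above (hosts seen in traffic but missing from the inventory, versions past their retirement date, non-production hosts holding production data, documentation that does not cover a required control, and integrations receiving more data classes than users consented to).

```python
"""Added example: auditing an API inventory for the gaps API9:2023 describes.

All data below is constructed for illustration; nothing refers to a real organization.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set


@dataclass
class ApiHost:
    """One row of the host inventory (the fields the text says to record)."""
    host: str
    environment: str            # production, staging, beta, ...
    version: str
    network_access: str         # who should reach it: public, partner, internal
    retire_by: Optional[date] = None
    uses_production_data: bool = False
    documented: Set[str] = field(default_factory=set)  # controls covered by generated docs


@dataclass
class Integration:
    """One row of the integrated-services inventory."""
    name: str
    role: str
    approved_data: Set[str]     # data classes the end user consented to share
    observed_data: Set[str]     # data classes actually seen leaving via the API


# Controls the documentation build is expected to cover for every host (assumed set).
REQUIRED_DOCS = {"auth", "errors", "redirects", "rate_limit", "cors", "endpoints"}

# Constructed sample inventory; hostnames are illustrative only.
INVENTORY: List[ApiHost] = [
    ApiHost("api.example.com", "production", "v3", "public", None, True, set(REQUIRED_DOCS)),
    ApiHost("api-v2.example.com", "production", "v2", "public", date(2023, 6, 30), True, set(REQUIRED_DOCS)),
    ApiHost("beta-api.example.com", "beta", "v3", "internal", None, True, {"auth", "errors", "endpoints"}),
]
# Constructed integrated-services inventory.
INTEGRATIONS: List[Integration] = [
    Integration("photo-printer", "prints user photos", {"profile", "photos"}, {"profile", "photos"}),
    Integration("quiz-app", "personality quiz", {"profile"}, {"profile", "friends_profile"}),
]
# Hosts observed in gateway logs or DNS records (constructed); one has no inventory row.
DISCOVERED_HOSTS = ["api.example.com", "api-v2.example.com", "beta-api.example.com", "old-api.example.com"]


def find_shadow_hosts(discovered, inventory) -> List[str]:
    """Hosts that serve API traffic but have no inventory row (a documentation blindspot)."""
    known = {h.host for h in inventory}
    return sorted(set(discovered) - known)


def find_expired_versions(inventory, today: date) -> List[str]:
    """Hosts whose retirement date has passed but that are still listed as live."""
    return sorted(h.host for h in inventory if h.retire_by and h.retire_by < today)


def find_nonprod_with_prod_data(inventory) -> List[str]:
    """Non-production deployments holding production data, which the text says to avoid."""
    return sorted(h.host for h in inventory if h.environment != "production" and h.uses_production_data)


def find_documentation_gaps(inventory, required=REQUIRED_DOCS) -> Dict[str, List[str]]:
    """Per host, the controls the generated documentation does not cover.

    A beta mirror with no documented rate limit (scenario #1 above) surfaces here."""
    gaps = {}
    for h in inventory:
        missing = sorted(required - h.documented)
        if missing:
            gaps[h.host] = missing
    return gaps


def find_data_flow_gaps(integrations) -> Dict[str, List[str]]:
    """Integrations receiving data classes beyond what users consented to (scenario #2 above)."""
    return {i.name: sorted(i.observed_data - i.approved_data)
            for i in integrations if i.observed_data - i.approved_data}


def audit(discovered, inventory, integrations, today: date) -> Dict[str, object]:
    """Run every check and return only the non-empty findings."""
    findings = {
        "shadow_hosts": find_shadow_hosts(discovered, inventory),
        "expired_versions": find_expired_versions(inventory, today),
        "nonprod_with_prod_data": find_nonprod_with_prod_data(inventory),
        "documentation_gaps": find_documentation_gaps(inventory),
        "data_flow_gaps": find_data_flow_gaps(integrations),
    }
    return {k: v for k, v in findings.items() if v}


if __name__ == "__main__":
    for check, result in audit(DISCOVERED_HOSTS, INVENTORY, INTEGRATIONS, date(2023, 9, 1)).items():
        print(f"{check}: {result}")
```

Running `audit` as a CI step against the inventory file and the hosts seen at the gateway turns each of the three recommendations into a failing check rather than a policy statement: an unregistered host, a version past its retirement date, or a beta deployment whose documentation never mentions rate limiting all block the build until someone updates the inventory or retires the host.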
In our capacity as cybersecurity professionals, we carry the mandate to shield our organizations from potential security breaches, adhere to continuously evolving standards, and place a priority on ensuring the integrity of our APIs. This becomes more achievable through a combination of rigorous API inventory management, and meticulous documentation and security protocols.
For more information about how Traceable can help, learn more about our platform capabilities.
Traceable is the industry’s leading API Security company that helps organizations achieve API protection in a cloud-first, API-driven world. With an API Data Lake at the core of the platform, Traceable is the only intelligent and context-aware solution that powers complete API security – security posture management, threat protection and threat management across the entire Software Development Lifecycle – enabling organizations to minimize risk and maximize the value that APIs bring to their customers. To learn more about how API security can help your business, book a demo with a security expert.