API sprawl is a common issue when building applications using microservices. Ease of deployment (i.e. using cloud services) and developer autonomy may lead to new API endpoints popping up without anyone’s knowledge. Old API versions or deprecated APIs could still be available publicly when the development team thinks they’ve been shut down. API discovery is the act or service of systematically searching through to find all APIs currently in use or publicly available. Discovery is essential to API security since you can’t protect an API if you don’t know it exists or is in use.
Modern web APIs are becoming more prevelant as web applications embrace flexibility and scalability. Web APIs introduce a new set of security vulnerabilities that security teams must account for to keep their APIs, data, and users safe.
ATO, or Account Takeover, is the act of compromising a victim’s account in order to impersonate them to a web application and steal or modify data. There are several flaws that can lead to ATO, such as poor authentication and authorization implementation, broken object level authorization, broken function level authorization, and poor password/secrect management practices. ATO is a highly dangerous attack and should be a priority for development teams to prevent.
Advanced Rate Limiting
Rate limiting is a technique used by APIs to limit the amount or size of client requests. It’s used to prevent ATO, bruteforce attacks, DoS and DDos attacks. When a client reaches the designated limits, requests from that client are temporarily rejected. Lack of proper rate limiting is a risk on the OWASP API Top 10.
Application security is the discipline of applying sound security principles to protect the confidentiality, integrity, and availability of software applications and their data. There are several types of software applications, such as web, mobile, native clients (i.e Windows Store apps), and command line. Each type of application has a different threat model and must apply different principles and tactics to secure it.
Artificial intelligence is intelligence displayed by machines. There are several branches of AI, each with a focus on allowing machines to make decisions and learn without human intervention. Machine learning is a common application of AI. Others include computer vision and natural language processing. Autonomous self-driving vehicles are an example of the practical application of AI technologies.
A bad actor or threat actor tries to infiltrate a web application with the goal of stealing data, modifying data, or other malicious act for personal gain. This term is used in threat modeling to help discover those who may have reason to launch attacks against an application and what techniques they might use.
A “bot” is a compromised machine used to attack another application or system. Many types of DDoS attacks are performed by armies of bots made up of compromised IoT and other connected devices. Poor security used on these devices make it easy to compromise them and then use them to overload a website or API with traffic.
Broken Access Control
Authentication is identifying who is accessing an application. Authorization is enforcing what they’re allowed to do while logged in. It’s a critical distinction as broken access control allows attackers to gain access to data or functions they shouldn’t. They can view and/or modify other users’ accounts or steal data.What to look for in your code:* Modifying the URL or HTML page to bypass access control checks* Allowing the request’s ID to be changed to the account number of another user’s account.* Elevation of privilege. Can a user act as an admin by modifying the request?* APIs with missing access controls for POST, PUT, and DELETE HTTP verbs.
A flaw allowing an attacker to assume other users’ identities temporarily or permanently by compromising passwords, keys, or session tokens.What to look for in your code:* Storing passwords in plaintext, encrypted, or poorly hashed* Poor session management* Permits brute force or other automated attacks* Weak or ineffectual credential recovery processes* Missing or ineffective multi-factor authentication.
Broken User Authentication
Continuous Integration/Continuous Delivery refers to a mode of operation and a suite of tools used to regularly build and deploy applications to staging and production environments. Continuous integration is the practice of building code and running tests every time a developer checks in code changes. This ensures any new bugs are found and resolved quickly and no existing functionality is broken by new code. Continuous Delivery is the practice of always being in a “ready to deploy to production” state. Typically the code is deployed and tested in a staging area. Then a product owner (or other designated party) approves a deployment to production and automated processes take over to deploy the application. Another “CD” you may encounter is Continuous Deployment, where changes are automatically deployed to production every time a developer checks in code.
Cloud-native technologies, such as containers, service meshes, microservices, immutable infrastructure, and declarative APIs, empower developers to build and run scalable applications on public, private, and hybrid clouds.Cloud-native architecture focuses on creating loosely coupled services with high resiliency. Developers can make changes frequently without negatively impacting the entire system.
Cloud-native security is the discipline of securing cloud-native applications. Cloud-native technologies have many benefits, but they also introduce new avenues of attack. Application security has to change to properly protect cloud-native applications from sophisticated attacks.
Cross-Site Scripting (XSS)
XSS the is act of running arbitrary scripts in a victim’s browser in order to deface websites, compromise sessions, or redirect users to malicious websites (usually to steal data for use in identity theft or account takeover). The vulnerability lies in using untrusted data to render HTML pages without validating, sanitizing, and escaping the values.What to look for in your code:* Including unvalidated and unescaped user input in HTML output.* Storing unvalidated and unescaped user input for later use in HTML output (i.e. a forum post or comment)* SPA frameworks that dynamically update the HTML of a page based on unvalidated and unescaped input.
Dynamic Application Security Testing tools mimic a penetration tester. They perform attacks against a running application to find vulnerabilities attackers can exploit. They typically spider an application to find different paths to resources and then send payloads to try to exploit various common vulnerabilities. They report on the results, whether the attacks were successful or the application successfully resisted. DAST tools lack understanding of business logic and thus have trouble finding authentication and authorization vulnerabilities.
Distributed Denial of Service (DDoS) attacks are denial of service attacks performed by many distributed nodes across the Internet. A denial of service occurs when an attacker brings down a website so that legitimate users cannot access it. DDoS is often performed by armies of bots pointed at one website. DDoS attacks are often used for political statements or to embarass and hurt the revenue of a company.
DevOps is a movement and philosophy with the goal of delivering software application faster and with more reliability than traditional modes of operation. DevOps brings together the development and operations disciplines to achieve maximum flexibility, scalability, and reliability of software applications. Automation, collaboration, and fast feedback cycles are the core tenets of DevOps.
DevSecOps adds the security discipline to DevOps. Security teams work in collaboration with development and operations to ensure that environments and applications stay secure. For instance, DevOps focuses on repeatable processes for creating application environments on demand and deploying code to them. DevSecOps includes security so each new environment created is locked down by default and safe for deployment without any manual configuration required.
Excessive Data Exposure
APIs tend to return all data fields held within an object, expecting the client to filter and show the data it needs. This data exposure can aid in attacking the application or lead to data breaches. For example, returning the address with a user object with every request or exposing an “admin” field an attacker may try to manipulate using other means.What to look for in your code:* API methods that return raw objects from the ORM with all fields included.
Interactive Application Security Testing tools are a relatively new addition to the web application security landscape. IAST tools aim to combine the benefits of SAST and DAST to create a more complete picture of application vulnerabilities. IAST tools are embedded within the application and have visibility into the code. While the application runs automated functional tests within a staging environment, IAST will search code execution paths for possible vulnerabilties. Some may even try to perform attacks on parts of the code that may be vulnerable to validate errors and reduce false positives. A downside of IAST is the heavy dependency on a large suite of automated functional tests, which may make it difficult to use in legacy applications.
Improper Assets Management
API proliferation can cause poor documentation and old API endpoints to be exposed, which lead to vulnerabilities in endpoints you didn’t know were exposed publicly. Warning signs:* Outdated API inventory* API endpoints with unclear purposes* No retirement plan for old API versions.
Injection occurs when untrusted data is sent to an interpreter as a command or query. Interpreters execute code as it comes in, instead of compiling it into an executable. This distinction means that interpreters can be easily tricked into using data as a command. Attackers use these flaws to steal data. Common injections include SQL, NoSQL, LDAP, OS, and ORM. What to look for in your code:* User-supplied data isn’t validated, filtered or sanitized* Untrusted data is sent directly to the interpreter (i.e. concatenated to an SQL query)* Untrusted data is sent directly into an ORM search function.
Serialization changes the format of an object in code to make sending it to a server more efficient. The server then deserializes the object upon receipt so it can process the request. Insecure deserialization of objects allows attackers to make calls to system resources upon deserialization. This vulnerability leads to remote code execution along with replay attacks, injection attacks, and privilege escalation attacks.What to look for in your code:* Accepting serialized objects from untrusted sources* Using serialization mediums that permit more than primitive data types.
Insufficient Logging & Monitoring
An attack typically goes unnoticed for over 200 days. Insufficient logging and monitoring allows attackers to persist longer, leading to devestating data exfiltration and destruction.What to look for in your code:* Poor integration between logging and incident response teams* Not logging login attempts, login failures, and high-value transactions* No monitoring of log files* Log messages are unclear or two broad in language to be useful.
Lack of Resources & Rate Limiting
APIs that don’t limit the size or number of resources a user/client can request leave themselves open to denial of service and brute force attacks.Limits you should enforce:* Execution timeouts* Max allocable memory* Number of file descriptors* Number of processes* Request payload size (e.g. uploads)* Number of requests per client/resource* Number of records per page to return in a single request response.
Machine learning is a branch of artificial intelligence that studies computer algorithms that are able to learn from experience. They do this by analyzing large amounts of data and using that data to build statistical models. The program can use the models to make predictions, take action, and learn from that action.
Objects in modern applications have many properties, but not all the properties should be updated directly by a client. A mass assignment flaw exists when an API endpoint automatically converts client parameters into internal object properties without considering the sensitivity of the properties. What to look for in your code:* Using objects instead of view models within your API endpoints* Relying on frameworks to assign property values taken from parameters and request bodies.
Microservices are small services that together make up an entire web application or API. They take the “do one thing exceptionally well” mantra of Unix/Linux development and apply it to software applications. In a microservice architecture, one request to a site may result in dozens or even hundreds of separate requests to focused microservices on the back end. Advantage of microservice architecture include increased speed of development, flexibility, developer autonomy, and scalability.
Next Generation WAF
Next Generation WAFs, or NG-WAFs, are WAFs with added features to help overcome the shortcomings of rules-based security. NG-WAFs add ML features such as behavior analysis and anomaly detection to find and prevent attacks traditional WAFs miss. NG-WAFs are also more compatible with cloud-native applications.
RASP / Runtime Application Self Protection
If WAFs serve as the moat of the castle, Runtime Application Self-Protection (RASP) tools are the castle guards. RASP is deployed within the runtime environment of the web application. It’s able to see and change application behavior to prevent attacks in realtime.
Rest API Security
Static Application Security Testing is the process of scanning application code to find possible vulnerabilities. The term “static” refers to the testing of precompiled code to detect programming patterns that could lead to exploitation. For example, a SAST tool may find concatenation of untrusted input within the code and flag it as a possible SQL injection vulnerability. A downside of SAST is a tendency for false positives since code that looks incorrect may not be a vulerability.
Web application frameworks often have many options for developers to choose from that affect how they operate. This choice leads to misconfiguration, as making the wrong decision (or leaving unsecure defaults) leaves security holes attackers use to steal data or otherwise compromise the application.What to look for in your code:* Missing or misconfigured security headers* The use of default values* Revealing stack traces when errors occur.
A security posture is the overall “grade” of security for an organization. It includes all security controls an organization has in place as well as the way the organization detects and defends against cyber attacks. A security posture takes into account network, software and hardware assets, services, and information.
Sensitive Data Exposure
Many applications don’t protect sensitive data, such as financial, healthcare, or PII. Attackers can steal or modify this data to perform credit card fraud and identity theft. Sensitive data requires extra protection, such as encryption in transit and at rest.What to look for in your code:* Transmitting data in plaintext, such as using HTTP, FTP, and SMTP.* Using old or broken encryption algorithms* Poor cryptographic key management.
Serverless computing is the ability to run code within a cloud environment without worrying about server configuration and deployment. It’s not truly “serverless,” but rather features an interface for developers to write and run code without provisioning and configuring servers. From the developer’s point of view, the code just runs when required. AWS Lambda is an example of serverless computing.
Shadow APIs are unknown APIs that are publicly exposed. These APIs pose a risk because APIs that no one knows are publicly exposed could be a target for attackers. API discovery tools can help find shadow APIs so you can properly protect them or shut them down if they’re unnecessary.
A threat landscape is a group of threats within a given context or environment. It includes threat actors, risks, vulnerable assets, and current and emerging trends.
Using Components with Known Vulnerabilities
Most applications use open source or third-party frameworks to achieve desired functionality. These components run at the same privilege level as the application. Therefore, if vulnerabilities exist within the components your application depends on, they can perform server takeover or steal data.What to look for in your code:* No up-to-date record of the components in use* No mechanism to update components when patches are released* Using vulnerable, unsupported, or out-of-date software.
WAAP / Web Application & API Protection
Web application and API Protection services protect modern web applications and APIs from a variety of attacks. WAAP services include NG-WAF and RASP capabilities along with Distributed Denial of Service (DDoS) protection and malicious bot detection. WAAP aims to meet the security needs of modern, API and microservice-based web applications.
WAF / Web Application Firewall
Web application firewalls take the idea of network firewalls and apply them to web applications. It scans all traffic coming into a web application to find possible attacks, such as cross-site scripting and SQL injection. WAFs use rules and signatures to know what to look for within the request that flags it as a possible attack.
Web API Security
Web Application Security
Web application security is the discipline of applying sound security principles to protect the confidentiality, integrity, and availability of web applications. Web applications are the most common way for customers to interact with businesses and they are a juicy target for attackers. Web application security seeks to protect web applications by hardening network, code, and infrastructure against attack.
XML External Entities (XXE)
Applications that accept XML content (i.e. XML uploads) may use vulnerable XML processors that evaluate external entity references. Attackers exploit this vulnerability to perform many attacks, such as remote code execution, denial of service attacks, and disclosing internal files.What to look for in your code:* Having document type definitions (DTDs) enabled in an XML processor* Accepting XML directly, or XML uploads from an untrusted source* Using SOAP prior to version 1.2