The new imperative in API security strategy

Of the 239 vulnerabilities, 33% (79 out of 239) were associated with authentication, authorization and access control (AAA) — foundational pillars of API security, according to Wallarm.

Prioritizing AAA principles

Open authentication (OAuth), single-sign on (SSO) and JSON Web Token (JWT), safeguards for API security, were compromised in reputable tech organizations such as Sentry and WordPress.

Sentry experienced incorrect credential validation on OAuth token requests, potentially exposing developers’ projects to unauthorized access, while WordPress’ SSO was subject to plugin broken authentication, leaving its millions of users’ data vulnerable to theft.

The foundation of robust API security lies in the core principles of authorization, authentication, access control (referred to as AAA). It’s essential to acknowledge these core principles are also subject to security issues and flaws that can have severe ramifications.

The Q3 2023 report witnessed a surge in vulnerabilities related to AAA within technology stacks that are used by various technology companies. This underscores the necessity for organizations to regularly commit and update their entire supply-stack to effectively mitigate potential risks.

Incorporating API leak protection measures

API leaks have emerged as a significant threat, yet they are often overlooked. It is crucial to incorporate API leak protection measures into a security strategy program.

Despite not being covered in the OWASP API Security guidelines, the report highlights a multitude of incidents traced back to leaked credentials (including by 3rd parties) leading to security breaches. It is paramount to implement an automatic discovery system of leaked API keys and secrets, enforcing controls and measures to block their use, and protect against any subsequent attacks.

Evidence of these risks is found in the recent serious data breaches suffered by Netflix, VMware and SAP, with Netflix exposing JWT secret keys in error messages and VMware disclosing sensitive information vulnerabilities.

“We saw in recent months that even major players like Netflix and VMware aren’t exempt from significant data exposures,” said Ivan Novikov, CEO of Wallarm. “Whether caused by malicious actors or internal carelessness, this report is a wake-up call for business leaders and cybersecurity professionals to include protection against threats to APIs and other leaks in their product security programs. Established security frameworks, like OWASP API Security Top-10, are one way to get started but have limitations in addressing today’s complex API security needs.”

APIs are no longer just connectors; they’re the valves that control the flow of data in an organization. Any leak, minor or major, can result in significant setbacks, from compliance failures to catastrophic data breaches. These aren’t theoretical risks; they’re happening now, warranting immediate attention and action.