APIsecurity.io - APISecurity.io Newsletter: Issue 163

The Latest API Security News, Vulnerabilities and Best Practices
Issue: #163
Why API security strategies fail, AWS keynote on good API design, biggest breaches in 2021
This week, we have an article on seven reasons why API security strategies are failing, details on the recent keynote by Werner Vogels at AWS re:Invent on six rules for good API design, an article by Cisco on API discovery, and a review of some of the biggest API security attacks in 2021.

Article: Seven reasons your API security strategy is failing

This week, AmazicWorld featured a review of why API security strategies are failing to have the desired effect. The author’s view is that while developers are well-versed in creating APIs, the security risks APIs pose are an increasing threat to organizations. These risks are largely a consequence of rapid API adoption: API sprawl widens the threat landscape, and because APIs are well documented and easily reverse-engineered, attackers can readily take advantage of them.

The report identified seven top reasons why API security strategies are failing as follows:

  • Limited exposure to APIs: Many APIs are developed by teams more familiar with other programming paradigms (such as UI or backend) and who are not familiar with the intricacies of API development, particularly security.
  • Lack of visibility: The lack of a comprehensive API inventory is a recurring topic in this newsletter — you can’t secure what you can’t see!
  • The growing threat of API attacks: The rapid growth in the number of APIs has led to a rapidly expanding attack surface, making defense increasingly challenging.
  • Implementation of traditional security practices: Another topic that I, too, keep returning to is the use of legacy security tools, such as WAFs and API gateways, which are simply not capable of providing appropriate API security controls.
  • Improper security ownership structure: Some organizations suffer from a lack of ownership and accountability regarding API security.
  • Putting the onus of API security on the developer: Developers are increasingly pushed to address API security issues and often do not have adequate time or appropriate tooling for it.
  • Rushing to market: Development teams are frequently under pressure to release new features and functionalities, leading to compromises in the security of the related APIs.

There are no easy solutions to many of the topics addressed — the best advice would be to start with gathering a comprehensive API inventory and upskilling the development teams.

Opinion: Werner Vogels on good API design
 

Last week saw the annual AWS re:Invent conference, during which the AWS CTO Werner Vogels gave prominent focus to the importance of good API design, as covered by The New Stack. The talk also highlighted a new AWS offering called Cloud Control API, which acts as a unified control plane for API resources not only on AWS but also from third-party providers.

Of interest to API practitioners are the six best API design practices identified by Vogels:

  • APIs are Forever: Beware of phantom APIs, which may still be active but are not assessed for risks or protected.
  • Never Break Backward Compatibility: API versioning is key here.
  • Work Backwards from Customer Use Cases: Focus on the customer’s needs rather than on what you think makes a useful API.
  • Create APIs That are Self Describing and Have a Clear, Specific Purpose: API documentation should be clear and intuitive.
  • Create APIs with Explicit and Well-Documented Failure Modes: Ensure users can understand what can go wrong.
  • Avoid Leaking Implementation Details at All Costs: Avoid leaking implementation details to minimize coupling to specific technologies and, of course, to avoid security concerns.

Many of these are self-evident to readers of this newsletter, but it’s nonetheless encouraging to see APIs receiving prominence on the big stage.
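Two of Vogels' rules, explicit failure modes and no leaked implementation details, are usually enforced at the same place: the layer that turns an operation's outcome into an HTTP response. The handler below is an added example written for this newsletter, not code from the talk or from any AWS service; the error catalog, the `ApiError` class, the in-memory order store and the deliberately failing `get_order_broken` operation are all constructed for illustration. Every error a client can see is listed in `ERRORS`; anything unexpected is logged in full under an opaque incident id, and only that id reaches the client.

```python
"""Map every failure of an API operation to a documented error, never to internals.

Added example, not code from Werner Vogels' talk or from any AWS service.
The operations and the 'database' below are constructed for illustration.
"""
import logging
import traceback
import uuid
from typing import Any, Callable, Optional

log = logging.getLogger("api")

# The complete, documented set of failure modes a client can observe.
ERRORS: dict[str, tuple[int, str]] = {
    "NOT_FOUND": (404, "No resource matches the given identifier."),
    "INVALID_REQUEST": (400, "The request does not match the documented schema."),
    "INTERNAL": (500, "The request could not be processed. Quote the incident_id when reporting this."),
}


class ApiError(Exception):
    """Raised by operations for failures that are part of the API contract."""

    def __init__(self, code: str, detail: Optional[str] = None) -> None:
        if code not in ERRORS:
            # Refuse to invent an error the documentation does not describe.
            raise ValueError(f"undocumented error code {code!r}")
        super().__init__(code)
        self.code = code
        self.detail = detail


def error_response(code: str, detail: Optional[str] = None,
                   incident_id: Optional[str] = None) -> tuple[int, dict[str, Any]]:
    """Build the (status, body) pair for a documented error code."""
    status, message = ERRORS[code]
    body: dict[str, Any] = {"error": code, "message": message}
    if detail is not None:
        body["detail"] = detail
    if incident_id is not None:
        body["incident_id"] = incident_id
    return status, body


def handle(operation: Callable[..., dict[str, Any]], *args: Any) -> tuple[int, dict[str, Any]]:
    """Run one operation and translate any outcome into (status, JSON-ready body)."""
    try:
        return 200, operation(*args)
    except ApiError as exc:
        return error_response(exc.code, detail=exc.detail)
    except Exception:
        # The stack trace (which may name hosts, tables or libraries) goes to the
        # log under an opaque id; the client only ever learns the id.
        incident_id = uuid.uuid4().hex
        log.error("incident %s\n%s", incident_id, traceback.format_exc())
        return error_response("INTERNAL", incident_id=incident_id)


# Constructed in-memory store standing in for a database.
ORDERS: dict[str, dict[str, Any]] = {"1001": {"id": "1001", "product_id": 42, "quantity": 2}}


def get_order(order_id: str) -> dict[str, Any]:
    """Well-behaved operation: only documented failures escape it."""
    if not order_id.isdigit():
        raise ApiError("INVALID_REQUEST", detail="order_id must be numeric")
    if order_id not in ORDERS:
        raise ApiError("NOT_FOUND")
    return ORDERS[order_id]


def get_order_broken(order_id: str) -> dict[str, Any]:
    """Simulates a backend fault whose message names internal infrastructure."""
    raise ConnectionError("postgres://db-primary.internal:5432/orders: connection refused")


if __name__ == "__main__":
    for op, arg in ((get_order, "1001"), (get_order, "9999"), (get_order, "abc"), (get_order_broken, "1001")):
        print(op.__name__, arg, "->", handle(op, arg))
```

The constructor check in `ApiError` is the part that keeps the documentation honest: a developer cannot add a new failure mode without adding it to the catalog first.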

Article: APIs are not known well enough


In our issue 155, we covered the new APIClarity product being developed as a joint collaboration between Cisco, 42Crunch, and APImetrics. This week, TechRepublic featured the views of Cisco’s Vijoy Pandey on the challenges organizations face in comprehensively producing an inventory of their API estate. A key takeaway from Pandey is this view on the importance of the OpenAPI Specification (OAS):

“Once you have an OpenAPI spec, you can see what an API is actually transmitting, versus what it was originally intended to do. Say you intended it to pass an integer, but over time people started sending floats. Or you intended two arguments, but over time people started passing three or four, and the API spec hasn’t been updated. These are clear attack vectors.”

From a security perspective, Pandey suggests the following three best practices:

  • Leverage the community of security experts in the OWASP organization, such as their excellent OWASP API Security Top 10.
  • Focus on the security of your software supply chain using a bill of materials to ensure provenance and governance.
  • Consider health indicators of an API — like uptimes or hosting location — when determining if an API is reliable and safe.
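
Pandey's two examples of drift, a float arriving where the spec says integer and extra arguments the spec never documented, are exactly what a strict check of observed traffic against the OpenAPI schema surfaces. The script below is an added example written for this newsletter, not code from APIClarity, Cisco or the article; the `ORDER_SCHEMA` (the fragment an OpenAPI 3 document would hold under the operation's `requestBody`), the `OBSERVED_BODIES` sample and the message wording are constructed. It implements only the JSON Schema keywords the sample uses (`type`, `required`, `properties`, `additionalProperties`, `minimum`, `maxLength`) and deliberately treats `2.0` and `True` as not integers, which is stricter than some validators; a real deployment would use a full OpenAPI validator.

```python
"""Compare observed request bodies with the OpenAPI schema they were meant to follow.

Added example, not code from the article or from APIClarity. It handles only the
subset of JSON Schema keywords used below; a real deployment would use a full
OpenAPI validator.
"""
from typing import Any

# Constructed sample schema: what an OpenAPI 3 document would hold under
# paths./orders.post.requestBody.content.application/json.schema
ORDER_SCHEMA: dict[str, Any] = {
    "type": "object",
    "required": ["product_id", "quantity"],
    "additionalProperties": False,   # the spec documents exactly these fields
    "properties": {
        "product_id": {"type": "integer"},
        "quantity": {"type": "integer", "minimum": 1},
        "note": {"type": "string", "maxLength": 200},
    },
}

# Constructed sample of bodies as they might be reconstructed from captured traffic.
OBSERVED_BODIES: list[dict[str, Any]] = [
    {"product_id": 42, "quantity": 2},                                 # conforms
    {"product_id": 42, "quantity": 2.5},                               # float where an integer was declared
    {"product_id": 42, "quantity": 1, "coupon": "X1", "admin": True},  # fields the spec never documented
    {"product_id": "42"},                                              # wrong type and a missing field
]


def _matches_type(value: Any, expected: str) -> bool:
    """Strict type check: bool is not an integer, and 2.0 is not an integer."""
    if expected == "integer":
        return isinstance(value, int) and not isinstance(value, bool)
    if expected == "number":
        return isinstance(value, (int, float)) and not isinstance(value, bool)
    if expected == "string":
        return isinstance(value, str)
    if expected == "boolean":
        return isinstance(value, bool)
    if expected == "object":
        return isinstance(value, dict)
    if expected == "array":
        return isinstance(value, list)
    return False


def validate(value: Any, schema: dict[str, Any], path: str = "$") -> list[str]:
    """Return every deviation of `value` from `schema`; an empty list means it conforms."""
    problems: list[str] = []
    expected = schema.get("type")
    if expected and not _matches_type(value, expected):
        # Nothing below makes sense for the wrong type, so stop here.
        return [f"{path}: expected {expected}, got {type(value).__name__}"]

    if expected == "object":
        props = schema.get("properties", {})
        for name in schema.get("required", []):
            if name not in value:
                problems.append(f"{path}.{name}: required field missing")
        for name, sub_schema in props.items():
            if name in value:
                problems.extend(validate(value[name], sub_schema, f"{path}.{name}"))
        if schema.get("additionalProperties") is False:
            for name in value:
                if name not in props:
                    problems.append(f"{path}.{name}: field not in the spec")
    elif expected in ("integer", "number"):
        if "minimum" in schema and value < schema["minimum"]:
            problems.append(f"{path}: {value} is below minimum {schema['minimum']}")
    elif expected == "string":
        if "maxLength" in schema and len(value) > schema["maxLength"]:
            problems.append(f"{path}: length {len(value)} exceeds maxLength {schema['maxLength']}")
    return problems


def drift_report(schema: dict[str, Any], bodies: list[dict[str, Any]]) -> dict[int, list[str]]:
    """Map the index of each non-conforming body to its list of deviations."""
    report: dict[int, list[str]] = {}
    for index, body in enumerate(bodies):
        problems = validate(body, schema)
        if problems:
            report[index] = problems
    return report


if __name__ == "__main__":
    for index, problems in drift_report(ORDER_SCHEMA, OBSERVED_BODIES).items():
        print(f"body {index}:")
        for problem in problems:
            print("  ", problem)
```

Run against a traffic capture, the report is the list of places where the spec and reality have parted ways: each entry is either a client that needs fixing or a schema that needs updating, and until one of those happens the undocumented behaviour is unreviewed attack surface.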

Article: Biggest API security attacks in 2021


As we head toward the end of 2021, it is time to look back over some of the biggest API security attacks of the year; this week we feature Security Boulevard’s summary of them.

First up is the Parler API hack in January (featured in our issue 116), in which over 60 terabytes of data were leaked, affecting 10 million users. Another big one followed in April with the Clubhouse leak (our issue 129), where over 1.3 million records were leaked. In July, the LinkedIn API breach (issue 140) affected 700 million users and was attributed to inadequate API security practices. Last on Security Boulevard’s list is the NoxPlayer API hack, which we covered in our issue 119.

The key takeaway clearly is that API security is likely to be an ever-increasing concern as API adoption continues to burgeon and attackers focus their efforts on this seemingly vulnerable target.

Thanks for reading.

That's it for today. If you have any feedback or stories to share, simply reply to this email.

Please forward the newsletter to your friends and colleagues who might benefit from it.

