APIsecurity.io - APISecurity.io Newsletter: Issue 166

The Latest API Security News, Vulnerabilities and Best Practices
Issue: #166
Securing large API ecosystems, creating OpenAPI from HTTP traffic, Frankenstein APIs, and API proliferation

This week, we have a comprehensive article on approaches to securing large API ecosystems, an interesting read on how to create OpenAPI definitions from HTTP traffic, how “Frankenstein APIs” are exposing businesses to additional risk, and why the continued API proliferation presents security challenges to organizations.

Article: Securing large API ecosystems

First up this week is an excellent article from Michał Trojanowski in TheNewStack discussing the challenges of securing large API ecosystems. Trojanowski’s view is that the security patterns applied to small-scale API deployments neither scale to larger deployments nor are appropriate for them.

APIs tend to grow either in breadth (a flat hierarchy exposing large numbers of APIs directly) or in depth (a nested hierarchy of APIs coupled together).

Both patterns present security challenges in their own right, namely:

  • For breadth-grown APIs, any caller with a valid token can access any of the API endpoints — the scope of access is typically too broad to adequately secure the endpoints.
  • For depth-grown APIs, tokens may be reused between layered API endpoints, leading to security issues or to tokens leaking to third-party services.

Trojanowski suggests some possible solutions to overcoming these challenges:

  1. Use a claims-based authorization scheme (for example, the audience claim, aud) to limit which APIs a given token can access.
  2. Use token-sharing approaches (tokens are exchanged between coupled API services) to limit the scope of downstream services using a token, thus also limiting the impact of lost or leaked tokens.
  3. Use a dedicated entitlement management system, such as Open Policy Agent.
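The first recommendation, an audience-restricted token check, as an added example that is not from Trojanowski’s article or any named product. An API accepts a token only if its own identifier appears in the token’s aud claim, so a token minted for one API cannot be replayed against a sibling API; the API identifiers and the HS256 signing key are constructed for the demo.

```python
"""Audience-restricted token check (added example, not from the article).

Tokens are HS256 JWTs signed with a constructed demo key; the API
identifiers used by the caller are hypothetical.
"""
import base64, hashlib, hmac, json, time
from typing import Optional

DEMO_KEY = b"constructed-demo-key-not-for-production"  # constructed demo secret

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(subject: str, audience, ttl: int = 300, now: Optional[int] = None) -> str:
    """Mint an HS256 JWT whose aud claim names the API(s) it may call."""
    now = int(time.time()) if now is None else now
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps({"sub": subject, "aud": audience, "exp": now + ttl}).encode())
    sig = hmac.new(DEMO_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"

def verify_for_api(token: str, api_id: str, now: Optional[int] = None) -> Optional[dict]:
    """Return the claims if the token is valid for *this* API, else None.

    Rejects malformed tokens, bad signatures, expired tokens, and tokens whose
    aud claim (a string or a list, per RFC 7519) does not include api_id.
    """
    now = int(time.time()) if now is None else now
    try:
        header, body, sig = token.split(".")
        expected = hmac.new(DEMO_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None  # tampered, or signed by a party without the key
        if json.loads(_unb64(header)).get("alg") != "HS256":
            return None  # refuse any algorithm other than the expected one
        claims = json.loads(_unb64(body))
    except ValueError:  # bad base64, bad JSON, or wrong number of segments
        return None
    if claims.get("exp", 0) <= now:
        return None  # expired
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if api_id not in audiences:
        return None  # minted for a different API: the "breadth" problem above
    return claims
```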

The key takeaway here is that large-scale API deployments are complex and fraught with danger if an overly simplified approach is taken with regard to security.

Article: Creating OpenAPI definitions from HTTP traffic

Readers of this newsletter will know I often advocate for an API-design-first strategy based on the OpenAPI Specification (OAS) at its core. The benefits are well established now, including ease of documentation, easier testing and mocking during development, and of course, being able to embed security as early as possible in the design lifecycle.

The biggest challenge to the design-first approach is the fact that in many cases organizations already have deployed a considerable number of APIs in production that do not have the corresponding OpenAPI definitions. Typically, this presents a challenge to teams to “reverse-engineer” a specification from an existing implementation.

In an article on APIsYouWon’tHate, Phil Sturgeon describes an elegant method of obtaining an OpenAPI definition by reverse-engineering it from captured HTTP traffic to the API. The solution uses the Akita observability tool to extract the details of the API definition from the traffic log. Sturgeon’s approach uses mitmproxy to capture the traffic and dump it in HAR format; Akita then converts the HAR archive into an OpenAPI definition in YAML.
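The core of the HAR-to-OpenAPI step, as an added example that is neither Akita’s nor Sturgeon’s code: walk the entries of a HAR capture (as mitmproxy can export) and derive the paths, operations, query parameters and observed status codes for an OpenAPI 3 skeleton. Purely numeric path segments are generalised to a {id} parameter, a heuristic a real tool would refine; the HAR document and its hostname are constructed.

```python
"""HAR-to-OpenAPI skeleton (added example; not Akita's or Sturgeon's code).

The HAR below is constructed; api.example.test is a placeholder host.
"""
import json
from urllib.parse import parse_qs, urlsplit

SAMPLE_HAR = {"log": {"entries": [  # constructed capture of three requests
    {"request": {"method": "GET", "url": "https://api.example.test/v1/users/42?verbose=1"},
     "response": {"status": 200}},
    {"request": {"method": "GET", "url": "https://api.example.test/v1/users/7"},
     "response": {"status": 404}},
    {"request": {"method": "POST", "url": "https://api.example.test/v1/users"},
     "response": {"status": 201}},
]}}

def templatize(path: str) -> str:
    """Replace purely numeric segments with {id} so /users/42 and /users/7 merge."""
    return "/".join("{id}" if seg.isdigit() else seg for seg in path.split("/"))

def har_to_openapi(har: dict, title: str = "Recovered API") -> dict:
    """Fold every HAR entry into a path -> method -> operation skeleton."""
    paths: dict = {}
    for entry in har["log"]["entries"]:
        url = urlsplit(entry["request"]["url"])
        path = templatize(url.path)
        method = entry["request"]["method"].lower()
        op = paths.setdefault(path, {}).setdefault(method, {"parameters": [], "responses": {}})
        # Record each observed status code; response schemas would need body inspection.
        op["responses"][str(entry["response"]["status"])] = {"description": "observed in traffic"}
        seen = {(p["name"], p["in"]) for p in op["parameters"]}
        wanted = [(name, "query") for name in parse_qs(url.query)]
        if "{id}" in path:
            wanted.append(("id", "path"))
        for name, location in wanted:
            if (name, location) not in seen:  # declare each parameter once per operation
                op["parameters"].append({"name": name, "in": location,
                                         "required": location == "path",
                                         "schema": {"type": "string"}})
                seen.add((name, location))
    return {"openapi": "3.0.3", "info": {"title": title, "version": "0.0.1"}, "paths": paths}

if __name__ == "__main__":
    print(json.dumps(har_to_openapi(SAMPLE_HAR), indent=2))
```

OpenAPI accepts JSON as well as YAML, so the printed document can be fed to the same tooling as Akita’s YAML output.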

As the drive toward design-first accelerates, good, robust, and automated solutions for reverse-engineering existing API deployments become increasingly important — this is a great starting point!

Article: “Frankenstein APIs” explained

Brenton House has written an article on his so-called “Frankenstein APIs” this week, describing them as APIs which are “creatively pieced together using unorthodox methods and is driven by a strong need for functionality.”

House describes “Frankenstein APIs” arising when the required functionality does not already exist and there is a strong business need to provide it. The most common anti-pattern is that development teams use a variety of non-standard methods and tooling to accomplish the business objective. Unfortunately, the resultant APIs can be notoriously fragile in terms of maintainability, extensibility, and, of course, security. Typically, developers are more focused on simply getting the job done, and delegate or omit entirely the security controls that would otherwise be required.

This is a quick and fun read on the topic. The key takeaway from House is to fully embrace an API-first strategy and to resist the temptation to take rudimentary and fragile shortcuts.

Article: Security pitfalls of API proliferation

The final article this week comes from Byron Acohido, who discusses how API proliferation is leading to security pitfalls. This thought-provoking article suggests that APIs are rapidly increasing the attack surface of an organization, because APIs act as a conduit between various services, each of which may be vulnerable to attack. Essentially, the API acts as a “built-in tool on steroids” facilitating attacks by adversaries.

Attackers are increasingly aware of the value of APIs as an attack vector, and many recent major cyber security breaches started with discovery or reconnaissance through public APIs before the attackers pivoted to other internal systems. APIs are also an invisible attack vector, because they are often poorly documented or invisible to traditional protection mechanisms.

Rather unsurprisingly, Acohido’s advice for avoiding such security pitfalls is to fully embrace a shift-left approach toward API development, thereby ensuring that APIs are made visible and that any security issues can be identified and addressed as early as possible.

Thanks for reading.

That's it for today. If you have any feedback or stories to share, simply reply to this email.

Please forward the newsletter to your friends and colleagues who might benefit from it.

42Crunch, Inc.   95 Third Street  2nd Floor  San Francisco  CA   94103   United States
