OWASP Top-10 highlights API risk – A positive evolution

04/19/2017

Although the period for public comment is still open, by all accounts the updated OWASP Top-10 will include Underprotected APIs as one of the top 10 threats faced by developers and organizations. This is a positive move and highlights the oft-ignored risk posed by APIs.

In today’s high-speed software development mentality, APIs are critical to connectivity and functionality of modern solutions. An analysis of the strategic impact of APIs found that “Salesforce.com generates 50% of its revenue through APIs, Expedia.com generates 90%, and eBay, 60%.”

As the interconnected web continues to flourish, more and more microservices will have their associated web APIs exposed to the perils of exploitation at the hands of competent threat agents. And even as these threats increase, the pressure on DevOps teams to hold the security line grows too.

"OWASP Top 10 - 2017 Release Candidate" by J. Williams and D. Wichers is licensed under CC BY-SA 3.0

The fact is that Web Application Vulnerability Scanners, or web scanners, were never developed to address API risks. As web APIs proliferate, web scanners and existing static analysis tools will be less and less able to identify crucial vulnerabilities – especially in third-party APIs. In particular, web scanners are ill-suited for API security testing for two main reasons. First, web scanners are ineffective at testing modern web APIs, especially in microservice architectures. Second, existing web scanners do not test, or are unable to test, for many of the issues that impact web APIs.

As Jeff Williams, a creator of the OWASP Top 10, recently told SD Times, “APIs represent a major blind spot for security programs in organizations, and OWASP is helping to refocus teams on this expanding problem.” Peach API Security addresses this blind spot directly: securing SOAP/XML and REST/JSON formats against the top 10 identified risks, including injection, broken authentication, XSS, and CSRF.

When we designed Peach API Security, we adopted APIs-first as our security mentality, and developed this as an automated tool that puts the Sec in DevSecOps. To keep the secure development cycle flowing in an agile manner, and help organizations deliver securely implemented solutions, Peach API Security seamlessly combines fuzzing and security testing. It pushes bugs into existing issue trackers, and integrates with the CI/CD pipeline. It’s the only API-first tool we’re aware of that addresses security vulnerabilities in complex call scenarios. My favorite aspect is that we take existing QA test cases and turn them into security tests.

The OWASP Top-10 candidate release for 2017 highlights just how serious the issue is, and if I sound a little excited, it’s because I know that our Peach API Security solution is a powerful, capable tool, available for organizations who want to secure their web applications.

By Akshay Aggarwal, CEO
