{"id":16188,"date":"2023-03-15T09:00:20","date_gmt":"2023-03-15T09:00:20","guid":{"rendered":"https:\/\/staging2022.42crunch.com\/?p=16188"},"modified":"2023-03-15T14:36:15","modified_gmt":"2023-03-15T14:36:15","slug":"mind-the-gap-how-api-security-testing-tools-complement-api-gateways-for-enhanced-api-security","status":"publish","type":"post","link":"https:\/\/staging2022.42crunch.com\/mind-the-gap-how-api-security-testing-tools-complement-api-gateways-for-enhanced-api-security\/","title":{"rendered":"Mind the Gap! How API Security Testing Tools Complement API Gateways for Enhanced API Security"},"content":{"rendered":"

\u201cI want security, yeah<\/em>
\nWithout it I had a great loss, no now<\/em>
\nSecurity, yeah<\/em>
\nAnd I want it at any cost \u2026<\/em>\u201d
\n(Otis Redding, 1964)<\/p>\n

Otis Redding may well have been singing about love for another person in these famous lines, but taken literally his message will resonate with any company that has recently suffered an API breach. Sadly, the number of companies impacted by API breaches is growing day by day. As noted in a recent market survey by Google, as many as 63% of C-suite executives reported an API security breach in the last 12 months. 1<\/sup><\/p>\n

Identify the API Gap<\/strong><\/span><\/h4>\n

Examining these companies we can see a common architectural pattern. All the usual web application security measures are in place: a Web Application Firewall (WAF) and an API Gateway at the edge to protect the runtime, plus SAST\/DAST processes and tools to catch defects at implementation time. Yet we are still witnessing a growing number of successful attacks that exploit API vulnerabilities.<\/p>\n

Naturally enough you are wondering, what\u2019s missing? How can we do better?<\/p>\n

Looking into the breaches in detail, a very clear gap shows up: these web AppSec programs ignore securing the APIs at design time, and that gap is exposing companies to potential exploitation by hackers. The WAF, the gateway and the implementation-time scanners have no view of the API contract itself, so a design flaw such as a guessable identifier in the path or an operation with no authentication requirement passes straight through them.<\/p>\n

Shift-Left with Design Time API Security Testing<\/span><\/h4>\n

Let\u2019s take the Topcoder BOLA vulnerability as an example. 2<\/sup><\/p>\n

    \n
  1. Topcoder account profiles expose the userid as an integer in the URL path, a very common pattern.<\/li>\n
  2. By enumerating userids an attacker can confirm that a victim\u2019s userid exists.<\/li>\n
  3. Locate a request that is sent without an Authorization header and replace your own userid with the victim\u2019s.<\/li>\n
  4. You now have access to the victim\u2019s account.<\/li>\n<\/ol>\n

    In the example above the API has a vulnerability in both the design and the implementation: the design exposes a sequential integer identifier in the path, so victims are trivial to enumerate, and the implementation never checks that the caller is authorized to act on the object that identifier names (Broken Object Level Authorization, API1 in the OWASP API Security Top 10).<\/p>\n

    Just like Topcoder, if you already have APIs in production you don\u2019t want to wait until some intelligence, human or artificial, discovers the vulnerability, or worse, until you are alerted by a breach.<\/p>\n

    To avoid such problems 42Crunch recommends that companies use dedicated API security testing tools at design time to examine the API definition, the OpenAPI Specification (OAS) file, of each API and clean it up prior to deployment. Such tools also let you restrict PII exposure in responses to the absolute minimum and ensure that each parameter is not declared as just \u201cstring\u201d but carries a type, format, length limit or pattern that the gateway can later enforce.<\/p>\n

    In the Topcoder example, an audit of the OAS file would have pointed out that the identifier in the path is an integer rather than a UUID, as best practice recommends. Note that a random identifier only makes victims hard to enumerate; the object-level authorization check in the implementation is still required.<\/p>\n

    Also make sure that no API endpoint is left without authentication and authorization. Run these checks automatically for every API in your repositories and give the API designer informed feedback on what must be fixed. Ideally, use the OWASP API Security Top 10 as the guide for the tests.<\/p>\n
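    The following is an added example, not the 42Crunch audit engine or any code from the original post: a minimal design-time lint over an OpenAPI 3 document, in dict form, that raises the three findings discussed above (an operation with no security requirement, an integer identifier in the path, and an unconstrained string parameter). The sample specification, the \/users\/{userId} and \/search paths and the bearerAuth scheme are all constructed for illustration.<\/p>\n

```python
# Added example (not 42Crunch code): a minimal design-time audit of an
# OpenAPI 3 document. The sample spec below is constructed; the
# /users/{userId} path mirrors the integer-in-path pattern of the Topcoder case.

from typing import Any, Dict, List

# Constructed sample OAS document (the dict form of the YAML or JSON file).
SAMPLE_OAS: Dict[str, Any] = {
    'openapi': '3.0.3',
    'components': {
        'securitySchemes': {
            'bearerAuth': {'type': 'http', 'scheme': 'bearer'}
        }
    },
    'paths': {
        '/users/{userId}': {
            'get': {
                'operationId': 'getUser',
                'parameters': [
                    {'name': 'userId', 'in': 'path', 'required': True,
                     'schema': {'type': 'integer'}}
                ],
                'responses': {'200': {'description': 'ok'}},
                # no 'security' key: the operation is open to anyone
            }
        },
        '/search': {
            'get': {
                'operationId': 'search',
                'security': [{'bearerAuth': []}],
                'parameters': [
                    {'name': 'q', 'in': 'query', 'required': True,
                     'schema': {'type': 'string'}}   # no maxLength, pattern, enum or format
                ],
                'responses': {'200': {'description': 'ok'}},
            }
        },
    },
}

HTTP_METHODS = ('get', 'put', 'post', 'delete', 'patch', 'options', 'head', 'trace')


def audit_oas(spec: Dict[str, Any]) -> List[str]:
    '''Return one finding string per issue found in the spec.'''
    findings: List[str] = []
    global_security = spec.get('security')          # top-level default, if any
    for path, item in spec.get('paths', {}).items():
        path_params = item.get('parameters', [])    # parameters shared by all operations
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            where = f'{method.upper()} {path}'
            # 1. every operation must carry a security requirement;
            #    an explicit empty list disables authentication and is flagged too
            security = op.get('security', global_security)
            if not security:
                findings.append(f'{where}: no security requirement (unauthenticated)')
            # 2. parameter schema checks
            for p in path_params + op.get('parameters', []):
                schema = p.get('schema', {})
                ptype = schema.get('type')
                name = p.get('name')
                if p.get('in') == 'path' and ptype == 'integer':
                    findings.append(f'{where}: path id {name} is a guessable integer, prefer a UUID')
                if ptype == 'string':
                    constrained = any(k in schema for k in ('maxLength', 'pattern', 'enum', 'format'))
                    if not constrained:
                        findings.append(f'{where}: parameter {name} is an unconstrained string')
    return findings


if __name__ == '__main__':
    for finding in audit_oas(SAMPLE_OAS):
        print(finding)
```

    Run against the constructed spec, the audit reports three findings: the unauthenticated GET on \/users\/{userId}, the integer userId in that path, and the unconstrained q parameter on \/search. A real audit would cover many more rules, but a check like this is cheap enough to run on every commit that touches an OAS file.<\/p>\n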

    Next in line is to ensure that your implementation actually conforms to the secured OAS file. Test not only the \u201chappy path\u201d but all the security-relevant cases as well; for example, in the Topcoder case, to catch a possible BOLA:<\/p>\n

      \n
    1. Create an account to simulate an attacker.<\/li>\n
    2. Create an account to simulate a victim.<\/li>\n
    3. Using the attacker account, call the endpoint for the victim\u2019s resource.<\/li>\n
    4. The result must be a 403.<\/li>\n<\/ol>\n
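      The following is an added example, not the 42Crunch Scan tool or any code from the original post: the four-step BOLA scenario above written as a self-contained conformance test. The API under test is a constructed in-memory stand-in so the test runs offline; the DELETE \/pets\/{petId} resource, the handler names and the token format are assumptions. The vulnerable handler authenticates but never authorizes, the fixed handler adds the ownership check.<\/p>\n

```python
# Added example (not 42Crunch code): a BOLA conformance test in the shape
# of the four steps above. Everything here is a constructed stand-in for a
# real API; the /pets/{petId} resource and handler names are assumptions.

from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple


# --- constructed stand-in for the API under test ---------------------------

@dataclass
class Store:
    users: Dict[str, str] = field(default_factory=dict)   # bearer token -> user id
    pets: Dict[int, str] = field(default_factory=dict)    # pet id -> owner user id
    next_pet: int = 1

    def create_account(self, user_id: str) -> str:
        token = f'token-{user_id}'          # constructed bearer token
        self.users[token] = user_id
        return token

    def create_pet(self, token: str) -> int:
        pet_id = self.next_pet              # sequential integer id, as in the Topcoder case
        self.next_pet += 1
        self.pets[pet_id] = self.users[token]
        return pet_id


def delete_pet_vulnerable(store: Store, token: Optional[str], pet_id: int) -> int:
    '''DELETE /pets/{petId} as shipped: authenticates the caller, never authorizes.'''
    if token not in store.users:
        return 401
    if pet_id not in store.pets:
        return 404
    del store.pets[pet_id]                  # any logged-in user can delete any pet
    return 204


def delete_pet_fixed(store: Store, token: Optional[str], pet_id: int) -> int:
    '''DELETE /pets/{petId} with an object-level ownership check.'''
    if token not in store.users:
        return 401
    if pet_id not in store.pets:
        return 404
    if store.pets[pet_id] != store.users[token]:
        return 403                          # caller is not the owner of this object
    del store.pets[pet_id]
    return 204


# --- the BOLA scenario: attacker vs victim ---------------------------------

Handler = Callable[[Store, Optional[str], int], int]


def bola_scenario(handler: Handler) -> Tuple[int, bool]:
    '''Run steps 1-4 against one handler.
    Returns (status, passed); passed is True only when the status was the
    expected 403 and the pet of the victim is still present afterwards.'''
    store = Store()
    attacker = store.create_account('attacker')    # step 1
    victim = store.create_account('victim')        # step 2
    victim_pet = store.create_pet(victim)
    status = handler(store, attacker, victim_pet)  # step 3: attacker hits the victim resource
    passed = status == 403 and victim_pet in store.pets  # step 4
    return status, passed


if __name__ == '__main__':
    for name, handler in (('vulnerable', delete_pet_vulnerable), ('fixed', delete_pet_fixed)):
        status, passed = bola_scenario(handler)
        print(f'{name}: status={status} pass={passed}')
```

      The vulnerable handler returns 204 and the victim\u2019s pet is gone, so the scenario fails; the fixed handler returns 403 and the pet survives. Some teams deliberately answer 404 instead of 403 so that an attacker cannot confirm that the object exists; whichever you choose, declare it in the OAS file and have the scenario assert on exactly that code.<\/p>\n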

      Using the 42Crunch Scan tool with the scenario option, you can run these test scenarios automatically as part of your build pipeline.<\/p>\n

      [Screenshot: 42Crunch Scan test scenario]<\/p>\n

      BOLA test scenario: can you delete another user\u2019s pet or petstore?<\/em><\/p>\n

      Shield-Right for Runtime Protection<\/span><\/h4>\n

      Now, with a security-tested and validated OAS file, we can go back to our existing infrastructure and in particular feed the API Gateway with the best possible contract to enforce at the edge at runtime: the gateway can reject requests whose parameters do not match the declared types and constraints, and enforce the authentication requirement the file now declares for every operation.<\/p>\n

      42Crunch offers out-of-the-box integrations with several market-leading API Gateway solutions<\/a>, such as those from Apigee, Kong, Microsoft, Axway and WSO2.<\/p>\n

      1\u00a0Google, market survey report \u201cAPI Security: Latest Insights & Key Trends\u201d, 2022
      \n2<\/sup> https:\/\/hackerone.com\/reports\/1073420<\/sup><\/p>\n","protected":false},"excerpt":{"rendered":"

      \u201cI want security, yeah Without it I had a great loss, no now Security, yeah And I want it at any cost \u2026\u201d (Otis Redding, 1964) Otis Redding may well have been singing about the love for another in these famous lines, but taken literally, his message will resonate with any company that has recently […]<\/p>\n","protected":false},"author":18,"featured_media":16204,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_seopress_robots_primary_cat":"none","_seopress_titles_title":"API Security Testing Tools enhance API Gateways for API Security","_seopress_titles_desc":"API Gateways and API Management platform ignore securing the APIs at design time and this gap is exposing companies to exploitation by hackers.","_seopress_robots_index":"","site-sidebar-layout":"default","site-content-layout":"default","ast-site-content-layout":"","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"disabled","ast-hfb-above-header-display":"disabled","ast-hfb-below-header-display":"disabled","ast-hfb-mobile-header-display":"disabled","site-post-title":"disabled","ast-breadcrumbs-content":"disabled","ast-featured-img":"disabled","footer-sml-layout":"disabled","theme-transparent-header-meta":"default","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-gradient":""}},"footnotes":""},"categories":[6],"tags":[14],"_links":{"self":[{"href":"https:\/\/staging2022.42crunch.com\/wp-json\/wp\/v2\/posts\/16188"}],"collection":[{"href":"https:\/\/staging2022.42crunch.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/staging2022.42crunch.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/staging2022.42crunch.com\/wp-json\/wp\/v2\/users\/18"}],"replies":[{"embeddable":true,"href":"https:\/\/staging2022.42crunch.com\/wp-json\/wp\/v2\/comments?post=16188"}],"version-history":[{"count":0,"href":"https:\/\/staging2022.42crunch.com\/wp-json\/wp\/v2\/posts\/16188\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/staging2022.42crunch.com\/wp-json\/wp\/v2\/media\/16204"}],"wp:attachment":[{"href":"https:\/\/staging2022.42crunch.com\/wp-json\/wp\/v2\/media?parent=16188"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/staging2022.42crunch.com\/wp-json\/wp\/v2\/categories?post=16188"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/staging2022.42crunch.com\/wp-json\/wp\/v2\/tags?post=16188"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}