Why do we need the A10 entry in the OWASP Top 10?
Published 2017-07-18, last modified 2022-11-18. Original URL: https://staging2022.42crunch.com/a10-owasp/

Without any doubt, APIs have redefined the enterprise architecture landscape by becoming the building blocks of internal and external enterprise applications. APIs are now the entry point into most architectures, much like servlets and JSPs were in the application server era. APIs give access to a wide range of applications, systems and databases, and, with the expansion of IoT, to physical things as well.

In the 2017 release candidate of the OWASP Top 10 list, APIs were singled out under "A10: Underprotected APIs" (the entry was dropped again from the final 2017 edition). Granted, the threats associated with APIs are not new, and one might wonder why APIs deserve their own entry. But as Jeff Williams (OWASP Top 10 project creator and co-author) said in an interview with SDTimes, the goal of this list is primarily to draw attention to the problem at hand.

I can only agree with Jeff's statement.

False assumptions regarding API security

The nature of an API and of the clients consuming it has no bearing on whether that API must be properly secured:

  1. An API must be protected even if it is only used by your own applications and is not exposed publicly to consumers. Applications can be reverse-engineered and the API calls they make uncovered. Do not count on obscurity to protect your assets.
  2. Do not count on clients to filter or validate data. If your API accepts a credit card number, its format must be validated at the API level; do not assume the client application has done this properly.
  3. Do not trust any client, internal or external (e.g. public), since any of them could have been compromised.
  4. Third-party APIs (typically those of SaaS applications) must be secured and monitored just like your own. Although they are exposed by a third party, they handle sensitive enterprise data and could also have been compromised.
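Points 2 and 3 above in working form, as an added example that is not code from the original post or from 42Crunch: a server-side validator for the body of a hypothetical POST /payments endpoint. The endpoint, its field names (card_number, amount_cents, currency) and the amount ceiling are assumptions made for illustration. The validator normalizes the card number, checks its length and Luhn checksum, enforces the type of every field and rejects unknown fields, so nothing the client sends is trusted, whether or not the client claims to have validated it already.

```python
"""Server-side validation of a payment request body.

Added illustration, not code from the original post or from 42Crunch.
Assumed: the request body arrives as a JSON object already parsed into a
dict, and the endpoint accepts exactly the fields card_number, amount_cents
and currency. The amount ceiling is an arbitrary example limit.
"""
import re
from typing import Any, Dict, List, Optional, Tuple

# A PAN is 13 to 19 digits once any separators a client may send are removed.
_CARD_RE = re.compile(r"^[0-9]{13,19}$")
_CURRENCY_RE = re.compile(r"^[A-Z]{3}$")
ALLOWED_FIELDS = {"card_number", "amount_cents", "currency"}
MAX_AMOUNT_CENTS = 100_000_000  # assumed example limit


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum: rejects typos and most made-up numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - ord("0")
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalize_card_number(value: Any) -> Optional[str]:
    """Return the bare digit string, or None if value is not a well-formed PAN."""
    if not isinstance(value, str):
        return None             # a JSON number or array is not a card number
    digits = re.sub(r"[ -]", "", value.strip())   # tolerate "4111 1111 ..." and dashes
    if not _CARD_RE.fullmatch(digits) or not luhn_ok(digits):
        return None
    return digits


def validate_payment(body: Any) -> Tuple[int, Dict[str, Any]]:
    """Validate a parsed JSON body. Returns (HTTP status, response payload)."""
    if not isinstance(body, dict):
        return 400, {"error": "body must be a JSON object"}
    unknown = set(body) - ALLOWED_FIELDS
    if unknown:                 # reject, do not silently ignore, unexpected fields
        return 400, {"error": "unknown fields", "fields": sorted(unknown)}
    missing = ALLOWED_FIELDS - set(body)
    if missing:
        return 400, {"error": "missing fields", "fields": sorted(missing)}
    pan = normalize_card_number(body["card_number"])
    if pan is None:
        return 400, {"error": "card_number is not a valid card number"}
    amount = body["amount_cents"]
    # bool is a subclass of int in Python, so exclude it explicitly.
    if isinstance(amount, bool) or not isinstance(amount, int) \
            or not 0 < amount <= MAX_AMOUNT_CENTS:
        return 400, {"error": "amount_cents must be a positive integer"}
    currency = body["currency"]
    if not isinstance(currency, str) or not _CURRENCY_RE.fullmatch(currency):
        return 400, {"error": "currency must be a three-letter ISO code"}
    # Never echo the full PAN back; only the last four digits leave the API.
    return 200, {"status": "accepted", "card_last4": pan[-4:]}


# Constructed sample bodies: the first two are well-formed, the rest are the
# kind of input a client-side check would have been expected to catch.
SAMPLE_BODIES: List[Any] = [
    {"card_number": "4111111111111111", "amount_cents": 1999, "currency": "EUR"},
    {"card_number": "4111 1111 1111 1111", "amount_cents": 1999, "currency": "EUR"},
    {"card_number": "4111111111111112", "amount_cents": 1999, "currency": "EUR"},  # Luhn fails
    {"card_number": "4111111111111111", "amount_cents": 1999, "currency": "EUR",
     "is_admin": True},                                                          # extra field
    {"card_number": "4111111111111111", "amount_cents": "1999", "currency": "EUR"},  # wrong type
]


def run_samples() -> List[int]:
    """Return the HTTP status the validator assigns to each sample body."""
    return [validate_payment(body)[0] for body in SAMPLE_BODIES]


if __name__ == "__main__":
    for body, status in zip(SAMPLE_BODIES, run_samples()):
        print(status, validate_payment(body)[1])
```

The shape of the rejection matters as much as the check itself: every failure returns a generic 400 with a field name, never the submitted value, and the accepted path returns only the last four digits, so the validator cannot be turned into a way of reflecting card data back to a caller.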

Challenges of API security

While API security is one of the core concerns of enterprises, applying it in practice is often a challenge. We have spoken with many customers over the past year, and the following patterns emerged from those discussions: