
How To Protect Your Web Applications from OWASP Top Ten (part two)

In my first blog on How to Protect Your Web Applications from OWASP Top Ten, I discussed both OWASP and the OWASP Top Ten project, as well as how a properly configured API management solution can protect you against the first five of these threats. In this blog we’ll complete the Top Ten.

A6 Security Misconfiguration: Security misconfiguration is the most commonly seen issue (according to the OWASP Top Ten Project). This is commonly a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. Not only must all operating systems, frameworks, libraries, and applications be securely configured, but they must be patched/upgraded in a timely fashion.

API management solutions can often be configured as a security gateway that has been hardened for easy and secure deployment to the DMZ. As the first line of application layer defense in front of your web applications, an API Management solution configured correctly should be a key element of your overall security architecture, and should help protect you from security misconfigurations elsewhere in your stack.

A7 Cross-Site Scripting (XSS): XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API that can create HTML or JavaScript. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.

API management platforms can usually be configured to provide attack protection for services, APIs and applications, and will likely allow customers to detect, respond to and block attacks using a centralized security policy, acting as an application layer firewall.

A8 Insecure Deserialization: Insecure deserialization often leads to remote code execution. Even if deserialization flaws do not result in remote code execution, they can be used to perform attacks, including replay attacks, injection attacks, and privilege escalation attacks.

API management solutions can usually provide policy assertions to protect against SQL and other types of injection attacks. They may also have access to all web request and response content and context to enable inspection and protection at runtime.

A9 Using Components with Known Vulnerabilities: Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine application defenses and enable various attacks and impacts.

As noted under A5, API management solutions can usually be configured as a security gateway. API management vendors, as a rule, are constantly vigilant for new vulnerabilities and quickly create, release, and communicate vulnerability patches to their API management customers.

A10 Insufficient Logging and Monitoring: Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper, extract, or destroy data. Most breach studies show time to detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring.

Most API management platforms provide definable monitoring levels, allowing the appropriate level of reporting based on the enterprise requirements.
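As an added example (not code from the original post or from any vendor's product) of the two gateway behaviours described under A6 and A10: a response policy that strips banner headers, enforces security headers, masks verbose 5xx error bodies, and records its rewrites at a selectable monitoring level. The header set, the stack-trace heuristic and the sample upstream response are assumptions.

```python
"""Gateway response-hardening policy: an illustration added here, not code from
any vendor's API management product. It masks upstream misconfiguration from
clients (A6) and records its rewrites at a definable monitoring level (A10)."""
import logging
import re

# Constructed policy: headers the gateway always enforces, and headers it
# strips because they advertise the upstream stack to clients.
SECURITY_HEADERS = {
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}
STRIP_HEADERS = {"server", "x-powered-by", "x-aspnet-version"}
# Heuristic (assumption) for a verbose error body that leaks a stack trace.
STACK_TRACE_RE = re.compile(r"Traceback \(most recent call last\)|\tat [\w$.]+\(|Exception in thread")
# Monitoring levels the operator can select: the minimum severity recorded.
MONITORING = {"minimal": logging.WARNING, "standard": logging.INFO}
log = logging.getLogger("gateway.policy")

def harden_response(status, headers, body, monitoring="standard"):
    """Return (status, headers, body, audit) as the client should see them;
    audit holds the rewrites recorded at the selected monitoring level."""
    threshold = MONITORING[monitoring]
    events = []  # (severity, message) pairs the gateway would emit
    out = {k: v for k, v in headers.items() if k.lower() not in STRIP_HEADERS}
    stripped = sorted(set(headers) - set(out))
    out.update(SECURITY_HEADERS)  # overwrite weak upstream values, add missing
    events.append((logging.INFO, f"headers stripped={stripped} enforced={sorted(SECURITY_HEADERS)}"))
    if status >= 500 and STACK_TRACE_RE.search(body):
        # The stack trace stays server-side; the client gets a generic body.
        # Recorded at WARNING so even "minimal" monitoring keeps this signal.
        events.append((logging.WARNING, f"masked verbose {status} error ({len(body)} bytes)"))
        body = '{"error":"internal error"}'
        out["Content-Type"] = "application/json"
    kept = [(sev, msg) for sev, msg in events if sev >= threshold]
    for sev, msg in kept: log.log(sev, msg)
    return status, out, body, [msg for _, msg in kept]

# Constructed upstream response: a servlet app leaking its banner headers and
# a Java stack trace on a 500.
UPSTREAM = (500, {"Server": "Apache-Coyote/1.1", "X-Powered-By": "Servlet/3.1",
                  "Content-Type": "text/html"},
            '<pre>Exception in thread "main" java.lang.NullPointerException\n'
            "\tat com.example.Api.handle(Api.java:42)</pre>")

if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    print(harden_response(*UPSTREAM))
```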

Summary

A secured API management platform is an important component of a Zero Trust model (we’ll talk more about that in another blog series) that automatically protects against the OWASP Top Ten security threats. For many enterprises, implementing and configuring their API Management solution as defined above will allow them to meet that protection level, as well as to consolidate appliances, and from a single pane of glass, manage the security, integration and management of their web services, web API traffic, and web applications.