OWASP API Security Risks: What’s Ahead
In the first two articles in this three-part series, we examined the top risks on the 2023 OWASP Top 10 API Security Risks list. In this article, we’ll discuss what future lists may – or should – include and how enterprises can best protect themselves from these evolving risks.
Future API risks: What can we expect?
While it is difficult to predict what future OWASP API Security Risks lists will include, I’m certain that both broken authentication and broken authorization, which both topped the 2019 and 2023 lists, will never go away. They remain constant security challenges. Another risk that made OWASP’s 2019 list and (I think) should have made the 2023 list is insufficient logging and monitoring. Continuous logging and monitoring give you the information you need to help you respond to today’s fast-moving threats. Proper logging is always important and answers questions about breaches such as: When did it happen? Where did it happen? Who was responsible? What happened?
In addition to the possible return of certain risks featured on current (or past) lists, I expect we will see the types of risks expand. For example, we may see a separate section on Internet of Things (IoT)-based, bot-based or generative AI-based API risks as we see an uptick in specific threats and vulnerabilities. Right now, each of these is an unexplored attack surface area, but we are seeing signs that they could be the next security trend very soon.
- IoT: Today, APIs are not just called from a web agent or a mobile device; they are also embedded in Internet of Things (IoT) devices and are ripe for attack. For example, earlier this year, Check Point uncovered vulnerabilities that could be exploited in internet-connected workout equipment. The research found that Peloton Treadmill’s operating system includes numerous standard APIs that can be exploited to execute Android code.
- Bots: While any instance of bots being used in cyberattacks is a cause for concern, bots have been used more often in API attacks. Bots can improve discovery for threat actors looking to probe for weak spots in your defenses. They can map web apps, identify vulnerabilities while remaining under the detection threshold, and avoid triggering tripwires in defenses.
- AI: Until now, developers have primarily been designing APIs for applications that are used by humans, but designing APIs for machines will become an increasingly important area. In a recent post, Postman CEO Abhinav Asthana wrote, “APIs are the hands and legs that power the ‘thinking’ that the AI is doing. APIs will connect these bots to data, as well as to verbs and nouns to get stuff done in the real world.” Just as AI can provide potential benefits, it also could be used to abuse APIs and applications.
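As an added example (not from the original article or from any product it mentions), the sketch below shows why access logs that record when, where, who and what matter for the bot case above: a per-minute rate check sees nothing unusual in a slow client, while a check on how many distinct paths a client touches, and how many of those requests are rejected, flags it. The log format, client names, paths and thresholds are all constructed assumptions.

```python
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta

FMT = "%Y-%m-%dT%H:%M:%SZ"
PROBE_STATUSES = {401, 403, 404}  # assumption: rejected or missing resources signal probing

def build_sample():
    """Constructed log lines (not real traffic): when=ts, who=client, where=path, what=method/status."""
    t0, lines = datetime(2023, 9, 1), []
    def add(offset, client, path, status):
        lines.append(json.dumps({"ts": (t0 + offset).strftime(FMT), "client": client,
                                 "method": "GET", "path": path, "status": status}))
    for i in range(300):  # key-A: busy, legitimate client; 5 requests/minute on two paths
        add(timedelta(seconds=12 * i), "key-A", f"/v1/orders/{i % 2}", 200)
    for i in range(24):   # key-B: one request every 10 minutes, a new path each time
        add(timedelta(minutes=10 * i), "key-B", f"/v1/resource-{i}", 404 if i % 4 else 200)
    return lines

def parse(lines):
    records = [json.loads(line) for line in lines]
    for r in records:
        r["ts"] = datetime.strptime(r["ts"], FMT)
    return sorted(records, key=lambda r: r["ts"])

def peak_per_minute(records):  # what a per-minute rate limit would see for each client
    counts = Counter((r["client"], r["ts"].replace(second=0)) for r in records)
    peak = {}
    for (client, _), n in counts.items():
        peak[client] = max(peak.get(client, 0), n)
    return peak

def find_slow_scanners(records, window=timedelta(hours=6), min_paths=15, min_error_ratio=0.5):
    """Flag clients whose traffic inside any window is broad and mostly rejected, whatever its rate."""
    by_client = defaultdict(list)
    for r in records:
        by_client[r["client"]].append(r)
    findings = {}
    for client, events in by_client.items():
        start = 0
        for end, ev in enumerate(events):
            while ev["ts"] - events[start]["ts"] > window:
                start += 1  # slide the window forward so it never exceeds `window`
            span = events[start:end + 1]
            paths = {e["path"] for e in span}
            errors = sum(e["status"] in PROBE_STATUSES for e in span)
            if len(paths) >= min_paths and errors / len(span) >= min_error_ratio:
                findings[client] = {"first_seen": span[0]["ts"], "last_seen": ev["ts"], "paths": len(paths)}
                break
    return findings
```

On the constructed sample, the legitimate client peaks at five requests per minute and the slow client at one, yet only the slow client is flagged, with first-seen and last-seen timestamps taken straight from the log.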
Why API protection is a group sport
There will always be a need for community- and/or crowd-sourced vulnerability and API security risk lists. The work done by OWASP and other groups helps to shape not only our security budgets, but our security priorities. For example, in addition to OWASP, the Homeland Security Systems Engineering and Development Institute, sponsored by the Department of Homeland Security and operated by MITRE, recently released the 2023 Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Weaknesses. The CWE Top 25 is calculated by analyzing public vulnerability data in the National Vulnerability Database (NVD) for root cause mappings to CWE weaknesses for the previous two calendar years. These weaknesses lead to serious vulnerabilities in software. An attacker can often exploit these vulnerabilities to take control of an affected system, steal data, or prevent applications from working.
In addition to community groups, developers certainly play a role in better securing the software that they are creating. Security vendors, through tools and information sharing, can also play a role. For example, for Broadcom’s Layer7 API Management users, we have a community where we post Transport Layer Security (TLS)-related vulnerabilities and other helpful information to improve their security posture.
Broadcom has been the leader in API management for the last ten years. From a product point of view, Layer7 API Management has had huge customer growth over the last few years. One reason behind this increased adoption may be that it is a secure gateway, not just an API gateway. Layer7 simplifies all key security and management processes, reduces developer workload and provides the scale and integration necessary to support mobile-first businesses and enable IoT.
Our solution’s ability to enable enterprises to meet the fast-growing regulations and compliance rules gives us an edge over our competition. It integrates with most IAM systems and supports OAuth/OpenID Connect, FIDO, PCI-DSS, FHIR and PSD2.
With the increased use of APIs by developers, we are not going to see API risks go away anytime soon. As a result, Broadcom is focused on protecting users from today’s threats and will continue to invest in research and development to help protect against future risks.