WHITEPAPER
Akamai
API Security Fundamentals: Build Your Knowledge, Secure the Enterprise
Introduction
APIs have evolved rapidly from an implementation detail to a strategic enabler of digital innovation. Every time a customer, partner, or vendor engages with a business digitally, there's an API behind the scenes facilitating a seamless data exchange.
As APIs proliferate, so do their risks. In the race to quickly create and release new applications and AI-enhanced services, the underlying APIs are too often misconfigured, lacking in security controls, and vulnerable to easily executed attacks.
As a result, APIs have emerged as a top attack vector, leaving many security teams to play catch-up with their API security strategies. Therefore, API security is quickly emerging as a top strategic priority for IT and security executives.
Whether you're looking to ground yourself in API security basics or are assembling a list of the right questions to ask, this guide offers the details you need to know, including:
• The different types of APIs
• What API security means for businesses today
• Best practices for addressing API security risks
• Common API attack and abuse methods
To go directly to API security best practices, you can skip ahead to page 10.
Table of Contents
API basics: 4–9
API security explained: 10–12
API security risks and abuse: 13–18
API security solutions and trends: 19–22
API basics
What is a web API?
A web application programming interface, or API, consists of one or more endpoints of a defined request–response message system, typically expressed in JSON or XML, which are publicly exposed via the web—most commonly by means of an HTTP-based web server.
In other words, a web API is what most people think of when they hear "API." It's a collection of endpoints. Endpoints consist of resource paths, the operations that can be performed on these resources, and the definition of the resource data (in JSON, XML, Protobuf, or another format).
Web APIs are different from other APIs, such as those exposed by the operating system or by libraries of applications running on the same machine, but the general term "API" usually refers to an HTTP-based (web) API, especially in the context of enterprise digital transformation and API security.
What are the most common types of APIs?
The following table contains terms that refer to different usage models and technical approaches for API implementations. Web APIs are defined as being based on HTTP, and the four main types of web APIs seen today are RESTful, SOAP, GraphQL, and gRPC. The table defines these common types, as well as others.
API usage model and description:
Public API: An API that is made available and shared freely with all developers via the internet
External API: Often used interchangeably with public API; these types of APIs are exposed to the internet
Private API: An API that is implemented in a protected data center or cloud environment for use by trusted developers
Internal API: Often used interchangeably with private API
Third-party API: Provides programmatic access to specialized functionality and/or data from a third-party source for use in an application
Partner API: A type of third-party API that is made available selectively to authorized business partners
Authenticated API: An API that is only accessible to developers who have been granted access (or threat actors who have gained unauthorized access to credentials)
Unauthenticated API: An API that can be accessed programmatically without the need for specific credentials
HTTP API: An API that uses the hypertext transfer protocol as a communication protocol for API calls
RESTful API: Representational state transfer (RESTful) is the most common type of web API that uses plain text, HTML, XML, YAML, or JSON to deliver data; RESTful APIs are easy to consume by modern front-end frameworks (e.g., React and React Native) and facilitate web and mobile application development; they have become the de facto standard for any web API, including those used for B2B
GraphQL: GraphQL APIs are the newer, Facebook-developed standard that provides database access over a single POST endpoint (typically /graphql); it solves a common RESTful API problem—that of requiring multiple calls to populate a single user interface page
SOAP: SOAP uses the verbose eXtensible Markup Language (XML) for remote procedure calls (RPCs). It can still be found in legacy APIs
XML-RPC: XML-RPC is a method of making procedure calls over the internet that uses a combination of XML for encoding and HTTP as a communications protocol
gRPC: gRPC APIs are a Google-developed, high-performance binary protocol over HTTP/2.0 and are used mostly for east-west (within internal network) communication
OpenAPI: OpenAPI is a description and documentation specification for APIs. It may be helpful to know that the term Swagger refers to the original specification, and OpenAPI refers to the open standard developed by the OpenAPI Initiative
What is the difference between APIs and endpoints?
People often use "API" when they are really referring to a single API endpoint. APIs, sometimes called services or API products, are collections of endpoints that serve a business function. An individual endpoint, on the other hand, is a resource (or resource path, also known as a URI or uniform resource identifier) along with the operation performed on it (create, read, update, or delete). In RESTful APIs, operations are typically mapped to the HTTP methods (POST, GET, PUT, and DELETE).
What is a north-south API?
These are APIs that an organization leaves accessible to the outside world, primarily to conduct business with its business partners. This is called API exposure. For example:
• Banks embracing open banking may expose their data to other fintech or financial services organizations via APIs.
• Healthcare organizations may expose patient records to insurance companies and other medical organizations via APIs.
• Hospitality organizations may expose their reservation systems to travel agents or aggregators via APIs.
APIs are the connective tissue that allows disparate organizations to exchange data. North-south APIs are often considered safe because access is authorized and authenticated. Typically, this is the fastest-growing and largest volume of APIs, and consequently, it is the largest attack surface for most organizations.
What is an east-west API?
These are APIs that an organization uses internally and should not be accessible to anyone outside the business. These APIs connect internal applications or business units or departments. It is possible for a developer to make a mistake that makes east-west APIs accessible by accident. These APIs are not meant to be accessible or even known by external entities, but breaches do happen when threat actors find east-west APIs accessible via the internet.
What are the differences between B2C APIs and B2B APIs?
Business-to-consumer (B2C) APIs power web and mobile applications. They are typically consumed by modern front-end clients to allow authenticated end users access to the company's business functionality.
Business-to-business (B2B) APIs are offered by the organization to other organizations to conduct business and sometimes to provide value to joint customers. B2B APIs help streamline how an enterprise works with its suppliers, resellers, and other partners and how it provides better experiences to its customers.
Examples of B2B APIs include:
• Open banking APIs
• Supply chain management APIs
• Electronic invoicing and payments between trading partners
Since the consumers of the APIs differ greatly, the security controls available for protecting these APIs also vary. The industry has been focused on B2C use cases until fairly recently, but even there, the focus has not been on securing B2C APIs but rather on securing web applications. The security tools and controls typically employed for securing B2C web applications offer certain benefits (e.g., web application firewall [WAF]/web application and API protection [WAAP]) but cannot provide the degree of visibility, real-time monitoring, and protection required for securing B2C APIs from attacks.
Protecting B2B APIs is becoming increasingly challenging. These APIs are often easier targets for attackers because they frequently lack essential protection mechanisms. Earlier API security tools had limited visibility into B2B APIs and struggled to secure APIs that facilitated bulk data access on behalf of shared users (as seen in open banking, where fintech companies and financial institutions consensually share customer data). However, newer API security solutions offer behavioral analytics and can recognize anomalous activities, effectively addressing these concerns.
What are the differences between private APIs and public APIs?
Private APIs, sometimes also called internal APIs, are intended to be used by the company's developers and contractors. Often a part of a service-oriented architecture (SOA) initiative, private APIs are meant to streamline internal development by enabling different departments or business units to access each other's data efficiently and effectively.
By contrast, public APIs, also known as external APIs, are exposed to consumers from outside the company. In their most extreme manifestation, as open APIs, they can be freely consumed by anyone. In all cases, they require tight management and great documentation so they can be used by engineers outside the company.
It's important to note that private APIs that can be accessed over the internet are not really private in the strict sense of the word. For example, let's say ACME's B2C API is used only by ACME mobile apps (developed in house by ACME engineers). You may be tempted to call this a private API, but since the traffic to this API arrives from the internet (outside the company), this API is not really private—it is simply unpublished to external audiences. Hackers attack such APIs regularly by intercepting traffic and by reverse engineering mobile apps to find their corresponding APIs.
API security explained
What is API security?
API security is a strategy for gaining visibility into, rigorously testing, and protecting every API across an enterprise. This includes APIs that are integral to applications, business processes, and cloud workloads. However, because both internal and external APIs are being produced so rapidly and in such large numbers, it can be difficult to have a complete understanding of your organization's entire API landscape. Many organizations lack visibility into how many APIs they actually have and which APIs return sensitive data when called. Identifying and mitigating API security risks require security controls that are sophisticated enough to provide this kind of visibility and data analysis. The APIs that need protection may include:
• APIs that make data easily accessible by customers or business partners
• APIs consumed from business partners
• APIs that are implemented and used internally to make application functionality and data available to various systems and user interfaces in a standardized and scalable manner
An effective API security strategy must include systematic techniques for assessing risk and potential impact as well as executing appropriate mitigation measures. The first step in assessing risk is building an inventory of all sanctioned and unsanctioned APIs published and used by the organization. This inventory should include attributes such as:
• Data classifications, which at a minimum distinguish between "not sensitive," "sensitive," and "very sensitive" data
• Risk indicators, such as API vulnerabilities and misconfigurations
Additionally, API visibility and risk mitigation measures must consider a diverse collection of possible threats, including:
• Detecting and preventing the use of unsanctioned shadow APIs (see sidebar)
• Identifying and remediating API vulnerabilities and misconfigurations that threat actors could potentially exploit
• Preventing instances of API misuse, such as business logic abuse and data scraping
How is API security different from application security?
While API security and traditional application security are related disciplines, API security is a distinct challenge for two key reasons—the scale and complexity of the problem.
Greater scale
Three factors contribute to the rapid growth of API use:
1. The use of microservices, an architecture that mandates the use of APIs for service-to-service communication, is growing.
2. In the direct-user channel, modern front-end application frameworks such as React, Angular, and Vue use APIs and are displacing legacy web apps.
3. APIs are added to address completely new channels as well (e.g., partners, IoT, and business automation).
Flexibility leading to complexity
Unlike web applications, APIs are designed to be used programmatically in many different ways, which makes differentiating legitimate usage from attacks and abuse extremely challenging.
Is there an API taxonomy that security teams should understand?
The following are common categorizations and descriptions of APIs that may come up in a security context.
Sanctioned APIs
• Published API (with Swagger documentation or similar)
Unsanctioned APIs
• Shadow API
• Rogue API
• Zombie API
• Hidden API
Out-of-date APIs
• Deprecated API
• Legacy API
• Zombie API
• Orphaned API
Stages of API security maturity
Stage 1: Visibility and discovery
You are in the process of discovering all your APIs and the microservices they support by using an automated approach. Breadth of coverage is critical, as overlooked APIs (such as those no longer in use) are a prime target for threat actors.
Stage 2: Testing
You test all your APIs to ensure that they are coded correctly and that they perform their intended function. Testing performed prior to deploying an API is the upper end of this maturity stage; risk is eliminated before the API goes into production, and any needed fix is exponentially less expensive.
Stage 3: Risk audit
You continually audit your entire API environment to identify misconfigured APIs or other errors. Your audit also ensures adequate documentation of every API and determines whether they contain sensitive data or lack appropriate security controls.
Stage 4: Runtime protection
You are using a solution with automated runtime protection, which can differentiate between normal and abnormal API activity. By monitoring API interactions this way, you're able to detect behaviors indicating a threat in real time.
Stage 5: Response
You have solutions in place to respond to suspicious API behavior, such as a WAF or API gateway that blocks suspicious traffic before it can access critical resources. Your solutions use customized, automated rules.
Stage 6: Hunt for threats
You regularly perform forensic analysis on past threat data to learn whether alerts correctly identified threats and whether patterns emerged that enable proactive threat hunting using a combination of sophisticated tools and human intelligence.
What are the best practices for protecting APIs?
Enhancing your API security starts with the following best practices:
• Integrate API security standards and practices with your organization's software development lifecycle.
• Incorporate API documentation and automated security testing into your continuous integration/continuous delivery (CI/CD) pipelines.
• Ensure that appropriate and effective authentication and authorization controls are applied to your APIs.
• Implement rate limiting measures to help prevent APIs from being abused or overwhelmed.
• Augment rate limiting and other application-level measures with specialized gateways and/or content delivery networks to mitigate the risk of distributed denial-of-service (DDoS) attacks.
• Make API security testing an integral part of your broader application testing processes.
• Perform continuous discovery of APIs.
• Implement a systematic approach for identifying and remediating common API vulnerabilities, including the OWASP Top 10 API Security Risks.
• Use signature-based threat detection and prevention as a baseline level of protection against known API attacks.
• Augment signature-based detection with AI and behavioral analytics to make API threat detection more scalable, accurate, business relevant, and resilient against novel threats.
• Ensure that the API security monitoring and analysis process extends over multiple weeks and API sessions.
• Complement API security monitoring and alerting with on-demand access to API inventory and activity data for use by threat hunters, developers, DevOps, and support personnel.
Your ability to implement these API security best practices depends on where you are in your journey toward a mature API security strategy (see sidebar).
API security risks and abuse
What is an API vulnerability?
An API vulnerability is a software bug or system configuration error that an attacker can exploit to access sensitive application functionality or data or otherwise misuse an API. The OWASP Top 10 API Security Risks offer a useful overview of some of the most widely abused API vulnerabilities that organizations should attempt to identify and remediate.
Are all API vulnerabilities tracked on the OWASP Top 10 API Security Risks?
The OWASP API Security Top 10 is an excellent starting point for organizations seeking to improve their API security posture. Its categories cover a wide range of possible API risks. But the categories included in the OWASP API Security Top 10 are quite broad, so it's important to drill down to the sub-areas for each one. API attackers frequently attempt to exploit authorization issues (covered by OWASP extensively), but there are also API risks that fall completely outside the OWASP API Security Top 10, such as the abuse of logic bugs.
How can APIs be abused?
APIs can be attacked and abused in various ways, but some of the most common examples include:
• Vulnerability exploitation: Technical vulnerabilities in underlying infrastructure can lead to server compromise. Examples range from the Apache Struts vulnerabilities (CVE-2017-9791, CVE-2018-11776) to Log4j vulnerabilities (CVE-2021-44228).
• Business logic abuse: Logic abuse is when a threat actor exploits application design or implementation flaws to prompt unexpected and unsanctioned behavior. These scenarios cause stress for CISOs and their teams because legacy security controls are useless against them.
• Unauthorized data access: Another common form of API abuse is the exploitation of broken authorization mechanisms to access data that should not be accessible. These vulnerabilities carry many names, such as Broken Object Level Authorization (BOLA), insecure direct object reference (IDOR), and broken function-level authorization (BFLA).
• Account takeover: After a credential theft or even an XSS attack, an account can be taken over. Once that happens, abuse of even the most well-written and perfectly secured API is possible. Using an API security solution that offers behavior analysis allows you to differentiate authenticated activity from illegitimate usage.
• Data scraping: As organizations make datasets available through public APIs, threat actors may aggressively query these resources to perform wholesale capture of large, valuable datasets.
• Business denial of service (DoS): By asking the backend to perform heavy tasks, API attackers can cause erosion of service or a complete DoS at the application layer (a very common vulnerability in GraphQL but something that can happen with any resource-intensive API endpoint implementation).
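The business DoS point above, in the GraphQL setting the whitepaper singles out, as an added example that is not part of the original document: a pre-parse guard that rejects documents whose nesting depth or number of selections would turn one POST into heavy backend work. The thresholds and sample queries are constructed; a production guard would compute cost from the parsed AST and schema rather than raw text.

```python
# Added example (not from the whitepaper): a pre-parse guard for a /graphql
# endpoint that rejects documents whose nesting depth or selection count
# would make a single POST expensive for the backend. Thresholds and the
# sample queries are constructed.
import re

STRING_RE = re.compile(r'"(?:\\.|[^"\\])*"')  # string literals may contain braces
COMMENT_RE = re.compile(r"#[^\n]*")            # GraphQL line comments
ARGS_RE = re.compile(r"\([^)]*\)")             # argument lists, e.g. (id: "")
KEYWORDS = {"query", "mutation", "subscription", "fragment", "on"}

# Constructed sample documents.
SHALLOW_QUERY = "query { me { id name } }"
DEEP_QUERY = """
query {
  user(id: "u-1") {
    friends { friends { friends { friends { name } } } }
  }
}
"""


def strip_literals(document: str) -> str:
    """Remove string literals and comments so braces inside them are ignored."""
    return COMMENT_RE.sub("", STRING_RE.sub('""', document))


def max_depth(document: str) -> int:
    """Deepest selection-set nesting; returns -1 for unbalanced braces."""
    depth = deepest = 0
    for ch in strip_literals(document):
        if ch == "{":
            depth += 1
            deepest = max(deepest, depth)
        elif ch == "}":
            depth -= 1
            if depth < 0:
                return -1
    return deepest if depth == 0 else -1


def selection_count(document: str) -> int:
    """Approximate number of fields requested: identifiers outside argument
    lists that are not keywords. Aliases are counted as well, which
    over-counts and therefore errs toward rejecting."""
    text = ARGS_RE.sub("", strip_literals(document))
    words = re.findall(r"[A-Za-z_][A-Za-z0-9_]*", text)
    return sum(1 for w in words if w not in KEYWORDS)


def check_query(document: str, max_allowed_depth: int = 4,
                max_selections: int = 100) -> str:
    """Return "ok" or a rejection reason; run before the query executes."""
    depth = max_depth(document)
    if depth < 0:
        return "reject: malformed"
    if depth > max_allowed_depth:
        return f"reject: depth {depth} exceeds {max_allowed_depth}"
    if selection_count(document) > max_selections:
        return "reject: too many selections"
    return "ok"
```

Rejections from this guard are worth logging per client, since repeated deep or oversized documents from one caller are themselves a signal of abuse.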
What is a zombie API?
Driven by changing market and business requirements, APIs are in constant flux. As new endpoint implementations are released to meet new business needs, fix bugs, and introduce technical improvements, older versions of these endpoints are sunset. Managing the decommissioning process of old endpoints is not trivial. Often, endpoint implementations that should have been deprecated remain alive and accessible—those are called zombie endpoints.
How can I find the various types of shadow APIs?
One of the ways to conduct enterprise-wide shadow API discovery is to ingest and analyze API traffic on your network. Examples of API traffic sources include:
• Content delivery networks (CDNs)
• API gateways
• WAFs
• Kubernetes clusters
• Cloud infrastructure
Once raw data from all available sources is collected, AI techniques can be used to transform it into a comprehensive inventory of all APIs, endpoints, and parameters. From there, additional analysis can be performed to classify these elements and identify shadow APIs that should be eliminated or brought into formal governance processes.
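The traffic-driven inventory described above, covering both the zombie endpoints of the previous answer and shadow discovery, as an added example that is not part of the whitepaper: gateway access log lines are turned into an endpoint-and-parameter inventory and compared with the documented list. The log format, documented paths and deprecated version prefix are constructed.

```python
# Added example (not from the whitepaper): build an endpoint inventory from
# gateway access logs and flag shadow and zombie endpoints against the
# documented (OpenAPI-style) list. Log format, documented paths and the
# deprecated prefix are all constructed for illustration.
import re
from collections import defaultdict

# Constructed sample of gateway access log lines: method, path+query, status.
SAMPLE_LOG = """\
GET /v2/orders/1001?expand=items 200
GET /v2/orders/1002 200
POST /v2/orders 201
GET /v1/orders/77 200
GET /v1/orders/78 200
GET /internal/debug/config 200
GET /v2/users/42/export?format=csv 200
DELETE /v2/orders/1001 204
"""

# Sanctioned endpoints: what the published OpenAPI document says exists.
DOCUMENTED = {
    ("GET", "/v2/orders/{id}"),
    ("POST", "/v2/orders"),
    ("DELETE", "/v2/orders/{id}"),
    ("GET", "/v2/users/{id}/export"),
}
# API versions the team believes were sunset.
DEPRECATED_PREFIXES = ("/v1/",)

LOG_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) (?P<status>\d{3})$")
NUMERIC = re.compile(r"^\d+$")


def normalize_path(path: str) -> str:
    """Collapse numeric segments into {id} so /v2/orders/1001 and
    /v2/orders/1002 are recognized as one endpoint."""
    segments = path.strip("/").split("/")
    return "/" + "/".join("{id}" if NUMERIC.match(s) else s for s in segments)


def build_inventory(log_text: str) -> dict:
    """Return {(method, path_template): {"hits": n, "params": set(...)}}."""
    inventory = defaultdict(lambda: {"hits": 0, "params": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than guess at them
        path, _, query = m["target"].partition("?")
        entry = inventory[(m["method"], normalize_path(path))]
        entry["hits"] += 1
        for pair in filter(None, query.split("&")):
            entry["params"].add(pair.split("=", 1)[0])
    return dict(inventory)


def classify(inventory: dict) -> dict:
    """Split observed endpoints into sanctioned, zombie and shadow."""
    result = {"sanctioned": [], "zombie": [], "shadow": []}
    for key in sorted(inventory):
        if key in DOCUMENTED:
            result["sanctioned"].append(key)
        elif key[1].startswith(DEPRECATED_PREFIXES):
            result["zombie"].append(key)  # sunset, yet still serving traffic
        else:
            result["shadow"].append(key)  # live, but never documented
    return result
```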
How do you protect internal APIs and B2B APIs?
It really depends on the definition of "internal." Some teams refer to APIs exposed over the internet to their own organization's web and mobile applications as "internal APIs." And while the documentation for these APIs may indeed be accessible only to company employees and contractors, hackers have become adept at analyzing apps and reverse engineering the APIs via app disassembly toolkits and proxies such as Burp Suite.
However, if "internal APIs" are defined as east-west APIs, which cannot be accessed from outside the organization, then the main threat is reduced to an insider threat. Protect east-west APIs and your B2B APIs like most other APIs: Start by securing the software development lifecycle (SDLC) and continue by ensuring access is authenticated and authorized. You can also implement quota management, rate limits, and spike arrests. Additionally, you can protect your APIs against known threats by using WAFs/WAAPs.
For B2B APIs, consider adding strict authentication mechanisms, such as mTLS, because of the sensitive and often bulk nature of the transactions.
And for both east-west and B2B APIs, we recommend you employ behavioral analytics, especially if you have many entities involved, which may make the process of distinguishing between legitimate and illegitimate behavior difficult. For example:
• How do you know if the API credentials of a specific user have been compromised?
• How would you know if your invoicing API is being abused by a partner enumerating invoice numbers to steal account data?
Protection of B2B APIs and east-west APIs requires business context that cannot be gained by analyzing technical elements like IP addresses and API tokens alone. Using machine learning and behavioral analytics to gain visibility into business-relevant entities is the only way to understand and manage risk effectively. Business context and historical benchmarks for normal use of APIs by specific entities like your users or partners—or even business process entities (invoice, payment, order, etc.)—make it possible to see anomalies that would otherwise go undetected.
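The invoice-enumeration question above, answered with the kind of business context the passage calls for, as an added example that is not part of the whitepaper: each partner's accesses are scored on whether the ids arrive sequentially and whether the invoices belong to someone else, and only the combination is flagged. The log lines, partner names and invoice ownership table are constructed, and the fixed thresholds stand in for a baseline that would normally be learned from history.

```python
# Added example (not from the whitepaper): detection logic for the question
# "is a partner enumerating invoice numbers?" on a B2B invoicing API. The log
# lines, partner names and invoice-ownership table are constructed; in
# production the per-partner baseline would be learned from weeks of history
# rather than fixed thresholds.
import re
from collections import defaultdict

# Business context: which partner each invoice belongs to (constructed).
INVOICE_OWNER = {5001: "acme", 5002: "globex", 5003: "initech", 5004: "acme",
                 5005: "globex", 5006: "initech", 5007: "acme", 5008: "globex"}

# Constructed gateway log: time partner method path status
SAMPLE_LOG = """\
10:00:01 acme GET /invoices/5001 200
10:00:07 acme GET /invoices/5004 200
10:00:09 acme GET /invoices/5007 200
10:01:00 globex GET /invoices/5001 200
10:01:01 globex GET /invoices/5002 200
10:01:02 globex GET /invoices/5003 200
10:01:03 globex GET /invoices/5004 200
10:01:04 globex GET /invoices/5005 200
10:01:05 globex GET /invoices/5006 200
10:01:06 globex GET /invoices/5007 200
10:01:07 globex GET /invoices/5008 200
"""
LINE_RE = re.compile(r"^\S+ (?P<partner>\S+) GET /invoices/(?P<inv>\d+) \d{3}$")


def accesses_by_partner(log_text: str) -> dict:
    """Return {partner: [invoice ids in access order]}."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            seen[m["partner"]].append(int(m["inv"]))
    return dict(seen)


def sequential_ratio(ids: list) -> float:
    """Fraction of consecutive accesses whose ids differ by exactly 1."""
    if len(ids) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(ids, ids[1:]) if b - a == 1)
    return steps / (len(ids) - 1)


def foreign_ratio(partner: str, ids: list) -> float:
    """Fraction of accessed invoices owned by a different partner."""
    if not ids:
        return 0.0
    return sum(1 for i in ids if INVOICE_OWNER.get(i) != partner) / len(ids)


def find_enumerators(log_text: str, seq_threshold: float = 0.8,
                     foreign_threshold: float = 0.5) -> list:
    """Flag partners whose accesses look like id enumeration AND who are
    reading invoices they do not own. Either signal alone is weak: a partner
    may legitimately read its own invoices in order."""
    flagged = []
    for partner, ids in accesses_by_partner(log_text).items():
        if (sequential_ratio(ids) >= seq_threshold
                and foreign_ratio(partner, ids) >= foreign_threshold):
            flagged.append(partner)
    return flagged
```

Note that the foreign-ownership signal is exactly the business context the passage says IP addresses and tokens alone cannot give: without the ownership table, the two partners' traffic looks equally authenticated.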
Do API gateways offer sufficient risk protection?
Many organizations taking a strategic approach to APIs use API gateways. Most API gateways have rich integrated security features that organizations should take advantage of—first among those is authentication (and authorization as well, if you can leverage OpenID Connect). However, merely performing authentication, authorization, and quota management at the API gateway is not sufficient for several reasons:
• The discovery gap of API gateways: API gateways only have visibility and control over the APIs that they are configured to manage, making them ineffective at detecting shadow APIs and endpoints.
• The security gap of API gateways: API gateways can enforce authentication and, to some degree, authorization schemes, but they do not inspect payloads (as WAFs and WAAPs do), nor do they profile behavior to detect abuse.
What are the most common API misconfiguration errors?
The number of possible API misconfigurations is nearly endless, given the large number of ways that APIs are used. However, there are some common themes in misconfiguration:
Broken or no authentication
Authentication is foundational to securing sensitive data that is made available via APIs. Step one is ensuring that all APIs carrying sensitive data have authentication in place initially. But it's also important to protect authentication mechanisms from brute-force attacks, credential stuffing, and use of stolen authentication tokens via rate limiting. Misconfigurations allowing API consumers to bypass authentication mechanisms can sometimes happen, often around token management (for example, some notorious JWT validation issues or not checking the token scope).
Broken authorization
One of the most common uses of APIs is to provide access to data or content, including sensitive information. Authorization is the process of verifying that an API consumer is eligible to access the data they are trying to access, prior to making it available to them. This can be done at the object or resource level (for example, I can access my orders but not someone else's) or at the function level (as is often the case with administrative capabilities). Authorization is hard to get right because of the high number of edge cases and conditions and because of the various flows that API calls can take between microservices. If you don't have a centralized authorization engine, your API implementation likely includes some of these vulnerabilities, such as BOLA and BFLA.
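The object-level and function-level checks described above, as an added example that is not part of the whitepaper: an orders API with the BOLA and BFLA defects present, beside a hardened version in which every handler consults one central policy before returning data. The order store, principals and role names are constructed.

```python
# Added example (not from the whitepaper): an orders API handler with the
# object-level (BOLA) and function-level (BFLA) checks missing, beside a
# hardened version that routes every access through one central policy.
# The order store, principals and role names are constructed.
from dataclasses import dataclass

class Forbidden(Exception):
    """Raised when a principal fails an authorization check."""

@dataclass(frozen=True)
class Principal:
    user_id: str
    roles: frozenset  # e.g. frozenset({"customer"}) or frozenset({"admin"})

# Constructed order store: order id -> owner and payload.
ORDERS = {
    "o-100": {"owner": "alice", "total": 42.0},
    "o-101": {"owner": "bob", "total": 99.5},
}

# --- vulnerable: trusts the client-supplied id and the chosen route ---------
def get_order_vulnerable(principal: Principal, order_id: str) -> dict:
    # BOLA: any authenticated caller reads any order by supplying its id.
    return ORDERS[order_id]

def refund_order_vulnerable(principal: Principal, order_id: str) -> dict:
    # BFLA: an administrative function reachable by any authenticated caller.
    return {**ORDERS[order_id], "refunded": True}

# --- hardened: one central policy, consulted before data leaves the handler --
def authorize(principal: Principal, action: str, order: dict) -> None:
    """Object level: reading requires ownership (admins excepted).
    Function level: refunding requires the admin role, whoever owns it."""
    is_admin = "admin" in principal.roles
    if action == "read" and (is_admin or order["owner"] == principal.user_id):
        return
    if action == "refund" and is_admin:
        return
    raise Forbidden(f"{principal.user_id} may not {action} this order")

def load_order(order_id: str) -> dict:
    order = ORDERS.get(order_id)
    if order is None:
        # Same error as a denied access, so the response does not reveal
        # which ids exist.
        raise Forbidden("not found or not permitted")
    return order

def get_order(principal: Principal, order_id: str) -> dict:
    order = load_order(order_id)
    authorize(principal, "read", order)
    return order

def refund_order(principal: Principal, order_id: str) -> dict:
    order = load_order(order_id)
    authorize(principal, "refund", order)
    return {**order, "refunded": True}

def is_denied(handler, principal: Principal, order_id: str) -> bool:
    """True when the handler refuses the call (handy for policy tests)."""
    try:
        handler(principal, order_id)
    except Forbidden:
        return True
    return False
```

The point of the single authorize function is the "centralized authorization engine" the passage mentions: a new handler that forgets to call it is a reviewable omission, whereas a check re-implemented inline in each handler is where the edge cases slip through.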
Security misconfiguration
In addition to the authentication and authorization issues mentioned above, there are many possible types of security misconfigurations, including insecure communication (e.g., failure to use SSL/TLS or the use of vulnerable cipher suites), unprotected cloud storage, and overly permissive cross-origin resource-sharing policies.
Lack of resources and rate limiting
When APIs are implemented without any limits on the number of calls that API consumers can make, threat actors can overwhelm system resources, leading to service degradation or full-scale DoS. At the very least, rate limits must be enforced on access to any unauthenticated endpoint, with authentication endpoints being of critical importance—or else brute-force attacks, credential stuffing, and credential validation attacks are simply bound to happen.
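Rate limiting on the authentication endpoint the passage singles out, as an added example that is not part of the whitepaper: a sliding-window limiter that keeps one budget per source and a tighter one per target account, so that both a brute-force run against one account and credential stuffing spread across many accounts from one source are throttled. The limits are constructed, and the clock is passed in rather than read from the system so the behaviour is deterministic.

```python
# Added example (not from the whitepaper): a sliding-window rate limiter for
# an authentication endpoint that keeps two budgets, one per source (IP or
# API key) and a tighter one per target account, so that credential stuffing
# spread over many accounts from one source and brute force against one
# account from many sources are both throttled. Limits are constructed.
from collections import defaultdict, deque


class SlidingWindowLimiter:
    def __init__(self, limit: int, window_seconds: float):
        self.limit = limit
        self.window = window_seconds
        self._events = defaultdict(deque)  # key -> timestamps of recent hits

    def allow(self, key: str, now: float) -> bool:
        """Record a hit for key at time now; False when over budget."""
        q = self._events[key]
        while q and now - q[0] >= self.window:
            q.popleft()  # forget hits that fell out of the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class LoginGuard:
    """One budget per source and a tighter one per target account."""

    def __init__(self, per_source_limit: int = 20, per_account_limit: int = 5,
                 window_seconds: float = 60.0):
        self.per_source = SlidingWindowLimiter(per_source_limit, window_seconds)
        self.per_account = SlidingWindowLimiter(per_account_limit, window_seconds)

    def check(self, source: str, account: str, now: float) -> str:
        """Return "ok", "throttled-source" or "throttled-account". The clock
        is passed in so the logic is deterministic and testable."""
        if not self.per_source.allow(source, now):
            return "throttled-source"
        if not self.per_account.allow(account, now):
            return "throttled-account"
        return "ok"
```

The throttled verdicts are the events to forward to monitoring: a burst of "throttled-account" for one login name from many sources is the signature of a distributed brute-force attempt that no single-source limit would reveal.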
What are API attacks?
API attacks are attempts to use APIs for malicious or otherwise unsanctioned purposes. A