API Security Weekly: Issue 170

This week, we have an article on applying a DevSecOps approach to API security by utilizing a shift-left and protect and monitor right approach, a pair of vulnerabilities patched by F5, views on the top 10 API integration trends by Brenton House, and finally, a view on the rise of bot attacks against APIs.

Article: Taking a DevSecOps Approach to API Security

This week, Doug Dooley published an article on how a DevSecOps approach could be applied to API security. It describes how an approach of shift-left and protect and monitor right could result in more secure APIs by bringing API development more in line with well-established processes for application development.

Dooley describes how a traditional approach to API security is overly reliant on the protection afforded by API gateways and content delivery networks (CDNs). While these methods offer some level of protection, they are insufficient against some of the more sophisticated attack methods, such as broken object-level authorization (BOLA/IDOR) or authentication and authorization attacks.

Dooley describes how customer-facing APIs (the “north-south” APIs) need to be thoroughly and continuously secured. The internal APIs (the “east-west” APIs) are also vulnerable to attack if deployed in a cloud environment. Basically, assume all APIs are equally valuable and attractive to attackers.

By using a DevSecOps approach, API developers can leverage a number of advantages:

• Security experts can make ongoing risk-based decisions on issues as they arise, rather than catching issues post-deployment.
• CI/CD systems enable automated testing of APIs throughout their construction and deployment.
• APIs can be deployed with active protection and continuous reporting, to ensure that emerging API threats are detected in real-time.
• When an incident occurs, all teams involved can have an informed view of the affected components and their risks, and make appropriate decisions to remediate and redeploy.

Vulnerability: F5 Fixes High-Risk Vulnerabilities

The Daily Swig featured details of a pair of high-risk vulnerabilities affecting network technology provider F5. Details of them were provided in F5’s quarterly patch notice, which addressed a total of 15 high-severity vulnerabilities.

The first issue affected the NGINX Controller API Management product, which allows DevOps teams to control the API lifecycle, security included. Somewhat ironically, the product itself had an API vulnerability that allowed an injection attack using an admin role against an undisclosed API. An attacker could have used this endpoint to inject malicious JavaScript which could then execute within the target data planes — a great example of API5:2019 — broken function level authorization. The vulnerability (CVE-2022-23008) was given a CVSS score of 8.7 and has now been patched in version 3.19.1.

The second vulnerability affects the BIG-IP load balancer. This configuration utility was vulnerable to cross-site scripting (XSS) attacks that allowed injecting JavaScript into the context of the current logged-in user. The vulnerability (CVE-2022-23013) was given a CVSS score of 7.5 and has also now been patched.

Opinion: Ten API Integration Trends

We also have our regular contributor to the newsletter, Brenton House, who discusses ten hot API integration trends for 2022. In his view they are:

1. API cybersecurity
2. Seamless integration solutions
3. Adaptive API management
4. API and integration automation
5. Industry-specific breakouts
6. API best practices
7. OpenAPI standards
8. API and integration experience
9. API-led modernization
10. API economy growth

Readers of this newsletter are unlikely to be surprised to see API security featuring at the top of the list. House highlights that APIs are likely to become the most frequently used attack vector, which — coupled with the exponential growth of APIs — leads to API security becoming a very hot topic.

House emphasizes the value of the “shift-left, shield-right” approach (covered in the first article in this newsletter), and highlights the importance of the related topics of encryption and privacy when considering the overall API security strategy.

Article: Bot Attacks on APIs Increasing

Next up, we have an article on the rise of bot attacks against APIs. It highlights the challenges that bots present to APIs, primarily that they are hard to detect and therefore hard to defend against. Bot sophistication has increased rapidly and can now mimic the behavior of a human user quite accurately.

Typically, adversaries use a combination of the following tactics:

• Automate bot attacks
• Access a wide pool of account information and credentials to attempt account takeovers (ATO)
• Use clusters of mobile devices all grouped together to avoid device detection

Defenders have two options in reducing the effectiveness of bot attacks: firstly, they can reduce the efficiency of bot attacks, for example, with rate-limiting, and secondly, they can increase attacker costs by using better protection methods on their APIs.