New OWASP project aims to address API insecurity

May 23, 2016 15:01 GMT

OWASP, the famous organization dedicated to teaching proper security practices to the world, has launched a new initiative named the OWASP API Security Project.

The main people behind this new project are David Shaw, CISO at AppFolio, and Leif Dreizler, Senior Security Engineer at Bugcrowd.

The two outlined their project at the NolaCon security conference that took place in New Orleans over the past week.

API security flaws can have devastating consequences

The OWASP API Security Project will work just like the rest of the OWASP projects and provide a guide on how to properly implement modern-day technologies, in this case Application Programming Interfaces (APIs).

APIs are nothing more than standalone applications or software components that respond to data requests with information about a product or service, based on a set of rules and parameters bundled with the incoming request.

Oftentimes, improperly coded APIs can allow attackers to escalate their access and retrieve more information about an application or its users.

Depending on where the API is situated, whether inside a Web service or inside the firmware of a hardware device, the damage from API exploitation can range from trivial automated data harvesting to remote code execution flaws that allow attackers to take over entire devices or PCs.

A temporary Top 10 API Security Risks list was made available

OWASP plans to address these situations of API insecurity that have recently started to become extremely common.

The organization, which is famous for its Top 10 Web (and Mobile) Security Risks lists, will also assess and publish a Top 10 API Security Risks page.

During their video presentation (after minute 20:50), the two researchers released a temporary version of the project's Top 10 API Security Risks.

Currently, their list comprises API security issues such as Improper Data Sanitization, Insufficient Access Control, Insecure Direct Object Reference, Insufficient Transport Layer Security, Sensitive Data Exposure, Weak Server-Side Security, Improper Key Handling, Inconsistent API Functionality, and Security Misconfiguration. The list so far includes only nine items; the tenth will be added when the final version is released in the upcoming months.

Problems with the security of API servers are notorious. Last month, a study from Distil Networks revealed that most companies don't even employ the most basic API security settings such as rate limiting.
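To make two of the listed risks concrete, here is an added illustration (not code from OWASP or from the presenters) of Insecure Direct Object Reference and Insufficient Access Control beside the hardened handler, plus the basic per-key rate limiting the Distil Networks study found most companies lack. The invoice records, user names and the `RateLimiter`/`handle_request` helpers are constructed for this example.

```python
import time
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Constructed sample data: two users, each owning one invoice.
INVOICES = {
    101: {"owner": "alice", "total": 42.0},
    102: {"owner": "bob", "total": 99.5},
}

def get_invoice_insecure(caller: str, invoice_id: int) -> Optional[dict]:
    """IDOR: any authenticated caller can fetch any invoice just by guessing its id."""
    return INVOICES.get(invoice_id)

def get_invoice_secure(caller: str, invoice_id: int) -> Optional[dict]:
    """Hardened: return the record only if the caller owns it.
    A missing record and a foreign record both yield None, so ids cannot be enumerated."""
    inv = INVOICES.get(invoice_id)
    if inv is None or inv["owner"] != caller:
        return None
    return inv

@dataclass
class RateLimiter:
    """Fixed-window limiter keyed by API key: at most `limit` requests per `window` seconds."""
    limit: int
    window: float
    _hits: dict = field(default_factory=dict)  # key -> (window_start, count)

    def allow(self, api_key: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        start, count = self._hits.get(api_key, (now, 0))
        if now - start >= self.window:      # window expired: start a fresh one
            start, count = now, 0
        if count >= self.limit:             # quota exhausted for this window
            self._hits[api_key] = (start, count)
            return False
        self._hits[api_key] = (start, count + 1)
        return True

def handle_request(limiter: RateLimiter, caller: str, invoice_id: int,
                   now: Optional[float] = None) -> Tuple[int, Optional[dict]]:
    """Order matters: rate-limit first (cheap, before any data access), then enforce ownership."""
    if not limiter.allow(caller, now):
        return 429, None
    inv = get_invoice_secure(caller, invoice_id)
    return (200, inv) if inv else (404, None)
```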

Below is a YouTube video of David Shaw and Leif Dreizler presenting the new OWASP API Security Project at NolaCon 2016.