




WHITEPAPER
Akamai
API Security Fundamentals: Build Your Knowledge, Secure the Enterprise
|2
Akamai
Introduction
APIs have evolved rapidly from an implementation detail to a strategic enabler of digital innovation. Every time a customer, partner, or vendor engages with a business digitally, there's an API behind the scenes facilitating a seamless data exchange.
As APIs proliferate, so do their risks. In the race to quickly create and release new applications and AI-enhanced services, the underlying APIs are too often misconfigured, lacking in security controls, and vulnerable to easily executed attacks.
As a result, APIs have emerged as a top attack vector, leaving many security teams to play catch-up with their API security strategies. Therefore, API security is quickly emerging as a top strategic priority for IT and security executives.
Whether you're looking to ground yourself in API security basics or are assembling a list of the right questions to ask, this guide offers the details you need to know, including:
• The different types of APIs
• What API security means for businesses today
• Best practices for addressing API security risks
• Common API attack and abuse methods
To go directly to API security best practices, you can skip ahead to page 10.
Table of Contents
API basics 4–9
API security explained 10–12
API security risks and abuse 13–18
API security solutions and trends 19–22
API basics
What is a web API?
A web application programming interface, or API, consists of one or more endpoints of a defined request–response message system, typically expressed in JSON or XML, which are publicly exposed via the web — most commonly by means of an HTTP-based web server.
In other words, a web API is what most people think of when they hear "API." It's a collection of endpoints. Endpoints consist of resource paths, the operations that can be performed on these resources, and the definition of the resource data (in JSON, XML, Protobuf, or another format).
Web APIs are different from other APIs, such as those exposed by the operating system or by libraries of applications running on the same machine, but the general term "API" usually refers to an HTTP-based (web) API, especially in the context of enterprise digital transformation and API security.
What are the most common types of APIs?
The following table contains terms that refer to different usage models and technical approaches for API implementations. Web APIs are defined as being based on HTTP, and the four main types of web APIs seen today are RESTful, SOAP, GraphQL, and gRPC. The table defines these common types, as well as others.
API usage model: Description
Public API: An API that is made available and shared freely with all developers via the internet
External API: Often used interchangeably with public API; these types of APIs are exposed to the internet
Private API: An API that is implemented in a protected data center or cloud environment for use by trusted developers
Internal API: Often used interchangeably with private API
Third-party API: Provides programmatic access to specialized functionality and/or data from a third-party source for use in an application
Partner API: A type of third-party API that is made available selectively to authorized business partners
Authenticated API: An API that is only accessible to developers who have been granted access (or threat actors who have gained unauthorized access to credentials)
Unauthenticated API: An API that can be accessed programmatically without the need for specific credentials
HTTP API: An API that uses the hypertext transfer protocol as a communication protocol for API calls
RESTful API: Representational state transfer (RESTful) is the most common type of web API that uses plain text, HTML, XML, YAML, or JSON to deliver data; RESTful APIs are easy to consume by modern front-end frameworks (e.g., React and React Native) and facilitate web and mobile application development; they have become the de facto standard for any web API, including those used for B2B
GraphQL: GraphQL APIs are the newer, Facebook-developed standard that provides database access over a single POST endpoint (typically /graphql); it solves a common RESTful API problem — that of requiring multiple calls to populate a single user interface page
SOAP: SOAP uses the verbose eXtensible Markup Language (XML) for remote procedure calls (RPCs). It can still be found in legacy APIs
XML-RPC: XML-RPC is a method of making procedure calls over the internet that uses a combination of XML for encoding and HTTP as a communications protocol
gRPC: gRPC APIs are a Google-developed, high-performance binary protocol over HTTP/2.0 and are used mostly for east-west (within internal network) communication
OpenAPI: OpenAPI is a description and documentation specification for APIs. It may be helpful to know that the term Swagger refers to the original specification, and OpenAPI refers to the open standard developed by the OpenAPI Initiative
What is the difference between APIs and endpoints?
People often use "API" when they are really referring to a single API endpoint. APIs, sometimes called services or API products, are collections of endpoints that serve a business function. An individual endpoint, on the other hand, is a resource (or resource path, also known as a URI or uniform resource identifier) along with the operation performed on it (create, read, update, or delete). In RESTful APIs, operations are typically mapped to the HTTP methods (POST, GET, PUT, and DELETE).
What is a north-south API?
These are APIs that an organization leaves accessible to the outside world, primarily to conduct business with its business partners. This is called API exposure. For example:
• Banks embracing open banking may expose their data to other fintech or financial services organizations via APIs.
• Healthcare organizations may expose patient records to insurance companies and other medical organizations via APIs.
• Hospitality organizations may expose their reservation systems to travel agents or aggregators via APIs.
APIs are the connective tissue that allows disparate organizations to exchange data. North-south APIs are often considered safe because access is authorized and authenticated. Typically, this is the fastest-growing and largest volume of APIs, and consequently, it is the largest attack surface for most organizations.
What is an east-west API?
These are APIs that an organization uses internally and should not be accessible to anyone outside the business. These APIs connect internal applications or business units or departments. It is possible for a developer to make a mistake that makes east-west APIs accessible by accident. These APIs are not meant to be accessible or even known by external entities, but breaches do happen when threat actors find east-west APIs accessible via the internet.
What are the differences between B2C APIs and B2B APIs?
Business-to-consumer (B2C) APIs power web and mobile applications. They are typically consumed by modern front-end clients to allow authenticated end users access to the company's business functionality.
Business-to-business (B2B) APIs are offered by the organization to other organizations to conduct business and sometimes to provide value to joint customers. B2B APIs help streamline how an enterprise works with its suppliers, resellers, and other partners and how it provides better experiences to its customers.
Examples of B2B APIs include:
• Open banking APIs
• Supply chain management APIs
• Electronic invoicing and payments between trading partners
Since the consumers of the APIs differ greatly, the security controls available for protecting these APIs also vary. The industry has been focused on B2C use cases until fairly recently, but even there, the focus has not been on securing B2C APIs but rather on securing web applications. The security tools and controls typically employed for securing B2C web applications offer certain benefits (e.g., web application firewall [WAF]/web application and API protection [WAAP]) but cannot provide the degree of visibility, real-time monitoring, and protection required for securing B2C APIs from attacks.
Protecting B2B APIs is becoming increasingly challenging. These APIs are often easier targets for attackers because they frequently lack essential protection mechanisms. Earlier API security tools had limited visibility into B2B APIs and struggled to secure APIs that facilitated bulk data access on behalf of shared users (as seen in open banking, where fintech companies and financial institutions consensually share customer data). However, newer API security solutions offer behavioral analytics and can recognize anomalous activities, effectively addressing these concerns.
What are the differences between private APIs and public APIs?
Private APIs, sometimes also called internal APIs, are intended to be used by the company's developers and contractors. Often a part of a service-oriented architecture (SOA) initiative, private APIs are meant to streamline internal development by enabling different departments or business units to access each other's data efficiently and effectively.
By contrast, public APIs, also known as external APIs, are exposed to consumers from outside the company. In their most extreme manifestation, as open APIs, they can be freely consumed by anyone. In all cases, they require tight management and great documentation so they can be used by engineers outside the company.
It's important to note that private APIs that can be accessed over the internet are not really private in the strict sense of the word. For example, let's say ACME's B2C API is used only by ACME mobile apps (developed in house by ACME engineers). You may be tempted to call this a private API, but since the traffic to this API arrives from the internet (outside the company), this API is not really private — it is simply unpublished to external audiences. Hackers attack such APIs regularly by intercepting traffic and by reverse engineering mobile apps to find their corresponding APIs.
API security explained
What is API security?
API security is a strategy for gaining visibility into, rigorously testing, and protecting every API across an enterprise. This includes APIs that are integral to applications, business processes, and cloud workloads. However, because both internal and external APIs are being produced so rapidly and in such large numbers, it can be difficult to have a complete understanding of your organization's entire API landscape. Many organizations lack visibility into how many APIs they actually have and which APIs return sensitive data when called. Identifying and mitigating API security risks require security controls that are sophisticated enough to provide this kind of visibility and data analysis. The APIs that need protection may include:
• APIs that make data easily accessible by customers or business partners
• APIs consumed from business partners
• APIs that are implemented and used internally to make application functionality and data available to various systems and user interfaces in a standardized and scalable manner
An effective API security strategy must include systematic techniques for assessing risk and potential impact as well as executing appropriate mitigation measures. The first step in assessing risk is building an inventory of all sanctioned and unsanctioned APIs published and used by the organization. This inventory should include attributes such as:
• Data classifications, which at a minimum distinguish between "not sensitive," "sensitive," and "very sensitive" data
• Risk indicators, such as API vulnerabilities and misconfigurations
Additionally, API visibility and risk mitigation measures must consider a diverse collection of possible threats, including:
• Detecting and preventing the use of unsanctioned shadow APIs (see sidebar)
• Identifying and remediating API vulnerabilities and misconfigurations that threat actors could potentially exploit
• Preventing instances of API misuse, such as business logic abuse and data scraping
How is API security different from application security?
While API security and traditional application security are related disciplines, API security is a distinct challenge for two key reasons — the scale and complexity of the problem.
Greater scale
Three factors contribute to the rapid growth of API use:
1. The use of microservices, an architecture that mandates the use of APIs for service-to-service communication, is growing.
2. In the direct-user channel, modern front-end application frameworks such as React, Angular, and Vue use APIs and are displacing legacy web apps.
3. APIs are added to address completely new channels as well (e.g., partners, IoT, and business automation).
Flexibility leading to complexity
Unlike web applications, APIs are designed to be used programmatically in many different ways, which makes differentiating legitimate usage from attacks and abuse extremely challenging.
Is there an API taxonomy that security teams should understand?
The following are common categorizations and descriptions of APIs that may come up in a security context.
Sanctioned APIs
• Published API (with Swagger documentation or similar)
Unsanctioned APIs
• Shadow API
• Rogue API
• Zombie API
• Hidden API
Out-of-date APIs
• Deprecated API
• Legacy API
• Zombie API
• Orphaned API
Stages of API security maturity
Stage 1: Visibility and discovery
You are in the process of discovering all your APIs and the microservices they support by using an automated approach. Breadth of coverage is critical, as overlooked APIs (such as those no longer in use) are a prime target for threat actors.
Stage 2: Testing
You test all your APIs to ensure that they are coded correctly and that they perform their intended function. Testing performed prior to deploying an API is the upper end of this maturity stage; risk is eliminated before the API goes into production, and any needed fix is exponentially less expensive.
Stage 3: Risk audit
You continually audit your entire API environment to identify misconfigured APIs or other errors. Your audit also ensures adequate documentation of every API and determines whether they contain sensitive data or lack appropriate security controls.
Stage 4: Runtime protection
You are using a solution with automated runtime protection, which can differentiate between normal and abnormal API activity. By monitoring API interactions this way, you're able to detect behaviors indicating a threat in real time.
Stage 5: Response
You have solutions in place to respond to suspicious API behavior, such as a WAF or API gateway that blocks suspicious traffic before it can access critical resources. Your solutions use customized, automated rules.
Stage 6: Hunt for threats
You regularly perform forensic analysis on past threat data to learn whether alerts correctly identified threats and whether patterns emerged that enable proactive threat hunting using a combination of sophisticated tools and human intelligence.
What are the best practices for protecting APIs?
Enhancing your API security starts with the following best practices:
• Integrate API security standards and practices with your organization's software development lifecycle.
• Incorporate API documentation and automated security testing into your continuous integration/continuous delivery (CI/CD) pipelines.
• Ensure that appropriate and effective authentication and authorization controls are applied to your APIs.
• Implement rate limiting measures to help prevent APIs from being abused or overwhelmed.
• Augment rate limiting and other application-level measures with specialized gateways and/or content delivery networks to mitigate the risk of distributed denial-of-service (DDoS) attacks.
• Make API security testing an integral part of your broader application testing processes.
• Perform continuous discovery of APIs.
• Implement a systematic approach for identifying and remediating common API vulnerabilities, including the OWASP Top 10 API Security Risks.
• Use signature-based threat detection and prevention as a baseline level of protection against known API attacks.
• Augment signature-based detection with AI and behavioral analytics to make API threat detection more scalable, accurate, business relevant, and resilient against novel threats.
• Ensure that the API security monitoring and analysis process extends over multiple weeks and API sessions.
• Complement API security monitoring and alerting with on-demand access to API inventory and activity data for use by threat hunters, developers, DevOps, and support personnel.
Your ability to implement these API security best practices depends on where you are in your journey toward a mature API security strategy (see sidebar).
API security risks and abuse
What is an API vulnerability?
An API vulnerability is a software bug or system configuration error that an attacker can exploit to access sensitive application functionality or data or otherwise misuse an API. The OWASP Top 10 API Security Risks offer a useful overview of some of the most widely abused API vulnerabilities that organizations should attempt to identify and remediate.
Are all API vulnerabilities tracked on the OWASP Top 10 API Security Risks?
The OWASP API Security Top 10 is an excellent starting point for organizations seeking to improve their API security posture. Its categories cover a wide range of possible API risks. But the categories included in the OWASP API Security Top 10 are quite broad, so it's important to drill down to the sub-areas for each one. API attackers frequently attempt to exploit authorization issues (covered by OWASP extensively), but there are also API risks that fall completely outside the OWASP API Security Top 10, such as the abuse of logic bugs.
How can APIs be abused?
APIs can be attacked and abused in various ways, but some of the most common examples include:
• Vulnerability exploitation: Technical vulnerabilities in underlying infrastructure can lead to server compromise. Examples range from the Apache Struts vulnerabilities (CVE-2017-9791, CVE-2018-11776) to Log4j vulnerabilities (CVE-2021-44228).
• Business logic abuse: Logic abuse is when a threat actor exploits application design or implementation flaws to prompt unexpected and unsanctioned behavior. These scenarios cause stress for CISOs and their teams because legacy security controls are useless against them.
• Unauthorized data access: Another common form of API abuse is the exploitation of broken authorization mechanisms to access data that should not be accessible. These vulnerabilities carry many names, such as Broken Object Level Authorization (BOLA), insecure direct object reference (IDOR), and broken function-level authorization (BFLA).
• Account takeover: After a credential theft or even an XSS attack, an account can be taken over. Once that happens, abuse of even the most well-written and perfectly secured API is possible. Using an API security solution that offers behavior analysis allows you to differentiate authenticated activity from illegitimate usage.
• Data scraping: As organizations make data sets available through public APIs, threat actors may aggressively query these resources to perform wholesale capture of large, valuable data sets.
• Business denial of service (DoS): By asking the backend to perform heavy tasks, API attackers can cause erosion of service or a complete DoS at the application layer (a very common vulnerability in GraphQL but something that can happen with any resource-intensive API endpoint implementation).
What is a zombie API?
Driven by changing market and business requirements, APIs are in constant flux. As new endpoint implementations are released to meet new business needs, fix bugs, and introduce technical improvements, older versions of these endpoints are sunset. Managing the decommissioning process of old endpoints is not trivial. Often, endpoint implementations that should have been deprecated remain alive and accessible — those are called zombie endpoints.
How can I find the various types of shadow APIs?
One of the ways to conduct enterprise-wide shadow API discovery is to ingest and analyze API traffic on your network. Examples of API traffic sources include:
• Content delivery networks (CDNs)
• API gateways
• WAFs
• Kubernetes clusters
• Cloud infrastructure
Once raw data from all available sources is collected, AI techniques can be used to transform it into a comprehensive inventory of all APIs, endpoints, and parameters. From there, additional analysis can be performed to classify these elements and identify shadow APIs that should be eliminated or brought into formal governance processes.
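The traffic-to-inventory step above, and the zombie-endpoint problem from the previous question, can both be illustrated with one small pipeline. This is an added example, not Akamai's code: it parses constructed access-log lines of the kind a CDN or gateway emits, collapses identifier segments so that per-object URLs fold into endpoint templates, records the query parameters seen, and then compares the observed endpoints against a constructed "documented" set and a constructed list of retired version prefixes to label each one documented, zombie, or shadow. The log lines, documented set, and retired prefixes are all invented for the example.

```python
"""Build an API inventory from access-log traffic and flag shadow and zombie
endpoints.  Added example, not from the whitepaper; the log lines, the
documented endpoint set and the retired prefixes are constructed."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample of combined-log-style lines from a CDN / gateway.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2025:10:00:00 +0000] "GET /api/v2/orders/1842?expand=items HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2025:10:00:01 +0000] "GET /api/v2/orders/1843 HTTP/1.1" 200 498
10.0.0.9 - - [01/Jan/2025:10:00:02 +0000] "POST /api/v2/orders HTTP/1.1" 201 77
10.0.0.9 - - [01/Jan/2025:10:00:03 +0000] "GET /api/v1/orders/77 HTTP/1.1" 200 450
10.0.0.7 - - [01/Jan/2025:10:00:04 +0000] "GET /internal/debug/users?limit=500 HTTP/1.1" 200 90210
10.0.0.7 - - [01/Jan/2025:10:00:05 +0000] "GET /api/v2/users/42/export HTTP/1.1" 200 31337
"""

# What the organization has documented (e.g. in its OpenAPI spec) and which
# version prefixes it has formally retired.  Both constructed for this example.
DOCUMENTED = {("GET", "/api/v2/orders/{id}"), ("POST", "/api/v2/orders"),
              ("GET", "/api/v2/users/{id}")}
RETIRED_PREFIXES = ("/api/v1/",)

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
ID_SEGMENT = re.compile(
    r"^(\d+|[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})$")


def normalize_path(path: str) -> str:
    """Collapse identifier-looking segments to {id} so that /orders/1842 and
    /orders/1843 map to the same endpoint template."""
    return "/".join("{id}" if ID_SEGMENT.match(p) else p for p in path.split("/"))


def build_inventory(log_text: str) -> dict:
    """Return {(method, template): {"hits": n, "params": set(...)}}."""
    inventory = defaultdict(lambda: {"hits": 0, "params": set()})
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue                      # not a request line we understand
        url = urlsplit(m.group("target"))
        key = (m.group("method"), normalize_path(url.path))
        inventory[key]["hits"] += 1
        inventory[key]["params"].update(parse_qs(url.query).keys())
    return dict(inventory)


def classify(inventory: dict, documented=DOCUMENTED, retired=RETIRED_PREFIXES) -> dict:
    """Split observed endpoints into documented, zombie (a retired version that
    is still answering) and shadow (undocumented and not a known retirement)."""
    report = {"documented": [], "zombie": [], "shadow": []}
    for key in sorted(inventory):
        method, path = key
        if key in documented:
            report["documented"].append(key)
        elif path.startswith(retired):
            report["zombie"].append(key)
        else:
            report["shadow"].append(key)
    return report


if __name__ == "__main__":
    inv = build_inventory(SAMPLE_LOG)
    for bucket, keys in classify(inv).items():
        for method, path in keys:
            entry = inv[(method, path)]
            print(f"{bucket:10} {method:5} {path}  hits={entry['hits']} "
                  f"params={sorted(entry['params'])}")
```

In a real deployment the documented set would be loaded from the OpenAPI document and the retired prefixes from the deprecation register; the shadow bucket is the list that goes to governance, and the zombie bucket is the list that goes back to the owning team to switch off.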
How do you protect internal APIs and B2B APIs?
It really depends on the definition of "internal." Some teams refer to APIs exposed over the internet to their own organization's web and mobile applications as "internal APIs." And while the documentation for these APIs may indeed be accessible only to company employees and contractors, hackers have become adept at analyzing apps and reverse engineering the APIs via app disassembly toolkits and proxies such as Burp Suite.
However, if "internal APIs" are defined as east-west APIs, which cannot be accessed from outside the organization, then the main threat is reduced to an insider threat. Protect east-west APIs and your B2B APIs like most other APIs: Start by securing the software development lifecycle (SDLC) and continue by ensuring access is authenticated and authorized. You can also implement quota management, rate limits, and spike arrests. Additionally, you can protect your APIs against known threats by using WAFs/WAAPs.
For B2B APIs, consider adding strict authentication mechanisms, such as mTLS, because of the sensitive and often bulk nature of the transactions.
And for both east-west and B2B APIs, we recommend you employ behavioral analytics, especially if you have many entities involved, which may make the process of distinguishing between legitimate and illegitimate behavior difficult. For example:
• How do you know if the API credentials of a specific user have been compromised?
• How would you know if your invoicing API is being abused by a partner enumerating invoice numbers to steal account data?
Protection of B2B APIs and east-west APIs requires business context that cannot be gained by analyzing technical elements like IP addresses and API tokens alone. Using machine learning and behavioral analytics to gain visibility into business-relevant entities is the only way to understand and manage risk effectively. Business context and historical benchmarks for normal use of APIs by specific entities like your users or partners — or even business process entities (invoice, payment, order, etc.) — make it possible to see anomalies that would otherwise go undetected.
Do API gateways offer sufficient risk protection?
Many organizations taking a strategic approach to APIs use API gateways. Most API gateways have rich integrated security features that organizations should take advantage of — first among those is authentication (and authorization as well, if you can leverage OpenID Connect). However, merely performing authentication, authorization, and quota management at the API gateway is not sufficient for several reasons:
• The discovery gap of API gateways: API gateways only have visibility and control over the APIs that they are configured to manage, making them ineffective at detecting shadow APIs and endpoints.
• The security gap of API gateways: API gateways can enforce authentication and, to some degree, authorization schemes, but they do not inspect payloads (as WAFs and WAAPs do), nor do they profile behavior to detect abuse.
What are the most common API misconfiguration errors?
The number of possible API misconfigurations is nearly endless, given the large number of ways that APIs are used. However, there are some common themes in misconfiguration:
Broken or no authentication
Authentication is foundational to securing sensitive data that is made available via APIs. Step one is ensuring that all APIs carrying sensitive data have authentication in place initially. But it's also important to protect authentication mechanisms from brute-force attacks, credential stuffing, and use of stolen authentication tokens via rate limiting. Misconfigurations allowing API consumers to bypass authentication mechanisms can sometimes happen, often around token management (for example, some notorious JWT validation issues or not checking the token scope).
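The token-management failures named above (accepting whatever algorithm the token header asks for, skipping expiry, never checking scope) are all avoidable in a few lines of validation. The following is an added example, not Akamai's code, using only the Python standard library: it mints an HS256 token so the example is self-contained, and then validates one the way a gateway or service should, pinning the algorithm, comparing the signature in constant time, requiring an `exp` claim, and requiring the scope the endpoint needs. The key and claims are constructed; a real service would load the key from a secret store.

```python
"""Validate an HS256 JWT defensively: pinned algorithm (no "none"),
constant-time signature check, mandatory expiry, required scope.
Added example, not from the whitepaper; key and claims are constructed."""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-key-do-not-reuse"   # constructed; real keys come from a secret store


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(claims: dict, key: bytes = SECRET, alg: str = "HS256") -> str:
    """Mint a token (present only so the example is self-contained; the
    alg="none" path exists to show that such tokens are rejected below)."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(key, signing_input, hashlib.sha256).digest() if alg == "HS256" else b""
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def validate_token(token: str, required_scope: str, key: bytes = SECRET, now=None) -> dict:
    """Return the claims if the token is acceptable for an endpoint that needs
    `required_scope`; raise ValueError with the reason otherwise."""
    now = time.time() if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        claims = json.loads(_b64url_decode(p_b64))
    except ValueError:          # wrong part count, bad base64, bad JSON
        raise ValueError("malformed token")
    # 1. Pin the algorithm: never let the token choose it, never accept "none".
    if header.get("alg") != "HS256":
        raise ValueError("unsupported or unsigned algorithm")
    # 2. Recompute the signature and compare in constant time.
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    # 3. Expiry is mandatory, not optional.
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("expired or missing exp")
    # 4. The token must carry the scope this endpoint requires.
    scopes = set(str(claims.get("scope", "")).split())
    if required_scope not in scopes:
        raise ValueError("insufficient scope")
    return claims


def accepted(token: str, required_scope: str, now=None) -> bool:
    """Boolean wrapper around validate_token for callers that only need yes/no."""
    try:
        validate_token(token, required_scope, now=now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    tok = issue_token({"sub": "u1", "scope": "orders:read", "exp": int(time.time()) + 300})
    print(accepted(tok, "orders:read"), accepted(tok, "orders:write"))
```

The order of the checks matters: the signature is verified before any claim is trusted, and the algorithm is fixed by the verifier rather than read from the header, which is what closes the "none"-algorithm and key-confusion class of JWT bugs.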
Broken authorization
One of the most common uses of APIs is to provide access to data or content, including sensitive information. Authorization is the process of verifying that an API consumer is eligible to access the data they are trying to access, prior to making it available to them. This can be done at the object or resource level (for example, I can access my orders but not someone else's) or at the function level (as is often the case with administrative capabilities). Authorization is hard to get right because of the high number of edge cases and conditions and because of the various flows that API calls can take between microservices. If you don't have a centralized authorization engine, your API implementation likely includes some of these vulnerabilities, such as BOLA and BFLA.
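The two levels described above, object-level and function-level, map to two distinct checks in code. The following is an added example, not Akamai's code, on a constructed in-memory order store: the first handler has the BOLA/IDOR defect (it trusts the id in the request and never asks who owns the object), the hardened handler routes every object lookup through one central ownership check, and an administrative refund function shows the function-level (BFLA) role check. The users, roles and order records are invented for the example.

```python
"""Object-level (BOLA/IDOR) and function-level (BFLA) authorization on a tiny
order service.  Added example, not from the whitepaper; users, roles and
order records are constructed."""
from dataclasses import dataclass, field


@dataclass
class Principal:
    user_id: str
    roles: set = field(default_factory=set)


class Forbidden(Exception):
    pass


# Constructed data store: order id -> record.
ORDERS = {
    "1001": {"owner": "alice", "total": 42.0},
    "1002": {"owner": "bob", "total": 17.5},
}


# --- Vulnerable pattern: the handler trusts the id from the URL and never asks
# whether the caller owns the object.  Any authenticated user reads any order.
def get_order_vulnerable(caller: Principal, order_id: str) -> dict:
    return ORDERS[order_id]


# --- Hardened pattern: ownership is decided in one central place, and every
# object-level handler goes through it instead of re-implementing the rule.
def authorize_order_access(caller: Principal, order_id: str) -> dict:
    order = ORDERS.get(order_id)
    # Same refusal for "does not exist" and "not yours", so the endpoint does
    # not reveal which ids exist.
    if order is None or order["owner"] != caller.user_id:
        raise Forbidden(f"order {order_id} not accessible to {caller.user_id}")
    return order


def get_order(caller: Principal, order_id: str) -> dict:
    return authorize_order_access(caller, order_id)


# --- Function-level authorization (BFLA): an administrative capability needs
# a role check, not merely a valid login.
def require_role(role: str):
    def decorator(fn):
        def wrapper(caller: Principal, *args, **kwargs):
            if role not in caller.roles:
                raise Forbidden(f"{fn.__name__} requires role {role}")
            return fn(caller, *args, **kwargs)
        wrapper.__name__ = fn.__name__
        return wrapper
    return decorator


@require_role("admin")
def refund_order(caller: Principal, order_id: str) -> dict:
    order = ORDERS[order_id]
    order["total"] = 0.0
    return order


def can_access(fn, caller: Principal, order_id: str) -> bool:
    """True if fn(caller, order_id) succeeds, False if it is refused."""
    try:
        fn(caller, order_id)
        return True
    except (Forbidden, KeyError):
        return False


if __name__ == "__main__":
    alice, bob = Principal("alice"), Principal("bob")
    print("vulnerable, bob reads alice's order:", can_access(get_order_vulnerable, bob, "1001"))
    print("hardened,   bob reads alice's order:", can_access(get_order, bob, "1001"))
```

Centralizing the ownership rule in `authorize_order_access` is the point the text makes about a centralized authorization engine: when the rule lives in one place, a new endpoint cannot forget it, and the refusal message can be kept identical for missing and foreign objects.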
Security misconfiguration
In addition to the authentication and authorization issues mentioned above, there are many possible types of security misconfigurations, including insecure communication (e.g., failure to use SSL/TLS or the use of vulnerable cipher suites), unprotected cloud storage, and overly permissive cross-origin resource-sharing policies.
Lack of resources and rate limiting
When APIs are implemented without any limits on the number of calls that API consumers can make, threat actors can overwhelm system resources, leading to service degradation or full-scale DoS. At the very least, rate limits must be enforced on access to any unauthenticated endpoint, with authentication endpoints being of critical importance — or else brute-force attacks, and credential stuffing and credential validation attacks, are simply bound to happen.
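A rate limit on an authentication endpoint has to be keyed on more than the source address, because credential stuffing spreads one target account across many hosts. The following is an added example, not Akamai's code: a token-bucket limiter with an injectable clock, applied twice in front of a constructed login handler, once per source IP and once per target account. The capacities, refill rate, IP addresses and request sequences are constructed for illustration; the simulated login handler accepts a boolean in place of a real password check.

```python
"""Token-bucket rate limiting in front of an unauthenticated login endpoint,
keyed per source IP and per target account.  Added example, not from the
whitepaper; limits, addresses and request streams are constructed."""
import time


class TokenBucket:
    """Each key (client IP, API key, account name) holds up to `capacity`
    tokens, refilled at `rate` tokens per second; a request spends one."""

    def __init__(self, capacity: int, rate: float, clock=time.monotonic):
        self.capacity, self.rate, self.clock = capacity, rate, clock
        self._state = {}            # key -> [tokens, last_refill_timestamp]

    def allow(self, key: str) -> bool:
        now = self.clock()
        tokens, last = self._state.get(key, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.rate)
        if tokens < 1:
            self._state[key] = [tokens, now]
            return False
        self._state[key] = [tokens - 1, now]
        return True


class FakeClock:
    """Deterministic clock so the example runs the same way every time."""

    def __init__(self, t: float = 0.0):
        self.t = t

    def __call__(self) -> float:
        return self.t


def login_handler(by_ip: TokenBucket, by_user: TokenBucket,
                  client_ip: str, username: str, password_ok: bool) -> int:
    """Two buckets: the per-IP one slows a single noisy host, the per-account
    one slows stuffing spread across many hosts.  Returns an HTTP status."""
    if not by_ip.allow(client_ip) or not by_user.allow(username):
        return 429
    return 200 if password_ok else 401


def simulate(requests, ip_capacity: int = 5, user_capacity: int = 10, rate: float = 1.0):
    """Run a constructed request list of (time, ip, user, password_ok) tuples
    through the handler and return the list of status codes."""
    clock = FakeClock()
    by_ip = TokenBucket(ip_capacity, rate, clock)
    by_user = TokenBucket(user_capacity, rate, clock)
    statuses = []
    for t, ip, user, ok in requests:
        clock.t = t
        statuses.append(login_handler(by_ip, by_user, ip, user, ok))
    return statuses


if __name__ == "__main__":
    # One host hammering one account: the IP bucket trips first.
    print(simulate([(0.0, "198.51.100.7", "alice", False)] * 8))
    # Twelve hosts, one attempt each, same account: the account bucket trips.
    print(simulate([(0.0, f"203.0.113.{i}", "bob", False) for i in range(12)]))
```

The per-account bucket is the one that catches distributed credential stuffing, and it is also the one that can lock out a legitimate user, so the capacity and refill rate for it are usually set higher than for the per-IP bucket and paired with a second factor or a captcha rather than a hard block.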
What are API attacks?
API attacks are attempts to use APIs for malicious or otherwise unsanctioned purposes. A