Understanding API Profiles
The first blog post of the API security series addressed Discovery, the ability of an organization to identify which APIs are present and where they are hosted. The second post addressed how a proper API inventory can reduce redundant development costs by identifying duplicate API functionality. We are now at the Profile phase, where we need to classify API usage, exposure, data, and compliance.
As discussed in previous blog posts, the contents of your inventory determine how much additional attack surface you may have. How each API is used and what type of data it exposes becomes important for your organization’s security maturity. The Open Worldwide Application Security Project (OWASP) has published the 2023 OWASP Top 10 API Security Risks so that organizations can see the potential vulnerabilities and risks that APIs pose.
The API inventory already begins to classify API usage: which parties consume each API, internally within the organization or among third parties. Tracking and managing the inventory should clarify each API’s exposure and identify the responsible parties who support it. While organizations should address governance, it is also necessary to understand how API usage can affect an organization’s data and raise compliance issues. I have covered API protection tools in previous posts, and organizations can leverage these tools to greatly enhance security. For instance, against the OWASP Top 10 risks mentioned above, these tools can help terminate API attacks and support API throttling, as well as prevent account takeover, sensitive data exposure, and data exfiltration.
Understanding the risks that APIs pose to the organization requires knowing what data is exposed. To see this, consider the information disclosure scenario below.
In this scenario, an API provides the following:
APIs should only expose the data necessary for the downstream consumer:
Below is the API GET for this user’s information:
But what information is actually being exposed by this API? In this case, even a simple understanding of the API helps the responsible parties address and mitigate organizational risk. What we discover is that the API response for the user information returns additional personally identifiable information (PII), which includes:
Personal Information: UserID, FirstName, LastName, Email, Address, City, State, Zip, Country, HomePhone, CellPhone, OfficePhone, NickName, MiddleName, MaidenName, GradeYear, Department, SpouceID, ChildNames, ChildIDs
Control Information: InsertDate, ModifiedBy, LastModifiedDate, LastModifyUserID, Internal_ID, Vendor_External_ID
To appreciate why the security of the transmitted data matters, it is important to understand the capability of the API and what it returns. In similar cases, an API could expose PII, as well as financial, health, or company data that should not be public. You can decrease the frequency and severity of these issues by using API protection tools or by leveraging API assessment services to gain awareness of the API vulnerabilities that put company systems at risk.
Understanding the profile of an API can be difficult. As you work through each of these phases, you gain a better understanding of your environment. You also learn how to maintain it and limit the exposure of unnecessary data to end users or potentially malicious individuals.
By using tools like Postman or Burp Suite to perform security tests, you can build efficiency through automation. You can also use these tools for quality assurance, data reviews, adding security checks to build scripts, and performing incremental testing as you review the API. As mentioned above and in previous posts, API assessment services are manual efforts, but they differ from web application penetration testing. Manual testing is necessary to ensure that you mitigate the findings you have reviewed, which in turn ensures that you are protecting yourself against the OWASP Top 10 API security risks.
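The scenario above (a user endpoint returning far more than the consumer needs) and the build-script checks just mentioned can be tied together in one profile check. The following is an added example, not code from the original post or from Optiv: the consumer profile "directory-ui" and the sample user record are assumptions, while the PII and control field names are the ones listed in the scenario.

```python
# Added example (not from the original post): allowlist an API response per
# consumer profile and classify anything leaking beyond it as PII or control data.

# Field classes from the post's scenario (field names as listed there, "SpouceID" included).
PII_FIELDS = {"UserID", "FirstName", "LastName", "Email", "Address", "City", "State", "Zip",
              "Country", "HomePhone", "CellPhone", "OfficePhone", "NickName", "MiddleName",
              "MaidenName", "GradeYear", "Department", "SpouceID", "ChildNames", "ChildIDs"}
CONTROL_FIELDS = {"InsertDate", "ModifiedBy", "LastModifiedDate", "LastModifyUserID",
                  "Internal_ID", "Vendor_External_ID"}

# Assumed consumer profile: the fields this downstream caller actually needs.
CONSUMER_PROFILES = {"directory-ui": {"UserID", "FirstName", "LastName", "Email"}}

# Constructed sample: the full record the backend returns today.
FULL_USER_RECORD = {
    "UserID": 1042, "FirstName": "Ada", "LastName": "Lovelace", "Email": "ada@example.com",
    "Address": "1 Analytical Way", "City": "London", "HomePhone": "555-0100",
    "CellPhone": "555-0101", "MaidenName": "Byron", "SpouceID": 2231, "ChildIDs": [3301],
    "InsertDate": "2023-01-05", "ModifiedBy": "svc-batch", "Internal_ID": "usr-7f3a",
    "Vendor_External_ID": "v-99", "Avatar": "ada.png",
}


def shape_response(record, consumer):
    """Emit only the fields named in the consumer's profile. An allowlist, not a
    blocklist, so a column added to the backend later stays hidden by default."""
    allowed = CONSUMER_PROFILES[consumer]
    return {k: v for k, v in record.items() if k in allowed}


def audit_response(response, consumer):
    """Build-script check: classify every field that falls outside the profile."""
    extra = [k for k in response if k not in CONSUMER_PROFILES[consumer]]
    return {
        "pii": sorted(k for k in extra if k in PII_FIELDS),
        "control": sorted(k for k in extra if k in CONTROL_FIELDS),
        "unclassified": sorted(k for k in extra if k not in PII_FIELDS | CONTROL_FIELDS),
    }


def exposure_ok(response, consumer):
    """True when nothing outside the profile is exposed (the condition a CI gate asserts)."""
    return not any(audit_response(response, consumer).values())
```

Running audit_response against a captured response from Postman or Burp Suite gives a per-consumer list of leaked PII and control fields; exposure_ok is the single boolean a build script can fail on.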
In our next blog post, we will dive into the dependency phase to understand how API security concepts are related and where your concerns should be.