How to Secure APIs to Defend Against Emerging Cyber Threats to Digital Web Assets

© 2024 by IJCTT Journal
Volume-72 Issue-9
Year of Publication: 2024
Authors: Piyush Dixit
DOI: 10.14445/22312803/IJCTT-V72I9P125

How to Cite?

Piyush Dixit, "How to Secure APIs to Defend Against Emerging Cyber Threats to Digital Web Assets," International Journal of Computer Trends and Technology, vol. 72, no. 9, pp. 157-164, 2024. Crossref, https://doi.org/10.14445/22312803/IJCTT-V72I9P125

Abstract
Application Programming Interfaces (APIs) enable modern businesses to exchange data and establish connectivity between digital systems. However, as more and more digital assets are deployed on the web, the growing need for connectivity has spawned novel security risks. API security has therefore become paramount for any business organization that exposes its digital web assets on the internet. Common API security risks include vulnerability exploitation, where attackers exploit flaws in an API's construction; zero-day exploits against the infrastructure on which APIs are hosted; and, most prominently, DDoS attacks that render APIs unavailable. All of these risks lead to cyber issues such as unintended access, data breaches or data unavailability. Several best practices help to ensure API security: the OWASP API Security Top 10 (2023 list), API rate limiting, DDoS mitigation, payload validation, authentication mechanisms such as OAuth, and logging and monitoring to ensure accountability and traceability. The purpose of this study is to present a complete, stepwise solution in the form of an API security framework for organizations that are serious about API security and want to know how and where to start securing their digital assets exposed over the web, while still benefiting from them as originally intended.

Keywords
API Security, OWASP top 10, OAuth, API rate limiting, DDoS, HTTPS.
