API Security: Is Authorization the Biggest Threat?

The New Stack article by Eric Newcomer

Authorization is the largest vulnerability area that is not protected well and represents the biggest current risk for API security.

As API usage continues to grow, so too does the need to secure APIs to prevent incidents, leakages, and outages. Authorization schemes have begun to gather attention from industry consortiums and vendors, with many seeking to address this longstanding and worsening set of API risks.

Recently OWASP announced the 2023 update to the OWASP API Security Top 10, keeping up with the rapid pace of change.

The update took center stage at a keynote at API Days NY last month as Erez Yalon of CheckMarx and Inon Shkedy of OWASP highlighted the increased focus on authorization controls.

Much Improved

Jeremy Snyder, founder and CEO of FireTail, an API security company at the conference, said he thinks the new release is much better for that reason. “Authorization issues are the cause of more than 50% of API security problems,” he said. “It’s not only about who can see what, but also about what I can do.”

It’s necessary to protect APIs not only against improper access to sensitive data but also to protect them against improper execution of restricted functions and programs, he added.

For this to work, both the resources and the programs being accessed need a list of required permissions attached to them, which is matched against the list of policies attached to the caller's API identity. A match means access is granted; no match means access is denied.
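The matching scheme just described, as an added example that is not code from the article or from any vendor mentioned in it. Every target (a data record or a restricted function) carries the permission it requires, every API identity carries a list of policies, and the decision is deny by default with an explicit deny overriding any allow. The identity names, permission strings, glob-style patterns and sample requests are all constructed for illustration; the object-level check (an identity scoped to its own tenant's records being refused another tenant's record) shows why matching on the target's name, not just its type, matters.

```python
"""Toy policy-matching authorizer (added example, not from the article).

Models the scheme the article describes: each resource or callable
function carries the permission it requires, each API identity carries
a list of policies, and access is granted only when a policy on the
caller matches the permission on the target. All names and data below
are constructed.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase  # case-sensitive glob match, e.g. "orders:*"


@dataclass(frozen=True)
class Target:
    """A protected object: a data record or a restricted function."""
    kind: str        # "data" or "function"
    name: str        # e.g. "orders/a-17" or "admin/rotate_keys"
    permission: str  # permission the caller must hold, e.g. "orders:read"


@dataclass(frozen=True)
class Policy:
    """One grant attached to an identity. Patterns are shell-style globs."""
    effect: str            # "allow" or "deny"
    permission: str        # e.g. "orders:read" or "orders:*"
    resource: str = "*"    # which target names the grant covers


@dataclass
class Identity:
    """An API identity (token subject / client credential) and its policies."""
    id: str
    policies: list = field(default_factory=list)


def authorize(identity: Identity, target: Target) -> bool:
    """Deny by default; an explicit matching deny beats any allow.

    Because the decision keys on the target's own required permission,
    the same identity can be allowed to read a record yet be refused the
    function that modifies it (the "not only who can see what, but what
    I can do" point).
    """
    allowed = False
    for p in identity.policies:
        if fnmatchcase(target.permission, p.permission) and fnmatchcase(target.name, p.resource):
            if p.effect == "deny":
                return False
            allowed = True
    return allowed


def demo() -> dict:
    """Evaluate a set of constructed requests; returns {(identity, target): decision}."""
    reader = Identity("reader", [Policy("allow", "orders:read", "orders/*")])
    tenant_a = Identity("tenant-a", [Policy("allow", "orders:*", "orders/a-*")])
    operator = Identity("operator", [
        Policy("allow", "*", "*"),                        # broad grant ...
        Policy("deny", "admin:rotate_keys", "admin/*"),   # ... with one explicit carve-out
    ])
    targets = [
        Target("data", "orders/a-17", "orders:read"),
        Target("function", "orders/a-17/refund", "orders:refund"),
        Target("data", "orders/b-42", "orders:read"),
        Target("function", "admin/rotate_keys", "admin:rotate_keys"),
    ]
    return {
        (who.id, t.name): authorize(who, t)
        for who in (reader, tenant_a, operator)
        for t in targets
    }


if __name__ == "__main__":
    for (who, what), ok in demo().items():
        print(f"{who:10} {what:28} {'ALLOW' if ok else 'DENY'}")
```

The point to take from running it: `reader` can see `orders/a-17` but cannot call the refund function on it, `tenant-a` can do anything to its own records but is denied `orders/b-42`, and `operator`'s broad allow still loses to the explicit deny on key rotation. Adding a new identity or resource means adding a policy or a required permission, which is the central management burden the article goes on to describe.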

“The task of building an infrastructure and setting up permissions, while seemingly simple at the onset, becomes exponentially complex as a company expands and as internal and external requirements evolve. Such complexity, coupled with any misconfiguration, can lead to potentially catastrophic consequences,” said Emre Baran, co-founder and CEO of authorization specialist Cerbos. In this context specialized solutions such as Cerbos become indispensable, he added.

Without central management and governance, it’s difficult to eliminate risks and maintain security for new IDs, resources, and programs. But plenty of vendors were on hand at the conference to offer their products and services in this area, underscoring the trend toward an API security specialization in the industry.

Read the entire article here.
