OWASP, the Open Web Application Security Project known for its top 10 list of web application vulnerabilities, published the release candidate version of its API Security Top 10 list at the end of September 2019. It’s a good time to pay attention to API security, since some high-profile breaches have involved APIs in recent months — most notably, at Capital One.
API-enabled breaches in the news
According to a report released by Akamai earlier this year, API calls now represent 83% of all web traffic. Web-enabled applications already have 40% of their attack surface in the form of APIs instead of user interfaces, according to a recent Gartner report. By 2021, APIs will account for 90% of the attack surface. By 2022, according to Gartner, API abuses will become the most-frequent attack vector.
The problems have already begun. Recent examples of organizations in the news due to API-related breaches include McDonald’s, Facebook, Twitter, Panera Bread, T-Mobile, Instagram, Salesforce, Snapchat and the US Internal Revenue Service.
The biggest name of all is Capital One, where information on more than 100 million individuals was compromised this summer. There, a configuration issue with the web application firewall allowed access to API tokens, says Johannes Ullrich, dean of research at SANS Technology Institute and director of the institute’s Internet Storm Center. This was compounded by insufficient access controls on the part of the AWS API. “The authentication systems used by the Amazon API weren’t restricted correctly,” he says. “If you have that problem, it’s easy to find, and easy to exploit — and that’s a dangerous combination.”