Traditional applications (almost) always have strong authentication and access controls in place to help safeguard data. APIs – which help transmit or provide access to sensitive information – should also all be protected to the same extent, especially when you consider that an API is all-inclusive, sending data and executing functionality. Unfortunately, the recent rash of API security incidents demonstrates that appropriate security controls have not been implemented. The most common security gap across all of the recent API security incidents is weak authentication and access control. In fact, it’s listed as #1 on the OWASP API Security Top 10.
- Authentication is the process of verifying the identity of a user who wishes to access the system. In order to protect critical data, API developers must have a firm understanding of what data an API is transmitting. Developers must work closely with API owners to choose an authentication technique equal to the value of the data. For example, basic authorization, API key-based authorization, and OAuth are several options defined by the Swagger/OpenAPI specification 2.0.
- Access Control is the process of controlling access to a resource once the user identity is authenticated. In addition to API authentication, it’s critical that developers control and keep a close eye on an ongoing basis to who has access to these APIs. Users must be contained within their own authorization profiles, as without proper access controls there could be application-level privilege escalation resulting in regular users performing administrative tasks, or lateral movements where an authenticated user can access other users’ information.
Uncovering Security Gaps
There is no one reason why APIs are released without proper authentication and access control, but a few possible causes might include:
from DZone.com Feed https://ift.tt/3hmgJe1
No comments:
Post a Comment