Understanding API Profiles

The first blog post of this API security series addressed Discovery, the ability of an organization to identify which APIs are present and where they are hosted. The second post addressed how a proper API inventory can reduce redundant development costs by identifying duplicate API functionality. We are now at the Profile phase, where we need to classify API usage, exposure, data, and compliance.


As discussed in previous blog posts, every API in your inventory can add attack surface. How an API is used and the type of data it exposes matter for your organization's security maturity. The Open Worldwide Application Security Project (OWASP) has published the 2023 OWASP Top 10 API Security Risks so organizations can see the potential vulnerabilities and risks that APIs pose.


  • API1:2023 - Broken Object Level Authorization
  • API2:2023 - Broken Authentication
  • API3:2023 - Broken Object Property Level Authorization
  • API4:2023 - Unrestricted Resource Consumption
  • API5:2023 - Broken Function Level Authorization
  • API6:2023 - Unrestricted Access to Sensitive Business Flows
  • API7:2023 - Server-Side Request Forgery
  • API8:2023 - Security Misconfiguration
  • API9:2023 - Improper Inventory Management
  • API10:2023 - Unsafe Consumption of APIs


API Scenario

The API inventory begins to classify API usage and which parties consume each API, whether internally within the organization or among third parties. Tracking and managing the inventory should clarify each API's exposure and identify the parties responsible for supporting it. While organizations should address governance, it is also necessary to understand how API usage can affect an organization's data and create compliance issues. I have addressed API protection tools in previous posts, and organizations can leverage these tools to greatly enhance security. For instance, considering the vulnerabilities listed above, these tools can help terminate API attacks and support API throttling, as well as prevent account takeover, sensitive data exposure, and data exfiltration.


Understanding the risks APIs pose to the organization requires knowing what data is exposed. To see this, consider the information-disclosure scenario below.


In this scenario, an API provides the following:


Figure 1: API data (image: Understanding API Profiles_img1.png)


APIs should only expose the data necessary for the downstream consumer:


  • User Image
  • First Name
  • Last Name
  • Email Address


Below is the API GET for this user’s information:


Figure 2: API GET for user information (image: Understanding API Profiles_img2.png)


But what information is actually being exposed by this API? In this case, even a simple understanding of the API can help the responsible parties address and mitigate organizational risk. What we discover is that the API response for user information returns additional personally identifiable information (PII), including:


Personal Information: UserID, FirstName, LastName, Email, Address, City, State, Zip, Country, HomePhone, CellPhone, OfficePhone, NickName, MiddleName, MaidenName, GradeYear, Department, SpouceID, ChildNames, ChildIDs


Control Information: InsertDate, ModifiedBy, LastModifiedDate, LastModifyUserID, Internal_ID, Vendor_External_ID


Figure 3: API response (image: Understanding API Profiles_img3.png)


To appreciate the significance of securing the data being transmitted, it is important to understand what the API is capable of and what it returns. In similar cases, an API could expose PII as well as financial, health, or company data that should not be public. You can decrease the frequency and severity of these issues by using API protection tools or by leveraging API assessment services to gain awareness of the API vulnerabilities putting company systems at risk.


API Profile

Understanding the profile of an API can be difficult. As you work through each of these phases, you develop a better understanding of your environment, learn how to maintain it, and limit the exposure of unnecessary data to end users or potentially malicious individuals.


By using tools like Postman or Burp Suite to perform security tests, you can gain efficiency through automation. You can also use these tools for quality assurance, data reviews, adding security checks to build scripts, and performing incremental testing as you review the API. As mentioned above and in previous posts, API assessment services are manual efforts, and they differ from web application penetration testing. Manual testing is necessary to ensure that you mitigate the findings you have reviewed and thereby protect yourself from the OWASP Top 10 API security risks.
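As an added example (not code from this post or from Optiv), the check below expresses the user-information scenario above and the build-script security check just mentioned: it compares an API response against the documented consumer profile, reports the over-exposed properties split into the post's "Personal" and "Control" groups, and shows the allow-list projection that fixes the response. The full record is a constructed sample modelled on the field list in the post, and "UserImage" is an assumed key name for the post's "User Image".

```python
import json

# Constructed sample of the full record GET /users/{id} returns, modelled on the
# field list in the post (not captured from any real system). "UserImage" is an
# assumed key name for the post's "User Image".
FULL_RESPONSE = json.dumps({
    "UserID": 1042, "FirstName": "Ada", "LastName": "Example", "Email": "ada@example.com",
    "Address": "1 Sample St", "City": "Springfield", "State": "IL", "Zip": "62701",
    "Country": "US", "HomePhone": "555-0100", "CellPhone": "555-0101",
    "OfficePhone": "555-0102", "NickName": "A", "MiddleName": "B", "MaidenName": "C",
    "GradeYear": 2001, "Department": "Finance", "SpouceID": 77, "ChildNames": ["D"],
    "ChildIDs": [78], "InsertDate": "2020-01-01", "ModifiedBy": "svc-sync",
    "LastModifiedDate": "2024-05-01", "LastModifyUserID": 9, "Internal_ID": "i-1",
    "Vendor_External_ID": "v-1", "UserImage": "https://img.example/1042.png",
})

# The documented profile: the only properties the downstream consumer needs.
CONSUMER_FIELDS = {"UserImage", "FirstName", "LastName", "Email"}
# Backend bookkeeping fields the post lists as "Control Information".
CONTROL_FIELDS = {"InsertDate", "ModifiedBy", "LastModifiedDate",
                  "LastModifyUserID", "Internal_ID", "Vendor_External_ID"}


def excess_fields(response_body: str, allowed: set[str]) -> set[str]:
    """Properties present in the response but absent from the documented profile."""
    return set(json.loads(response_body)) - allowed


def classify(extra: set[str]) -> dict[str, set[str]]:
    """Split over-exposed properties into control data and (presumed) personal data."""
    return {"control": extra & CONTROL_FIELDS, "pii": extra - CONTROL_FIELDS}


def check_profile(response_body: str, allowed: set[str]) -> tuple[bool, set[str]]:
    """Build-script check: passes only when no undocumented property is returned."""
    extra = excess_fields(response_body, allowed)
    return (not extra, extra)


def project(response_body: str, allowed: set[str]) -> str:
    """Server-side fix: serialise from an allow-list instead of returning the whole record."""
    record = json.loads(response_body)
    return json.dumps({k: record[k] for k in sorted(allowed) if k in record})


if __name__ == "__main__":
    ok, extra = check_profile(FULL_RESPONSE, CONSUMER_FIELDS)
    print("profile check:", "PASS" if ok else f"FAIL, {len(extra)} undocumented properties")
    for kind, names in classify(extra).items():
        print(f"  {kind}: {sorted(names)}")
    print("fixed response:", project(FULL_RESPONSE, CONSUMER_FIELDS))
```

Run against a captured response from Postman or Burp, the same check flags any property that drifts outside the documented profile between releases.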


In our next blog post, we will dive into the Dependency phase to understand how API security concepts are related and where your concerns should lie.

Todd Kendall
Manager - Demand and Delivery | Optiv
Todd Kendall is a manager for the Threat Demand and Delivery practice within Optiv services. Kendall brings over 20 years of broad-based experience in all aspects of information security management, encompassing vulnerability management, network security, penetration testing assessments, risk mitigation, and security architecture design within large corporate and government agency environments.

Kendall has been recognized for expertise in monitoring a variety of operations and infrastructures, executing security incident response programs, and assessing potential risks, vulnerabilities, and threats to infrastructures in compliance with industry standards and legal policies. These efforts have brought significant contributions to the organizations he has worked for, including continuous process improvements, productivity enhancements, and operational excellence.
