
API security warrants its own specific solution
2022-06-13 04:30

What makes these attacks interesting is how they are executed: unlike a traditional hack, an API attack does not depend on a flaw in the API's implementation. Instead, the attacker uses the API exactly as it was designed to be used, and ordinary interaction with it is enough to reveal whether it was built securely.

In some cases the data the API serves is not tied to any user validation and is effectively public; in others, error messages disclose too much, giving the attacker further detail on how to abuse the API. Defending against BOLA (Broken Object Level Authorization) attacks requires validating the caller's privileges for every object on every function across the API. Authorization rules should be defined explicitly in the API specification, and object IDs should be random and unpredictable so that they cannot be enumerated.
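The BOLA point above, as an added example that is not code from the article or from any product it mentions: a minimal in-memory "orders" endpoint in two versions. The vulnerable handler authenticates the caller but never checks that the requested object belongs to them, so a user holding a valid token can walk neighbouring sequential IDs and read other customers' orders; the hardened handler enforces ownership on every lookup, answers foreign IDs with the same "not found" it uses for missing ones (so the error does not confirm the object exists), and issues random IDs that cannot be enumerated. All users, IDs and order data below are constructed for the demo.

```python
"""Added example (not from the article): a BOLA-vulnerable object lookup
beside a hardened one, with a simulated ID-enumeration attack.
User names, order IDs and amounts are constructed for the demo."""
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    order_id: str
    owner: str
    total: int


class NotFound(Exception):
    pass


# Constructed sample data: sequential IDs make neighbouring orders guessable.
ORDERS_SEQUENTIAL = {
    "1001": Order("1001", "alice", 40),
    "1002": Order("1002", "bob", 95),
}


def get_order_vulnerable(caller: str, order_id: str, store: dict) -> Order:
    """BOLA: the caller is authenticated (we know who they are) but the
    object is returned without checking that it belongs to them."""
    order = store.get(order_id)
    if order is None:
        raise NotFound(order_id)
    return order  # any authenticated user can read any order


def get_order_hardened(caller: str, order_id: str, store: dict) -> Order:
    """Object-level authorization: ownership is checked on every access.
    A foreign ID is reported exactly like a missing one, so the response
    does not tell the attacker that the object exists."""
    order = store.get(order_id)
    if order is None or order.owner != caller:
        raise NotFound(order_id)
    return order


def new_order_id() -> str:
    """Unpredictable IDs (128 bits of randomness, 22 URL-safe chars) stop
    enumeration; this complements the ownership check, it does not replace it."""
    return secrets.token_urlsafe(16)


def enumerate_orders(handler, caller: str, store: dict, id_range) -> list:
    """Simulate an attacker iterating nearby IDs with their own valid token."""
    found = []
    for oid in id_range:
        try:
            found.append(handler(caller, str(oid), store))
        except NotFound:
            pass
    return found


if __name__ == "__main__":
    probe = range(1000, 1010)
    leaked = enumerate_orders(get_order_vulnerable, "alice", ORDERS_SEQUENTIAL, probe)
    print("vulnerable handler leaked:", [o.order_id for o in leaked])
    own = enumerate_orders(get_order_hardened, "alice", ORDERS_SEQUENTIAL, probe)
    print("hardened handler returned:", [o.order_id for o in own])
    print("example unpredictable id:", new_order_id())
```

The ownership test lives in the handler rather than in a single upstream gateway rule because BOLA is a per-object decision: a gateway can confirm the token is valid, but only the code that loads the object knows who it belongs to.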

If the API does not apply sufficient internal limits on parameters such as response timeouts, memory, payload size, number of processes, records per request and request rate, an attacker can flood it with requests and create a denial of service.
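The resource-limiting point above, as an added example that is not code from the article: a per-client token-bucket rate limit together with hard caps on request payload size and on the number of records a single call may return. The limit values, client names and request stream are assumptions for the demo; the clock is injected so the behaviour is deterministic and can be checked offline.

```python
"""Added example (not from the article): internal limits on an API handler.
A token bucket bounds request rate per client; payload and page-size caps
bound the memory and records a single request can consume.
Limit values, client ids and requests are constructed for the demo."""
from __future__ import annotations

from dataclasses import dataclass

MAX_BODY_BYTES = 64 * 1024   # assumed payload cap
MAX_PAGE_SIZE = 100          # assumed cap on records per request
RATE_PER_SEC = 5.0           # assumed sustained requests/second per client
BURST = 10                   # assumed bucket capacity (short burst allowance)


@dataclass
class Bucket:
    tokens: float
    last: float


class Limiter:
    """Token bucket per client id. `now` (seconds) is passed in by the caller
    so tests are deterministic; a real service would use time.monotonic()."""

    def __init__(self, rate: float = RATE_PER_SEC, burst: int = BURST):
        self.rate, self.burst = rate, burst
        self.buckets: dict[str, Bucket] = {}

    def allow(self, client: str, now: float) -> bool:
        b = self.buckets.get(client)
        if b is None:
            b = self.buckets[client] = Bucket(tokens=float(self.burst), last=now)
        # Refill in proportion to elapsed time, never beyond the burst size.
        b.tokens = min(float(self.burst), b.tokens + (now - b.last) * self.rate)
        b.last = now
        if b.tokens >= 1.0:
            b.tokens -= 1.0
            return True
        return False


def handle(limiter: Limiter, client: str, body: bytes, page_size: int, now: float) -> int:
    """Returns an HTTP-style status. Checks run cheapest first so a rejected
    request costs the server as little as possible: rate, then size, then
    the number of records it asks for."""
    if not limiter.allow(client, now):
        return 429  # Too Many Requests
    if len(body) > MAX_BODY_BYTES:
        return 413  # Payload Too Large
    if page_size > MAX_PAGE_SIZE:
        return 400  # refuse rather than silently returning a huge result set
    return 200


def simulate_burst(n: int, client: str = "attacker") -> dict[int, int]:
    """n requests arriving in the same instant: only BURST get through."""
    limiter = Limiter()
    counts: dict[int, int] = {}
    for _ in range(n):
        status = handle(limiter, client, b"{}", 10, now=0.0)
        counts[status] = counts.get(status, 0) + 1
    return counts


def allowed_after_refill(idle_seconds: float) -> int:
    """Drain the bucket at t=0, wait idle_seconds, count how many get through."""
    limiter = Limiter()
    while limiter.allow("c", 0.0):
        pass
    return sum(1 for _ in range(100) if limiter.allow("c", idle_seconds))


if __name__ == "__main__":
    print("50-request burst:", simulate_burst(50))
    print("allowed after 1s idle:", allowed_after_refill(1.0))
    print("oversized body:", handle(Limiter(), "c", b"x" * (MAX_BODY_BYTES + 1), 10, 0.0))
    print("oversized page:", handle(Limiter(), "c", b"{}", MAX_PAGE_SIZE + 1, 0.0))
```

Keying the bucket on the authenticated client rather than on source IP matters for APIs: a single abusive token behind a shared NAT is still throttled, and a distributed attacker cannot reset its budget by changing address.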

It is for these reasons that Gartner recently created a distinct API security category, separate from existing tool categories, in acknowledgement that APIs have their own set of problems.

In the "Advance your Platform-as-a-Service Security" report, analyst Richard Bartley states that API security tooling for API discovery and protection should be treated as a layer of equal importance, sitting between the internet edge security layer and the data plane security layer.

The hope is that, with the OWASP API Security Project highlighting how APIs can be exploited and Gartner creating a distinct category, the tech sector will finally recognise that API security is a distinct problem that merits its own solution.


News URL

https://www.helpnetsecurity.com/2022/06/13/risks-api-security/