By: Gildásio Júnior
October 14, 2020
Introduction to the OWASP API Security Top 10
In today’s world, many innovations arrive as an app. Banking, health & fitness, and e-commerce are some prevalent examples. Commonly, these apps adopt a modern system design built as microservices or one that splits the frontend and backend responsibilities. This style of development relies on the creation and use of many Application Programming Interfaces (APIs). As each API is another input point to an organization’s data, its security needs to be addressed. APIs are very common in today’s mobile applications as well as web services.
Cybrary offers the course "Introduction to the OWASP API Security Top 10", a beginner-level course created mainly for Software Engineers and Developers. Security people, such as a SOC Analyst or Pentester, can learn a lot from this course too. The course does not require advanced coding skills. Software development skills and experience are not required, but they are recommended to get a better grasp of the course scenarios. The more experience one has (in development or security), the more they will likely get out of this course.
The course offers short, good-quality videos covering all the OWASP API Security Top 10 items, study guides, and labs to practice in, as well as step-by-step guides. The only technical requirement for using the labs is a web browser. The labs are focused on these two topics:
- A7: Security Misconfiguration
- A10: Insufficient Logging & Monitoring
What will be learned?
First, the course covers why securing APIs is important and needed. Then it goes into some fundamental topics in the security field, such as the CIA triad:
- Confidentiality: ensuring only the right people (those who have a need to know) can access information.
- Integrity: the point that ensures data was not changed in transmission or storage.
- Availability: the effort to ensure resource availability, anytime it is required by stakeholders.
Then the course covers the AAA components of security:
- Authentication: ensures that the person is who he/she claims to be.
- Authorization: ensures the resource or action is available only to allowed people.
- Accounting: provides ways for user action to be tracked and audited.
After introducing these security basics, the course talks about each item in the OWASP API Security Top 10 in short videos:
1. Broken Object Level Authorization
- Issues in authorization checks on an object can lead to users inadvertently or maliciously accessing other users' data.
2. Broken User Authentication
- This concerns traditional authentication issues and others, such as weak API keys.
3. Excessive Data Exposure
- This is where the API returns more data than a task needs and the filtering is left to a control mechanism in the application frontend.
4. Lack of Resources & Rate Limiting
- Security is not only about data protection but also about availability and costs. This issue arises when the API backend can be used more heavily than was intended.
5. Broken Function Level Authorization
- In this case, API functions are not properly protected, allowing users to reach resources or administrative functions they are not intended to access.
6. Mass Assignment
- This occurs when a user-supplied input object is bound to internal object properties without being validated correctly (mass assignment).
7. Security Misconfiguration
- Traditional misconfiguration issues may occur in API applications too.
8. Injection
- Common injection failures in the API that result in unintended commands running on the back-end.
9. Improper Assets Management
- Older API versions that haven’t been properly patched or deprecated.
10. Insufficient Logging & Monitoring
- The lack of logs to notice and investigate a security incident if/when it occurs.
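To make a few of these items concrete, here is an added example that is not part of the course or of Cybrary's material: a small in-memory "update user" API handler written in two forms. The first form trusts the object id from the URL and binds the whole request body onto the record (Broken Object Level Authorization and Mass Assignment), and returns every stored field (Excessive Data Exposure). The hardened form checks that the authenticated caller owns the object, rejects properties outside an allow-list, returns only a public view, and writes an audit record for every decision (the Accounting and Insufficient Logging & Monitoring points above). The data store, field names and request shape are all constructed for the example.

```python
"""Constructed example: one API handler before and after hardening against
OWASP API Security Top 10 items 1 (BOLA), 3 (Excessive Data Exposure),
6 (Mass Assignment) and 10 (Insufficient Logging). Not course material."""
import copy
from dataclasses import dataclass, field
from typing import Any

# Constructed sample data store: user id -> profile record.
USERS = {
    1: {"id": 1, "email": "alice@example.com", "display_name": "Alice", "is_admin": False},
    2: {"id": 2, "email": "bob@example.com", "display_name": "Bob", "is_admin": False},
}

# Allow-list of properties a user may change through the API (Mass Assignment defence).
WRITABLE_FIELDS = {"email", "display_name"}

# Properties that may be returned to a caller (Excessive Data Exposure defence).
PUBLIC_FIELDS = {"id", "email", "display_name"}

# Audit trail: every authorization decision is recorded (Logging & Monitoring).
AUDIT_LOG: list[dict] = []


def fresh_store() -> dict[int, dict[str, Any]]:
    """Return an independent copy of the sample store so runs do not interfere."""
    return copy.deepcopy(USERS)


@dataclass
class Request:
    caller_id: int                     # identity established upstream by authentication
    target_id: int                     # object id taken from the URL, e.g. /users/{target_id}
    body: dict[str, Any] = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: dict[str, Any]


def _audit(event: str, req: Request, **extra: Any) -> None:
    AUDIT_LOG.append({"event": event, "caller": req.caller_id, "target": req.target_id, **extra})


def update_user_vulnerable(req: Request, store: dict[int, dict[str, Any]]) -> Response:
    """'Before' handler: trusts the URL id and binds the whole body onto the record."""
    user = store.get(req.target_id)
    if user is None:
        return Response(404, {"error": "not found"})
    user.update(req.body)              # mass assignment: any field, including is_admin, is accepted
    return Response(200, dict(user))   # excessive data exposure: every stored field is returned


def update_user(req: Request, store: dict[int, dict[str, Any]]) -> Response:
    """Hardened handler: object-level authz, field allow-list, filtered output, audit log."""
    user = store.get(req.target_id)
    if user is None:
        _audit("update.denied", req, reason="unknown object")
        return Response(404, {"error": "not found"})
    # Item 1: the authenticated caller may only modify its own record.
    if req.caller_id != req.target_id:
        _audit("update.denied", req, reason="object-level authorization")
        return Response(403, {"error": "forbidden"})
    # Item 6: reject, rather than silently drop, any property outside the allow-list.
    unexpected = sorted(set(req.body) - WRITABLE_FIELDS)
    if unexpected:
        _audit("update.denied", req, reason="mass assignment", fields=unexpected)
        return Response(400, {"error": "unknown fields", "fields": unexpected})
    user.update(req.body)
    _audit("update.ok", req, fields=sorted(req.body))
    # Item 3: return only the public view of the object.
    return Response(200, {k: user[k] for k in PUBLIC_FIELDS})


if __name__ == "__main__":
    store = fresh_store()
    print(update_user(Request(caller_id=1, target_id=2, body={"display_name": "X"}), store))
    print(update_user(Request(caller_id=1, target_id=1, body={"is_admin": True}), store))
    print(update_user(Request(caller_id=1, target_id=1, body={"display_name": "Alicia"}), store))
    for entry in AUDIT_LOG:
        print(entry)
```

Two design choices are worth noting. Unknown fields are rejected with a 400 rather than quietly ignored, so a client bug or a probing request shows up in the audit log instead of being masked. The authorization check compares the caller's authenticated identity with the object being addressed on every request, which is the server-side control the frontend cannot be trusted to provide.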
By completing this course, one will be better equipped to work on API projects, knowing the core security issues in APIs and which best practices mitigate them.
Get it on Cybrary
Cybrary is a great platform that provides this course, focused on the OWASP API Security Top 10 project, as well as many other free courses on related topics. Start by creating an account and enrolling in this course or any other course that interests you.