Welcome to the 9th post in our weekly series on the new 2023 OWASP API Security Top-10 list, with a particular focus on security practitioners. This post will focus on API8:2023 Security Misconfiguration.
In this series we are taking an in-depth look at each category – the details, the impact and what you can do about it. To see previous posts you might have missed, click here.
This category encompasses any misconfiguration of the API itself or anything in the application stack that results in any kind of compromise of confidentiality, integrity, or availability. Sound broad? It is.
With the complexity of most applications today, there is ample room for something to be misconfigured. Those misconfigurations can result in information disclosure, broken access control, or other security issues.
This OWASP vulnerability category is incredibly broad. It covers things like a misconfigured logging library that discloses sensitive information, but also public permissions on a cloud storage object to which an API is connected.
Ultimately, the Security Misconfiguration vulnerability points to issues with API governance more than specific vulnerabilities. Organizations that implement best practices around API discovery, software development lifecycle management, vulnerability management, and patch management are significantly less likely to run into security misconfigurations. If you’re continuously discovering and evaluating all the APIs and endpoints in your environment, you’re much more likely to identify deprecated endpoints or endpoints that support inappropriate HTTP methods. If you’re running vulnerability scans of your infrastructure, you’re more likely to identify and remove unnecessary services or outdated software.
Of course, the list of potential security misconfigurations is nearly limitless, and so while we can enumerate some examples, we’ll never create a comprehensive list.
The impact varies with the specific misconfiguration, but can broadly be characterized as some compromise of confidentiality, integrity, or availability. If an impact is observed but cannot be attributed to one of the other OWASP API Top 10 categories, looking for a misconfiguration is a good next step.
It’s also important to note that API8:2023 has been given the maximum (and perfectly dangerous) risk rating of 9 out of 9, meaning you have your hands full with this one. Read more about the risk ratings in our previous post OWASP API Security Top-10 for 2023 Risk Ratings.
Start with good security governance, and apply that discipline to your APIs and applications specifically. There are certainly some types of attacks that leverage a misconfiguration which can be detected by API security tools, but more proactive measures to eliminate misconfigurations are a better approach.
Employing a cybersecurity framework or standard might help prioritize where to apply resources. Creating specifications for the APIs you control, and keeping them up to date, is a good way to ensure the environment doesn’t contain undocumented endpoints.
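The specification comparison described above, as an added example that is not part of the original post or any vendor's product: a constructed OpenAPI-style inventory (path templates and the methods they document) is checked against constructed gateway access-log lines, flagging paths no template matches (undocumented or deprecated endpoints) and methods the spec does not list for a matched path.

```python
import re
from typing import Dict, Iterable, List, Set, Tuple

# Constructed spec inventory (hypothetical): path template -> documented methods.
SPEC: Dict[str, Set[str]] = {
    "/api/v2/users/{id}": {"GET", "PATCH"},
    "/api/v2/orders": {"GET", "POST"},
}

# Constructed gateway access-log lines (hypothetical traffic, common log format).
LOG_LINES = [
    '10.0.0.5 - - [01/Aug/2023:10:00:01 +0000] "GET /api/v2/users/42 HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Aug/2023:10:00:02 +0000] "DELETE /api/v2/users/42 HTTP/1.1" 204 0',
    '10.0.0.9 - - [01/Aug/2023:10:00:03 +0000] "GET /api/v1/users/42?full=1 HTTP/1.1" 200 480',
    '10.0.0.9 - - [01/Aug/2023:10:00:04 +0000] "POST /api/v2/orders HTTP/1.1" 201 90',
    '10.0.0.9 - - [01/Aug/2023:10:00:05 +0000] "GET /api/v2/debug/config HTTP/1.1" 200 2048',
]

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/\d\.\d"')


def template_to_regex(template: str) -> "re.Pattern[str]":
    """Turn an OpenAPI path template such as /users/{id} into an anchored regex."""
    parts = []
    for seg in template.strip("/").split("/"):
        is_param = seg.startswith("{") and seg.endswith("}")
        parts.append("[^/]+" if is_param else re.escape(seg))
    return re.compile("^/" + "/".join(parts) + "$")


def parse_requests(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Extract (method, path) pairs; the query string is not part of the route, so drop it."""
    found = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m:
            found.append((m["method"], m["path"].split("?", 1)[0]))
    return found


def find_undocumented(spec: Dict[str, Set[str]], requests: List[Tuple[str, str]]) -> dict:
    """Report observed paths with no spec template, and methods the spec omits for a matched template."""
    compiled = [(tmpl, template_to_regex(tmpl), methods) for tmpl, methods in spec.items()]
    unknown_paths, unknown_methods = set(), set()
    for method, path in requests:
        for tmpl, rx, methods in compiled:
            if rx.match(path):
                if method not in methods:
                    unknown_methods.add((tmpl, method))
                break
        else:  # no template matched this path
            unknown_paths.add(path)
    return {"paths": sorted(unknown_paths), "methods": sorted(unknown_methods)}


if __name__ == "__main__":
    report = find_undocumented(SPEC, parse_requests(LOG_LINES))
    for path in report["paths"]:
        print(f"undocumented endpoint: {path}")
    for tmpl, method in report["methods"]:
        print(f"unexpected method {method} on {tmpl}")
```

Each hit is a governance question rather than a verdict: the v1 path may be a deprecated endpoint still reachable, the debug path a leftover that should be removed, and the DELETE an unintended method that the spec should either document or the gateway should reject.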
The Wallarm platform provides API Discovery capabilities that can enumerate the APIs and endpoints in the environment, including which HTTP methods are present. The API specification comparison functionality allows you to identify undocumented and unmanaged endpoints.
Wallarm can also identify vulnerabilities present in your APIs and identify endpoints that expose sensitive information. All of these capabilities enable you to better manage your environment and reduce misconfigurations.
Come back next week as we dig into the details of another category of the new 2023 OWASP Top-10 API Security Risks list – or click here to see previous posts you might have missed.
In the meantime, here are some other resources which might help on your journey to end-to-end API security:
Wallarm End-to-End API Security solution provides comprehensive protection against the OWASP API Security Top-10 threats. And in 2023, we’ve made it even easier for you!
The Wallarm 2023 OWASP API Security Top-10 Dashboard provides you with complete visibility into the security state of your APIs, easy identification of your most critical security risks, and ability to immediately apply protective measures.
If you are interested in learning more about how we can help you protect your APIs, please schedule a demo with one of our security experts today!