API Security Weekly: Issue 170

Discover benefits of a DevSecOps approach to API security, API vulnerabilities at F5, trends in API integration, bot attacks on APIs on the rise, and more.

By Colin Domoney · Jul. 21, 22 · News

This week, we have an article on applying a DevSecOps approach to API security through a "shift-left, protect-and-monitor-right" model, a pair of vulnerabilities patched by F5, Brenton House's view of the top 10 API integration trends, and finally, a look at the rise of bot attacks against APIs.

Article: Taking a DevSecOps Approach to API Security

This week, Doug Dooley published an article on how a DevSecOps approach could be applied to API security. It describes how a "shift-left, protect-and-monitor-right" approach could result in more secure APIs by bringing API development into line with the well-established processes already used for application development.

Dooley describes how a traditional approach to API security is overly reliant on the protection afforded by API gateways and content delivery networks (CDNs). While these controls offer some level of protection, they are insufficient against the more sophisticated attack classes, such as broken object-level authorization (BOLA/IDOR) or attacks on authentication and authorization, because a request exploiting them is syntactically valid and carries a legitimate credential; only the application knows which user may act on which object.
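To illustrate why a gateway-level check misses BOLA, here is an added example (not code from the article or from any vendor) with a constructed invoice store and constructed session tokens: the gateway-style check verifies only that the token is valid and the request is well-formed, so the vulnerable handler returns another user's invoice, while the hardened handler decides authorization per object inside the application.

```python
# Added example: gateway checks versus object-level authorization (BOLA/IDOR).
from dataclasses import dataclass

# Constructed sample data: two users, each owning one invoice.
INVOICES = {
    101: {"owner": "alice", "total": 120.00},
    102: {"owner": "bob", "total": 75.50},
}
# Constructed bearer tokens -> user identity (stands in for a real token check).
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


@dataclass
class Request:
    token: str
    invoice_id: int


def gateway_check(req: Request) -> bool:
    """What a gateway or CDN typically verifies: the token is known and the
    request is well-formed. It has no notion of who owns invoice_id."""
    return req.token in SESSIONS and isinstance(req.invoice_id, int)


def get_invoice_vulnerable(req: Request):
    """Vulnerable handler: trusts the gateway and returns any existing invoice."""
    if not gateway_check(req):
        return 401, None
    inv = INVOICES.get(req.invoice_id)
    return (200, inv) if inv else (404, None)


def get_invoice_hardened(req: Request):
    """Hardened handler: authorization is decided per object, in the app."""
    if not gateway_check(req):
        return 401, None
    user = SESSIONS[req.token]
    inv = INVOICES.get(req.invoice_id)
    # Answer 404 for both "missing" and "not yours" so existing ids cannot be
    # distinguished from non-existent ones by the response code.
    if inv is None or inv["owner"] != user:
        return 404, None
    return 200, inv
```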

Dooley describes how customer-facing APIs (the "north-south" APIs) need to be thoroughly and continuously secured. Internal APIs (the "east-west" APIs) are also exposed to attack when deployed in a cloud environment. In short, assume all APIs are equally valuable and attractive to attackers.

By using a DevSecOps approach, API developers can leverage a number of advantages:

  • Security experts can make ongoing risk-based decisions on issues as they arise, rather than catching issues post-deployment.
  • CI/CD systems enable automated testing of APIs throughout their construction and deployment.
  • APIs can be deployed with active protection and continuous reporting, to ensure that emerging API threats are detected in real-time.
  • When an incident occurs, all teams involved can have an informed view of the affected components and their risks, and make appropriate decisions to remediate and redeploy.

Vulnerability: F5 Fixes High-Risk Vulnerabilities

The Daily Swig featured details of a pair of high-risk vulnerabilities affecting network technology provider F5. Details of them were provided in F5’s quarterly patch notice, which addressed a total of 15 high-severity vulnerabilities.

The first issue affected the NGINX Controller API Management product, which allows DevOps teams to control the API lifecycle, security included. Somewhat ironically, the product itself had an API vulnerability that allowed an injection attack using an admin role against an undisclosed API. An attacker could have used this endpoint to inject malicious JavaScript which could then execute within the target data planes — a great example of API5:2019 — broken function level authorization. The vulnerability (CVE-2022-23008) was given a CVSS score of 8.7 and has now been patched in version 3.19.1.

The second vulnerability affects the configuration utility of the BIG-IP load balancer, which was vulnerable to cross-site scripting (XSS) attacks that allowed JavaScript to be injected into the context of the currently logged-in user. The vulnerability (CVE-2022-23013) was given a CVSS score of 7.5 and has also now been patched.

Opinion: Ten API Integration Trends

We also have our regular contributor to the newsletter, Brenton House, who discusses ten hot API integration trends for 2022. In his view they are:

  1. API cybersecurity
  2. Seamless integration solutions
  3. Adaptive API management
  4. API and integration automation
  5. Industry-specific breakouts
  6. API best practices
  7. OpenAPI standards
  8. API and integration experience
  9. API-led modernization
  10. API economy growth

Readers of this newsletter are unlikely to be surprised to see API security featuring at the top of the list. House highlights that APIs are likely to become the most frequently used attack vector, which — coupled with the exponential growth of APIs — leads to API security becoming a very hot topic.

House emphasizes the value of the “shift-left, shield-right” approach (covered in the first article in this newsletter), and highlights the importance of the related topics of encryption and privacy when considering the overall API security strategy.

Article: Bot Attacks on APIs Increasing

Next up, we have an article on the rise of bot attacks against APIs. It highlights the challenges that bots present to APIs, primarily that they are hard to detect and therefore hard to defend against. Bot sophistication has increased rapidly, and bots can now mimic the behavior of a human user quite accurately.

Typically, adversaries use a combination of the following tactics:

  • Automate bot attacks
  • Access a wide pool of account information and credentials to attempt account takeovers (ATO)
  • Use clusters of mobile devices all grouped together to avoid device detection

Defenders have two options for reducing the effectiveness of bot attacks: firstly, they can reduce the efficiency of bot attacks, for example with rate limiting, and secondly, they can increase attacker costs by using better protection methods on their APIs.
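As an added example (not code from the article), here is a login throttle that counts recent failures on two dimensions, per source IP and per target account. The window length and both limits are assumed values, and the sample event list is constructed: eight wrong-password attempts on one account from eight different sources, the "cluster of devices" tactic listed above, which a per-IP limit alone never blocks but the per-account budget does.

```python
# Added example: two-dimensional login rate limiting against distributed ATO.
from collections import defaultdict, deque

WINDOW_SECONDS = 300  # sliding window length (assumed value)


class LoginThrottle:
    """Counts recent login failures per source IP and per target account.
    Limits are assumed values; passing None disables that dimension."""

    def __init__(self, ip_limit=10, account_limit=5):
        self.ip_limit = ip_limit
        self.account_limit = account_limit
        self.by_ip = defaultdict(deque)       # ip -> failure timestamps
        self.by_account = defaultdict(deque)  # account -> failure timestamps

    @staticmethod
    def _recent(q: deque, now: float) -> int:
        # Drop timestamps that fell out of the window; return what remains.
        while q and now - q[0] >= WINDOW_SECONDS:
            q.popleft()
        return len(q)

    def allow(self, ip: str, account: str, now: float) -> bool:
        """True if the attempt may proceed to credential verification."""
        if (self.ip_limit is not None
                and self._recent(self.by_ip[ip], now) >= self.ip_limit):
            return False
        if (self.account_limit is not None
                and self._recent(self.by_account[account], now) >= self.account_limit):
            return False
        return True

    def record_failure(self, ip: str, account: str, now: float) -> None:
        self.by_ip[ip].append(now)
        self.by_account[account].append(now)


def replay(throttle: LoginThrottle, events) -> int:
    """Feed (timestamp, ip, account, success) events; return how many were blocked."""
    blocked = 0
    for t, ip, account, success in events:
        if not throttle.allow(ip, account, t):
            blocked += 1
        elif not success:
            throttle.record_failure(ip, account, t)
    return blocked


# Constructed sample: eight wrong-password attempts on one account, each from a
# different device/IP one second apart, mimicking a distributed bot fleet.
DISTRIBUTED_ATO = [(float(i), f"203.0.113.{i + 1}", "victim", False) for i in range(8)]
```

Tuning the per-account budget too low turns this control into a lockout that an attacker can trigger deliberately, so the per-account limit should throttle (for example with delays or step-up verification) rather than hard-lock the account.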


Published at DZone with permission of Colin Domoney. See the original article here.
