Over a million developers have joined DZone.
{{announcement.body}}
{{announcement.title}}

API Security Weekly: Issue #9

DZone's Guide to

API Security Weekly: Issue #9

If you are using Kubernetes, you should install a patch for it as soon as possible.

· Integration Zone ·
Free Resource

WSO2 is the only open source vendor to be named a leader in The Forrester Wave™: API Management Solutions, Q4 2018 Report. Download the report now or try out our product for free.

Vulnerabilities

If you are using Kubernetes, you should install a patch for it as soon as possible. There was a huge privilege escalation vulnerability that got fixed this week. The flaw allows attackers to contact Kubernetes API server using a non-privileged account and then get high-privilege operations forwarded to backend services. Even worse, the calls are not showing up in server audit logs or server logs, making the attack hard to detect.

Abraham Ingersoll from Gravitational published details here:

  1. Attacker contacts Kubernetes API server and requests a connection to a backend server over HTTP/2 websockets.
  2. API server forwards the request to the backend server.
  3. The request is made in a way that it automatically fails.
  4. An error is returned to the attacker, but API server leaves open a connection to the backend that is authenticated with high-privilege TLS certificate of the API server itself,
  5. The attacker uses the open, authenticated connection to send requests to invoke high-privilege operations. The backend server has no reason to suspect anything out of ordinary but completes the request.

One of the popular security camera systems, NUUO NVRmini2 Network Video Recorder, had a serious API vulnerability reported by Digital Defense. Because string parameters were not checked for their length or sanitized, attackers could craft an overly long GET request, cause stack overflow and execute arbitrary code as root. This way, the attacker can intercept and even replace the video stream from the security cameras.

If you’re using ElasticSearch, you may expose more APIs than you are aware of. Lots of companies have lately had ElasticSearch breaches and their customer records exposed:

The breaches happen because, by default, ElasticSearch is wide open and not secured at all. So, to avoid the breaches:

  1. Avoid having your ElasticSearch accessible from the internet at all if you can.
  2. Enable (or install for older versions) the X-Pack security module and set secure passwords for all default accounts.

Best Practices

Are you implementing your APIs in Node.js? If so, check out this brilliant list of 23 security best practices.

Kristopher Sandoval from NordicAPIs goes through the possible ways how APIs get hacked and how these could be remediated. His list of attacks includes, for example:

  • Reverse engineering
  • Spoofing
  • Man-in-the-middle
  • Session replays
  • Social engineering

Tsahi Levent-Levi has posted in TechTarget his 4 steps to securing your APIs. The checklist is, in a nutshell:

  1. Authorization
  2. Audit trail
  3. Data at rest and data in motion
  4. Rate limiting

Standards

The free “HTTP/3 explained” ebook from Daniel Stenberg contains some good information on the upcoming HTTP/3 protocol. In this protocol, the encrypted traffic will be based on the QUIC protocol.

Surveys

According to a recent survey by Ping Identity, security and IT professionals seem to have doubts whether the security teams of their companies are up to speed with API security:

  • 45% lack confidence in their security team to detect malicious API access
  • 51% are not confident their security team is aware of all APIs existing in their organization.

You can subscribe to this newsletter at https://APISecurity.io.

IAM is now more than a security project. It’s an enabler for an integration agile enterprise. If you’re currently evaluating an identity solution or exploring IAM, join this webinar.

Topics:
security ,api ,api security ,integration ,integration news ,integration newsletter ,install a patch for kubernetes

Published at DZone with permission of

Opinions expressed by DZone contributors are their own.

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}