A Game Plan for OWASP Top 10 API Security Risks

How Akamai can help you address common API vulnerabilities and threats

OWASP Top 10 API Security Risks

APIs live at the core of an enterprise’s digital products, cloud services, and AI technologies. They’re also the standard for building and connecting applications as organizations increasingly move to microservices-based architecture for developing apps. However, APIs’ constant access to data and critical systems makes them both a revenue driver and an operational risk.

Exposed or misconfigured APIs are prevalent, easy to compromise, and often unprotected. And just one breached API can result in millions of records being stolen.

With 84% of organizations reporting they’ve experienced API security incidents in a year’s span, it’s clear that protecting APIs should be a priority. But the API attack surface has quickly risen to a target of choice — much faster than most enterprises have been able to build an understanding of:

• API risks
• API attack methods
• API security controls and capabilities

What can help? Many security teams are turning to a valuable resource from the non-profit Open Worldwide Application Security Project: the OWASP Top 10 API Security Risks.

The OWASP Top 10 API Security Risks contains guidance to help organizations understand and address common API vulnerabilities stemming from issues such as misconfigurations, lax authentication controls, and more. OWASP also explains how API attacks work, how to identify API abuse, and ways to protect your organization from threats such as broken object level authorization (BOLA) attacks.

Read on to learn about key OWASP-identified risks and how Akamai’s API security solutions can help you mitigate them.
Broken Object Level Authorization

Broken Object Level Authorization (BOLA) vulnerabilities can occur when a client’s authorization is not properly validated to access specific object IDs. This vulnerability can provide an opening for attackers to access resources directly, bypassing the anticipated application workflow and gaining unauthorized access to sensitive data. Organizations can reduce this risk by avoiding sole reliance on object IDs that clients pass in their requests. Instead, organizations can use non-guessable, random IDs for objects to ensure robust validation for every object. When appropriate, masking the true ID of objects can provide an additional layer of security.

How Akamai can help

Akamai’s vigilant surveillance systems track threats and generate alerts for attempted BOLA exploitation, ensuring immediate attention and action. Akamai mitigates risk by:

• Identifying BOLA exploitation attempts
• Classifying API endpoints susceptible to BOLA exploitation based on received inputs (e.g., enumerable parameters) as well as the relationships between API objects and properties
• Generating alerts on attempted or successful BOLA exploitation

Broken Authentication

Broken authentication refers to broad vulnerabilities in the authentication process, exposing the system to attackers who can exploit these weaknesses to compromise API object protection. Typically, attackers capitalizing on broken authentication vulnerabilities manipulate loopholes in the system, such as weak passwords or session replay. To protect against broken authentication vulnerabilities, organizations can establish robust authentication and secrets management mechanisms, such as strong password policies, key rotation, strong token signatures, and encryption keys. Enforcing these stringent policies organization-wide can significantly reduce risk.
How Akamai can help

Akamai fortifies API security by identifying and rectifying weak authentication points, thwarting automated attacks, and proactively alerting on attempted exploitation attacks. Akamai mitigates this risk by:

• Identifying API endpoints that do not require authentication or do not follow authentication best practices, such as weak token signatures or encryption keys and the acceptance of expired authentication tokens
• Protecting against automated dictionary or credential stuffing attacks through our bot management capabilities
• Handling authorization of JSON Web Tokens using strong token signatures through our API Gateway capabilities
• Generating alerts on attempted Broken User Authentication exploitation

Broken Object Property Level Authorization

Broken Object Property Level Authorization (BOPLA) is a security flaw where an API endpoint unnecessarily exposes more data properties than required for its function, neglecting the principle of least privilege.

This flaw can inadvertently provide attackers with excessive data that can then be used to unearth more vulnerabilities or mine for sensitive data. This includes scenarios where properties exclusive to admin-level access can be manipulated by unauthorized users, further compromising system integrity. To ensure se
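As an added illustration of the BOLA guidance and the expired-token point above (example code written for this page, not Akamai's code or any real API), the Python below contrasts a handler that returns whatever object ID the client names with one that issues non-guessable IDs, rejects expired sessions, and checks that the caller owns the object. The in-memory order store, session table, and user names are constructed for the example.

```python
import secrets
import time

# Constructed in-memory store: each record carries its owner, and keys are
# random, non-guessable IDs rather than sequential integers (per the BOLA advice).
ORDERS = {}

def create_order(owner, total):
    """Store an order under a randomly generated, opaque ID and return that ID."""
    order_id = secrets.token_urlsafe(16)
    ORDERS[order_id] = {"owner": owner, "total": total}
    return order_id

# Constructed session table: token -> (subject, expiry timestamp).
# A production API would verify a signed JWT here instead of a dict lookup.
SESSIONS = {}

def issue_token(user, ttl_seconds=3600, now=None):
    """Issue a session token for `user` that expires after `ttl_seconds`."""
    token = secrets.token_urlsafe(24)
    SESSIONS[token] = (user, (now or time.time()) + ttl_seconds)
    return token

def get_order_vulnerable(token, order_id):
    """BOLA-prone handler: authenticates the caller, then trusts the object ID
    the client supplied and returns any order that exists under it."""
    if token not in SESSIONS:
        return 401, None
    order = ORDERS.get(order_id)
    return (404, None) if order is None else (200, order)

def get_order_hardened(token, order_id, now=None):
    """Hardened handler: rejects unknown or expired sessions, then returns the
    order only if the authenticated subject owns it."""
    session = SESSIONS.get(token)
    if session is None:
        return 401, None
    subject, expires_at = session
    if (now or time.time()) >= expires_at:
        return 401, None                 # expired tokens are not accepted
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != subject:
        return 404, None                 # same answer for missing and foreign objects
    return 200, order
```

Returning 404 for both a missing object and another user's object keeps the hardened handler from confirming which IDs exist.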