Month: March 2024
Medical Case Study Research and Presentation Outlines – HLS Copilot Snacks
HLS Copilot Snacks are the perfect way to learn how to use Copilot to boost your productivity and reduce your workload.
In this snackable you will learn how to conduct research for medical case studies right from the comfort of Microsoft Teams. Then you will be able to create a presentation outline, again from the comfort of Teams, based on that research. All of this… in less than 10 minutes!
To see all HLS Copilot Snacks video click here.
Resources:
Prompt – “I’m working on a presentation about Pancreatic Cancer. Can you help me find the latest case studies to include?” also “Can you help me with the presentation outline?” – *Prompts and videos are for informational purposes only.
Microsoft Copilot grounded in your work data
Learn about Copilot prompts – Microsoft Support
Edit a Copilot prompt to make it your own – Microsoft Support
Have questions you would like to have us address in a snackable? Let us know!
Thanks for visiting – Michael Gannotti LinkedIn
Microsoft Tech Community – Latest Blogs –Read More
Protect Against OWASP API Top 10 Security Risks Using Defender for APIs
Overview
The Open Web Application Security Project (OWASP) Foundation is a nonprofit foundation dedicated to improving software security through community-led open-source projects, education, and transparency. The OWASP API Security Project focuses on strategies and solutions to understand and mitigate the unique vulnerabilities and security risks of APIs. In this post, we’ll dive into how Defender for APIs (a plan provided by Microsoft Defender for Cloud) provides security coverage for the OWASP API Top 10 security risks.
Defender for APIs offers full lifecycle protection, detection, and response coverage for APIs. Defender for APIs helps you to gain visibility into business-critical APIs. You can investigate and improve your API security posture, prioritize vulnerability fixes, and quickly detect active real-time threats.
Concepts
Security recommendations – Recommendations in Defender for Cloud are based on the Microsoft cloud security benchmark. The Microsoft cloud security benchmark is the Microsoft-authored set of guidelines for security and compliance best practices based on common compliance frameworks. This widely respected benchmark builds on the controls from the Center for Internet Security (CIS) and the National Institute of Standards and Technology (NIST) with a focus on cloud-centric security. For a complete list of API security recommendations, see Security recommendations – a reference guide
Security alerts – Security alerts are the notifications generated by Defender for Cloud’s workload protection plans when runtime threats are identified in your Azure, hybrid, or multi-cloud environments. For a complete list of API security alerts, see Security alerts – a reference guide
Attack path analysis – Defender for Cloud uses environment context to perform a risk assessment of your security issues and subsequently identifies the biggest security risk issues. Defender for Cloud then analyzes which security issues are part of potential attack paths that attackers could use to breach your environment. To learn more, see Identify and remediate attack paths
Defender for APIs – OWASP API Security Coverage Mapping
OWASP API Risk
Defender for APIs Security Coverage
Broken Object Level Authorization (API1:2023)
(Security alert) Parameter enumeration on an API endpoint – A single IP was observed enumerating parameters when accessing one of the API endpoints
(Security alert) Distributed parameter enumeration on an API endpoint – The aggregate user population (all IPs) was observed enumerating parameters when accessing one of the API endpoints.
Broken Authentication (API2:2023)
(Security recommendation) API endpoints in Azure API Management should be authenticated – API endpoints published within Azure API Management should enforce authentication to help minimize security risk.
(Security recommendation) API Management calls to API backends should be authenticated – Calls from API Management to backends should use some form of authentication, whether via certificates or credentials.
Broken Object Property Level Authorization (API3:2023)
(Security alert) Previously unseen parameter used in an API call – A single IP was observed accessing one of the API endpoints using a previously unseen parameter in the request.
(Security alert) Unusually large response payload transmitted between a single IP address and an API endpoint – A suspicious spike in API response payload size was observed for traffic between a single IP and one of the API endpoints.
Unrestricted Resource Consumption (API4:2023)
(Security alert) Suspicious population-level spike in API traffic to an API endpoint – A suspicious spike in API traffic was detected at one of the API endpoints.
(Security alert) Suspicious spike in API traffic from a single IP address to an API endpoint – A suspicious spike in API traffic was detected from a client IP to the API endpoint.
(Security alert) Unusually large request body transmitted between a single IP address and an API endpoint – A suspicious spike in API request body size was observed for traffic between a single IP and one of the API endpoints.
(Security alert) Suspicious spike in latency for traffic between a single IP address and an API endpoint – A suspicious spike in latency was observed for traffic between a single IP and one of the API endpoints.
(Security alert) API requests spray from a single IP address to an unusually large number of distinct API endpoints – A single IP was observed making API calls to an unusually large number of distinct endpoints.
(Security recommendation) API Management direct management endpoint should not be enabled – The direct management REST API in Azure API Management bypasses Azure Resource Manager role-based access control, authorization, and throttling mechanisms, thus increasing the vulnerability of your service.
Broken Function Level Authorization (API5:2023)
No coverage
Unrestricted Access to Sensitive Business Flows (API6:2023)
(Attack path analysis) Internet exposed APIs that are unauthenticated carry sensitive data
(Security alert) Suspicious spike in API traffic from a single IP address to an API endpoint – A suspicious spike in API traffic was detected from a client IP to the API endpoint.
Server-Side Request Forgery (API7:2023)
No coverage
Security Misconfiguration (API8:2023)
(Security recommendation) API endpoints that are unused should be disabled and removed from the Azure API Management service – As a security best practice, API endpoints that haven’t received traffic for 30 days are considered unused and should be removed from the Azure API Management service.
(Security recommendation) API Management APIs should use only encrypted protocols – APIs should be available only through encrypted protocols, like HTTPS or WSS. Avoid using unsecured protocols, such as HTTP or WS to ensure security of data in transit.
(Security recommendation) API Management secret named values should be stored in Azure Key Vault – Named values are a collection of name and value pairs in each API Management service.
(Security recommendation) API Management should disable public network access to the service configuration endpoints – To improve the security of API Management services, restrict connectivity to service configuration endpoints, like direct access management API, Git configuration management endpoint, or self-hosted gateways configuration endpoint.
(Security recommendation) API Management calls to API backends should be authenticated – Calls from API Management to backends should use some form of authentication, whether via certificates or credentials. Does not apply to Service Fabric backends.
Improper Inventory Management (API9:2023)
Inventory dashboard – Centralized inventory of all managed APIs and related API security findings.
External exposure – Classify which API endpoints are exposed externally.
Sensitive data classification – Classify APIs that receive or respond with sensitive data, to support risk prioritization, including integration support with Microsoft MIP Purview.
Unsafe Consumption of APIs (API10:2023)
No coverage
API Security Testing
Microsoft Defender for Cloud supports third-party tools to help enhance the existing runtime security capabilities that are provided by Defender for APIs. Defender for Cloud supports proactive API security testing capabilities in early stages of the development lifecycle (including DevOps pipelines). The support for third-party solutions helps to further streamline, integrate, and orchestrate security findings from other vendors with Microsoft Defender for Cloud.
This support enables full lifecycle API security (extending to OWASP API top 10 risks), and the ability for security teams to effectively discover and remediate API security vulnerabilities before they are deployed in production. To learn more, see the following: Partner applications in Microsoft Defender for Cloud for API security testing (preview)
Next Steps
To learn more about how Defender for APIs augments the security offered by Azure Web Application Firewall (Azure WAF) and Azure API Management, see the following: Defender for APIs Better Together with Azure Web Application Firewall and Azure API Management.
To learn more about how Azure API Management helps mitigate risks against the OWASP API risks, see the following: Recommendations to mitigate OWASP API Security Top 10 threats using API Management
Microsoft Tech Community – Latest Blogs –Read More
Professional Journal PDF to Word to PowerPoint – HLS Copilot Snacks
HLS Copilot Snacks are the perfect way to learn how to use Copilot to boost your productivity and reduce your workload.
In this snackable you will learn how to quickly take a professional journal publication in PDF format and convert it to Microsoft Word where you can use Copilot to query and summarize the contents. Then you will learn how to turn that professional journal publication and leverage Copilot to create a PowerPoint presentation in order to present its contents to colleagues and staff.
To see all HLS Copilot Snacks video click here.
Resources:
Prompt – “Summarize this doc” and “Create a presentation from file…” – *Prompts and videos are for informational purposes only.
Copilot in Word help & learning (microsoft.com)
Copilot in PowerPoint help & learning (microsoft.com)
Prepare your presentation with Copilot for Microsoft 365 – Microsoft Support
Copilot for Microsoft 365 – Microsoft Adoption
Your path to value with Copilot for Microsoft 365 – Microsoft Community Hub
Have questions you would like to have us address in a snackable? Let us know!
Thanks for visiting – Michael Gannotti LinkedIn
Microsoft Tech Community – Latest Blogs –Read More
Microsoft AI Tour : Sydney, Bengaluru, Tokyo
The Microsoft AI Tour, a global event series aimed at enhancing AI skills for decision-makers and developers, kicked off with Microsoft Build: AI Day London in October 2023. The tour has been held in various locations around the world, including San Francisco and New York in January 2024. Many attendees at these events had the opportunity to learn about the latest AI technologies, interact with Microsoft leaders and technical experts, and enjoy a unique opportunity to further utilize Microsoft AI technology in the future.
In this blog, we will look back at the events held in Sydney, Bengaluru, and Tokyo, and introduce the voices of Microsoft MVPs, Microsoft Regional Directors, and Microsoft Learn Student Ambassadors who participated in the events and spent a day immersed in AI as part of the global event tour.
February 7, 2024 – Microsoft AI Tour Sydney
At the Microsoft AI Tour Sydney, decision-makers and developers eager to learn about various Microsoft AI and Copilot technologies visited the venue. Scott Guthrie, Executive Vice President of the Microsoft Cloud + AI Group, participated as an executive speaker and gave a keynote speech on AI transformation using Microsoft Cloud in Australian organizations. He also interacted with attendees, providing an opportunity to further enhance the momentum for AI utilization among Australian users.
MVPs and RDs supported the event mainly as Technical Theater speakers, Workshop proctors, and booth speakers. Additionally, the day before the event, the technical community BizApps Sydney User Group hosted a community event in collaboration with Microsoft Reactor Sydney, enhancing the experience of participating in the Sydney event and inspiring attendees with shared ideas from a user perspective.
Michael John Peña, Microsoft Azure MVP, Theater session speaker
“Attending the Microsoft AI Tour in Sydney was an enlightening journey. It offered a distinctive platform to interact with a wide array of individuals, including Microsoft MVPs, FTEs, customers, and other tech enthusiasts. My theatre session was a testament to the curiosity and engagement surrounding Copilot experiences. As an MVP, my unique perspective added depth to the discourse on these technologies. The event underscored the message that we are entering a new era where AI is not just a concept, but a tangible reality within our grasp. The fact that such a high-caliber event was free of charge is still astonishing to me. I eagerly anticipate a similar event next year, hopefully spanning multiple days.”
Lisa Crosbie, Business Applications MVP, Theater session speaker
“This was an absolutely incredible event, networking with customers, Microsoft and the community to learn and share our knowledge with AI, and the whole event had an incredible buzz. I expanded my knowledge into new technical areas and have opened up new learning paths for myself. The opportunity to present a technical session meant that I could help more people get over that barrier of how to get started with Azure OpenAI and how to work out their use cases. I had several 1:1 conversation with attendees after the session to discuss and help them further.”
Olena Grischenko, Business Applications MVP
“Recently, I attended the Microsoft AI Tour event in Sydney, which marked the first significant in-person gathering since COVID-19. Throughout the event, I engaged in multiple keynotes, presentations, and hands-on labs, focusing particularly on Business Applications relevant to government organizations, where most of my clients operate. Immediately following the event, we applied the insights gained to a tender we were participating in, offering our client the latest platform capabilities powered by AI. Also, I shared these updates with my clients, recognizing the widespread interest in AI advancements. Utilizing the capabilities announced at the event will benefit all my clients by enhancing productivity, improving performance, and ultimately leading to cost savings for their businesses.
Thank you very much for organising the event!”
February 8, 2024 – Microsoft AI Tour Bengaluru
The Microsoft AI Tour Bengaluru, held in partnership with NVIDIA, was attended by Satya Nadella, Chairman and CEO of Microsoft from Redmond, USA. In his keynote speech, he emphasized the importance of the developer community in solving challenges in India and building products and solutions that can be deployed globally. The presence of Satya, representing Microsoft, heightened the enthusiasm of the participants, uniting them in their pursuit of developing cutting-edge AI solutions.
At this event, Microsoft MVPs such as Krunal Trivedi, Shrushti Shah, and Smita Nachan shared their learning and insights in various roles to help participants understand AI better.
Krunal Trivedi, Microsoft Azure MVP, Workshop proctor and Booth presenter at the Machine Learning Booth
“Attending the Microsoft Global AI Tour in Bangalore was an incredible experience. As a Microsoft MVP for Azure, being part of such a prestigious event was both an honor and a privilege.
One of the highlights of the event was Satya Nadella’s keynote address on the Future of AI. His insights into groundbreaking technologies like co-pilot left attendees in awe, sparking a palpable sense of excitement and anticipation for what lies ahead in the world of artificial intelligence.
The atmosphere was electric, with attendees from diverse backgrounds and industries coming together to explore the latest advancements in AI. From engaging workshops to insightful discussions, the event provided a platform for learning, networking, and collaboration.
Overall, the Microsoft Global AI Tour was a truly enriching experience. It not only showcased the cutting-edge innovations driving AI forward but also fostered a sense of community among technology enthusiasts. I am grateful for the opportunity to have been a part of it and look forward to continuing to contribute to the advancement of AI technologies in the future.”
Shrushti Shah, M365 MVP, Booth presenter at the Copilot Studio Booth
“I was selected as an expert for the Microsoft AI Tour Bengaluru event where I got the opportunity to manage Copilot Studio booth and the experience was truly unbelievable. I interacted with more than 50 attendees at the booth, answered their queries, showcased the features of Copilot Studio. Attendees were very curious to know about how copilot can be built using Copilot Studio and how this can fit their organization’s needs in different verticals. I truly loved the enthusiasm of all the attendees who wanted to get their hands wet on building Copilot for various different use cases.”
February 20, 2024 – Microsoft AI Tour Tokyo
The Microsoft AI Tour Tokyo was the first event in this series to hold sessions in the local language. It attracted an unprecedented number of visitors for a Microsoft event in Japan in recent years. Attendees enjoyed learning about Microsoft AI and Copilot from morning to night, seizing opportunities to improve their AI skills and catch up on information. Direct interactions, such as the Connection Hub and individual discussions, also provided opportunities for attendees to learn about AI outlook with Takeshi Numoto, Executive Vice President & CMO, who participated in the event for the keynote speech.
24 Japanese MVPs and RDs supported the event as Workshop proctors and Community Lounge Booth presenters. Additionally, at the Developer Meet & Greet, a networking event unique to Japan for participants and AI experts, attendees showcased their AI knowledge at the AI unconference.
Kazuyuki Miyake, Microsoft Regional Director and Microsoft Azure MVP, Workshop proctor and AI Unconference speaker
“I joined this event as a proctor for the RAG workshop. It was an event where the global tour was conducted in Japan as is, so there were many Japanese participants who were somewhat confused. However, I believe that the technical support in our native language by MVP/RDs played a very important role. Overall, I strongly agree with the concept and content of the Microsoft AI Tour, and it is very meaningful that a world-class AI tech event was held in Japan.
In Japan, the use of generative AI is more active than ever before. However, on the other hand, there are aspects where the effectiveness of utilizing AI with Azure has not been fully communicated (e.g., it is not well known that Azure OpenAI Service can be used to securely architect AI applications). As an MVP/RD, we have expertise in various areas, so we will enhance our efforts to explain the effectiveness of generative AI not only from the perspective of AI itself but also from the perspective of related areas such as application development and data platforms.
Yoshitaka Seo, AI MVP, Workshop proctor
“By participating in this event, I was once again reminded that generative AI is one of the most important technologies in the current IT landscape. The event was very informative in understanding the direction of Copilot construction, as two tools, Azure AI Studio and Microsoft Copilot Studio, were introduced side by side.
While generative AI has already become commoditized, knowing the technical background can help us use and build it more effectively. We will continue to share information that is more convenient to use, not only by introducing tools and services but also by touching on their background.”
Kenta Yamada, Microsoft Learn Student Ambassador, Attendee
“By participating in the Microsoft AI Tour, I had the opportunity to learn about and try services equipped with Copilot, such as Microsoft Copilot Studio.
I also participated in a data analysis workshop using Microsoft Fabric, which provided not only technical input but also learning about the management of the workshop itself. I will utilize this experience in future events for students as a Microsoft Learn Student Ambassador.”
The Microsoft AI Tour assists more individuals in enhancing their AI skills by holding events around the world, including Paris, Berlin, São Paulo in March, and Seoul in April. Please visit the following page for details on each event.
https://envision.microsoft.com/en-US/home
Moreover, the Microsoft AI Tour Cloud Skills Challenge is being held for those who have participated in the Microsoft AI Tour at various locations, as well as for everyone. Please check out the Cloud Skills Challenge, which offers a chance to polish your AI skills by completing four challenges, and to receive a discount voucher for the Microsoft Certification exam to verify your learning.
In addition, for those who wish to learn about AI beyond the Microsoft AI Tour, please consider participating in the Global AI Bootcamp, a global community event series led by the Global AI Community, which organizes AI-focused events in various local tech communities. Enjoy sessions and discussions led by local experts.
Microsoft Tech Community – Latest Blogs –Read More
Protect Against OWASP API Top 10 Security Risks Using Defender for APIs
Overview
The Open Web Application Security Project (OWASP) Foundation is a nonprofit foundation dedicated to improving software security through community-led open-source projects, education, and transparency. The OWASP API Security Project focuses on strategies and solutions to understand and mitigate the unique vulnerabilities and security risks of APIs. In this post, we’ll dive into how Defender for APIs (a plan provided by Microsoft Defender for Cloud) provides security coverage for the OWASP API Top 10 security risks.
Defender for APIs offers full lifecycle protection, detection, and response coverage for APIs. Defender for APIs helps you to gain visibility into business-critical APIs. You can investigate and improve your API security posture, prioritize vulnerability fixes, and quickly detect active real-time threats.
Concepts
Security recommendations – Recommendations in Defender for Cloud are based on the Microsoft cloud security benchmark. The Microsoft cloud security benchmark is the Microsoft-authored set of guidelines for security and compliance best practices based on common compliance frameworks. This widely respected benchmark builds on the controls from the Center for Internet Security (CIS) and the National Institute of Standards and Technology (NIST) with a focus on cloud-centric security. For a complete list of API security recommendations, see Security recommendations – a reference guide
Security alerts – Security alerts are the notifications generated by Defender for Cloud’s workload protection plans when runtime threats are identified in your Azure, hybrid, or multi-cloud environments. For a complete list of API security alerts, see Security alerts – a reference guide
Attack path analysis – Defender for Cloud uses environment context to perform a risk assessment of your security issues and subsequently identifies the biggest security risk issues. Defender for Cloud then analyzes which security issues are part of potential attack paths that attackers could use to breach your environment. To learn more, see Identify and remediate attack paths
Defender for APIs – OWASP API Security Coverage Mapping
OWASP API Risk
Defender for APIs Security Coverage
Broken Object Level Authorization (API1:2023)
(Security alert) Parameter enumeration on an API endpoint – A single IP was observed enumerating parameters when accessing one of the API endpoints
(Security alert) Distributed parameter enumeration on an API endpoint – The aggregate user population (all IPs) was observed enumerating parameters when accessing one of the API endpoints.
Broken Authentication (API2:2023)
(Security recommendation) API endpoints in Azure API Management should be authenticated – API endpoints published within Azure API Management should enforce authentication to help minimize security risk.
(Security recommendation) API Management calls to API backends should be authenticated – Calls from API Management to backends should use some form of authentication, whether via certificates or credentials.
Broken Object Property Level Authorization (API3:2023)
(Security alert) Previously unseen parameter used in an API call – A single IP was observed accessing one of the API endpoints using a previously unseen parameter in the request.
(Security alert) Unusually large response payload transmitted between a single IP address and an API endpoint – A suspicious spike in API response payload size was observed for traffic between a single IP and one of the API endpoints.
Unrestricted Resource Consumption (API4:2023)
(Security alert) Suspicious population-level spike in API traffic to an API endpoint – A suspicious spike in API traffic was detected at one of the API endpoints.
(Security alert) Suspicious spike in API traffic from a single IP address to an API endpoint – A suspicious spike in API traffic was detected from a client IP to the API endpoint.
(Security alert) Unusually large request body transmitted between a single IP address and an API endpoint – A suspicious spike in API request body size was observed for traffic between a single IP and one of the API endpoints.
(Security alert) Suspicious spike in latency for traffic between a single IP address and an API endpoint – A suspicious spike in latency was observed for traffic between a single IP and one of the API endpoints.
(Security alert) API requests spray from a single IP address to an unusually large number of distinct API endpoints – A single IP was observed making API calls to an unusually large number of distinct endpoints.
(Security recommendation) API Management direct management endpoint should not be enabled – The direct management REST API in Azure API Management bypasses Azure Resource Manager role-based access control, authorization, and throttling mechanisms, thus increasing the vulnerability of your service.
Broken Function Level Authorization (API5:2023)
No coverage
Unrestricted Access to Sensitive Business Flows (API6:2023)
(Attack path analysis) Internet exposed APIs that are unauthenticated carry sensitive data
(Security alert) Suspicious spike in API traffic from a single IP address to an API endpoint – A suspicious spike in API traffic was detected from a client IP to the API endpoint.
Server-Side Request Forgery (API7:2023)
No coverage
Security Misconfiguration (API8:2023)
(Security recommendation) API endpoints that are unused should be disabled and removed from the Azure API Management service – As a security best practice, API endpoints that haven’t received traffic for 30 days are considered unused and should be removed from the Azure API Management service.
(Security recommendation) API Management APIs should use only encrypted protocols – APIs should be available only through encrypted protocols, like HTTPS or WSS. Avoid using unsecured protocols, such as HTTP or WS to ensure security of data in transit.
(Security recommendation) API Management secret named values should be stored in Azure Key Vault – Named values are a collection of name and value pairs in each API Management service.
(Security recommendation) API Management should disable public network access to the service configuration endpoints – To improve the security of API Management services, restrict connectivity to service configuration endpoints, like direct access management API, Git configuration management endpoint, or self-hosted gateways configuration endpoint.
(Security recommendation) API Management calls to API backends should be authenticated – Calls from API Management to backends should use some form of authentication, whether via certificates or credentials. Does not apply to Service Fabric backends.
Improper Inventory Management (API9:2023)
Inventory dashboard – Centralized inventory of all managed APIs and related API security findings.
External exposure – Classify which API endpoints are exposed externally.
Sensitive data classification – Classify APIs that receive or respond with sensitive data, to support risk prioritization, including integration support with Microsoft MIP Purview.
Unsafe Consumption of APIs (API10:2023)
No coverage
API Security Testing
Microsoft Defender for Cloud supports third-party tools to help enhance the existing runtime security capabilities that are provided by Defender for APIs. Defender for Cloud supports proactive API security testing capabilities in early stages of the development lifecycle (including DevOps pipelines). The support for third-party solutions helps to further streamline, integrate, and orchestrate security findings from other vendors with Microsoft Defender for Cloud.
This support enables full lifecycle API security (extending to OWASP API top 10 risks), and the ability for security teams to effectively discover and remediate API security vulnerabilities before they are deployed in production. To learn more, see the following: Partner applications in Microsoft Defender for Cloud for API security testing (preview)
Next Steps
To learn more about how Defender for APIs augments the security offered by Azure Web Application Firewall (Azure WAF) and Azure API Management, see the following: Defender for APIs Better Together with Azure Web Application Firewall and Azure API Management.
To learn more about how Azure API Management helps mitigate risks against the OWASP API risks, see the following: Recommendations to mitigate OWASP API Security Top 10 threats using API Management
Microsoft Tech Community – Latest Blogs –Read More
Protect Against OWASP API Top 10 Security Risks Using Defender for APIs
Overview
The Open Web Application Security Project (OWASP) Foundation is a nonprofit foundation dedicated to improving software security through community-led open-source projects, education, and transparency. The OWASP API Security Project focuses on strategies and solutions to understand and mitigate the unique vulnerabilities and security risks of APIs. In this post, we’ll dive into how Defender for APIs (a plan provided by Microsoft Defender for Cloud) provides security coverage for the OWASP API Top 10 security risks.
Defender for APIs offers full lifecycle protection, detection, and response coverage for APIs. Defender for APIs helps you to gain visibility into business-critical APIs. You can investigate and improve your API security posture, prioritize vulnerability fixes, and quickly detect active real-time threats.
Concepts
Security recommendations – Recommendations in Defender for Cloud are based on the Microsoft cloud security benchmark. The Microsoft cloud security benchmark is the Microsoft-authored set of guidelines for security and compliance best practices based on common compliance frameworks. This widely respected benchmark builds on the controls from the Center for Internet Security (CIS) and the National Institute of Standards and Technology (NIST) with a focus on cloud-centric security. For a complete list of API security recommendations, see Security recommendations – a reference guide
Security alerts – Security alerts are the notifications generated by Defender for Cloud’s workload protection plans when runtime threats are identified in your Azure, hybrid, or multi-cloud environments. For a complete list of API security alerts, see Security alerts – a reference guide
Attack path analysis – Defender for Cloud uses environment context to perform a risk assessment of your security issues and subsequently identifies the biggest security risk issues. Defender for Cloud then analyzes which security issues are part of potential attack paths that attackers could use to breach your environment. To learn more, see Identify and remediate attack paths
Defender for APIs – OWASP API Security Coverage Mapping
OWASP API Risk
Defender for APIs Security Coverage
Broken Object Level Authorization (API1:2023)
(Security alert) Parameter enumeration on an API endpoint – A single IP was observed enumerating parameters when accessing one of the API endpoints
(Security alert) Distributed parameter enumeration on an API endpoint – The aggregate user population (all IPs) was observed enumerating parameters when accessing one of the API endpoints.
Broken Authentication (API2:2023)
(Security recommendation) API endpoints in Azure API Management should be authenticated – API endpoints published within Azure API Management should enforce authentication to help minimize security risk.
(Security recommendation) API Management calls to API backends should be authenticated – Calls from API Management to backends should use some form of authentication, whether via certificates or credentials.
Broken Object Property Level Authorization (API3:2023)
(Security alert) Previously unseen parameter used in an API call – A single IP was observed accessing one of the API endpoints using a previously unseen parameter in the request.
(Security alert) Unusually large response payload transmitted between a single IP address and an API endpoint – A suspicious spike in API response payload size was observed for traffic between a single IP and one of the API endpoints.
Unrestricted Resource Consumption (API4:2023)
(Security alert) Suspicious population-level spike in API traffic to an API endpoint – A suspicious spike in API traffic was detected at one of the API endpoints.
(Security alert) Suspicious spike in API traffic from a single IP address to an API endpoint – A suspicious spike in API traffic was detected from a client IP to the API endpoint.
(Security alert) Unusually large request body transmitted between a single IP address and an API endpoint – A suspicious spike in API request body size was observed for traffic between a single IP and one of the API endpoints.
(Security alert) Suspicious spike in latency for traffic between a single IP address and an API endpoint – A suspicious spike in latency was observed for traffic between a single IP and one of the API endpoints.
(Security alert) API requests spray from a single IP address to an unusually large number of distinct API endpoints – A single IP was observed making API calls to an unusually large number of distinct endpoints.
(Security recommendation) API Management direct management endpoint should not be enabled – The direct management REST API in Azure API Management bypasses Azure Resource Manager role-based access control, authorization, and throttling mechanisms, thus increasing the vulnerability of your service.
Broken Function Level Authorization (API5:2023)
No coverage
Unrestricted Access to Sensitive Business Flows (API6:2023)
(Attack path analysis) Internet exposed APIs that are unauthenticated carry sensitive data
(Security alert) Suspicious spike in API traffic from a single IP address to an API endpoint – A suspicious spike in API traffic was detected from a client IP to the API endpoint.
Server-Side Request Forgery (API7:2023)
No coverage
Security Misconfiguration (API8:2023)
(Security recommendation) API endpoints that are unused should be disabled and removed from the Azure API Management service – As a security best practice, API endpoints that haven’t received traffic for 30 days are considered unused and should be removed from the Azure API Management service.
(Security recommendation) API Management APIs should use only encrypted protocols – APIs should be available only through encrypted protocols, like HTTPS or WSS. Avoid using unsecured protocols, such as HTTP or WS to ensure security of data in transit.
(Security recommendation) API Management secret named values should be stored in Azure Key Vault – Named values are a collection of name and value pairs in each API Management service.
(Security recommendation) API Management should disable public network access to the service configuration endpoints – To improve the security of API Management services, restrict connectivity to service configuration endpoints, like direct access management API, Git configuration management endpoint, or self-hosted gateways configuration endpoint.
(Security recommendation) API Management calls to API backends should be authenticated – Calls from API Management to backends should use some form of authentication, whether via certificates or credentials. Does not apply to Service Fabric backends.
Improper Inventory Management (API9:2023)
Inventory dashboard – Centralized inventory of all managed APIs and related API security findings.
External exposure – Classify which API endpoints are exposed externally.
Sensitive data classification – Classify APIs that receive or respond with sensitive data, to support risk prioritization, including integration support with Microsoft MIP Purview.
Unsafe Consumption of APIs (API10:2023)
No coverage
API Security Testing
Microsoft Defender for Cloud supports third-party tools to help enhance the existing runtime security capabilities that are provided by Defender for APIs. Defender for Cloud supports proactive API security testing capabilities in early stages of the development lifecycle (including DevOps pipelines). The support for third-party solutions helps to further streamline, integrate, and orchestrate security findings from other vendors with Microsoft Defender for Cloud.
This support enables full lifecycle API security (extending to OWASP API top 10 risks), and the ability for security teams to effectively discover and remediate API security vulnerabilities before they are deployed in production. To learn more, see the following: Partner applications in Microsoft Defender for Cloud for API security testing (preview)
Next Steps
To learn more about how Defender for APIs augments the security offered by Azure Web Application Firewall (Azure WAF) and Azure API Management, see the following: Defender for APIs Better Together with Azure Web Application Firewall and Azure API Management.
To learn more about how Azure API Management helps mitigate risks against the OWASP API risks, see the following: Recommendations to mitigate OWASP API Security Top 10 threats using API Management
Microsoft Tech Community – Latest Blogs –Read More
Protect Against OWASP API Top 10 Security Risks Using Defender for APIs
Overview
The Open Web Application Security Project (OWASP) Foundation is a nonprofit foundation dedicated to improving software security through community-led open-source projects, education, and transparency. The OWASP API Security Project focuses on strategies and solutions to understand and mitigate the unique vulnerabilities and security risks of APIs. In this post, we’ll dive into how Defender for APIs (a plan provided by Microsoft Defender for Cloud) provides security coverage for the OWASP API Top 10 security risks.
Defender for APIs offers full lifecycle protection, detection, and response coverage for APIs. Defender for APIs helps you to gain visibility into business-critical APIs. You can investigate and improve your API security posture, prioritize vulnerability fixes, and quickly detect active real-time threats.
Concepts
Security recommendations – Recommendations in Defender for Cloud are based on the Microsoft cloud security benchmark. The Microsoft cloud security benchmark is the Microsoft-authored set of guidelines for security and compliance best practices based on common compliance frameworks. This widely respected benchmark builds on the controls from the Center for Internet Security (CIS) and the National Institute of Standards and Technology (NIST) with a focus on cloud-centric security. For a complete list of API security recommendations, see Security recommendations – a reference guide
Security alerts – Security alerts are the notifications generated by Defender for Cloud’s workload protection plans when runtime threats are identified in your Azure, hybrid, or multi-cloud environments. For a complete list of API security alerts, see Security alerts – a reference guide
Attack path analysis – Defender for Cloud uses environment context to perform a risk assessment of your security issues and subsequently identifies the biggest security risk issues. Defender for Cloud then analyzes which security issues are part of potential attack paths that attackers could use to breach your environment. To learn more, see Identify and remediate attack paths
Defender for APIs – OWASP API Security Coverage Mapping
OWASP API Risk
Defender for APIs Security Coverage
Broken Object Level Authorization (API1:2023)
(Security alert) Parameter enumeration on an API endpoint – A single IP was observed enumerating parameters when accessing one of the API endpoints
(Security alert) Distributed parameter enumeration on an API endpoint – The aggregate user population (all IPs) was observed enumerating parameters when accessing one of the API endpoints.
Broken Authentication (API2:2023)
(Security recommendation) API endpoints in Azure API Management should be authenticated – API endpoints published within Azure API Management should enforce authentication to help minimize security risk.
(Security recommendation) API Management calls to API backends should be authenticated – Calls from API Management to backends should use some form of authentication, whether via certificates or credentials.
Broken Object Property Level Authorization (API3:2023)
(Security alert) Previously unseen parameter used in an API call – A single IP was observed accessing one of the API endpoints using a previously unseen parameter in the request.
(Security alert) Unusually large response payload transmitted between a single IP address and an API endpoint – A suspicious spike in API response payload size was observed for traffic between a single IP and one of the API endpoints.
Unrestricted Resource Consumption (API4:2023)
(Security alert) Suspicious population-level spike in API traffic to an API endpoint – A suspicious spike in API traffic was detected at one of the API endpoints.
(Security alert) Suspicious spike in API traffic from a single IP address to an API endpoint – A suspicious spike in API traffic was detected from a client IP to the API endpoint.
(Security alert) Unusually large request body transmitted between a single IP address and an API endpoint – A suspicious spike in API request body size was observed for traffic between a single IP and one of the API endpoints.
(Security alert) Suspicious spike in latency for traffic between a single IP address and an API endpoint – A suspicious spike in latency was observed for traffic between a single IP and one of the API endpoints.
(Security alert) API requests spray from a single IP address to an unusually large number of distinct API endpoints – A single IP was observed making API calls to an unusually large number of distinct endpoints.
(Security recommendation) API Management direct management endpoint should not be enabled – The direct management REST API in Azure API Management bypasses Azure Resource Manager role-based access control, authorization, and throttling mechanisms, thus increasing the vulnerability of your service.
Broken Function Level Authorization (API5:2023)
No coverage
Unrestricted Access to Sensitive Business Flows (API6:2023)
(Attack path analysis) Internet exposed APIs that are unauthenticated carry sensitive data
(Security alert) Suspicious spike in API traffic from a single IP address to an API endpoint – A suspicious spike in API traffic was detected from a client IP to the API endpoint.
Server-Side Request Forgery (API7:2023)
No coverage
Security Misconfiguration (API8:2023)
(Security recommendation) API endpoints that are unused should be disabled and removed from the Azure API Management service – As a security best practice, API endpoints that haven’t received traffic for 30 days are considered unused and should be removed from the Azure API Management service.
(Security recommendation) API Management APIs should use only encrypted protocols – APIs should be available only through encrypted protocols, like HTTPS or WSS. Avoid using unsecured protocols, such as HTTP or WS to ensure security of data in transit.
(Security recommendation) API Management secret named values should be stored in Azure Key Vault – Named values are a collection of name and value pairs in each API Management service.
(Security recommendation) API Management should disable public network access to the service configuration endpoints – To improve the security of API Management services, restrict connectivity to service configuration endpoints, like direct access management API, Git configuration management endpoint, or self-hosted gateways configuration endpoint.
(Security recommendation) API Management calls to API backends should be authenticated – Calls from API Management to backends should use some form of authentication, whether via certificates or credentials. Does not apply to Service Fabric backends.
Improper Inventory Management (API9:2023)
Inventory dashboard – Centralized inventory of all managed APIs and related API security findings.
External exposure – Classify which API endpoints are exposed externally.
Sensitive data classification – Classify APIs that receive or respond with sensitive data, to support risk prioritization, including integration support with Microsoft MIP Purview.
Unsafe Consumption of APIs (API10:2023)
No coverage
API Security Testing
Microsoft Defender for Cloud supports third-party tools to help enhance the existing runtime security capabilities that are provided by Defender for APIs. Defender for Cloud supports proactive API security testing capabilities in early stages of the development lifecycle (including DevOps pipelines). The support for third-party solutions helps to further streamline, integrate, and orchestrate security findings from other vendors with Microsoft Defender for Cloud.
This support enables full lifecycle API security (extending to OWASP API top 10 risks), and the ability for security teams to effectively discover and remediate API security vulnerabilities before they are deployed in production. To learn more, see the following: Partner applications in Microsoft Defender for Cloud for API security testing (preview)
Next Steps
To learn more about how Defender for APIs augments the security offered by Azure Web Application Firewall (Azure WAF) and Azure API Management, see the following: Defender for APIs Better Together with Azure Web Application Firewall and Azure API Management.
To learn more about how Azure API Management helps mitigate risks against the OWASP API risks, see the following: Recommendations to mitigate OWASP API Security Top 10 threats using API Management
Microsoft Tech Community – Latest Blogs –Read More
Protect Against OWASP API Top 10 Security Risks Using Defender for APIs
Overview
The Open Web Application Security Project (OWASP) Foundation is a nonprofit foundation dedicated to improving software security through community-led open-source projects, education, and transparency. The OWASP API Security Project focuses on strategies and solutions to understand and mitigate the unique vulnerabilities and security risks of APIs. In this post, we’ll dive into how Defender for APIs (a plan provided by Microsoft Defender for Cloud) provides security coverage for the OWASP API Top 10 security risks.
Defender for APIs offers full lifecycle protection, detection, and response coverage for APIs. Defender for APIs helps you to gain visibility into business-critical APIs. You can investigate and improve your API security posture, prioritize vulnerability fixes, and quickly detect active real-time threats.
Concepts
Security recommendations – Recommendations in Defender for Cloud are based on the Microsoft cloud security benchmark. The Microsoft cloud security benchmark is the Microsoft-authored set of guidelines for security and compliance best practices based on common compliance frameworks. This widely respected benchmark builds on the controls from the Center for Internet Security (CIS) and the National Institute of Standards and Technology (NIST) with a focus on cloud-centric security. For a complete list of API security recommendations, see Security recommendations – a reference guide
Security alerts – Security alerts are the notifications generated by Defender for Cloud’s workload protection plans when runtime threats are identified in your Azure, hybrid, or multi-cloud environments. For a complete list of API security alerts, see Security alerts – a reference guide
Attack path analysis – Defender for Cloud uses environment context to perform a risk assessment of your security issues and subsequently identifies the biggest security risk issues. Defender for Cloud then analyzes which security issues are part of potential attack paths that attackers could use to breach your environment. To learn more, see Identify and remediate attack paths
Defender for APIs – OWASP API Security Coverage Mapping
OWASP API Risk
Defender for APIs Security Coverage
Broken Object Level Authorization (API1:2023)
(Security alert) Parameter enumeration on an API endpoint – A single IP was observed enumerating parameters when accessing one of the API endpoints
(Security alert) Distributed parameter enumeration on an API endpoint – The aggregate user population (all IPs) was observed enumerating parameters when accessing one of the API endpoints.
Broken Authentication (API2:2023)
(Security recommendation) API endpoints in Azure API Management should be authenticated – API endpoints published within Azure API Management should enforce authentication to help minimize security risk.
(Security recommendation) API Management calls to API backends should be authenticated – Calls from API Management to backends should use some form of authentication, whether via certificates or credentials.
Broken Object Property Level Authorization (API3:2023)
(Security alert) Previously unseen parameter used in an API call – A single IP was observed accessing one of the API endpoints using a previously unseen parameter in the request.
(Security alert) Unusually large response payload transmitted between a single IP address and an API endpoint – A suspicious spike in API response payload size was observed for traffic between a single IP and one of the API endpoints.
Unrestricted Resource Consumption (API4:2023)
(Security alert) Suspicious population-level spike in API traffic to an API endpoint – A suspicious spike in API traffic was detected at one of the API endpoints.
(Security alert) Suspicious spike in API traffic from a single IP address to an API endpoint – A suspicious spike in API traffic was detected from a client IP to the API endpoint.
(Security alert) Unusually large request body transmitted between a single IP address and an API endpoint – A suspicious spike in API request body size was observed for traffic between a single IP and one of the API endpoints.
(Security alert) Suspicious spike in latency for traffic between a single IP address and an API endpoint – A suspicious spike in latency was observed for traffic between a single IP and one of the API endpoints.
(Security alert) API requests spray from a single IP address to an unusually large number of distinct API endpoints – A single IP was observed making API calls to an unusually large number of distinct endpoints.
(Security recommendation) API Management direct management endpoint should not be enabled – The direct management REST API in Azure API Management bypasses Azure Resource Manager role-based access control, authorization, and throttling mechanisms, thus increasing the vulnerability of your service.
Broken Function Level Authorization (API5:2023)
No coverage
Unrestricted Access to Sensitive Business Flows (API6:2023)
(Attack path analysis) Internet exposed APIs that are unauthenticated carry sensitive data
(Security alert) Suspicious spike in API traffic from a single IP address to an API endpoint – A suspicious spike in API traffic was detected from a client IP to the API endpoint.
Server-Side Request Forgery (API7:2023)
No coverage
Security Misconfiguration (API8:2023)
(Security recommendation) API endpoints that are unused should be disabled and removed from the Azure API Management service – As a security best practice, API endpoints that haven’t received traffic for 30 days are considered unused and should be removed from the Azure API Management service.
(Security recommendation) API Management APIs should use only encrypted protocols – APIs should be available only through encrypted protocols, like HTTPS or WSS. Avoid using unsecured protocols, such as HTTP or WS to ensure security of data in transit.
(Security recommendation) API Management secret named values should be stored in Azure Key Vault – Named values are a collection of name and value pairs in each API Management service.
(Security recommendation) API Management should disable public network access to the service configuration endpoints – To improve the security of API Management services, restrict connectivity to service configuration endpoints, like direct access management API, Git configuration management endpoint, or self-hosted gateways configuration endpoint.
(Security recommendation) API Management calls to API backends should be authenticated – Calls from API Management to backends should use some form of authentication, whether via certificates or credentials. Does not apply to Service Fabric backends.
Improper Inventory Management (API9:2023)
Inventory dashboard – Centralized inventory of all managed APIs and related API security findings.
External exposure – Classify which API endpoints are exposed externally.
Sensitive data classification – Classify APIs that receive or respond with sensitive data, to support risk prioritization, including integration support with Microsoft MIP Purview.
Unsafe Consumption of APIs (API10:2023)
No coverage
API Security Testing
Microsoft Defender for Cloud supports third-party tools to help enhance the existing runtime security capabilities that are provided by Defender for APIs. Defender for Cloud supports proactive API security testing capabilities in early stages of the development lifecycle (including DevOps pipelines). The support for third-party solutions helps to further streamline, integrate, and orchestrate security findings from other vendors with Microsoft Defender for Cloud.
This support enables full lifecycle API security (extending to OWASP API top 10 risks), and the ability for security teams to effectively discover and remediate API security vulnerabilities before they are deployed in production. To learn more, see the following: Partner applications in Microsoft Defender for Cloud for API security testing (preview)
Next Steps
To learn more about how Defender for APIs augments the security offered by Azure Web Application Firewall (Azure WAF) and Azure API Management, see the following: Defender for APIs Better Together with Azure Web Application Firewall and Azure API Management.
To learn more about how Azure API Management helps mitigate risks against the OWASP API risks, see the following: Recommendations to mitigate OWASP API Security Top 10 threats using API Management
Microsoft Tech Community – Latest Blogs –Read More
Protect Against OWASP API Top 10 Security Risks Using Defender for APIs
Overview
The Open Web Application Security Project (OWASP) Foundation is a nonprofit foundation dedicated to improving software security through community-led open-source projects, education, and transparency. The OWASP API Security Project focuses on strategies and solutions to understand and mitigate the unique vulnerabilities and security risks of APIs. In this post, we’ll dive into how Defender for APIs (a plan provided by Microsoft Defender for Cloud) provides security coverage for the OWASP API Top 10 security risks.
Defender for APIs offers full lifecycle protection, detection, and response coverage for APIs. Defender for APIs helps you to gain visibility into business-critical APIs. You can investigate and improve your API security posture, prioritize vulnerability fixes, and quickly detect active real-time threats.
Concepts
Security recommendations – Recommendations in Defender for Cloud are based on the Microsoft cloud security benchmark. The Microsoft cloud security benchmark is the Microsoft-authored set of guidelines for security and compliance best practices based on common compliance frameworks. This widely respected benchmark builds on the controls from the Center for Internet Security (CIS) and the National Institute of Standards and Technology (NIST) with a focus on cloud-centric security. For a complete list of API security recommendations, see Security recommendations – a reference guide
Security alerts – Security alerts are the notifications generated by Defender for Cloud’s workload protection plans when runtime threats are identified in your Azure, hybrid, or multi-cloud environments. For a complete list of API security alerts, see Security alerts – a reference guide
Attack path analysis – Defender for Cloud uses environment context to perform a risk assessment of your security issues and subsequently identifies the biggest security risk issues. Defender for Cloud then analyzes which security issues are part of potential attack paths that attackers could use to breach your environment. To learn more, see Identify and remediate attack paths
Defender for APIs – OWASP API Security Coverage Mapping
OWASP API Risk
Defender for APIs Security Coverage
Broken Object Level Authorization (API1:2023)
(Security alert) Parameter enumeration on an API endpoint – A single IP was observed enumerating parameters when accessing one of the API endpoints
(Security alert) Distributed parameter enumeration on an API endpoint – The aggregate user population (all IPs) was observed enumerating parameters when accessing one of the API endpoints.
Broken Authentication (API2:2023)
(Security recommendation) API endpoints in Azure API Management should be authenticated – API endpoints published within Azure API Management should enforce authentication to help minimize security risk.
(Security recommendation) API Management calls to API backends should be authenticated – Calls from API Management to backends should use some form of authentication, whether via certificates or credentials.
Broken Object Property Level Authorization (API3:2023)
(Security alert) Previously unseen parameter used in an API call – A single IP was observed accessing one of the API endpoints using a previously unseen parameter in the request.
(Security alert) Unusually large response payload transmitted between a single IP address and an API endpoint – A suspicious spike in API response payload size was observed for traffic between a single IP and one of the API endpoints.
Unrestricted Resource Consumption (API4:2023)
(Security alert) Suspicious population-level spike in API traffic to an API endpoint – A suspicious spike in API traffic was detected at one of the API endpoints.
(Security alert) Suspicious spike in API traffic from a single IP address to an API endpoint – A suspicious spike in API traffic was detected from a client IP to the API endpoint.
(Security alert) Unusually large request body transmitted between a single IP address and an API endpoint – A suspicious spike in API request body size was observed for traffic between a single IP and one of the API endpoints.
(Security alert) Suspicious spike in latency for traffic between a single IP address and an API endpoint – A suspicious spike in latency was observed for traffic between a single IP and one of the API endpoints.
(Security alert) API requests spray from a single IP address to an unusually large number of distinct API endpoints – A single IP was observed making API calls to an unusually large number of distinct endpoints.
(Security recommendation) API Management direct management endpoint should not be enabled – The direct management REST API in Azure API Management bypasses Azure Resource Manager role-based access control, authorization, and throttling mechanisms, thus increasing the vulnerability of your service.
Broken Function Level Authorization (API5:2023)
No coverage
Unrestricted Access to Sensitive Business Flows (API6:2023)
(Attack path analysis) Internet exposed APIs that are unauthenticated carry sensitive data
(Security alert) Suspicious spike in API traffic from a single IP address to an API endpoint – A suspicious spike in API traffic was detected from a client IP to the API endpoint.
Server-Side Request Forgery (API7:2023)
No coverage
Security Misconfiguration (API8:2023)
(Security recommendation) API endpoints that are unused should be disabled and removed from the Azure API Management service – As a security best practice, API endpoints that haven’t received traffic for 30 days are considered unused and should be removed from the Azure API Management service.
(Security recommendation) API Management APIs should use only encrypted protocols – APIs should be available only through encrypted protocols, like HTTPS or WSS. Avoid using unsecured protocols, such as HTTP or WS to ensure security of data in transit.
(Security recommendation) API Management secret named values should be stored in Azure Key Vault – Named values are a collection of name and value pairs in each API Management service.
(Security recommendation) API Management should disable public network access to the service configuration endpoints – To improve the security of API Management services, restrict connectivity to service configuration endpoints, like direct access management API, Git configuration management endpoint, or self-hosted gateways configuration endpoint.
(Security recommendation) API Management calls to API backends should be authenticated – Calls from API Management to backends should use some form of authentication, whether via certificates or credentials. Does not apply to Service Fabric backends.
Improper Inventory Management (API9:2023)
Inventory dashboard – Centralized inventory of all managed APIs and related API security findings.
External exposure – Classify which API endpoints are exposed externally.
Sensitive data classification – Classify APIs that receive or respond with sensitive data, to support risk prioritization, including integration support with Microsoft MIP Purview.
Unsafe Consumption of APIs (API10:2023)
No coverage
API Security Testing
Microsoft Defender for Cloud supports third-party tools to help enhance the existing runtime security capabilities that are provided by Defender for APIs. Defender for Cloud supports proactive API security testing capabilities in early stages of the development lifecycle (including DevOps pipelines). The support for third-party solutions helps to further streamline, integrate, and orchestrate security findings from other vendors with Microsoft Defender for Cloud.
This support enables full lifecycle API security (extending to OWASP API top 10 risks), and the ability for security teams to effectively discover and remediate API security vulnerabilities before they are deployed in production. To learn more, see the following: Partner applications in Microsoft Defender for Cloud for API security testing (preview)
Next Steps
To learn more about how Defender for APIs augments the security offered by Azure Web Application Firewall (Azure WAF) and Azure API Management, see the following: Defender for APIs Better Together with Azure Web Application Firewall and Azure API Management.
To learn more about how Azure API Management helps mitigate risks against the OWASP API risks, see the following: Recommendations to mitigate OWASP API Security Top 10 threats using API Management
Microsoft Tech Community – Latest Blogs –Read More
Protect Against OWASP API Top 10 Security Risks Using Defender for APIs
Overview
The Open Web Application Security Project (OWASP) Foundation is a nonprofit foundation dedicated to improving software security through community-led open-source projects, education, and transparency. The OWASP API Security Project focuses on strategies and solutions to understand and mitigate the unique vulnerabilities and security risks of APIs. In this post, we’ll dive into how Defender for APIs (a plan provided by Microsoft Defender for Cloud) provides security coverage for the OWASP API Top 10 security risks.
Defender for APIs offers full lifecycle protection, detection, and response coverage for APIs. Defender for APIs helps you to gain visibility into business-critical APIs. You can investigate and improve your API security posture, prioritize vulnerability fixes, and quickly detect active real-time threats.
Concepts
Security recommendations – Recommendations in Defender for Cloud are based on the Microsoft cloud security benchmark. The Microsoft cloud security benchmark is the Microsoft-authored set of guidelines for security and compliance best practices based on common compliance frameworks. This widely respected benchmark builds on the controls from the Center for Internet Security (CIS) and the National Institute of Standards and Technology (NIST) with a focus on cloud-centric security. For a complete list of API security recommendations, see Security recommendations – a reference guide
Security alerts – Security alerts are the notifications generated by Defender for Cloud’s workload protection plans when runtime threats are identified in your Azure, hybrid, or multi-cloud environments. For a complete list of API security alerts, see Security alerts – a reference guide
Attack path analysis – Defender for Cloud uses environment context to perform a risk assessment of your security issues and subsequently identifies the biggest security risk issues. Defender for Cloud then analyzes which security issues are part of potential attack paths that attackers could use to breach your environment. To learn more, see Identify and remediate attack paths
Defender for APIs – OWASP API Security Coverage Mapping
OWASP API Risk
Defender for APIs Security Coverage
Broken Object Level Authorization (API1:2023)
(Security alert) Parameter enumeration on an API endpoint – A single IP was observed enumerating parameters when accessing one of the API endpoints
(Security alert) Distributed parameter enumeration on an API endpoint – The aggregate user population (all IPs) was observed enumerating parameters when accessing one of the API endpoints.
Broken Authentication (API2:2023)
(Security recommendation) API endpoints in Azure API Management should be authenticated – API endpoints published within Azure API Management should enforce authentication to help minimize security risk.
(Security recommendation) API Management calls to API backends should be authenticated – Calls from API Management to backends should use some form of authentication, whether via certificates or credentials.
Broken Object Property Level Authorization (API3:2023)
(Security alert) Previously unseen parameter used in an API call – A single IP was observed accessing one of the API endpoints using a previously unseen parameter in the request.
(Security alert) Unusually large response payload transmitted between a single IP address and an API endpoint – A suspicious spike in API response payload size was observed for traffic between a single IP and one of the API endpoints.
Unrestricted Resource Consumption (API4:2023)
(Security alert) Suspicious population-level spike in API traffic to an API endpoint – A suspicious spike in API traffic was detected at one of the API endpoints.
(Security alert) Suspicious spike in API traffic from a single IP address to an API endpoint – A suspicious spike in API traffic was detected from a client IP to the API endpoint.
(Security alert) Unusually large request body transmitted between a single IP address and an API endpoint – A suspicious spike in API request body size was observed for traffic between a single IP and one of the API endpoints.
(Security alert) Suspicious spike in latency for traffic between a single IP address and an API endpoint – A suspicious spike in latency was observed for traffic between a single IP and one of the API endpoints.
(Security alert) API requests spray from a single IP address to an unusually large number of distinct API endpoints – A single IP was observed making API calls to an unusually large number of distinct endpoints.
(Security recommendation) API Management direct management endpoint should not be enabled – The direct management REST API in Azure API Management bypasses Azure Resource Manager role-based access control, authorization, and throttling mechanisms, thus increasing the vulnerability of your service.
Broken Function Level Authorization (API5:2023)
No coverage
Unrestricted Access to Sensitive Business Flows (API6:2023)
(Attack path analysis) Internet exposed APIs that are unauthenticated carry sensitive data
(Security alert) Suspicious spike in API traffic from a single IP address to an API endpoint – A suspicious spike in API traffic was detected from a client IP to the API endpoint.
Server-Side Request Forgery (API7:2023)
No coverage
Security Misconfiguration (API8:2023)
(Security recommendation) API endpoints that are unused should be disabled and removed from the Azure API Management service – As a security best practice, API endpoints that haven’t received traffic for 30 days are considered unused and should be removed from the Azure API Management service.
(Security recommendation) API Management APIs should use only encrypted protocols – APIs should be available only through encrypted protocols, like HTTPS or WSS. Avoid using unsecured protocols, such as HTTP or WS to ensure security of data in transit.
(Security recommendation) API Management secret named values should be stored in Azure Key Vault – Named values are a collection of name and value pairs in each API Management service.
(Security recommendation) API Management should disable public network access to the service configuration endpoints – To improve the security of API Management services, restrict connectivity to service configuration endpoints, like direct access management API, Git configuration management endpoint, or self-hosted gateways configuration endpoint.
(Security recommendation) API Management calls to API backends should be authenticated – Calls from API Management to backends should use some form of authentication, whether via certificates or credentials. Does not apply to Service Fabric backends.
Improper Inventory Management (API9:2023)
Inventory dashboard – Centralized inventory of all managed APIs and related API security findings.
External exposure – Classify which API endpoints are exposed externally.
Sensitive data classification – Classify APIs that receive or respond with sensitive data, to support risk prioritization, including integration support with Microsoft MIP Purview.
Unsafe Consumption of APIs (API10:2023)
No coverage
API Security Testing
Microsoft Defender for Cloud supports third-party tools to help enhance the existing runtime security capabilities that are provided by Defender for APIs. Defender for Cloud supports proactive API security testing capabilities in early stages of the development lifecycle (including DevOps pipelines). The support for third-party solutions helps to further streamline, integrate, and orchestrate security findings from other vendors with Microsoft Defender for Cloud.
This support enables full lifecycle API security (extending to OWASP API top 10 risks), and the ability for security teams to effectively discover and remediate API security vulnerabilities before they are deployed in production. To learn more, see the following: Partner applications in Microsoft Defender for Cloud for API security testing (preview)
Next Steps
To learn more about how Defender for APIs augments the security offered by Azure Web Application Firewall (Azure WAF) and Azure API Management, see the following: Defender for APIs Better Together with Azure Web Application Firewall and Azure API Management.
To learn more about how Azure API Management helps mitigate risks against the OWASP API risks, see the following: Recommendations to mitigate OWASP API Security Top 10 threats using API Management
Microsoft Tech Community – Latest Blogs –Read More
Protect Against OWASP API Top 10 Security Risks Using Defender for APIs
Overview
The Open Web Application Security Project (OWASP) Foundation is a nonprofit foundation dedicated to improving software security through community-led open-source projects, education, and transparency. The OWASP API Security Project focuses on strategies and solutions to understand and mitigate the unique vulnerabilities and security risks of APIs. In this post, we’ll dive into how Defender for APIs (a plan provided by Microsoft Defender for Cloud) provides security coverage for the OWASP API Top 10 security risks.
Defender for APIs offers full lifecycle protection, detection, and response coverage for APIs. Defender for APIs helps you to gain visibility into business-critical APIs. You can investigate and improve your API security posture, prioritize vulnerability fixes, and quickly detect active real-time threats.
Concepts
Security recommendations – Recommendations in Defender for Cloud are based on the Microsoft cloud security benchmark. The Microsoft cloud security benchmark is the Microsoft-authored set of guidelines for security and compliance best practices based on common compliance frameworks. This widely respected benchmark builds on the controls from the Center for Internet Security (CIS) and the National Institute of Standards and Technology (NIST) with a focus on cloud-centric security. For a complete list of API security recommendations, see Security recommendations – a reference guide
Security alerts – Security alerts are the notifications generated by Defender for Cloud’s workload protection plans when runtime threats are identified in your Azure, hybrid, or multi-cloud environments. For a complete list of API security alerts, see Security alerts – a reference guide
Attack path analysis – Defender for Cloud uses environment context to perform a risk assessment of your security issues and subsequently identifies the biggest security risk issues. Defender for Cloud then analyzes which security issues are part of potential attack paths that attackers could use to breach your environment. To learn more, see Identify and remediate attack paths
Defender for APIs – OWASP API Security Coverage Mapping
OWASP API Risk
Defender for APIs Security Coverage
Broken Object Level Authorization (API1:2023)
(Security alert) Parameter enumeration on an API endpoint – A single IP was observed enumerating parameters when accessing one of the API endpoints
(Security alert) Distributed parameter enumeration on an API endpoint – The aggregate user population (all IPs) was observed enumerating parameters when accessing one of the API endpoints.
Broken Authentication (API2:2023)
(Security recommendation) API endpoints in Azure API Management should be authenticated – API endpoints published within Azure API Management should enforce authentication to help minimize security risk.
(Security recommendation) API Management calls to API backends should be authenticated – Calls from API Management to backends should use some form of authentication, whether via certificates or credentials.
Broken Object Property Level Authorization (API3:2023)
(Security alert) Previously unseen parameter used in an API call – A single IP was observed accessing one of the API endpoints using a previously unseen parameter in the request.
(Security alert) Unusually large response payload transmitted between a single IP address and an API endpoint – A suspicious spike in API response payload size was observed for traffic between a single IP and one of the API endpoints.
Unrestricted Resource Consumption (API4:2023)
(Security alert) Suspicious population-level spike in API traffic to an API endpoint – A suspicious spike in API traffic was detected at one of the API endpoints.
(Security alert) Suspicious spike in API traffic from a single IP address to an API endpoint – A suspicious spike in API traffic was detected from a client IP to the API endpoint.
(Security alert) Unusually large request body transmitted between a single IP address and an API endpoint – A suspicious spike in API request body size was observed for traffic between a single IP and one of the API endpoints.
(Security alert) Suspicious spike in latency for traffic between a single IP address and an API endpoint – A suspicious spike in latency was observed for traffic between a single IP and one of the API endpoints.
(Security alert) API requests spray from a single IP address to an unusually large number of distinct API endpoints – A single IP was observed making API calls to an unusually large number of distinct endpoints.
(Security recommendation) API Management direct management endpoint should not be enabled – The direct management REST API in Azure API Management bypasses Azure Resource Manager role-based access control, authorization, and throttling mechanisms, thus increasing the vulnerability of your service.
Broken Function Level Authorization (API5:2023)
No coverage
Unrestricted Access to Sensitive Business Flows (API6:2023)
(Attack path analysis) Internet exposed APIs that are unauthenticated carry sensitive data
(Security alert) Suspicious spike in API traffic from a single IP address to an API endpoint – A suspicious spike in API traffic was detected from a client IP to the API endpoint.
Server-Side Request Forgery (API7:2023)
No coverage
Security Misconfiguration (API8:2023)
(Security recommendation) API endpoints that are unused should be disabled and removed from the Azure API Management service – As a security best practice, API endpoints that haven’t received traffic for 30 days are considered unused and should be removed from the Azure API Management service.
(Security recommendation) API Management APIs should use only encrypted protocols – APIs should be available only through encrypted protocols, like HTTPS or WSS. Avoid using unsecured protocols, such as HTTP or WS to ensure security of data in transit.
(Security recommendation) API Management secret named values should be stored in Azure Key Vault – Named values are a collection of name and value pairs in each API Management service.
(Security recommendation) API Management should disable public network access to the service configuration endpoints – To improve the security of API Management services, restrict connectivity to service configuration endpoints, like direct access management API, Git configuration management endpoint, or self-hosted gateways configuration endpoint.
(Security recommendation) API Management calls to API backends should be authenticated – Calls from API Management to backends should use some form of authentication, whether via certificates or credentials. Does not apply to Service Fabric backends.
Improper Inventory Management (API9:2023)
Inventory dashboard – Centralized inventory of all managed APIs and related API security findings.
External exposure – Classify which API endpoints are exposed externally.
Sensitive data classification – Classify APIs that receive or respond with sensitive data, to support risk prioritization, including integration support with Microsoft MIP Purview.
Unsafe Consumption of APIs (API10:2023)
No coverage
API Security Testing
Microsoft Defender for Cloud supports third-party tools to help enhance the existing runtime security capabilities that are provided by Defender for APIs. Defender for Cloud supports proactive API security testing capabilities in early stages of the development lifecycle (including DevOps pipelines). The support for third-party solutions helps to further streamline, integrate, and orchestrate security findings from other vendors with Microsoft Defender for Cloud.
This support enables full lifecycle API security (extending to OWASP API top 10 risks), and the ability for security teams to effectively discover and remediate API security vulnerabilities before they are deployed in production. To learn more, see the following: Partner applications in Microsoft Defender for Cloud for API security testing (preview)
Next Steps
To learn more about how Defender for APIs augments the security offered by Azure Web Application Firewall (Azure WAF) and Azure API Management, see the following: Defender for APIs Better Together with Azure Web Application Firewall and Azure API Management.
To learn more about how Azure API Management helps mitigate risks against the OWASP API risks, see the following: Recommendations to mitigate OWASP API Security Top 10 threats using API Management
Microsoft Tech Community – Latest Blogs –Read More
Protect Against OWASP API Top 10 Security Risks Using Defender for APIs
Overview
The Open Web Application Security Project (OWASP) Foundation is a nonprofit foundation dedicated to improving software security through community-led open-source projects, education, and transparency. The OWASP API Security Project focuses on strategies and solutions to understand and mitigate the unique vulnerabilities and security risks of APIs. In this post, we’ll dive into how Defender for APIs (a plan provided by Microsoft Defender for Cloud) provides security coverage for the OWASP API Top 10 security risks.
Defender for APIs offers full lifecycle protection, detection, and response coverage for APIs. Defender for APIs helps you to gain visibility into business-critical APIs. You can investigate and improve your API security posture, prioritize vulnerability fixes, and quickly detect active real-time threats.
Concepts
Security recommendations – Recommendations in Defender for Cloud are based on the Microsoft cloud security benchmark. The Microsoft cloud security benchmark is the Microsoft-authored set of guidelines for security and compliance best practices based on common compliance frameworks. This widely respected benchmark builds on the controls from the Center for Internet Security (CIS) and the National Institute of Standards and Technology (NIST) with a focus on cloud-centric security. For a complete list of API security recommendations, see Security recommendations – a reference guide
Security alerts – Security alerts are the notifications generated by Defender for Cloud’s workload protection plans when runtime threats are identified in your Azure, hybrid, or multi-cloud environments. For a complete list of API security alerts, see Security alerts – a reference guide
Attack path analysis – Defender for Cloud uses environment context to perform a risk assessment of your security issues and subsequently identifies the biggest security risk issues. Defender for Cloud then analyzes which security issues are part of potential attack paths that attackers could use to breach your environment. To learn more, see Identify and remediate attack paths
Defender for APIs – OWASP API Security Coverage Mapping
OWASP API Risk
Defender for APIs Security Coverage
Broken Object Level Authorization (API1:2023)
(Security alert) Parameter enumeration on an API endpoint – A single IP was observed enumerating parameters when accessing one of the API endpoints
(Security alert) Distributed parameter enumeration on an API endpoint – The aggregate user population (all IPs) was observed enumerating parameters when accessing one of the API endpoints.
Broken Authentication (API2:2023)
(Security recommendation) API endpoints in Azure API Management should be authenticated – API endpoints published within Azure API Management should enforce authentication to help minimize security risk.
(Security recommendation) API Management calls to API backends should be authenticated – Calls from API Management to backends should use some form of authentication, whether via certificates or credentials.
Broken Object Property Level Authorization (API3:2023)
(Security alert) Previously unseen parameter used in an API call – A single IP was observed accessing one of the API endpoints using a previously unseen parameter in the request.
(Security alert) Unusually large response payload transmitted between a single IP address and an API endpoint – A suspicious spike in API response payload size was observed for traffic between a single IP and one of the API endpoints.
Unrestricted Resource Consumption (API4:2023)
(Security alert) Suspicious population-level spike in API traffic to an API endpoint – A suspicious spike in API traffic was detected at one of the API endpoints.
(Security alert) Suspicious spike in API traffic from a single IP address to an API endpoint – A suspicious spike in API traffic was detected from a client IP to the API endpoint.
(Security alert) Unusually large request body transmitted between a single IP address and an API endpoint – A suspicious spike in API request body size was observed for traffic between a single IP and one of the API endpoints.
(Security alert) Suspicious spike in latency for traffic between a single IP address and an API endpoint – A suspicious spike in latency was observed for traffic between a single IP and one of the API endpoints.
(Security alert) API requests spray from a single IP address to an unusually large number of distinct API endpoints – A single IP was observed making API calls to an unusually large number of distinct endpoints.
(Security recommendation) API Management direct management endpoint should not be enabled – The direct management REST API in Azure API Management bypasses Azure Resource Manager role-based access control, authorization, and throttling mechanisms, thus increasing the vulnerability of your service.
Broken Function Level Authorization (API5:2023)
No coverage
Unrestricted Access to Sensitive Business Flows (API6:2023)
(Attack path analysis) Internet exposed APIs that are unauthenticated carry sensitive data
(Security alert) Suspicious spike in API traffic from a single IP address to an API endpoint – A suspicious spike in API traffic was detected from a client IP to the API endpoint.
Server-Side Request Forgery (API7:2023)
No coverage
Security Misconfiguration (API8:2023)
(Security recommendation) API endpoints that are unused should be disabled and removed from the Azure API Management service – As a security best practice, API endpoints that haven’t received traffic for 30 days are considered unused and should be removed from the Azure API Management service.
(Security recommendation) API Management APIs should use only encrypted protocols – APIs should be available only through encrypted protocols, like HTTPS or WSS. Avoid using unsecured protocols, such as HTTP or WS to ensure security of data in transit.
(Security recommendation) API Management secret named values should be stored in Azure Key Vault – Named values are a collection of name and value pairs in each API Management service.
(Security recommendation) API Management should disable public network access to the service configuration endpoints – To improve the security of API Management services, restrict connectivity to service configuration endpoints, like direct access management API, Git configuration management endpoint, or self-hosted gateways configuration endpoint.
(Security recommendation) API Management calls to API backends should be authenticated – Calls from API Management to backends should use some form of authentication, whether via certificates or credentials. Does not apply to Service Fabric backends.
Improper Inventory Management (API9:2023)
Inventory dashboard – Centralized inventory of all managed APIs and related API security findings.
External exposure – Classify which API endpoints are exposed externally.
Sensitive data classification – Classify APIs that receive or respond with sensitive data, to support risk prioritization, including integration support with Microsoft MIP Purview.
Unsafe Consumption of APIs (API10:2023)
No coverage
API Security Testing
Microsoft Defender for Cloud supports third-party tools to help enhance the existing runtime security capabilities that are provided by Defender for APIs. Defender for Cloud supports proactive API security testing capabilities in early stages of the development lifecycle (including DevOps pipelines). The support for third-party solutions helps to further streamline, integrate, and orchestrate security findings from other vendors with Microsoft Defender for Cloud.
This support enables full lifecycle API security (extending to OWASP API top 10 risks), and the ability for security teams to effectively discover and remediate API security vulnerabilities before they are deployed in production. To learn more, see the following: Partner applications in Microsoft Defender for Cloud for API security testing (preview)
Next Steps
To learn more about how Defender for APIs augments the security offered by Azure Web Application Firewall (Azure WAF) and Azure API Management, see the following: Defender for APIs Better Together with Azure Web Application Firewall and Azure API Management.
To learn more about how Azure API Management helps mitigate risks against the OWASP API risks, see the following: Recommendations to mitigate OWASP API Security Top 10 threats using API Management
Microsoft Tech Community – Latest Blogs –Read More
Protect Against OWASP API Top 10 Security Risks Using Defender for APIs
Overview
The Open Web Application Security Project (OWASP) Foundation is a nonprofit foundation dedicated to improving software security through community-led open-source projects, education, and transparency. The OWASP API Security Project focuses on strategies and solutions to understand and mitigate the unique vulnerabilities and security risks of APIs. In this post, we’ll dive into how Defender for APIs (a plan provided by Microsoft Defender for Cloud) provides security coverage for the OWASP API Top 10 security risks.
Defender for APIs offers full lifecycle protection, detection, and response coverage for APIs. Defender for APIs helps you to gain visibility into business-critical APIs. You can investigate and improve your API security posture, prioritize vulnerability fixes, and quickly detect active real-time threats.
Concepts
Security recommendations – Recommendations in Defender for Cloud are based on the Microsoft cloud security benchmark. The Microsoft cloud security benchmark is the Microsoft-authored set of guidelines for security and compliance best practices based on common compliance frameworks. This widely respected benchmark builds on the controls from the Center for Internet Security (CIS) and the National Institute of Standards and Technology (NIST) with a focus on cloud-centric security. For a complete list of API security recommendations, see Security recommendations – a reference guide
Security alerts – Security alerts are the notifications generated by Defender for Cloud’s workload protection plans when runtime threats are identified in your Azure, hybrid, or multi-cloud environments. For a complete list of API security alerts, see Security alerts – a reference guide
Attack path analysis – Defender for Cloud uses environment context to perform a risk assessment of your security issues and subsequently identifies the biggest security risk issues. Defender for Cloud then analyzes which security issues are part of potential attack paths that attackers could use to breach your environment. To learn more, see Identify and remediate attack paths
Defender for APIs – OWASP API Security Coverage Mapping
OWASP API Risk
Defender for APIs Security Coverage
Broken Object Level Authorization (API1:2023)
(Security alert) Parameter enumeration on an API endpoint – A single IP was observed enumerating parameters when accessing one of the API endpoints
(Security alert) Distributed parameter enumeration on an API endpoint – The aggregate user population (all IPs) was observed enumerating parameters when accessing one of the API endpoints.
Broken Authentication (API2:2023)
(Security recommendation) API endpoints in Azure API Management should be authenticated – API endpoints published within Azure API Management should enforce authentication to help minimize security risk.
(Security recommendation) API Management calls to API backends should be authenticated – Calls from API Management to backends should use some form of authentication, whether via certificates or credentials.
Broken Object Property Level Authorization (API3:2023)
(Security alert) Previously unseen parameter used in an API call – A single IP was observed accessing one of the API endpoints using a previously unseen parameter in the request.
(Security alert) Unusually large response payload transmitted between a single IP address and an API endpoint – A suspicious spike in API response payload size was observed for traffic between a single IP and one of the API endpoints.
Unrestricted Resource Consumption (API4:2023)
(Security alert) Suspicious population-level spike in API traffic to an API endpoint – A suspicious spike in API traffic was detected at one of the API endpoints.
(Security alert) Suspicious spike in API traffic from a single IP address to an API endpoint – A suspicious spike in API traffic was detected from a client IP to the API endpoint.
(Security alert) Unusually large request body transmitted between a single IP address and an API endpoint – A suspicious spike in API request body size was observed for traffic between a single IP and one of the API endpoints.
(Security alert) Suspicious spike in latency for traffic between a single IP address and an API endpoint – A suspicious spike in latency was observed for traffic between a single IP and one of the API endpoints.
(Security alert) API requests spray from a single IP address to an unusually large number of distinct API endpoints – A single IP was observed making API calls to an unusually large number of distinct endpoints.
(Security recommendation) API Management direct management endpoint should not be enabled – The direct management REST API in Azure API Management bypasses Azure Resource Manager role-based access control, authorization, and throttling mechanisms, thus increasing the vulnerability of your service.
Broken Function Level Authorization (API5:2023)
No coverage
Unrestricted Access to Sensitive Business Flows (API6:2023)
(Attack path analysis) Internet exposed APIs that are unauthenticated carry sensitive data
(Security alert) Suspicious spike in API traffic from a single IP address to an API endpoint – A suspicious spike in API traffic was detected from a client IP to the API endpoint.
Server-Side Request Forgery (API7:2023)
No coverage
Security Misconfiguration (API8:2023)
(Security recommendation) API endpoints that are unused should be disabled and removed from the Azure API Management service – As a security best practice, API endpoints that haven’t received traffic for 30 days are considered unused and should be removed from the Azure API Management service.
(Security recommendation) API Management APIs should use only encrypted protocols – APIs should be available only through encrypted protocols, like HTTPS or WSS. Avoid using unsecured protocols, such as HTTP or WS to ensure security of data in transit.
(Security recommendation) API Management secret named values should be stored in Azure Key Vault – Named values are a collection of name and value pairs in each API Management service.
(Security recommendation) API Management should disable public network access to the service configuration endpoints – To improve the security of API Management services, restrict connectivity to service configuration endpoints, like direct access management API, Git configuration management endpoint, or self-hosted gateways configuration endpoint.
(Security recommendation) API Management calls to API backends should be authenticated – Calls from API Management to backends should use some form of authentication, whether via certificates or credentials. Does not apply to Service Fabric backends.
Improper Inventory Management (API9:2023)
Inventory dashboard – Centralized inventory of all managed APIs and related API security findings.
External exposure – Classify which API endpoints are exposed externally.
Sensitive data classification – Classify APIs that receive or respond with sensitive data, to support risk prioritization, including integration support with Microsoft MIP Purview.
Unsafe Consumption of APIs (API10:2023)
No coverage
API Security Testing
Microsoft Defender for Cloud supports third-party tools to help enhance the existing runtime security capabilities that are provided by Defender for APIs. Defender for Cloud supports proactive API security testing capabilities in early stages of the development lifecycle (including DevOps pipelines). The support for third-party solutions helps to further streamline, integrate, and orchestrate security findings from other vendors with Microsoft Defender for Cloud.
This support enables full lifecycle API security (extending to OWASP API top 10 risks), and the ability for security teams to effectively discover and remediate API security vulnerabilities before they are deployed in production. To learn more, see the following: Partner applications in Microsoft Defender for Cloud for API security testing (preview)
Next Steps
To learn more about how Defender for APIs augments the security offered by Azure Web Application Firewall (Azure WAF) and Azure API Management, see the following: Defender for APIs Better Together with Azure Web Application Firewall and Azure API Management.
To learn more about how Azure API Management helps mitigate risks against the OWASP API risks, see the following: Recommendations to mitigate OWASP API Security Top 10 threats using API Management
Microsoft Tech Community – Latest Blogs –Read More
Protect Against OWASP API Top 10 Security Risks Using Defender for APIs
Overview
The Open Web Application Security Project (OWASP) Foundation is a nonprofit foundation dedicated to improving software security through community-led open-source projects, education, and transparency. The OWASP API Security Project focuses on strategies and solutions to understand and mitigate the unique vulnerabilities and security risks of APIs. In this post, we’ll dive into how Defender for APIs (a plan provided by Microsoft Defender for Cloud) provides security coverage for the OWASP API Top 10 security risks.
Defender for APIs offers full lifecycle protection, detection, and response coverage for APIs. Defender for APIs helps you to gain visibility into business-critical APIs. You can investigate and improve your API security posture, prioritize vulnerability fixes, and quickly detect active real-time threats.
Concepts
Security recommendations – Recommendations in Defender for Cloud are based on the Microsoft cloud security benchmark. The Microsoft cloud security benchmark is the Microsoft-authored set of guidelines for security and compliance best practices based on common compliance frameworks. This widely respected benchmark builds on the controls from the Center for Internet Security (CIS) and the National Institute of Standards and Technology (NIST) with a focus on cloud-centric security. For a complete list of API security recommendations, see Security recommendations – a reference guide
Security alerts – Security alerts are the notifications generated by Defender for Cloud’s workload protection plans when runtime threats are identified in your Azure, hybrid, or multi-cloud environments. For a complete list of API security alerts, see Security alerts – a reference guide
Attack path analysis – Defender for Cloud uses environment context to perform a risk assessment of your security issues and subsequently identifies the biggest security risk issues. Defender for Cloud then analyzes which security issues are part of potential attack paths that attackers could use to breach your environment. To learn more, see Identify and remediate attack paths
Defender for APIs – OWASP API Security Coverage Mapping
OWASP API Risk
Defender for APIs Security Coverage
Broken Object Level Authorization (API1:2023)
(Security alert) Parameter enumeration on an API endpoint – A single IP was observed enumerating parameters when accessing one of the API endpoints
(Security alert) Distributed parameter enumeration on an API endpoint – The aggregate user population (all IPs) was observed enumerating parameters when accessing one of the API endpoints.
Broken Authentication (API2:2023)
(Security recommendation) API endpoints in Azure API Management should be authenticated – API endpoints published within Azure API Management should enforce authentication to help minimize security risk.
(Security recommendation) API Management calls to API backends should be authenticated – Calls from API Management to backends should use some form of authentication, whether via certificates or credentials.
Broken Object Property Level Authorization (API3:2023)
(Security alert) Previously unseen parameter used in an API call – A single IP was observed accessing one of the API endpoints using a previously unseen parameter in the request.
(Security alert) Unusually large response payload transmitted between a single IP address and an API endpoint – A suspicious spike in API response payload size was observed for traffic between a single IP and one of the API endpoints.
Unrestricted Resource Consumption (API4:2023)
(Security alert) Suspicious population-level spike in API traffic to an API endpoint – A suspicious spike in API traffic was detected at one of the API endpoints.
(Security alert) Suspicious spike in API traffic from a single IP address to an API endpoint – A suspicious spike in API traffic was detected from a client IP to the API endpoint.
(Security alert) Unusually large request body transmitted between a single IP address and an API endpoint – A suspicious spike in API request body size was observed for traffic between a single IP and one of the API endpoints.
(Security alert) Suspicious spike in latency for traffic between a single IP address and an API endpoint – A suspicious spike in latency was observed for traffic between a single IP and one of the API endpoints.
(Security alert) API requests spray from a single IP address to an unusually large number of distinct API endpoints – A single IP was observed making API calls to an unusually large number of distinct endpoints.
(Security recommendation) API Management direct management endpoint should not be enabled – The direct management REST API in Azure API Management bypasses Azure Resource Manager role-based access control, authorization, and throttling mechanisms, thus increasing the vulnerability of your service.
Broken Function Level Authorization (API5:2023)
No coverage
Unrestricted Access to Sensitive Business Flows (API6:2023)
(Attack path analysis) Internet exposed APIs that are unauthenticated carry sensitive data
(Security alert) Suspicious spike in API traffic from a single IP address to an API endpoint – A suspicious spike in API traffic was detected from a client IP to the API endpoint.
Server-Side Request Forgery (API7:2023)
No coverage
Security Misconfiguration (API8:2023)
(Security recommendation) API endpoints that are unused should be disabled and removed from the Azure API Management service – As a security best practice, API endpoints that haven’t received traffic for 30 days are considered unused and should be removed from the Azure API Management service.
(Security recommendation) API Management APIs should use only encrypted protocols – APIs should be available only through encrypted protocols, like HTTPS or WSS. Avoid using unsecured protocols, such as HTTP or WS to ensure security of data in transit.
(Security recommendation) API Management secret named values should be stored in Azure Key Vault – Named values are a collection of name and value pairs in each API Management service.
(Security recommendation) API Management should disable public network access to the service configuration endpoints – To improve the security of API Management services, restrict connectivity to service configuration endpoints, like direct access management API, Git configuration management endpoint, or self-hosted gateways configuration endpoint.
(Security recommendation) API Management calls to API backends should be authenticated – Calls from API Management to backends should use some form of authentication, whether via certificates or credentials. Does not apply to Service Fabric backends.
Improper Inventory Management (API9:2023)
Inventory dashboard – Centralized inventory of all managed APIs and related API security findings.
External exposure – Classify which API endpoints are exposed externally.
Sensitive data classification – Classify APIs that receive or respond with sensitive data, to support risk prioritization, including integration support with Microsoft MIP Purview.
Unsafe Consumption of APIs (API10:2023)
No coverage
API Security Testing
Microsoft Defender for Cloud supports third-party tools to help enhance the existing runtime security capabilities that are provided by Defender for APIs. Defender for Cloud supports proactive API security testing capabilities in early stages of the development lifecycle (including DevOps pipelines). The support for third-party solutions helps to further streamline, integrate, and orchestrate security findings from other vendors with Microsoft Defender for Cloud.
This support enables full lifecycle API security (extending to OWASP API top 10 risks), and the ability for security teams to effectively discover and remediate API security vulnerabilities before they are deployed in production. To learn more, see the following: Partner applications in Microsoft Defender for Cloud for API security testing (preview)
Next Steps
To learn more about how Defender for APIs augments the security offered by Azure Web Application Firewall (Azure WAF) and Azure API Management, see the following: Defender for APIs Better Together with Azure Web Application Firewall and Azure API Management.
To learn more about how Azure API Management helps mitigate risks against the OWASP API risks, see the following: Recommendations to mitigate OWASP API Security Top 10 threats using API Management
Microsoft Tech Community – Latest Blogs –Read More
Protect Against OWASP API Top 10 Security Risks Using Defender for APIs
Overview
The Open Web Application Security Project (OWASP) Foundation is a nonprofit foundation dedicated to improving software security through community-led open-source projects, education, and transparency. The OWASP API Security Project focuses on strategies and solutions to understand and mitigate the unique vulnerabilities and security risks of APIs. In this post, we’ll dive into how Defender for APIs (a plan provided by Microsoft Defender for Cloud) provides security coverage for the OWASP API Top 10 security risks.
Defender for APIs offers full lifecycle protection, detection, and response coverage for APIs. Defender for APIs helps you to gain visibility into business-critical APIs. You can investigate and improve your API security posture, prioritize vulnerability fixes, and quickly detect active real-time threats.
Concepts
Security recommendations – Recommendations in Defender for Cloud are based on the Microsoft cloud security benchmark. The Microsoft cloud security benchmark is the Microsoft-authored set of guidelines for security and compliance best practices based on common compliance frameworks. This widely respected benchmark builds on the controls from the Center for Internet Security (CIS) and the National Institute of Standards and Technology (NIST) with a focus on cloud-centric security. For a complete list of API security recommendations, see Security recommendations – a reference guide
Security alerts – Security alerts are the notifications generated by Defender for Cloud’s workload protection plans when runtime threats are identified in your Azure, hybrid, or multi-cloud environments. For a complete list of API security alerts, see Security alerts – a reference guide
Attack path analysis – Defender for Cloud uses environment context to perform a risk assessment of your security issues and subsequently identifies the biggest security risk issues. Defender for Cloud then analyzes which security issues are part of potential attack paths that attackers could use to breach your environment. To learn more, see Identify and remediate attack paths
Defender for APIs – OWASP API Security Coverage Mapping
OWASP API Risk
Defender for APIs Security Coverage
Broken Object Level Authorization (API1:2023)
(Security alert) Parameter enumeration on an API endpoint – A single IP was observed enumerating parameters when accessing one of the API endpoints
(Security alert) Distributed parameter enumeration on an API endpoint – The aggregate user population (all IPs) was observed enumerating parameters when accessing one of the API endpoints.
Broken Authentication (API2:2023)
(Security recommendation) API endpoints in Azure API Management should be authenticated – API endpoints published within Azure API Management should enforce authentication to help minimize security risk.
(Security recommendation) API Management calls to API backends should be authenticated – Calls from API Management to backends should use some form of authentication, whether via certificates or credentials.
Broken Object Property Level Authorization (API3:2023)
(Security alert) Previously unseen parameter used in an API call – A single IP was observed accessing one of the API endpoints using a previously unseen parameter in the request.
(Security alert) Unusually large response payload transmitted between a single IP address and an API endpoint – A suspicious spike in API response payload size was observed for traffic between a single IP and one of the API endpoints.
Unrestricted Resource Consumption (API4:2023)
(Security alert) Suspicious population-level spike in API traffic to an API endpoint – A suspicious spike in API traffic was detected at one of the API endpoints.
(Security alert) Suspicious spike in API traffic from a single IP address to an API endpoint – A suspicious spike in API traffic was detected from a client IP to the API endpoint.
(Security alert) Unusually large request body transmitted between a single IP address and an API endpoint – A suspicious spike in API request body size was observed for traffic between a single IP and one of the API endpoints.
(Security alert) Suspicious spike in latency for traffic between a single IP address and an API endpoint – A suspicious spike in latency was observed for traffic between a single IP and one of the API endpoints.
(Security alert) API requests spray from a single IP address to an unusually large number of distinct API endpoints – A single IP was observed making API calls to an unusually large number of distinct endpoints.
(Security recommendation) API Management direct management endpoint should not be enabled – The direct management REST API in Azure API Management bypasses Azure Resource Manager role-based access control, authorization, and throttling mechanisms, thus increasing the vulnerability of your service.
Broken Function Level Authorization (API5:2023)
No coverage
Unrestricted Access to Sensitive Business Flows (API6:2023)
(Attack path analysis) Internet exposed APIs that are unauthenticated carry sensitive data
(Security alert) Suspicious spike in API traffic from a single IP address to an API endpoint – A suspicious spike in API traffic was detected from a client IP to the API endpoint.
Server-Side Request Forgery (API7:2023)
No coverage
Security Misconfiguration (API8:2023)
(Security recommendation) API endpoints that are unused should be disabled and removed from the Azure API Management service – As a security best practice, API endpoints that haven’t received traffic for 30 days are considered unused and should be removed from the Azure API Management service.
(Security recommendation) API Management APIs should use only encrypted protocols – APIs should be available only through encrypted protocols, like HTTPS or WSS. Avoid using unsecured protocols, such as HTTP or WS to ensure security of data in transit.
(Security recommendation) API Management secret named values should be stored in Azure Key Vault – Named values are a collection of name and value pairs in each API Management service.
(Security recommendation) API Management should disable public network access to the service configuration endpoints – To improve the security of API Management services, restrict connectivity to service configuration endpoints, like direct access management API, Git configuration management endpoint, or self-hosted gateways configuration endpoint.
(Security recommendation) API Management calls to API backends should be authenticated – Calls from API Management to backends should use some form of authentication, whether via certificates or credentials. Does not apply to Service Fabric backends.
Improper Inventory Management (API9:2023)
Inventory dashboard – Centralized inventory of all managed APIs and related API security findings.
External exposure – Classify which API endpoints are exposed externally.
Sensitive data classification – Classify APIs that receive or respond with sensitive data, to support risk prioritization, including integration support with Microsoft MIP Purview.
Unsafe Consumption of APIs (API10:2023)
No coverage
API Security Testing
Microsoft Defender for Cloud supports third-party tools to help enhance the existing runtime security capabilities that are provided by Defender for APIs. Defender for Cloud supports proactive API security testing capabilities in early stages of the development lifecycle (including DevOps pipelines). The support for third-party solutions helps to further streamline, integrate, and orchestrate security findings from other vendors with Microsoft Defender for Cloud.
This support enables full lifecycle API security (extending to OWASP API top 10 risks), and the ability for security teams to effectively discover and remediate API security vulnerabilities before they are deployed in production. To learn more, see the following: Partner applications in Microsoft Defender for Cloud for API security testing (preview)
Next Steps
To learn more about how Defender for APIs augments the security offered by Azure Web Application Firewall (Azure WAF) and Azure API Management, see the following: Defender for APIs Better Together with Azure Web Application Firewall and Azure API Management.
To learn more about how Azure API Management helps mitigate risks against the OWASP API risks, see the following: Recommendations to mitigate OWASP API Security Top 10 threats using API Management
Microsoft Tech Community – Latest Blogs –Read More
Protect Against OWASP API Top 10 Security Risks Using Defender for APIs
Overview
The Open Web Application Security Project (OWASP) Foundation is a nonprofit foundation dedicated to improving software security through community-led open-source projects, education, and transparency. The OWASP API Security Project focuses on strategies and solutions to understand and mitigate the unique vulnerabilities and security risks of APIs. In this post, we’ll dive into how Defender for APIs (a plan provided by Microsoft Defender for Cloud) provides security coverage for the OWASP API Top 10 security risks.
Defender for APIs offers full lifecycle protection, detection, and response coverage for APIs. Defender for APIs helps you to gain visibility into business-critical APIs. You can investigate and improve your API security posture, prioritize vulnerability fixes, and quickly detect active real-time threats.
Concepts
Security recommendations – Recommendations in Defender for Cloud are based on the Microsoft cloud security benchmark. The Microsoft cloud security benchmark is the Microsoft-authored set of guidelines for security and compliance best practices based on common compliance frameworks. This widely respected benchmark builds on the controls from the Center for Internet Security (CIS) and the National Institute of Standards and Technology (NIST) with a focus on cloud-centric security. For a complete list of API security recommendations, see Security recommendations – a reference guide
Security alerts – Security alerts are the notifications generated by Defender for Cloud’s workload protection plans when runtime threats are identified in your Azure, hybrid, or multi-cloud environments. For a complete list of API security alerts, see Security alerts – a reference guide
Attack path analysis – Defender for Cloud uses environment context to perform a risk assessment of your security issues and subsequently identifies the biggest security risk issues. Defender for Cloud then analyzes which security issues are part of potential attack paths that attackers could use to breach your environment. To learn more, see Identify and remediate attack paths
Defender for APIs – OWASP API Security Coverage Mapping
OWASP API Risk
Defender for APIs Security Coverage
Broken Object Level Authorization (API1:2023)
(Security alert) Parameter enumeration on an API endpoint – A single IP was observed enumerating parameters when accessing one of the API endpoints
(Security alert) Distributed parameter enumeration on an API endpoint – The aggregate user population (all IPs) was observed enumerating parameters when accessing one of the API endpoints.
Broken Authentication (API2:2023)
(Security recommendation) API endpoints in Azure API Management should be authenticated – API endpoints published within Azure API Management should enforce authentication to help minimize security risk.
(Security recommendation) API Management calls to API backends should be authenticated – Calls from API Management to backends should use some form of authentication, whether via certificates or credentials.
Broken Object Property Level Authorization (API3:2023)
(Security alert) Previously unseen parameter used in an API call – A single IP was observed accessing one of the API endpoints using a previously unseen parameter in the request.
(Security alert) Unusually large response payload transmitted between a single IP address and an API endpoint – A suspicious spike in API response payload size was observed for traffic between a single IP and one of the API endpoints.
Unrestricted Resource Consumption (API4:2023)
(Security alert) Suspicious population-level spike in API traffic to an API endpoint – A suspicious spike in API traffic was detected at one of the API endpoints.
(Security alert) Suspicious spike in API traffic from a single IP address to an API endpoint – A suspicious spike in API traffic was detected from a client IP to the API endpoint.
(Security alert) Unusually large request body transmitted between a single IP address and an API endpoint – A suspicious spike in API request body size was observed for traffic between a single IP and one of the API endpoints.
(Security alert) Suspicious spike in latency for traffic between a single IP address and an API endpoint – A suspicious spike in latency was observed for traffic between a single IP and one of the API endpoints.
(Security alert) API requests spray from a single IP address to an unusually large number of distinct API endpoints – A single IP was observed making API calls to an unusually large number of distinct endpoints.
(Security recommendation) API Management direct management endpoint should not be enabled – The direct management REST API in Azure API Management bypasses Azure Resource Manager role-based access control, authorization, and throttling mechanisms, thus increasing the vulnerability of your service.
Broken Function Level Authorization (API5:2023)
No coverage
Unrestricted Access to Sensitive Business Flows (API6:2023)
(Attack path analysis) Internet exposed APIs that are unauthenticated carry sensitive data
(Security alert) Suspicious spike in API traffic from a single IP address to an API endpoint – A suspicious spike in API traffic was detected from a client IP to the API endpoint.
Server-Side Request Forgery (API7:2023)
No coverage
Security Misconfiguration (API8:2023)
(Security recommendation) API endpoints that are unused should be disabled and removed from the Azure API Management service – As a security best practice, API endpoints that haven’t received traffic for 30 days are considered unused and should be removed from the Azure API Management service.
(Security recommendation) API Management APIs should use only encrypted protocols – APIs should be available only through encrypted protocols, like HTTPS or WSS. Avoid using unsecured protocols, such as HTTP or WS to ensure security of data in transit.
(Security recommendation) API Management secret named values should be stored in Azure Key Vault – Named values are a collection of name and value pairs in each API Management service.
(Security recommendation) API Management should disable public network access to the service configuration endpoints – To improve the security of API Management services, restrict connectivity to service configuration endpoints, like direct access management API, Git configuration management endpoint, or self-hosted gateways configuration endpoint.
(Security recommendation) API Management calls to API backends should be authenticated – Calls from API Management to backends should use some form of authentication, whether via certificates or credentials. Does not apply to Service Fabric backends.
Improper Inventory Management (API9:2023)
Inventory dashboard – Centralized inventory of all managed APIs and related API security findings.
External exposure – Classify which API endpoints are exposed externally.
Sensitive data classification – Classify APIs that receive or respond with sensitive data, to support risk prioritization, including integration support with Microsoft MIP Purview.
Unsafe Consumption of APIs (API10:2023)
No coverage
API Security Testing
Microsoft Defender for Cloud supports third-party tools to help enhance the existing runtime security capabilities that are provided by Defender for APIs. Defender for Cloud supports proactive API security testing capabilities in early stages of the development lifecycle (including DevOps pipelines). The support for third-party solutions helps to further streamline, integrate, and orchestrate security findings from other vendors with Microsoft Defender for Cloud.
This support enables full lifecycle API security (extending to OWASP API top 10 risks), and the ability for security teams to effectively discover and remediate API security vulnerabilities before they are deployed in production. To learn more, see the following: Partner applications in Microsoft Defender for Cloud for API security testing (preview)
Next Steps
To learn more about how Defender for APIs augments the security offered by Azure Web Application Firewall (Azure WAF) and Azure API Management, see the following: Defender for APIs Better Together with Azure Web Application Firewall and Azure API Management.
To learn more about how Azure API Management helps mitigate risks against the OWASP API risks, see the following: Recommendations to mitigate OWASP API Security Top 10 threats using API Management
Microsoft Tech Community – Latest Blogs –Read More
Protect Against OWASP API Top 10 Security Risks Using Defender for APIs
Overview
The Open Web Application Security Project (OWASP) Foundation is a nonprofit foundation dedicated to improving software security through community-led open-source projects, education, and transparency. The OWASP API Security Project focuses on strategies and solutions to understand and mitigate the unique vulnerabilities and security risks of APIs. In this post, we’ll dive into how Defender for APIs (a plan provided by Microsoft Defender for Cloud) provides security coverage for the OWASP API Top 10 security risks.
Defender for APIs offers full lifecycle protection, detection, and response coverage for APIs. Defender for APIs helps you to gain visibility into business-critical APIs. You can investigate and improve your API security posture, prioritize vulnerability fixes, and quickly detect active real-time threats.
Concepts
Security recommendations – Recommendations in Defender for Cloud are based on the Microsoft cloud security benchmark. The Microsoft cloud security benchmark is the Microsoft-authored set of guidelines for security and compliance best practices based on common compliance frameworks. This widely respected benchmark builds on the controls from the Center for Internet Security (CIS) and the National Institute of Standards and Technology (NIST) with a focus on cloud-centric security. For a complete list of API security recommendations, see Security recommendations – a reference guide
Security alerts – Security alerts are the notifications generated by Defender for Cloud’s workload protection plans when runtime threats are identified in your Azure, hybrid, or multi-cloud environments. For a complete list of API security alerts, see Security alerts – a reference guide
Attack path analysis – Defender for Cloud uses environment context to perform a risk assessment of your security issues and subsequently identifies the biggest security risk issues. Defender for Cloud then analyzes which security issues are part of potential attack paths that attackers could use to breach your environment. To learn more, see Identify and remediate attack paths
Defender for APIs – OWASP API Security Coverage Mapping
OWASP API Risk
Defender for APIs Security Coverage
Broken Object Level Authorization (API1:2023)
(Security alert) Parameter enumeration on an API endpoint – A single IP was observed enumerating parameters when accessing one of the API endpoints
(Security alert) Distributed parameter enumeration on an API endpoint – The aggregate user population (all IPs) was observed enumerating parameters when accessing one of the API endpoints.
Broken Authentication (API2:2023)
(Security recommendation) API endpoints in Azure API Management should be authenticated – API endpoints published within Azure API Management should enforce authentication to help minimize security risk.
(Security recommendation) API Management calls to API backends should be authenticated – Calls from API Management to backends should use some form of authentication, whether via certificates or credentials.
Broken Object Property Level Authorization (API3:2023)
(Security alert) Previously unseen parameter used in an API call – A single IP was observed accessing one of the API endpoints using a previously unseen parameter in the request.
(Security alert) Unusually large response payload transmitted between a single IP address and an API endpoint – A suspicious spike in API response payload size was observed for traffic between a single IP and one of the API endpoints.
Unrestricted Resource Consumption (API4:2023)
(Security alert) Suspicious population-level spike in API traffic to an API endpoint – A suspicious spike in API traffic was detected at one of the API endpoints.
(Security alert) Suspicious spike in API traffic from a single IP address to an API endpoint – A suspicious spike in API traffic was detected from a client IP to the API endpoint.
(Security alert) Unusually large request body transmitted between a single IP address and an API endpoint – A suspicious spike in API request body size was observed for traffic between a single IP and one of the API endpoints.
(Security alert) Suspicious spike in latency for traffic between a single IP address and an API endpoint – A suspicious spike in latency was observed for traffic between a single IP and one of the API endpoints.
(Security alert) API requests spray from a single IP address to an unusually large number of distinct API endpoints – A single IP was observed making API calls to an unusually large number of distinct endpoints.
(Security recommendation) API Management direct management endpoint should not be enabled – The direct management REST API in Azure API Management bypasses Azure Resource Manager role-based access control, authorization, and throttling mechanisms, thus increasing the vulnerability of your service.
Broken Function Level Authorization (API5:2023)
No coverage
Unrestricted Access to Sensitive Business Flows (API6:2023)
(Attack path analysis) Internet exposed APIs that are unauthenticated carry sensitive data
(Security alert) Suspicious spike in API traffic from a single IP address to an API endpoint – A suspicious spike in API traffic was detected from a client IP to the API endpoint.
Server-Side Request Forgery (API7:2023)
No coverage
Security Misconfiguration (API8:2023)
(Security recommendation) API endpoints that are unused should be disabled and removed from the Azure API Management service – As a security best practice, API endpoints that haven’t received traffic for 30 days are considered unused and should be removed from the Azure API Management service.
(Security recommendation) API Management APIs should use only encrypted protocols – APIs should be available only through encrypted protocols, like HTTPS or WSS. Avoid using unsecured protocols, such as HTTP or WS to ensure security of data in transit.
(Security recommendation) API Management secret named values should be stored in Azure Key Vault – Named values are a collection of name and value pairs in each API Management service.
(Security recommendation) API Management should disable public network access to the service configuration endpoints – To improve the security of API Management services, restrict connectivity to service configuration endpoints, like direct access management API, Git configuration management endpoint, or self-hosted gateways configuration endpoint.
(Security recommendation) API Management calls to API backends should be authenticated – Calls from API Management to backends should use some form of authentication, whether via certificates or credentials. Does not apply to Service Fabric backends.
Improper Inventory Management (API9:2023)
Inventory dashboard – Centralized inventory of all managed APIs and related API security findings.
External exposure – Classify which API endpoints are exposed externally.
Sensitive data classification – Classify APIs that receive or respond with sensitive data, to support risk prioritization, including integration support with Microsoft MIP Purview.
Unsafe Consumption of APIs (API10:2023)
No coverage
API Security Testing
Microsoft Defender for Cloud supports third-party tools to help enhance the existing runtime security capabilities that are provided by Defender for APIs. Defender for Cloud supports proactive API security testing capabilities in early stages of the development lifecycle (including DevOps pipelines). The support for third-party solutions helps to further streamline, integrate, and orchestrate security findings from other vendors with Microsoft Defender for Cloud.
This support enables full lifecycle API security (extending to OWASP API top 10 risks), and the ability for security teams to effectively discover and remediate API security vulnerabilities before they are deployed in production. To learn more, see the following: Partner applications in Microsoft Defender for Cloud for API security testing (preview)
Next Steps
To learn more about how Defender for APIs augments the security offered by Azure Web Application Firewall (Azure WAF) and Azure API Management, see the following: Defender for APIs Better Together with Azure Web Application Firewall and Azure API Management.
To learn more about how Azure API Management helps mitigate risks against the OWASP API risks, see the following: Recommendations to mitigate OWASP API Security Top 10 threats using API Management
Microsoft Tech Community – Latest Blogs –Read More
Protect Against OWASP API Top 10 Security Risks Using Defender for APIs
Overview
The Open Web Application Security Project (OWASP) Foundation is a nonprofit foundation dedicated to improving software security through community-led open-source projects, education, and transparency. The OWASP API Security Project focuses on strategies and solutions to understand and mitigate the unique vulnerabilities and security risks of APIs. In this post, we’ll dive into how Defender for APIs (a plan provided by Microsoft Defender for Cloud) provides security coverage for the OWASP API Top 10 security risks.
Defender for APIs offers full lifecycle protection, detection, and response coverage for APIs. Defender for APIs helps you to gain visibility into business-critical APIs. You can investigate and improve your API security posture, prioritize vulnerability fixes, and quickly detect active real-time threats.
Concepts
Security recommendations – Recommendations in Defender for Cloud are based on the Microsoft cloud security benchmark. The Microsoft cloud security benchmark is the Microsoft-authored set of guidelines for security and compliance best practices based on common compliance frameworks. This widely respected benchmark builds on the controls from the Center for Internet Security (CIS) and the National Institute of Standards and Technology (NIST) with a focus on cloud-centric security. For a complete list of API security recommendations, see Security recommendations – a reference guide
Security alerts – Security alerts are the notifications generated by Defender for Cloud’s workload protection plans when runtime threats are identified in your Azure, hybrid, or multi-cloud environments. For a complete list of API security alerts, see Security alerts – a reference guide
Attack path analysis – Defender for Cloud uses environment context to perform a risk assessment of your security issues and subsequently identifies the biggest security risk issues. Defender for Cloud then analyzes which security issues are part of potential attack paths that attackers could use to breach your environment. To learn more, see Identify and remediate attack paths
Defender for APIs – OWASP API Security Coverage Mapping
OWASP API Risk
Defender for APIs Security Coverage
Broken Object Level Authorization (API1:2023)
(Security alert) Parameter enumeration on an API endpoint – A single IP was observed enumerating parameters when accessing one of the API endpoints
(Security alert) Distributed parameter enumeration on an API endpoint – The aggregate user population (all IPs) was observed enumerating parameters when accessing one of the API endpoints.
Broken Authentication (API2:2023)
(Security recommendation) API endpoints in Azure API Management should be authenticated – API endpoints published within Azure API Management should enforce authentication to help minimize security risk.
(Security recommendation) API Management calls to API backends should be authenticated – Calls from API Management to backends should use some form of authentication, whether via certificates or credentials.
Broken Object Property Level Authorization (API3:2023)
(Security alert) Previously unseen parameter used in an API call – A single IP was observed accessing one of the API endpoints using a previously unseen parameter in the request.
(Security alert) Unusually large response payload transmitted between a single IP address and an API endpoint – A suspicious spike in API response payload size was observed for traffic between a single IP and one of the API endpoints.
Unrestricted Resource Consumption (API4:2023)
(Security alert) Suspicious population-level spike in API traffic to an API endpoint – A suspicious spike in API traffic was detected at one of the API endpoints.
(Security alert) Suspicious spike in API traffic from a single IP address to an API endpoint – A suspicious spike in API traffic was detected from a client IP to the API endpoint.
(Security alert) Unusually large request body transmitted between a single IP address and an API endpoint – A suspicious spike in API request body size was observed for traffic between a single IP and one of the API endpoints.
(Security alert) Suspicious spike in latency for traffic between a single IP address and an API endpoint – A suspicious spike in latency was observed for traffic between a single IP and one of the API endpoints.
(Security alert) API requests spray from a single IP address to an unusually large number of distinct API endpoints – A single IP was observed making API calls to an unusually large number of distinct endpoints.
(Security recommendation) API Management direct management endpoint should not be enabled – The direct management REST API in Azure API Management bypasses Azure Resource Manager role-based access control, authorization, and throttling mechanisms, thus increasing the vulnerability of your service.
Broken Function Level Authorization (API5:2023)
No coverage
Unrestricted Access to Sensitive Business Flows (API6:2023)
(Attack path analysis) Internet exposed APIs that are unauthenticated carry sensitive data
(Security alert) Suspicious spike in API traffic from a single IP address to an API endpoint – A suspicious spike in API traffic was detected from a client IP to the API endpoint.
Server-Side Request Forgery (API7:2023)
No coverage
Security Misconfiguration (API8:2023)
(Security recommendation) API endpoints that are unused should be disabled and removed from the Azure API Management service – As a security best practice, API endpoints that haven’t received traffic for 30 days are considered unused and should be removed from the Azure API Management service.
(Security recommendation) API Management APIs should use only encrypted protocols – APIs should be available only through encrypted protocols, like HTTPS or WSS. Avoid using unsecured protocols, such as HTTP or WS to ensure security of data in transit.
(Security recommendation) API Management secret named values should be stored in Azure Key Vault – Named values are a collection of name and value pairs in each API Management service.
(Security recommendation) API Management should disable public network access to the service configuration endpoints – To improve the security of API Management services, restrict connectivity to service configuration endpoints, like direct access management API, Git configuration management endpoint, or self-hosted gateways configuration endpoint.
(Security recommendation) API Management calls to API backends should be authenticated – Calls from API Management to backends should use some form of authentication, whether via certificates or credentials. Does not apply to Service Fabric backends.
Improper Inventory Management (API9:2023)
Inventory dashboard – Centralized inventory of all managed APIs and related API security findings.
External exposure – Classify which API endpoints are exposed externally.
Sensitive data classification – Classify APIs that receive or respond with sensitive data, to support risk prioritization, including integration support with Microsoft MIP Purview.
Unsafe Consumption of APIs (API10:2023)
No coverage
API Security Testing
Microsoft Defender for Cloud supports third-party tools to help enhance the existing runtime security capabilities that are provided by Defender for APIs. Defender for Cloud supports proactive API security testing capabilities in early stages of the development lifecycle (including DevOps pipelines). The support for third-party solutions helps to further streamline, integrate, and orchestrate security findings from other vendors with Microsoft Defender for Cloud.
This support enables full lifecycle API security (extending to OWASP API top 10 risks), and the ability for security teams to effectively discover and remediate API security vulnerabilities before they are deployed in production. To learn more, see the following: Partner applications in Microsoft Defender for Cloud for API security testing (preview)
Next Steps
To learn more about how Defender for APIs augments the security offered by Azure Web Application Firewall (Azure WAF) and Azure API Management, see the following: Defender for APIs Better Together with Azure Web Application Firewall and Azure API Management.
To learn more about how Azure API Management helps mitigate risks against the OWASP API risks, see the following: Recommendations to mitigate OWASP API Security Top 10 threats using API Management
Microsoft Tech Community – Latest Blogs –Read More
Protect Against OWASP API Top 10 Security Risks Using Defender for APIs
Overview
The Open Web Application Security Project (OWASP) Foundation is a nonprofit foundation dedicated to improving software security through community-led open-source projects, education, and transparency. The OWASP API Security Project focuses on strategies and solutions to understand and mitigate the unique vulnerabilities and security risks of APIs. In this post, we’ll dive into how Defender for APIs (a plan provided by Microsoft Defender for Cloud) provides security coverage for the OWASP API Top 10 security risks.
Defender for APIs offers full lifecycle protection, detection, and response coverage for APIs. Defender for APIs helps you to gain visibility into business-critical APIs. You can investigate and improve your API security posture, prioritize vulnerability fixes, and quickly detect active real-time threats.
Concepts
Security recommendations – Recommendations in Defender for Cloud are based on the Microsoft cloud security benchmark. The Microsoft cloud security benchmark is the Microsoft-authored set of guidelines for security and compliance best practices based on common compliance frameworks. This widely respected benchmark builds on the controls from the Center for Internet Security (CIS) and the National Institute of Standards and Technology (NIST) with a focus on cloud-centric security. For a complete list of API security recommendations, see Security recommendations – a reference guide
Security alerts – Security alerts are the notifications generated by Defender for Cloud’s workload protection plans when runtime threats are identified in your Azure, hybrid, or multi-cloud environments. For a complete list of API security alerts, see Security alerts – a reference guide
Attack path analysis – Defender for Cloud uses environment context to perform a risk assessment of your security issues and subsequently identifies the biggest security risk issues. Defender for Cloud then analyzes which security issues are part of potential attack paths that attackers could use to breach your environment. To learn more, see Identify and remediate attack paths
Defender for APIs – OWASP API Security Coverage Mapping
OWASP API Risk
Defender for APIs Security Coverage
Broken Object Level Authorization (API1:2023)
(Security alert) Parameter enumeration on an API endpoint – A single IP was observed enumerating parameters when accessing one of the API endpoints
(Security alert) Distributed parameter enumeration on an API endpoint – The aggregate user population (all IPs) was observed enumerating parameters when accessing one of the API endpoints.
Broken Authentication (API2:2023)
(Security recommendation) API endpoints in Azure API Management should be authenticated – API endpoints published within Azure API Management should enforce authentication to help minimize security risk.
(Security recommendation) API Management calls to API backends should be authenticated – Calls from API Management to backends should use some form of authentication, whether via certificates or credentials.
Broken Object Property Level Authorization (API3:2023)
(Security alert) Previously unseen parameter used in an API call – A single IP was observed accessing one of the API endpoints using a previously unseen parameter in the request.
(Security alert) Unusually large response payload transmitted between a single IP address and an API endpoint – A suspicious spike in API response payload size was observed for traffic between a single IP and one of the API endpoints.
Unrestricted Resource Consumption (API4:2023)
(Security alert) Suspicious population-level spike in API traffic to an API endpoint – A suspicious spike in API traffic was detected at one of the API endpoints.
(Security alert) Suspicious spike in API traffic from a single IP address to an API endpoint – A suspicious spike in API traffic was detected from a client IP to the API endpoint.
(Security alert) Unusually large request body transmitted between a single IP address and an API endpoint – A suspicious spike in API request body size was observed for traffic between a single IP and one of the API endpoints.
(Security alert) Suspicious spike in latency for traffic between a single IP address and an API endpoint – A suspicious spike in latency was observed for traffic between a single IP and one of the API endpoints.
(Security alert) API requests spray from a single IP address to an unusually large number of distinct API endpoints – A single IP was observed making API calls to an unusually large number of distinct endpoints.
(Security recommendation) API Management direct management endpoint should not be enabled – The direct management REST API in Azure API Management bypasses Azure Resource Manager role-based access control, authorization, and throttling mechanisms, thus increasing the vulnerability of your service.
Broken Function Level Authorization (API5:2023)
No coverage
Unrestricted Access to Sensitive Business Flows (API6:2023)
(Attack path analysis) Internet exposed APIs that are unauthenticated carry sensitive data
(Security alert) Suspicious spike in API traffic from a single IP address to an API endpoint – A suspicious spike in API traffic was detected from a client IP to the API endpoint.
Server-Side Request Forgery (API7:2023)
No coverage
Security Misconfiguration (API8:2023)
(Security recommendation) API endpoints that are unused should be disabled and removed from the Azure API Management service – As a security best practice, API endpoints that haven’t received traffic for 30 days are considered unused and should be removed from the Azure API Management service.
(Security recommendation) API Management APIs should use only encrypted protocols – APIs should be available only through encrypted protocols, like HTTPS or WSS. Avoid using unsecured protocols, such as HTTP or WS to ensure security of data in transit.
(Security recommendation) API Management secret named values should be stored in Azure Key Vault – Named values are a collection of name and value pairs in each API Management service.
(Security recommendation) API Management should disable public network access to the service configuration endpoints – To improve the security of API Management services, restrict connectivity to service configuration endpoints, like direct access management API, Git configuration management endpoint, or self-hosted gateways configuration endpoint.
(Security recommendation) API Management calls to API backends should be authenticated – Calls from API Management to backends should use some form of authentication, whether via certificates or credentials. Does not apply to Service Fabric backends.
Improper Inventory Management (API9:2023)
Inventory dashboard – Centralized inventory of all managed APIs and related API security findings.
External exposure – Classify which API endpoints are exposed externally.
Sensitive data classification – Classify APIs that receive or respond with sensitive data, to support risk prioritization, including integration support with Microsoft MIP Purview.
Unsafe Consumption of APIs (API10:2023)
No coverage
API Security Testing
Microsoft Defender for Cloud supports third-party tools to help enhance the existing runtime security capabilities that are provided by Defender for APIs. Defender for Cloud supports proactive API security testing capabilities in early stages of the development lifecycle (including DevOps pipelines). The support for third-party solutions helps to further streamline, integrate, and orchestrate security findings from other vendors with Microsoft Defender for Cloud.
This support enables full lifecycle API security (extending to OWASP API top 10 risks), and the ability for security teams to effectively discover and remediate API security vulnerabilities before they are deployed in production. To learn more, see the following: Partner applications in Microsoft Defender for Cloud for API security testing (preview)
Next Steps
To learn more about how Defender for APIs augments the security offered by Azure Web Application Firewall (Azure WAF) and Azure API Management, see the following: Defender for APIs Better Together with Azure Web Application Firewall and Azure API Management.
To learn more about how Azure API Management helps mitigate risks against the OWASP API risks, see the following: Recommendations to mitigate OWASP API Security Top 10 threats using API Management
Microsoft Tech Community – Latest Blogs –Read More
Protect Against OWASP API Top 10 Security Risks Using Defender for APIs
Overview
The Open Web Application Security Project (OWASP) Foundation is a nonprofit foundation dedicated to improving software security through community-led open-source projects, education, and transparency. The OWASP API Security Project focuses on strategies and solutions to understand and mitigate the unique vulnerabilities and security risks of APIs. In this post, we’ll dive into how Defender for APIs (a plan provided by Microsoft Defender for Cloud) provides security coverage for the OWASP API Top 10 security risks.
Defender for APIs offers full lifecycle protection, detection, and response coverage for APIs. Defender for APIs helps you to gain visibility into business-critical APIs. You can investigate and improve your API security posture, prioritize vulnerability fixes, and quickly detect active real-time threats.
Concepts
Security recommendations – Recommendations in Defender for Cloud are based on the Microsoft cloud security benchmark. The Microsoft cloud security benchmark is the Microsoft-authored set of guidelines for security and compliance best practices based on common compliance frameworks. This widely respected benchmark builds on the controls from the Center for Internet Security (CIS) and the National Institute of Standards and Technology (NIST) with a focus on cloud-centric security. For a complete list of API security recommendations, see Security recommendations – a reference guide
Security alerts – Security alerts are the notifications generated by Defender for Cloud’s workload protection plans when runtime threats are identified in your Azure, hybrid, or multi-cloud environments. For a complete list of API security alerts, see Security alerts – a reference guide
Attack path analysis – Defender for Cloud uses environment context to perform a risk assessment of your security issues and subsequently identifies the biggest security risk issues. Defender for Cloud then analyzes which security issues are part of potential attack paths that attackers could use to breach your environment. To learn more, see Identify and remediate attack paths
Defender for APIs – OWASP API Security Coverage Mapping
OWASP API Risk
Defender for APIs Security Coverage
Broken Object Level Authorization (API1:2023)
(Security alert) Parameter enumeration on an API endpoint – A single IP was observed enumerating parameters when accessing one of the API endpoints
(Security alert) Distributed parameter enumeration on an API endpoint – The aggregate user population (all IPs) was observed enumerating parameters when accessing one of the API endpoints.
Broken Authentication (API2:2023)
(Security recommendation) API endpoints in Azure API Management should be authenticated – API endpoints published within Azure API Management should enforce authentication to help minimize security risk.
(Security recommendation) API Management calls to API backends should be authenticated – Calls from API Management to backends should use some form of authentication, whether via certificates or credentials.
Broken Object Property Level Authorization (API3:2023)
(Security alert) Previously unseen parameter used in an API call – A single IP was observed accessing one of the API endpoints using a previously unseen parameter in the request.
(Security alert) Unusually large response payload transmitted between a single IP address and an API endpoint – A suspicious spike in API response payload size was observed for traffic between a single IP and one of the API endpoints.
Unrestricted Resource Consumption (API4:2023)
(Security alert) Suspicious population-level spike in API traffic to an API endpoint – A suspicious spike in API traffic was detected at one of the API endpoints.
(Security alert) Suspicious spike in API traffic from a single IP address to an API endpoint – A suspicious spike in API traffic was detected from a client IP to the API endpoint.
(Security alert) Unusually large request body transmitted between a single IP address and an API endpoint – A suspicious spike in API request body size was observed for traffic between a single IP and one of the API endpoints.
(Security alert) Suspicious spike in latency for traffic between a single IP address and an API endpoint – A suspicious spike in latency was observed for traffic between a single IP and one of the API endpoints.
(Security alert) API requests spray from a single IP address to an unusually large number of distinct API endpoints – A single IP was observed making API calls to an unusually large number of distinct endpoints.
(Security recommendation) API Management direct management endpoint should not be enabled – The direct management REST API in Azure API Management bypasses Azure Resource Manager role-based access control, authorization, and throttling mechanisms, thus increasing the vulnerability of your service.
Broken Function Level Authorization (API5:2023)
No coverage
Unrestricted Access to Sensitive Business Flows (API6:2023)
(Attack path analysis) Internet exposed APIs that are unauthenticated carry sensitive data
(Security alert) Suspicious spike in API traffic from a single IP address to an API endpoint – A suspicious spike in API traffic was detected from a client IP to the API endpoint.
Server-Side Request Forgery (API7:2023)
No coverage
Security Misconfiguration (API8:2023)
(Security recommendation) API endpoints that are unused should be disabled and removed from the Azure API Management service – As a security best practice, API endpoints that haven’t received traffic for 30 days are considered unused and should be removed from the Azure API Management service.
(Security recommendation) API Management APIs should use only encrypted protocols – APIs should be available only through encrypted protocols, like HTTPS or WSS. Avoid using unsecured protocols, such as HTTP or WS to ensure security of data in transit.
(Security recommendation) API Management secret named values should be stored in Azure Key Vault – Named values are a collection of name and value pairs in each API Management service.
(Security recommendation) API Management should disable public network access to the service configuration endpoints – To improve the security of API Management services, restrict connectivity to service configuration endpoints, like direct access management API, Git configuration management endpoint, or self-hosted gateways configuration endpoint.
(Security recommendation) API Management calls to API backends should be authenticated – Calls from API Management to backends should use some form of authentication, whether via certificates or credentials. Does not apply to Service Fabric backends.
Improper Inventory Management (API9:2023)
Inventory dashboard – Centralized inventory of all managed APIs and related API security findings.
External exposure – Classify which API endpoints are exposed externally.
Sensitive data classification – Classify APIs that receive or respond with sensitive data, to support risk prioritization, including integration support with Microsoft MIP Purview.
Unsafe Consumption of APIs (API10:2023)
No coverage
API Security Testing
Microsoft Defender for Cloud supports third-party tools to help enhance the existing runtime security capabilities that are provided by Defender for APIs. Defender for Cloud supports proactive API security testing capabilities in early stages of the development lifecycle (including DevOps pipelines). The support for third-party solutions helps to further streamline, integrate, and orchestrate security findings from other vendors with Microsoft Defender for Cloud.
This support enables full lifecycle API security (extending to OWASP API top 10 risks), and the ability for security teams to effectively discover and remediate API security vulnerabilities before they are deployed in production. To learn more, see the following: Partner applications in Microsoft Defender for Cloud for API security testing (preview)
Next Steps
To learn more about how Defender for APIs augments the security offered by Azure Web Application Firewall (Azure WAF) and Azure API Management, see the following: Defender for APIs Better Together with Azure Web Application Firewall and Azure API Management.
To learn more about how Azure API Management helps mitigate risks against the OWASP API risks, see the following: Recommendations to mitigate OWASP API Security Top 10 threats using API Management
Microsoft Tech Community – Latest Blogs –Read More