Protect Against OWASP API Top 10 Security Risks Using Defender for APIs
Overview
The Open Web Application Security Project (OWASP) Foundation is a nonprofit foundation dedicated to improving software security through community-led open-source projects, education, and transparency. The OWASP API Security Project focuses on strategies and solutions to understand and mitigate the unique vulnerabilities and security risks of APIs. In this post, we’ll dive into how Defender for APIs (a plan provided by Microsoft Defender for Cloud) provides security coverage for the OWASP API Top 10 security risks.
Defender for APIs offers full lifecycle protection, detection, and response coverage for APIs. Defender for APIs helps you to gain visibility into business-critical APIs. You can investigate and improve your API security posture, prioritize vulnerability fixes, and quickly detect active real-time threats.
Concepts
Security recommendations – Recommendations in Defender for Cloud are based on the Microsoft cloud security benchmark. The Microsoft cloud security benchmark is the Microsoft-authored set of guidelines for security and compliance best practices based on common compliance frameworks. This widely respected benchmark builds on the controls from the Center for Internet Security (CIS) and the National Institute of Standards and Technology (NIST) with a focus on cloud-centric security. For a complete list of API security recommendations, see Security recommendations – a reference guide
Security alerts – Security alerts are the notifications generated by Defender for Cloud’s workload protection plans when runtime threats are identified in your Azure, hybrid, or multi-cloud environments. For a complete list of API security alerts, see Security alerts – a reference guide
Attack path analysis – Defender for Cloud uses environment context to perform a risk assessment of your security issues and subsequently identifies the biggest security risk issues. Defender for Cloud then analyzes which security issues are part of potential attack paths that attackers could use to breach your environment. To learn more, see Identify and remediate attack paths
Defender for APIs – OWASP API Security Coverage Mapping
OWASP API Risk
Defender for APIs Security Coverage
Broken Object Level Authorization (API1:2023)
(Security alert) Parameter enumeration on an API endpoint – A single IP was observed enumerating parameters when accessing one of the API endpoints
(Security alert) Distributed parameter enumeration on an API endpoint – The aggregate user population (all IPs) was observed enumerating parameters when accessing one of the API endpoints.
Broken Authentication (API2:2023)
(Security recommendation) API endpoints in Azure API Management should be authenticated – API endpoints published within Azure API Management should enforce authentication to help minimize security risk.
(Security recommendation) API Management calls to API backends should be authenticated – Calls from API Management to backends should use some form of authentication, whether via certificates or credentials.
Broken Object Property Level Authorization (API3:2023)
(Security alert) Previously unseen parameter used in an API call – A single IP was observed accessing one of the API endpoints using a previously unseen parameter in the request.
(Security alert) Unusually large response payload transmitted between a single IP address and an API endpoint – A suspicious spike in API response payload size was observed for traffic between a single IP and one of the API endpoints.
Unrestricted Resource Consumption (API4:2023)
(Security alert) Suspicious population-level spike in API traffic to an API endpoint – A suspicious spike in API traffic was detected at one of the API endpoints.
(Security alert) Suspicious spike in API traffic from a single IP address to an API endpoint – A suspicious spike in API traffic was detected from a client IP to the API endpoint.
(Security alert) Unusually large request body transmitted between a single IP address and an API endpoint – A suspicious spike in API request body size was observed for traffic between a single IP and one of the API endpoints.
(Security alert) Suspicious spike in latency for traffic between a single IP address and an API endpoint – A suspicious spike in latency was observed for traffic between a single IP and one of the API endpoints.
(Security alert) API requests spray from a single IP address to an unusually large number of distinct API endpoints – A single IP was observed making API calls to an unusually large number of distinct endpoints.
(Security recommendation) API Management direct management endpoint should not be enabled – The direct management REST API in Azure API Management bypasses Azure Resource Manager role-based access control, authorization, and throttling mechanisms, thus increasing the vulnerability of your service.
Broken Function Level Authorization (API5:2023)
No coverage
Unrestricted Access to Sensitive Business Flows (API6:2023)
(Attack path analysis) Internet exposed APIs that are unauthenticated carry sensitive data
(Security alert) Suspicious spike in API traffic from a single IP address to an API endpoint – A suspicious spike in API traffic was detected from a client IP to the API endpoint.
Server-Side Request Forgery (API7:2023)
No coverage
Security Misconfiguration (API8:2023)
(Security recommendation) API endpoints that are unused should be disabled and removed from the Azure API Management service – As a security best practice, API endpoints that haven’t received traffic for 30 days are considered unused and should be removed from the Azure API Management service.
(Security recommendation) API Management APIs should use only encrypted protocols – APIs should be available only through encrypted protocols, like HTTPS or WSS. Avoid using unsecured protocols, such as HTTP or WS to ensure security of data in transit.
(Security recommendation) API Management secret named values should be stored in Azure Key Vault – Named values are a collection of name and value pairs in each API Management service.
(Security recommendation) API Management should disable public network access to the service configuration endpoints – To improve the security of API Management services, restrict connectivity to service configuration endpoints, like direct access management API, Git configuration management endpoint, or self-hosted gateways configuration endpoint.
(Security recommendation) API Management calls to API backends should be authenticated – Calls from API Management to backends should use some form of authentication, whether via certificates or credentials. Does not apply to Service Fabric backends.
Improper Inventory Management (API9:2023)
Inventory dashboard – Centralized inventory of all managed APIs and related API security findings.
External exposure – Classify which API endpoints are exposed externally.
Sensitive data classification – Classify APIs that receive or respond with sensitive data, to support risk prioritization, including integration support with Microsoft MIP Purview.
Unsafe Consumption of APIs (API10:2023)
No coverage
API Security Testing
Microsoft Defender for Cloud supports third-party tools to help enhance the existing runtime security capabilities that are provided by Defender for APIs. Defender for Cloud supports proactive API security testing capabilities in early stages of the development lifecycle (including DevOps pipelines). The support for third-party solutions helps to further streamline, integrate, and orchestrate security findings from other vendors with Microsoft Defender for Cloud.
This support enables full lifecycle API security (extending to OWASP API top 10 risks), and the ability for security teams to effectively discover and remediate API security vulnerabilities before they are deployed in production. To learn more, see the following: Partner applications in Microsoft Defender for Cloud for API security testing (preview)
Next Steps
To learn more about how Defender for APIs augments the security offered by Azure Web Application Firewall (Azure WAF) and Azure API Management, see the following: Defender for APIs Better Together with Azure Web Application Firewall and Azure API Management.
To learn more about how Azure API Management helps mitigate risks against the OWASP API risks, see the following: Recommendations to mitigate OWASP API Security Top 10 threats using API Management
Microsoft Tech Community – Latest Blogs –Read More