Juggling many different tasks at once often means losing focus on the task at hand. It's the age-old problem with API security—there's so much to do and such little time to do it all. For example, it can be a challenge to keep track of what needs to be tested and how frequently. Despite being busy, you can't lose sight of the quality and frequency of API security tasks required to stay safe against threats like zero-day attacks and the OWASP Top 10.
APIs can expose sensitive data and functionality, and a single vulnerability in an API can potentially compromise your entire system, making them a prime target for attackers. Some threats are more common than others—one-third of all API security mitigations are focused on blocking Distributed Denial of Service (DDoS) attacks alone—but every threat must be considered severe. Therefore, an API security checklist is a must-have starting point to ensure you cover all critical bases.
What is an API security checklist, and how should you use one?
An API security checklist is a set of requirements your API needs to meet in order to be marked as ready for the end user. You'll hear many experienced security researchers speak of a methodology or their "approach" when testing APIs, as many experts have developed an intuition for API security over time.
Should you use one? Standardizing the process of testing and discovering your APIs can definitely help ensure that all necessary security checks are performed consistently. It reduces the chances of overlooking critical vulnerabilities and provides a structured approach to assessing your APIs.
Can an API security checklist help protect against OWASP Top 10 risks?
An API security checklist can be part of a wider application dependency mapping strategy, helping you catch OWASP Top 10 threats like:
Broken authentication: A security checklist can guide you through testing your API for authentication vulnerabilities. It should include items such as verifying proper authentication mechanisms and checking for weak and default credentials or those used only for testing.
Broken object level authorization: By preparing a checklist, you can quickly identify vulnerabilities that might lead to broken object-level authorization. This includes testing for insecure direct object references, verifying proper authorization checks for all API endpoints, and ensuring that users can only access the resources they are authorized to.
Server-Side Request Forgery (SSRF): SSRF occurs when an attacker can manipulate the API to send requests to unintended or unauthorized destinations. A security checklist can help you create action items to mitigate SSRF risks, such as input validation and network and firewall controls.
The Essential API Security Checklist
With a solid understanding of why you should have an API security checklist, here’s what you can expect to see in one. Download our API security checklist to get started ticking off each critical task.
Authentication
The glue that ties users' identities and protects vital information should be heavily scrutinized. Specifically, you should check for broken authentication, password bypasses, or even password reset bugs.
Indirect Object References
Commonly called IDORs, indirect object references occur when an application uses user-supplied input to access objects directly. For example, a user might be able to delete a document they don't have access to by manipulating a URL parameter. While this vulnerability will look slightly different for every API, users should not be able to access or manipulate data they don't have access to.
Encryption
It might sound like generic advice, but encryption can save you in a number of ways. For APIs, terminating your endpoints with TLS can avoid man-in-the-middle attacks. Keep in mind that this should apply whether the API is internal or consumer-facing.
Rate Limiting
In order to protect your API from abuse, a common way to keep endpoints and other consumers safe is to implement rate limits. Twitter (now X) made the headline news for implementing this last year, limiting the number of requests a user can make within a specific time frame. You could implement rate limiting from scratch or leverage open-source solutions like open-appsec's rate limit and DDoS protection.
Input Validation
It's no secret that users don't always behave as intended. Sanitizing and validating inputs will go a long way in preventing SQL injections or directory traversal attacks. This goes beyond just inputs in a request body; if your API accepts files, you should also implement checks for file type as opposed to solely checking the extension.
Denial of Service (DoS) Protection
We briefly mentioned rate limiting, but DoS (a type of malicious code attack) is a different beast. While rate limits might protect you from a single bad user, DoS seeks to overwhelm your entire service. As such, you should consider implementing DoS protection for critical services.
API Key Management
Organizations should have a mechanism for invalidating and rotating API keys on the fly to react quickly to exposure. Implementing proper API key management ensures that compromised keys can be promptly revoked, minimizing the potential impact of a breach. There are several key management tools you can use. If your APIs are deployed on the cloud, in most cases, you can use your cloud provider's specific key management service or open-source tools like Hashicorp Vault or Keycloak.
Logging and Monitoring
Comprehensive logging and monitoring are crucial for detecting and responding to security incidents. AI has revolutionized observability and is implemented in most observability tooling today. It is used to analyze vast amounts of telemetry data, detect anomalies, and predict future issues. You can implement robust logging mechanisms to capture relevant information such as request/response details, user activity monitoring, and system events, and regularly monitor logs for suspicious patterns.
Cross-Origin Resource Sharing (CORS)
CORS is a mechanism that allows restricted resources on a web page to be requested from another domain outside the domain from which the first resource was served. While CORS helps enable legitimate cross-origin requests, it can also be exploited by attackers to bypass security checks. Misconfigured CORS policies can allow unauthorized domains to make requests to your API, potentially leading to data leakage or unauthorized actions.
To mitigate this risk, invest time in implementing strict origin validation, such as maintaining a whitelist of trusted origins, and ensuring proper configuration of CORS headers. Remember to regularly audit and update your CORS configurations and implement proper error handling for CORS-related issues.
Subdomain Checks
Various subdomains might be used during development before the service goes live. If not properly managed, they can become prime targets for subdomain takeovers. Attackers can claim and control abandoned or unclaimed subdomains, potentially compromising the security of your API.
Consider adding a check for your domains and regularly perform a sweep of all subdomains associated with your API. Identify any subdomains that are no longer in use or not properly configured. Delete or update DNS records accordingly to ensure that all subdomains are under your control and cannot be claimed by malicious actors.
Documentation
Documentation is often overlooked as a critical component of API security. While technical implementations like encryption and authentication are essential, your future self will thank you if you document each one. Documentation should not be done after the fact—it should happen while implementing the checklist to ensure those little details that can save hours in the future are not missed.
Web Application Firewalls (WAF)
Protecting against API security threats like the OWASP Top 10 and zero-day threats requires a proactive and preventative approach that can be achieved using a viable WAF. Look for WAFs like open-appsec that use ML-based security features without signature updates, blocking attacks pre-emptively and automating API and web application security.
Download the API Security Checklist.
open-appsec is an open-source project that builds on machine learning to provide pre-emptive web app & API threat protection against OWASP Top 10 and zero-day attacks. It simplifies maintenance as there is no threat signature upkeep and exception handling, like common in many WAF solutions.
To learn more about how open-appsec works, see this White Paper and the in-depth Video Tutorial. You can also experiment with deployment in the free Playground.
