Business Logic Security Testing

Uncovered: OWASP 2023’s Inherent and Residual Risks

Have you ever wondered about the buzz surrounding the exponentially growing risks of APIs? It’s not just speculation. API attacks are now our reality. Gartner analysts had seen this coming. A few years back, they warned, “by 2022, API attacks will surpass other methods to become the most frequent attack vector, leading to data breaches in enterprise web applications.” Fast forward to 2023, and their prediction is, regrettably, our present situation.

As daily data breach notifications pour in—most of which are a result of API attacks—the health sector sadly stands out as a prime target. This has driven many to closely examine the newly released OWASP Top 10 API Security Risks for 2023. Yet, simply seeing the OWASP (Open Web Application Security Project) list as a basic starting point would be overlooking its depth. Each vulnerability on this list represents an organizational risk, with inherent risks that can evolve into residual ones, creating a vicious, ongoing cycle of threats. This underscores the vastness of the security challenges ahead.

Inherent and residual risks are often overlooked or misunderstood, yet they are crucial to grasping the full extent of what the OWASP list is telling us.

Inherent risk refers to the risk associated with an activity or decision in its natural, uncontrolled state. It’s the level of risk that exists before any measures or interventions have been taken to manage or mitigate it.

Residual risk refers to the remaining risk that persists after all known risk management and control measures have been implemented. In other words, it’s the risk left over after you’ve done everything you can to mitigate or manage the initial (inherent) risk.

Let’s apply the general definitions above to the realm of API security. We’ll start by looking at an example involving Server Side Request Forgery (SSRF) – denoted as API7:2023.

Consider a telemedicine platform that, among other components, relies on an API to connect patients and doctors remotely. The API fetches patient medical records from various hospital systems. A flaw in the API's implementation lets an attacker control where those fetches are sent, and through that reach sensitive patient data.

Inherent Risk:

The inherent risk is that an API which retrieves records from many hospital systems can be coaxed into retrieving from a destination the attacker chooses, including internal services that were never meant to be reachable from the outside. The CISO is aware of this risk and has taken action to reduce it by implementing a WAF and other measures intended to limit potential damage.

Residual Risk:

Even though security measures are in place, the residual risk becomes a reality when an attacker exploits an SSRF vulnerability: crafted requests to the API cause the server itself to fetch medical records from different hospitals, without the attacker ever holding proper authorization.

Mitigation:

Upon discovering the vulnerability, the telemedicine platform's security team applies a patch: the API no longer accepts record-system URLs from clients, builds every outbound request from an allowlist of known hospital endpoints, and refuses anything that points at an internal or link-local address. Generic input validation on its own is not enough here, because an SSRF payload can be a perfectly well-formed URL.
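To make the fix concrete, here is an added example (not code from the original article or from any real telemedicine platform) showing the SSRF-prone way of building the record fetch beside a hardened version. The hospital identifiers, hostnames and the shape of the patient lookup are assumptions made for illustration.

```python
"""Added example: SSRF-prone vs. hardened outbound URL construction.

The hospital allowlist and hostnames below are constructed for this
illustration; they are not the article's or any real platform's values.
"""
from urllib.parse import urlsplit, quote
import ipaddress

# Constructed allowlist: hospital identifier -> the only base URL we will call.
HOSPITAL_BASE_URLS = {
    "hospital-a": "https://records.hospital-a.example",
    "hospital-b": "https://ehr.hospital-b.example",
}


def build_url_vulnerable(record_url: str) -> str:
    """'Before': the client supplies the full URL of the record system.

    Whatever the client sends is what the server fetches, so a cloud
    metadata endpoint or an internal admin service is one request away.
    """
    return record_url


def build_url_hardened(hospital_id: str, patient_id: str) -> str:
    """'After': the client names a hospital and a patient; the server owns
    the URL. Unknown hospital ids are refused rather than guessed, and the
    patient id is constrained so it cannot smuggle '/', '@', '?' or '#'.
    """
    base = HOSPITAL_BASE_URLS.get(hospital_id)
    if base is None:
        raise ValueError(f"unknown hospital id: {hospital_id!r}")
    if not patient_id.isalnum():
        raise ValueError("patient id must be alphanumeric")
    return f"{base}/patients/{quote(patient_id, safe='')}"


def is_safe_destination(url: str) -> bool:
    """Defense in depth for any URL that still reaches the HTTP client.

    Requires https, rejects literal IP hosts (so 169.254.169.254, 10/8 and
    friends never pass), and accepts only allowlisted hospital hostnames.
    urlsplit().hostname drops userinfo, so 'trusted.example@evil' resolves
    to 'evil' here and is rejected.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    host = parts.hostname
    if host is None:
        return False
    try:
        ipaddress.ip_address(host)
        return False  # a bare IP is never an allowlisted hospital
    except ValueError:
        pass
    allowed_hosts = {urlsplit(b).hostname for b in HOSPITAL_BASE_URLS.values()}
    return host in allowed_hosts


if __name__ == "__main__":
    # Constructed attacker inputs of the kind an SSRF probe would send.
    probes = [
        "http://169.254.169.254/latest/meta-data/",
        "https://records.hospital-a.example@169.254.169.254/",
        "https://records.hospital-a.example.evil.example/patients/1",
        "https://records.hospital-a.example/patients/p12345",
    ]
    for p in probes:
        print(f"{'ALLOW' if is_safe_destination(p) else 'BLOCK':5} {p}")
    print(build_url_hardened("hospital-a", "p12345"))
```

The HTTP client that consumes these URLs must also be configured not to follow redirects (a trusted hospital host that 302s to an internal address reopens the hole) and should re-check the resolved IP against private ranges at connection time, since DNS is under the remote party's control.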

Long term ongoing residual damages and risks:

After mitigating the initial vulnerability, several types of long term residual damages persist:

  • Data Breach: Residual risk involves potential data breaches if the attacker managed to exfiltrate sensitive patient information before the vulnerability was fixed.
  • Patient Privacy Violation: Patients whose medical records were accessed might experience privacy violations. Residual risk includes ongoing concerns about the exposure of their medical history.
  • Regulatory Non-Compliance: Medical data is heavily regulated by laws such as HIPAA. The incident might trigger regulatory investigations and potential fines, even after the vulnerability is resolved.
  • Medical Identity Theft: Patient data exposed during the attack might be used for medical identity theft. Residual risk involves ongoing unauthorized use of compromised patient information.
  • Healthcare Provider Relationships: If sensitive patient data from external hospitals was accessed, it could strain relationships between the telemedicine platform and the affected healthcare providers.
  • Credential Theft: If credentials were captured during the attack, residual risk includes their reuse in future attacks against other systems belonging to the telemedicine platform or the healthcare providers.
  • Legal Actions: Patients might take legal action against the telemedicine platform for compromising their medical data. This could lead to legal consequences even after the vulnerability is addressed.
  • Reputation Damage: News of a data breach and unauthorized access could tarnish the telemedicine platform’s reputation within the medical community and among patients.
  • Credential Rotation: The platform might need to rotate credentials for accessing external hospital systems to prevent unauthorized access. Residual risk involves the impact of rotating credentials on ongoing operations.

Let’s continue with a mobile banking application provided by a fintech company that heavily relies on an API to manage transactions, account balances, and user profiles. The API has functions for transferring funds between accounts and updating user information. A vulnerability in the authorization mechanism allowed an attacker to gain unauthorized access to the “transfer funds” function.

Inherent Risk:

An MSSP that monitors and manages the organization's security applied measures such as a WAF, anti-virus, an anti-malware management system, a VPN, and a SIEM to address the inherent risks. None of those controls inspect whether a given caller is allowed to invoke a given API function, so the residual risk of an API attack focused on Broken Function Level Authorization, denoted as API5:2023, was missed or underestimated.

Residual Risk:

The attackers sent well-formed, authenticated API calls to an endpoint they should not have had access to and initiated unauthorized fund transfers from several user accounts to their own, causing financial loss to the affected users. Because each request was syntactically legitimate, the WAF and SIEM had nothing obviously malicious to flag.

Mitigation:

Upon discovering the vulnerability, the fintech company’s development team promptly fixed the issue and implemented strong authorization controls for the “transfer funds” function. They also conducted a thorough security audit to ensure there were no other similar vulnerabilities.
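As an added example (not code from the original article or from any real fintech platform), the dispatcher below shows the broken state, where any valid session can call any function, beside a hardened one that enforces an explicit, deny-by-default function-level policy keyed on both method and path. The endpoint paths, roles and session tokens are constructed for illustration.

```python
"""Added example: Broken Function Level Authorization (API5:2023).

Paths, roles and the session store are constructed for this illustration;
they do not come from the article or from any real banking API.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Principal:
    user_id: str
    role: str  # "customer" or "ops" in this constructed example


# Constructed session store: bearer token -> authenticated principal.
SESSIONS = {
    "tok-alice": Principal("alice", "customer"),
    "tok-mallory": Principal("mallory", "customer"),
    "tok-ops-1": Principal("ops-1", "ops"),
}

# Every exposed function is listed with the roles allowed to call it.
# Keying on (method, path) means swapping GET for POST cannot change the
# answer, which is a common way function-level checks get bypassed.
FUNCTION_POLICY = {
    ("GET", "/api/v1/accounts/balance"): {"customer", "ops"},
    ("POST", "/api/v1/transfers"): {"customer", "ops"},  # own-account transfer
    ("POST", "/api/v1/internal/transfers"): {"ops"},  # bulk/ledger transfer
    ("GET", "/api/v1/internal/users"): {"ops"},
}


def authenticate(headers: dict) -> Optional[Principal]:
    """Map a bearer token to a principal; None if missing or unknown."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return SESSIONS.get(auth[len("Bearer "):])


def dispatch_vulnerable(method: str, path: str, headers: dict) -> int:
    """'Before': authentication is the only gate.

    A customer who discovers /internal/transfers is served exactly like an
    operator, because nothing asks *who* may call *which* function.
    Returns an HTTP status code.
    """
    if authenticate(headers) is None:
        return 401
    if (method, path) not in FUNCTION_POLICY:
        return 404
    return 200


def dispatch_hardened(method: str, path: str, headers: dict) -> int:
    """'After': authenticate, then check the function-level policy.

    Unknown (method, path) pairs and roles not on the allowlist are both
    refused with 403, so there is no default-allow path and no hint about
    which privileged functions exist. Returns an HTTP status code.
    """
    principal = authenticate(headers)
    if principal is None:
        return 401
    allowed_roles = FUNCTION_POLICY.get((method, path))
    if allowed_roles is None or principal.role not in allowed_roles:
        return 403
    return 200


if __name__ == "__main__":
    mallory = {"Authorization": "Bearer tok-mallory"}
    for name, fn in (("vulnerable", dispatch_vulnerable), ("hardened", dispatch_hardened)):
        status = fn("POST", "/api/v1/internal/transfers", mallory)
        print(f"{name:10} customer -> POST /api/v1/internal/transfers : {status}")
```

Function-level authorization answers "may this role call this function at all?"; it does not replace the object-level check that the account being debited actually belongs to the caller (that is API1:2023, Broken Object Level Authorization), and both have to be enforced server-side on every route, since the perimeter controls listed above see only well-formed, authenticated traffic.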

Long term ongoing residual damages and risks:

After mitigating the initial vulnerability, several types of long term residual damages persist:

  • Financial Reconciliation: The unauthorized fund transfers might have led to discrepancies in account balances. Even after the issue is fixed, reconciling account balances and reversing fraudulent transactions could be a time-consuming process.
  • Regulatory Compliance: Fintech companies are often subject to strict regulatory requirements. The incident might trigger regulatory scrutiny, audits, and potential fines even after the vulnerability is addressed.
  • Customer Confidence: Customers who experienced financial losses due to unauthorized transfers might question the platform’s security measures. Rebuilding customer confidence could take time.
  • Legal Actions: Affected customers might consider legal actions against the fintech company for the financial losses incurred due to the attack.
  • Long-Term Repercussions: The incident could negatively impact the fintech company’s reputation within the financial industry, affecting its ability to attract investors, partners, and customers in the future.
  • Continuous Monitoring: The attacker may have learned a great deal about the application's structure and weaknesses during the initial exploit, so follow-up attacks against other functions remain a risk. Monitoring has to continue after the fix, not stop with it.

The importance of robust API security can't be overstated. While organizations make commendable strides in applying measures to mitigate the inherent risks, it's crucial to remember that these are only the initial risks. Even after addressing them, residual risks persist, as we've seen in both examples. The OWASP 2023 list underscores these lurking risks and serves as a potent reminder that standard perimeter mitigations may not suffice. As the digital world advances, organizations must remain vigilant and continuously adapt their security measures to combat evolving threats.