As most of the Apps and software development companies are moving to APIs the risk of data breach has increased manifold. This is due to the fact APIs serve the gateways to the application and sensitive customer data it holds. The benefits that APIs provide also becomes a threat due to the data these APIs carry making them vulnerable and invite the attackers.
Recently, McDonalds’ App in India exposed an unprotected, publicly accessible API endpoint leaking every detail from phone numbers to home addresses of their customers. To note, this app called McDelivery by McDonalds, is a home-delivery app that allows Indian consumers to order their food, pay online, and track their orders. This vulnerability in McDonalds app is the latest but not the lone in long list of data breaches to numerous companies.
Moreover, API breaches are on rampage and have affected many startups and the small things such as the likes of Facebook, Twitter, Buffer, and Snapchat. It’s evident that these breaches are now substantially affecting established and robust web applications.
To raise a flag for the data breach, Open Web Application Security Project (OWASP) has recently revised their list of top 10 vulnerabilities. They have introduced a substantial entry - Under-protected APIs.
Quoting OWASP for their inclusion of API
As soon as APIs were officially introduced in OWASP top 10 vulnerabilities, OWASP security experts were quick enough to state 9 major reasons that can make an API vulnerable. In future, the list can get more exhaustive or some reasons can be changed. The current list looks like:
We must work with a handy list of some countermeasures that a developer can consider to allay vulnerabilities in APIs. In most case and attackers can easily control the complete application system once they are inside it. Therefore APIs must-have security priority. In the current industry standards, REST, SOAP, and other APIs (through which user normally reach the back-end data) are weak when it comes to access control and monitoring.
As we all know that APIs are more widespread in the web applications than these have ever been. Paradoxically, securing these is often ignored or kept at the back burner. This recognition of APIs in OWASP as a unique ingredient testifies the need of a more secured web services environment in this change world of web applications.