CISA, partners issue cybersecurity guidance on web application access control abuse
In July, the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC), the US Cybersecurity and Infrastructure Security Agency (CISA), and the US National Security Agency (NSA) issued a joint cybersecurity advisory to warn vendors, designers, and developers of web applications and organizations using web applications about insecure direct object reference (IDOR) vulnerabilities.
IDOR vulnerabilities are access control flaws that let a malicious actor read, modify, or delete data they are not entitled to by sending a request to a website or web API that names the identifier of another valid user's object (for example, by changing an account or record number in a URL or request body). The request succeeds because the application authenticates the caller but fails to perform an adequate authorization check on the specific object requested. IDOR attacks are one of the most common and costly forms of API breaches.
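The failure the advisory describes, and the fix, shown as an added example that is not from the advisory or from any product named on this page. It models a minimal in-memory invoice API: the vulnerable handler checks only that the caller is logged in, the hardened handler also checks that the requested object belongs to the caller, and a small enumeration routine performs the test a reviewer (or an attacker) would run across a range of identifiers. All names, identifiers and data are constructed for the example. The same missing object-level check is the first entry in the OWASP list below.

```python
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int
    total_cents: int


# Constructed sample data standing in for a database table: two users,
# each owning one invoice. Sequential IDs are what make enumeration easy.
INVOICES = {
    1001: Invoice(invoice_id=1001, owner_id=1, total_cents=4_999),
    1002: Invoice(invoice_id=1002, owner_id=2, total_cents=120_000),
}


class Unauthenticated(Exception):
    """No valid session (would be an HTTP 401)."""


class NotFound(Exception):
    """Object not visible to this caller (would be an HTTP 404)."""


Handler = Callable[[Optional[int], int], Invoice]


def get_invoice_vulnerable(session_user_id: Optional[int], invoice_id: int) -> Invoice:
    """GET /invoices/{id} with authentication only.

    The caller must be logged in, but the handler never asks whether the
    invoice belongs to the caller, so user 1 can read invoice 1002 simply
    by changing the identifier in the request. This is the IDOR pattern.
    """
    if session_user_id is None:
        raise Unauthenticated()
    if invoice_id not in INVOICES:
        raise NotFound(invoice_id)
    return INVOICES[invoice_id]


def get_invoice_hardened(session_user_id: Optional[int], invoice_id: int) -> Invoice:
    """Same endpoint with an object-level authorization check.

    The lookup is scoped to the session user (in SQL terms:
    WHERE id = ? AND owner_id = ?). "Exists but not yours" and "does not
    exist" both yield 404 so probing cannot confirm which IDs are live.
    """
    if session_user_id is None:
        raise Unauthenticated()
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice.owner_id != session_user_id:
        raise NotFound(invoice_id)
    return invoice


def probe(session_user_id: Optional[int], handler: Handler, invoice_id: int) -> str:
    """Issue one request and summarise the outcome as an HTTP-style status."""
    try:
        handler(session_user_id, invoice_id)
        return "200"
    except Unauthenticated:
        return "401"
    except NotFound:
        return "404"


def foreign_objects_exposed(session_user_id: int, handler: Handler,
                            candidate_ids: Iterable[int]) -> List[int]:
    """Walk a range of identifiers as one user and report every object the
    handler returned that this user does not own. A non-empty result means
    the handler lacks an object-level authorization check.
    """
    exposed = []
    for invoice_id in candidate_ids:
        try:
            invoice = handler(session_user_id, invoice_id)
        except (Unauthenticated, NotFound):
            continue
        if invoice.owner_id != session_user_id:
            exposed.append(invoice_id)
    return exposed


if __name__ == "__main__":
    ids = range(1000, 1010)
    print("vulnerable handler leaks:", foreign_objects_exposed(1, get_invoice_vulnerable, ids))
    print("hardened handler leaks:  ", foreign_objects_exposed(1, get_invoice_hardened, ids))
```

Scoping the lookup to the caller (rather than fetching the object and then comparing owners in application code) is the more robust form, because it cannot be skipped by a later refactor that forgets the comparison; switching to unpredictable identifiers reduces the ease of enumeration but is not a substitute for the authorization check.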
OWASP updates top 10 API security risks list
In July, the Open Worldwide Application Security Project (OWASP) published the API Security Top 10 2023 list, detailing the 10 biggest API security risks posed to organizations. The list, part of OWASP’s API Security Project, had not been updated since its launch in 2019. “Since then, the API security industry has flourished and become more mature,” OWASP wrote.
The primary goal of the OWASP API Security Top 10 is to educate those involved in API development and maintenance, for example, developers, designers, architects, managers, or organizations. The latest API security list is:
- Broken object-level authorization
- Broken authentication
- Broken object property level authorization
- Unrestricted resource consumption
- Broken function level authorization
- Unrestricted access to sensitive business flows
- Server-side request forgery
- Security misconfiguration
- Improper inventory management
- Unsafe consumption of APIs
Salt Security launches STEP program to strengthen API security ecosystem
In August, Salt Security launched the Salt Technical Ecosystem Partner (STEP) program, an initiative aimed at integrating solutions across the API ecosystem and enabling organizations to strengthen their API security postures. The program is designed to move businesses to a risk-based approach for API testing, help focus scanning efforts on priority APIs, and reduce friction for DevOps and DevSecOps teams.
Partners include dynamic application security testing (DAST) firms Bright Security, Invicti Security, and StackHawk, and interactive application security testing (IAST) company Contrast Security.
“To deliver a strong AppSec program, developers need access to best-of-breed technologies that simplify finding and fixing vulnerabilities before deploying code to production,” said Joni Klippert, CEO of StackHawk. Given the explosive growth of API development, she added, teams must prioritize and automate security testing for their APIs and do so in a way that integrates seamlessly with developer workflows.