It has been reported that a severe vulnerability in Kubernetes, the popular, open-source software for managing Linux applications deployed within containers, could allow an attacker to remotely steal data or crash production applications.
Andrew van der Stock, Senior Principal Consultant at Synopsys:
“APIs make the friction of doing business much less. We expect to see continued explosive growth of APIs – modern responsive apps, mobile apps and B2B use cases are tremendously popular. However, whilst there are new risks to APIs not covered by previous applications, application security is near universal and still is incredibly relevant going into 2019. Securing APIs should be the focus of every organisation that uses them.
APIs can be difficult to test by traditional security testing tools and approaches, and to a certain extent, the security industry has not kept up, primarily because most are not developers themselves. As a whole, the security industry needs to shift left, adopt the same tooling as developers, and write unit and integration tests that fully exercise APIs, particularly those that have the potential to alter the state of an application or extract bulk personal information.
Organisations publishing APIs for public consumption should carefully select design and technical controls to protect against known threats, including anti-automation, and far better monitoring to detect breaches. APIs are designed to be called after all, and when they function without errors, monitoring cannot just be of failed attempts, but also include threshold breaches around extensive and sustained access to sensitive records or changes to configuration.
API developers and security personnel are always on the lookout for detailed guidance. I recommend the upcoming OWASP Application Security Verification Standard 4.0, OWASP Serverless Top 10, API cheat sheets, and other API specific projects. Traditional security advice assumes old fashioned, on-premise B2C three tier web applications, which is rarely the case for APIs. If folks are struggling to get going, the OWASP Top 10 2017 includes API security, but it should be considered the very bare minimum, rather than a destination.
Breaches such as these can be deterred and detected by well configured API gateways, but they are not a set and forget security defense or a mythical silver bullet, they have to be carefully and continuously monitored, as well as be a fundamental part of the incident response process. API monitoring is the entire point of OWASP Top 10 A10:2017 – Insufficient monitoring and logging.”
