BOPLA is an acronym for Broken Object Property Level Authorization. BOLA concerns access to a whole object (can this caller read or modify record 42 at all?), while BOPLA concerns the individual properties of an object the caller is allowed to reach: the API returning fields the caller should not see, or accepting writes to fields the caller should not be able to change (the 2019 list called these Excessive Data Exposure and Mass Assignment). A control that checks object ownership does not by itself cover property-level exposure or mass assignment, so it is important to choose security products and code review practices that address both.
API protection involves a set of processes, practices, and technologies that defend application programming interfaces (APIs) from attacks and abuse by malicious actors. API protection is an essential part of a modern cybersecurity program and a top priority for security teams.
What is an API?
An application programming interface, or API, is a set of protocols and definitions that enable different software programs and components to communicate with one another and share data and functionality. APIs also govern how applications are permitted to interact, and they control how requests are made and the types of requests that may be exchanged between programs.
APIs are critical to the cloud services, microservices, serverless architectures, and the Internet of Things (IoT) on which many IT environments depend. Because they expose application logic and resources directly, and often carry sensitive information, APIs are an attractive target for attackers. An unsecured API may allow malicious actors to reach IT assets that are otherwise well protected. Consequently, API protection is critical to maintaining the security of networks and applications, and to preventing data exposure and other security issues.
What are API security risks?
The most common risks to API security fall into several categories.
- Vulnerability exploits. This type of API attack allows malicious actors to gain unauthorized access to the API, or to the systems behind it, because of a flaw in the way it is designed or implemented.
- Authorization errors. When authorization is not carefully managed, clients interacting with an API may have access to data that should not be available, raising the risk of a data breach.
- Authentication issues. When user authentication processes are compromised, APIs may accept requests from illegitimate or malicious sources.
- Distributed denial-of-service attacks. By overwhelming APIs with too many requests, DoS or DDoS attacks may cause APIs to become unresponsive or to crash.
What is the OWASP API Security Top 10?
The Open Worldwide Application Security Project (OWASP) is a nonprofit organization dedicated to improving software security. Alongside its better-known Top 10 for web applications, OWASP maintains a separate API Security Top 10; the current edition was published in 2023 (the previous one in 2019). The 2023 OWASP API Security Top 10 list includes these security threats:
- Broken Object Level Authorization (BOLA): APIs tend to expose endpoints that handle object identifiers, creating a wide attack surface of object-level access control issues. Every function that reaches a data source using an identifier supplied by the client needs an authorization check.
- Broken Authentication: When authentication mechanisms are implemented incorrectly, attackers may be able to compromise authentication tokens or exploit implementation flaws.
- Broken Object Property Level Authorization (BOPLA): Improper authorization validation at the object property level may lead to information being exposed or manipulated by attackers.
- Unrestricted Resource Consumption: Because satisfying API requests consumes specific resources in CPU, memory, storage, and network bandwidth, unrestricted use of APIs can lead to denial of service or increased costs.
- Broken Function Level Authorization: Complex access control policies with different hierarchies, groups, and roles, and an unclear separation between administrative and regular functions, tend to lead to authorization flaws that let an attacker call functions intended for other users or for administrators.
- Unrestricted Access to Sensitive Business Flows: When business flows are exposed to the public, they may be used excessively in an automated manner to disrupt processes.
- Server Side Request Forgery: When an API fetches a remote resource without validating the user-supplied URL, attackers may force the application to send a crafted request to an unexpected destination.
- Security Misconfiguration: APIs are often misconfigured by software and DevOps engineers, leaving the door open for a variety of attacks.
- Improper Inventory Management: When inventory and documentation is not properly updated, issues such as deprecated API versions and exposed debug endpoints may arise.
- Unsafe Consumption of APIs: Because they tend to trust data received from third-party APIs more than user input, developers may adopt weaker security standards for certain APIs.
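The first and third entries are the easiest to misjudge in code review, because a vulnerable handler and a correct one look almost identical. The following is an added example, not code from the page or from OWASP: two handlers for a users resource written first with BOLA and BOPLA defects, then hardened with an object-level ownership check plus property allowlists for both reads and writes. It is plain Python with no web framework; the user table, the handler names and the status codes are constructed for the demonstration.

```python
# Added example (not code from the page): the same two endpoints written first with
# BOLA and BOPLA defects, then hardened. Plain Python, no web framework; the user
# table, handler names and status codes are constructed for the demonstration.
from copy import deepcopy
from dataclasses import dataclass


@dataclass
class User:
    id: int
    email: str
    role: str
    password_hash: str


@dataclass
class Response:
    status: int
    body: dict


def fresh_db() -> dict:
    """Constructed sample store, copied so each run starts clean."""
    return deepcopy({
        1: User(1, "alice@example.com", "user", "$argon2id$fake-alice"),
        2: User(2, "bob@example.com", "user", "$argon2id$fake-bob"),
        3: User(3, "root@example.com", "admin", "$argon2id$fake-root"),
    })


# --- Vulnerable handlers -------------------------------------------------------
def get_user_vulnerable(db, caller_id, target_id):
    """GET /users/{id}: BOLA (caller_id is never consulted, so any caller may read any id)
    and BOPLA (the whole object, password_hash included, is serialised)."""
    user = db.get(target_id)
    if user is None:
        return Response(404, {"error": "not found"})
    return Response(200, vars(user))


def patch_user_vulnerable(db, caller_id, target_id, body):
    """PATCH /users/{id}: BOLA as above, plus mass assignment: every property in the
    request body is written, so a caller can set role="admin" on their own record."""
    user = db.get(target_id)
    if user is None:
        return Response(404, {"error": "not found"})
    for prop, value in body.items():
        setattr(user, prop, value)
    return Response(200, vars(user))


# --- Hardened handlers ---------------------------------------------------------
READABLE = ("id", "email", "role")   # allowlist of properties the API may return
WRITABLE = ("email",)                # allowlist of properties a client may change


def can_access(db, caller_id, target_id) -> bool:
    """Object-level check: the owner of the record or an admin."""
    caller = db.get(caller_id)
    return caller is not None and (caller.id == target_id or caller.role == "admin")


def get_user_hardened(db, caller_id, target_id):
    user = db.get(target_id)
    # 404 for both "missing" and "not yours": a 403 would confirm that the id exists
    if user is None or not can_access(db, caller_id, target_id):
        return Response(404, {"error": "not found"})
    return Response(200, {prop: getattr(user, prop) for prop in READABLE})


def patch_user_hardened(db, caller_id, target_id, body):
    user = db.get(target_id)
    if user is None or not can_access(db, caller_id, target_id):
        return Response(404, {"error": "not found"})
    rejected = sorted(set(body) - set(WRITABLE))
    if rejected:   # reject, rather than silently drop, unknown or read-only properties
        return Response(400, {"error": "read-only or unknown properties", "properties": rejected})
    for prop in WRITABLE:
        if prop in body:
            setattr(user, prop, body[prop])
    return Response(200, {prop: getattr(user, prop) for prop in READABLE})
```

Two design choices are worth noting. The hardened read answers 404 for a record the caller is not allowed to see, so an attacker iterating identifiers cannot distinguish "does not exist" from "exists but is not yours". The hardened write rejects a body containing non-writable properties with a 400 instead of silently ignoring them, which makes probing for mass assignment visible in logs rather than quietly absorbed.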
How is API security different from application security?
While API protection includes many of the same security principles as web application security, defending APIs from attack involves several unique challenges. The sheer number of APIs in modern application systems makes identifying API vulnerabilities and keeping protections current more difficult for security teams. Because APIs are designed to be called by third-party applications or services, they are often exposed to a broader range of potential threats than traditional web apps. Their flexibility, such as accepting many optional parameters and returning structured data, also widens the attack surface. And because APIs frequently rely on bearer tokens or other credentials rather than an interactive session to control access, they are exposed to attacks based on stolen or compromised tokens.
What is API gateway security?
An API gateway is a layer of software that serves as a single entry point for client requests, forwarding them to API endpoints and returning the responses. API gateway security solutions can apply rate limiting and throttling to ensure APIs are not abused. Gateways may protect APIs by authenticating credentials, validating tokens to verify identities, and routing only authorized calls to the appropriate back-end services. While a gateway is an important part of API protection, API gateway security on its own is not enough to ensure adequate defense of APIs. Gateways provide visibility and control only over the traffic that passes through them, so they may not identify misconfigured APIs, shadow APIs that bypass the gateway, or activity by malicious bots that present valid credentials.
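The token-validation step a gateway performs is a good place to see what "validating tokens to verify identities" actually involves, since several of the classic failures (trusting the token's own algorithm header, skipping the audience check, comparing signatures with ordinary string equality) are omissions rather than bugs. The block below is an added example, not the page's code and not any particular gateway product's logic. It uses only the Python standard library; the signing key, issuer, audience, subject and scope names are constructed. HS256 keeps the example self-contained, whereas a real gateway would normally verify an asymmetric signature against the issuer's published keys.

```python
# Added example (not code from the page): the token-validation filter a gateway runs
# before routing a call. Standard library only; SECRET, ISSUER, AUDIENCE and the
# scope names are constructed for the demonstration.
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-key-not-for-production"
ISSUER = "https://auth.example.com"
AUDIENCE = "orders-api"


class TokenError(Exception):
    pass


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes = SECRET, alg: str = "HS256") -> str:
    """Stand-in for the authorization server, so the example can issue test tokens."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def validate_token(token: str, required_scope: str, now: float, key: bytes = SECRET) -> dict:
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed")
    header = json.loads(b64url_decode(parts[0]))
    # Pin the algorithm: never let the token's own header choose it (alg=none, key confusion)
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):   # constant-time compare
        raise TokenError("bad signature")
    claims = json.loads(b64url_decode(parts[1]))   # trust the claims only after the signature checks out
    if claims.get("iss") != ISSUER:
        raise TokenError("wrong issuer")
    if claims.get("aud") != AUDIENCE:              # a token minted for another API must not work here
        raise TokenError("wrong audience")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise TokenError("expired")
    if required_scope not in claims.get("scope", "").split():
        raise TokenError("insufficient_scope")
    return claims


def gateway_authorize(authorization_header, required_scope: str, now: float = None):
    """Return (status, detail) the way a gateway filter would before routing the request."""
    now = time.time() if now is None else now
    if not authorization_header or not authorization_header.startswith("Bearer "):
        return 401, "missing bearer token"
    try:
        claims = validate_token(authorization_header[len("Bearer "):], required_scope, now)
    except TokenError as err:
        # authenticated but not permitted -> 403; anything wrong with the token itself -> 401
        return (403 if str(err) == "insufficient_scope" else 401), str(err)
    return 200, claims["sub"]
```

The order of checks matters: the signature is verified before any claim is read, so an attacker cannot steer the validator with forged claims, and the scope check comes last so that a 403 is only ever returned for a token that is otherwise fully valid.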
What are API security best practices?
The following controls, protocols, and security solutions can help to improve API protection.
- Discover and track all APIs. When security teams are unaware of APIs, they are unable to spot vulnerabilities, update security patches, or ensure adequate API protection.
- Identify vulnerabilities. Security testing tools can help identify vulnerabilities that exist within each API. Once vulnerabilities are identified, they may be prioritized for remediation, mitigation, and correct configuration based on risk tolerance.
- Establish blanket API security policies. Instead of adopting unique policies for each API, API management and security teams should set policies for all APIs or for specific classes of APIs, avoiding the need to code policy directly into individual APIs.
- Implement authentication and authorization. Authenticating and authorizing users and applications is essential to protecting APIs from abuse.
- Implement rate limiting and throttling. These techniques determine how often APIs may be called and prevent malicious spikes in requests that could result in denial of service.
- Encrypt data. Data encryption is essential for protecting sensitive data that is communicated over APIs.
- Configure a web application firewall (WAF). A WAF in front of the API adds a layer of protection against malicious API traffic arriving from outside the network, filtering known attack patterns before they reach the application.
- Implement an API gateway. A superior gateway can provide a variety of protections and help to analyze how APIs are accessed.
- Deploy OAuth. OAuth 2.0 is an authorization framework (and one of the security scheme types an OpenAPI description can declare) that protects APIs by letting users delegate scoped access to their resources to a client application without sharing their original credentials.
- Use behavioral analytics. An effective API detection and response solution can use behavioral analytics to record all API behavior and identify unusual behavior that security teams can respond to.
- Protect B2B APIs. While most API protections focus on B2C APIs, sometimes the most sensitive data is shared with B2B APIs that are assumed secure. A behavioral analytics solution can monitor B2B APIs and alert on suspicious activity.
- Leverage a data lake. All API activity should be stored in a data lake for at least 30 days, which will provide context for any alerts or potential threats. Additionally, teams can derive findings from this data lake to strengthen their security posture.
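Of the practices above, rate limiting and throttling are the ones most often implemented in-house, and the usual mistake is a fixed-window counter that lets a client send two full windows' worth of requests back to back. The block below is an added example, not the page's code and not any vendor's implementation: a per-client token-bucket limiter that allows a short burst, refills at a steady rate, and reports a Retry-After value when it rejects a call. The clock is injected so the behaviour is deterministic; the request shape, client keys, rate and burst size are constructed.

```python
# Added example (not code from the page): per-client token-bucket throttling of the
# kind a gateway applies. Clock is passed in for determinism; the request dicts,
# client keys, rate and burst values are constructed for the demonstration.
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Bucket:
    tokens: float   # requests currently available to this client
    updated: float  # timestamp of the last refill


class TokenBucketLimiter:
    def __init__(self, rate_per_sec: float, burst: int):
        self.rate = rate_per_sec   # steady-state allowance
        self.burst = burst         # maximum number of requests allowed back to back
        self.buckets: Dict[str, Bucket] = {}

    def allow(self, client_key: str, now: float) -> Tuple[bool, float]:
        """Return (allowed, retry_after_seconds) for one request from client_key at time now."""
        bucket = self.buckets.get(client_key)
        if bucket is None:   # a new client starts with a full bucket
            bucket = Bucket(tokens=float(self.burst), updated=now)
            self.buckets[client_key] = bucket
        # refill in proportion to elapsed time, capped at the burst size
        elapsed = max(0.0, now - bucket.updated)
        bucket.tokens = min(float(self.burst), bucket.tokens + elapsed * self.rate)
        bucket.updated = now
        if bucket.tokens >= 1.0:
            bucket.tokens -= 1.0
            return True, 0.0
        # not enough budget: tell the client how long until one token has accrued
        return False, (1.0 - bucket.tokens) / self.rate


def client_key_for(request: dict) -> str:
    """Throttle by authenticated subject when there is one, otherwise by source address,
    so one credential cannot spread a burst across many IPs (constructed request shape)."""
    if request.get("sub"):
        return "sub:" + request["sub"]
    return "ip:" + request["ip"]


def simulate(limiter: TokenBucketLimiter, requests: List[dict]) -> List[int]:
    """Feed a constructed sequence of requests through the limiter and return HTTP statuses."""
    statuses = []
    for req in requests:
        allowed, _retry_after = limiter.allow(client_key_for(req), req["t"])
        statuses.append(200 if allowed else 429)
    return statuses
```

With a rate of 2 requests per second and a burst of 5, a client that fires seven requests at once gets five accepted and two rejected; one second later it has earned two more. Keying on the authenticated subject rather than only the source address is what stops a single stolen credential from being used at full speed from a botnet.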
Frequently Asked Questions (FAQ)
What is OpenAPI security?
OpenAPI is a specification for describing APIs that defines a standard, language-agnostic interface to document an API and its capabilities in ways that both humans and computers can understand, without needing access to source code or separate documentation. An OpenAPI description can also declare the API's security schemes (API keys, HTTP authentication such as bearer tokens, OAuth 2.0 flows and their scopes, and OpenID Connect) and state which scheme and scopes each operation requires. OpenAPI security, more broadly, involves the practices around authentication, authorization, encryption, and other measures that protect the integrity, availability, and confidentiality of the API the document describes.
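The following is an added example of how that declaration looks in an OpenAPI 3 document; it is constructed for this page and does not describe any real API. The authorization server URLs, scope names and paths are assumptions. It shows a document-wide default requirement, a stricter operation-level requirement, and the explicit `security: []` opt-out that marks an endpoint as public, which reviewers should treat as a flag rather than a default.

```yaml
# Added example (constructed, not a real API description): security schemes in OpenAPI 3.
openapi: 3.0.3
info:
  title: Orders API (constructed example)
  version: "1.0"
components:
  securitySchemes:
    oauth2:
      type: oauth2
      flows:
        authorizationCode:
          authorizationUrl: https://auth.example.com/authorize   # assumed
          tokenUrl: https://auth.example.com/token               # assumed
          scopes:
            orders:read: Read the caller's own orders
            orders:write: Create or modify the caller's own orders
security:                          # document-wide default: every operation needs orders:read
  - oauth2: [orders:read]
paths:
  /orders/{orderId}:
    parameters:
      - name: orderId
        in: path
        required: true
        schema:
          type: string
    get:
      responses:
        "200":
          description: The order, if it belongs to the caller
    patch:
      security:                    # operation-level override: writes need the broader scope
        - oauth2: [orders:write]
      responses:
        "200":
          description: Updated order
  /health:
    get:
      security: []                 # explicit opt-out; only acceptable for a genuinely public endpoint
      responses:
        "200":
          description: Liveness check
```

A declared scope is only a statement of intent: the gateway or the handler still has to verify that the presented token carries it, and declaring scopes does nothing for object-level checks such as confirming that the order belongs to the caller.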
What is BOLA?
BOLA stands for Broken Object Level Authorization. It is considered the top threat to API protection because it is widespread, easy to exploit, and hard for generic scanners or WAFs to detect: a malicious request is identical to a legitimate one except for the object identifier it carries. This vulnerability enables an attacker to manipulate input such as URL path segments, query parameters, or request payloads to access other users' data or perform actions on objects they do not own.
Why customers choose Akamai
Akamai is the cybersecurity and cloud computing company that powers and protects business online. Our market-leading security solutions, superior threat intelligence, and global operations team provide defense in depth to safeguard enterprise data and applications everywhere. Akamai’s full-stack cloud computing solutions deliver performance and affordability on the world’s most distributed platform. Global enterprises trust Akamai to provide the industry-leading reliability, scale, and expertise they need to grow their business with confidence.