WANAN YOSSINGKUM/istock via Gett

Tip

How to conduct an API risk assessment and improve security

APIs are essential, but hackers find them attractive targets. A comprehensive API risk assessment strategy helps you identify potential vulnerabilities.

APIs are essential tools for connecting different applications to each other. They are an integral part of application management and, to that extent, rely on network resources to connect apps.

Yet, absent proper security measures, APIs can easily become gateways for hackers to introduce malicious code, enabling potentially catastrophic attacks

Why an API risk assessment is necessary

A regular risk assessment is the best way to reduce the chance a potentially crippling API attack might occur.

APIs face a wide variety of risks and vulnerabilities. To that end, a comprehensive assessment addresses all the elements associated with an API -- among them code, configurations, policies, security measures and network connectivity.

Without regular assessments, API security may be compromised or totally bypassed by savvy hackers. Fortunately, enterprises can take advantage of readily available software and systems to help them analyze API risks.

API risks, threats and vulnerabilities

One of the first steps in an API risk assessment is to identify the risks. OWASP has developed, and regularly updates, a list of API vulnerabilities. The list, known as the OWASP Top 10 API Security Risks, includes the following:

  1. Broken object level authorization.
  2. Broken authentication.
  3. Broken object property level authorization.
  4. Unrestricted resource consumption.
  5. Broken function level authorization.
  6. Unrestricted access to sensitive business flows.
  7. Server side request forgery.
  8. Security misconfiguration.
  9. Improper inventory management.
  10. Unsafe consumption of APIs.

An API risk assessment should, at a minimum, examine each of these potential weaknesses. The key is to determine which API or specific aspect -- e.g., security -- is being analyzed. Then, a list of risks, threats and vulnerabilities can be identified for the analysis.

Without regular assessments, API security may be compromised or totally bypassed by savvy hackers.

Preparing for an API risk assessment

As with any risk assessment, preparation is often the key to obtaining useful results. Here are some steps to take when preparing for and conducting an API risk assessment:

  1. Identify the business purpose and scope of the API risk assessment.
  2. Review the proposed assessment with senior management and IT leadership to secure approval and support.
  3. Prepare a project plan for the risk assessment, identifying the information the assessment plans to obtain and how and why it will be used -- e.g., to reduce security risks.
  4. Establish a project team.
  5. Identify and review relevant documentation, such as API log data, with a particular focus on security performance.
  6. Identify sensitive data and systems the API can access.
  7. Identify authentication and authorization mechanisms.
  8. Identify common API vulnerabilities -- e.g., the OWASP Top 10.
  9. Establish a testing process to review how the API handles security.
  10. Consider using a risk assessment tool to conduct the assessment and prepare the reports.

Conducting the API risk assessment

Once preparations have been made, gather all available and relevant API data. Look for situations that could affect API security, such as those involving OWASP Top 10 vulnerabilities.

Compute risk metrics, such as a potential security failure's likelihood of occurrence, level of impact on the organization and, optionally, the impact to financial and operational security.

The following is a list of possible API risk assessment questions:

  • What external risks and threats affecting the API can be identified that could disrupt company operations?
  • What vulnerabilities -- for example, the OWASP Top 10 -- could external threat actors exploit?
  • What internal risks and threats could disrupt API performance and affect company operations?
  • What vulnerabilities could internal threat actors exploit?
  • Within IT, who is responsible for managing API risk?
  • How does the organization currently manage API risks, threats and vulnerabilities?
  • In the past six months, what API security events have occurred that affected the organization?
  • What happened to the organization and its ability to operate during and after recent API security events?
  • How did the organization respond to recent API security events?
  • What were the outcomes of the company's responses to recent API security events?

The following are some general risk assessment questions:

  • How much of a role does risk management play in the organization?
  • What formal process does the organization have to identify risks?
  • What formal process does the organization have to analyze risks?
  • What formal process does the organization have to evaluate risks?
  • What formal process does the organization have to treat risks?
  • What formal process does the organization have to mitigate risks?
  • How often are risk assessments performed?
  • When are risk assessments typically performed, e.g., new system or change in the business?

Sample API risk assessment methodology

Software and systems aimed at facilitating risk assessments are worth considering, especially for their analytical and report writing capabilities.

Less sophisticated approaches may also be used to provide a "guesstimate" risk analysis. They may use simple mathematical or graphical values in ranges, such as the following:

  • 1 is the lowest risk, and 5 is the highest risk.
  • Red is the highest risk, yellow is a moderate risk and green is the least risk.
  • 0.00 is the lowest risk, and 1.00 is the highest risk.

The table here, for example, shows a hypothetical risk assessment using a range of 0.0 to 1.0, with 0.0 representing the lowest risk and 1.0 representing the highest risk. These estimates would be based on a review of API data and interviews with IT security management.

The highest calculated values in Column D indicate the highest-risk issues, which the organization should address first. In this example, high-priority API risk events include API security breaches and loss of critical data stemming from such a breach.

Risk event A. Likelihood of occurrence B. Level of security C. Severity of damage to operations D. Calculated value (A x B x C)
API security breach 0.5 0.9 0.8 0.36
Loss of critical data through an API breach 0.5 0.9 0.8 0.36
Security misconfiguration 0.4 0.6 0.7 0.17
Failure of access authentication 0.3 0.8 0.8 0.19
API code design failure 0.2 0.7 0.7 0.10

Risk management systems

A variety of risk assessment tools -- cloud-based, web-based and on premises -- are available. These include the following:

  • LogicGate Risk Cloud.
  • Resolver Enterprise Risk Management (ERM).
  • Fusion Framework System.
  • HighBond Diligent One Platform.
  • StandardFusion Governance, Risk and Compliance (GRC).
  • Aperitisoft ERM Information System.
  • Continuum GRC.
  • Tracker Networks' Essential ERM.

Standards for risk management

A number of organizations, including ASIS International, ISO and NIST, publish guides that can help companies demonstrate compliance with standards when performing risk assessments.

Paul Kirvan is an independent consultant, IT auditor, technical writer, editor and educator. He has more than 25 years of experience in business continuity, disaster recovery, security, enterprise risk management, telecom and IT auditing.

Next Steps

API security testing tools to mitigate risk

Dig Deeper on Application and platform security