August 19, 2022

Last Updated on January 18, 2024

Back in the good old days (think back to, like, 2019) when web applications had a 3-tier client-server-database architecture, application security testing centered around trusted frameworks like the OWASP Top 10 or OWASP Application Security Verification Standard (OWASP ASVS).

But are those security approaches still valid in today’s new API-centric world, where apps consist of code calling code all over the internet with no real trusted client in the mix? Or does the new architecture bring new attack vectors? And what does all this mean for your software development lifecycle (SDLC) and application security program?

To talk about the new API-centric development approaches, how they’ve changed the SDLC and what they mean for application security, a recent episode of The Virtual CISO Podcast features Rob Dickinson, CTO at Resurface Labs. Hosting the podcast as always is John Verry, Pivot Point Security CISO and Managing Partner.

More attacks than ever

If you were hoping the demise of the trusted client would mean a smaller attack surface, no such luck.

“I would say that APIs inherit the same security issues that have plagued web-based systems forever, and then add some more on top of that,” Rob laments.

APIs are generally implemented atop web-based microservices. These microservices are effectively little web servers that run our API-centric apps. All the traditional attack vectors for web apps can likewise target those microservice containers, such as code injections, protocol manipulations, and so on.

Layered on top of those threats are API-level attacks, many of which impersonate users, like user rights escalations at the app level.

“Take GraphQL as an extreme example,” says Rob. “I can pass in a GraphQL query that itself is so intensive to process that it takes down the endpoint. You can also typically attack a GraphQL API through method injection, broken authentication… All those kinds of things still apply just like they always do with web applications.”

Extending the SDLC into production

How does API-centric application security impact the SDLC?

“I think part of this is acknowledging that the SDLC extends into production,” asserts Rob. “The SDLC doesn’t just stop when things get pushed into production. You actually need better feedback loops to say, ‘This is what’s actually happening in production. Let’s feed this back into the design process.’”

“When you think about it, one of the things that scares me a little about this API landscape is we’ve taken a step back in visibility,” Rob shares. “If you’re web-centric and web-first, anybody in your company can go to your website and see what’s going on with it. When you go to APIs, now the development organization owns that, so there’s more gatekeeping around it. But it’s fundamentally harder to just understand what’s there, right? Even that presents a problem. What you see a lot is cases where those APIs work on the developer’s machines, they work in these sanitized test environments, QA environments, staging environments… Then they get out into production and it’s a very, very different picture.”

Expanding the attack surface

John likens web-centric app dev to a gated community, where a limited number of people had the ability to login to the app frontend. This meant less exposure. Whereas APIs are designed to be called in diverse ways, from mobile apps to web apps to direct calls. So, the functional code that formerly was shielded by the trusted client concept is now exposed to attack, like a subdivision you can drive straight into.

“It’s always been core security dogma to reduce your attack surface as much as humanly possible,” states Rob. “But let’s face it—the move to microservices and APIs is completely counter to that idea. It’s exactly the opposite of that. It’s saying, ‘We’re going to open this up to anybody that wants to use it, without prequalification.’ And that sounds scary. It really is.”

What’s next?

To listen to the podcast with Rob Dickinson in its entirety, click here.

Still using the OWASP Top 10? Is it enough? This podcast examines that question: EP#15 – Andrew van der Stock – The OWASP Top Ten is Great, but is it Enough?

Free OWASP ASVS Testing Guide

If you are just learning about OWASP’s testing standard or are considering the best way to prove the security of an application, this guide is meant for you!