Partner POV | Akamai Defends Against the OWASP Top 10 API Security Risks
In this article
This was written by Abigail Owed at Akamai.
Application programming interfaces (APIs) have become the standard for building and connecting modern applications, especially with the increasing move to microservices-based architectures.
When organizations have more APIs, however, they can experience API sprawl, which means that the location of their APIs (and what those APIs are doing) get more difficult to track. This can lead to the proliferation of vulnerable APIs, or even API abuse, which can ultimately expose sensitive data and harm an organization's reputation.
When a potential attack surface grows, that area can seem more difficult to protect. The challenge to see all of the APIs in your environment can seem impossible.
Ideally, APIs would be built so effectively and securely that there would be no need to monitor them. However, with the pressure to innovate faster, and because many organizations rely on other businesses' APIs (which may not be well-protected), it's critical to know which vulnerabilities to look for and to continuously monitor your API activity in case those vulnerabilities are exploited.
This is why Akamai offers what you need to protect your organization from the most common API security risks identified by the Open Worldwide Application Security Project (OWASP). With the recent announcement of Akamai API Security, formerly known as Neosec, Akamai's customers will be able to have discovery, detection, and response for their APIs and API activity.
Of course, protection across the entire API lifecycle is critical, so we encourage organizations that are partnering with Akamai to leverage our broad portfolio of API protections, including Akamai App & API Protector.
Let's review OWASP's current 2023 list so you can be better informed on your journey to secure your APIs.
API1:2023 — Broken Object Level Authorization: BOLA vulnerabilities can occur when a client's authorization is not properly validated to access specific object IDs.
API2:2023 — Broken Authentication: BA refers to broad vulnerabilities in the authentication process, exposing the system to attackers that can exploit these weaknesses to compromise API object protection.
API3:2023 — Broken Object Property Level Authorization: BOPLA is a security flaw where an API endpoint unnecessarily exposes more data properties than required for its function, neglecting the principle of least privilege.
API4:2023 — Unrestricted Resource Consumption: This is a type of vulnerability, sometimes called API resource exhaustion, where APIs do not limit the number of requests or the volume of data they serve within a given time.
API5:2023 — Broken Function Level Authorization: BFLA can occur when access control models for API endpoints are implemented incorrectly.
API6:2023 — Unrestricted Access to Sensitive Business Flows: This risk arises when an API exposes critical operations like business logic without sufficient access control.
API7:2023 — Server Side Request Forgery: SSRF allows an attacker to induce the server-side application to make HTTPS requests to an arbitrary domain of the attacker's choosing.
API8:2023 — Security Misconfiguration: This refers to the improper setup of security controls, which can leave a system vulnerable to attacks.
API9:2023 — Improper Inventory Management: This is a challenge for every organization managing APIs. API security solutions can protect known APIs, but unknown APIs — including deprecated, legacy, and/or outdated APIs — may be left unpatched and vulnerable to attack.
API10:2023 — Unsafe Consumption of APIs: This refers to the risks associated with the use of third-party APIs without putting proper security measures in place.
Defending against vulnerabilities of any kind identified by an OWASP Top 10 requires a trusted partnership between organizations. Akamai also defends against the OWASP Top 10 list of the most common vulnerabilities seen in web applications.
API Security complements our flagship web application and API protection (WAAP) offering, App & API Protector, which protects websites, applications, and APIs by blocking incoming malicious traffic in real time. Together, API Security and App & API Protector deliver the most comprehensive global protection, combining enterprise-wide visibility, behavioral analysis of API activity, and the prevention of attacks and abuse.