API security is the process of protecting APIs from attacks. Because APIs are so widely used, they are an attractive target for attackers. API vulnerabilities are common and can compromise your whole system if left untreated. Typical weaknesses include broken authentication and authorization, improper assets management, and lack of rate limiting. Regularly testing your APIs helps you identify such vulnerabilities and address them.
According to the Open Web Application Security Project (OWASP), there are ten categories of API vulnerability that should be taken care of when you build an API. In this guide, let’s look at the Improper Assets Management vulnerability.
Most vulnerabilities in the OWASP API Top Ten revolve around coding flaws. By contrast, improper assets management is not a coding mistake but a human or management problem: it allows older API versions to remain in place long after they should have been replaced by newer, more secure ones.
Attackers look for non-production versions of the API that are not as well secured as the production API, and use those versions to launch their attacks.
This vulnerability is most likely to arise when APIs that are still in development, and not yet fully hardened against threats, are exposed to the production environment. If these issues are not addressed, the overall security of the API is compromised.
You can prevent improper assets management in several ways.
- Control access to production data, and segregate access to production and non-production data, so that attackers cannot find and use non-production versions of the API to launch attacks.
- Delete APIs that are no longer in use. There is no reason to keep them online and accessible, internally or externally, once they have been retired. Implement additional external controls as well, e.g. an API firewall.
- Address the vulnerability with an API rollout strategy backed by strong documentation and up-to-date inventories of every version that is deployed.
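The three measures above come together in an inventory-driven check. The following is an added example, not code from the original article: it assumes a hypothetical inventory of API versions with a lifecycle status (active, deprecated, retired, beta) and a constructed export of the routes a production gateway actually serves. The `audit` function reports every version that is reachable in production but should not be (retired, deprecated, beta, or entirely undocumented), and `gate_request` shows the corresponding gateway rule that refuses such traffic instead of silently serving the old version.

```python
"""Inventory-driven audit of exposed API versions (hypothetical example).

The inventory and the gateway export below are constructed sample data,
not data from any real project.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Only versions with these lifecycle statuses may be reachable in production.
ALLOWED_IN_PROD = {"active"}


@dataclass(frozen=True)
class ApiVersion:
    name: str    # version segment as it appears in the URL, e.g. "v1"
    status: str  # "active", "deprecated", "retired" or "beta"
    owner: str   # team accountable for retiring or hardening this version


# Constructed inventory: what the organisation *believes* is deployed.
INVENTORY: Dict[str, ApiVersion] = {
    "v1": ApiVersion("v1", "retired", "payments-team"),
    "v2": ApiVersion("v2", "deprecated", "payments-team"),
    "v3": ApiVersion("v3", "active", "payments-team"),
    "beta": ApiVersion("beta", "beta", "payments-team"),
}

# Constructed gateway export: what is *actually* reachable in production.
EXPOSED_PROD_ROUTES: List[str] = [
    "/api/v1/users",
    "/api/v2/users",
    "/api/v3/users",
    "/api/beta/users",
    "/api/v4/users",  # not in the inventory at all: undocumented endpoint
    "/healthz",       # not an API route, ignored by the audit
]


def version_of(path: str) -> Optional[str]:
    """Return the version segment of an '/api/<version>/...' path, or None."""
    parts = path.strip("/").split("/")
    if len(parts) >= 2 and parts[0] == "api":
        return parts[1]
    return None


def audit(inventory: Dict[str, ApiVersion],
          routes: List[str]) -> Tuple[List[str], List[str]]:
    """Compare exposed routes against the inventory.

    Returns (findings, ok): findings are routes whose version is undocumented
    or not allowed in production; ok are routes serving an active version.
    """
    findings: List[str] = []
    ok: List[str] = []
    for route in routes:
        version = version_of(route)
        if version is None:
            continue  # health checks and other non-API paths are out of scope
        entry = inventory.get(version)
        if entry is None:
            findings.append(f"{route}: version '{version}' is not in the inventory")
        elif entry.status not in ALLOWED_IN_PROD:
            findings.append(
                f"{route}: version '{version}' is '{entry.status}' but reachable "
                f"in production (owner: {entry.owner})")
        else:
            ok.append(route)
    return findings, ok


def gate_request(path: str,
                 inventory: Dict[str, ApiVersion] = INVENTORY) -> Tuple[int, str]:
    """Hypothetical gateway rule: refuse traffic to versions not live in production.

    Returns an (HTTP status, reason) pair rather than serving the old code.
    """
    version = version_of(path)
    if version is None:
        return 200, "pass-through"  # not an API route, handled elsewhere
    entry = inventory.get(version)
    if entry is None:
        return 404, "unknown API version"
    if entry.status == "retired":
        return 410, f"API {version} has been retired; use an active version"
    if entry.status not in ALLOWED_IN_PROD:
        return 403, f"API {version} ({entry.status}) is not available in production"
    return 200, "ok"


if __name__ == "__main__":
    problems, healthy = audit(INVENTORY, EXPOSED_PROD_ROUTES)
    for line in problems:
        print("FINDING:", line)
    for route in healthy:
        print("OK:     ", route)
```

Running the audit against a gateway's real route export on a schedule turns the "strong documentation and inventories" measure into a detective control: any version that appears in production without an `active` inventory entry is surfaced with its owner, and the gateway rule ensures the retired version answers 410 rather than continuing to serve unhardened code.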