The Principle of Least Privilege (POLP) has been around for some time - the term appears in the Department of Defense’s Computer System Evaluation Criteria, published in 1985. And Michael Gegick and Sean Barnum wrote about Least Privilege for the US government’s Cybersecurity and Infrastructure Security Agency (CISA) back in 2005.

In cybersecurity, Least Privilege is a digital cousin of the idea of operating on a “need to know” basis. Its benefits include:

- Improved system stability: The fewer privileges a piece of code or an app has, the less likely it is to perform actions that can interfere with other apps or the machine.
- Easier deployment: When an application doesn’t require much access to a system, it can be deployed without the need for additional steps like installations or passwords.
- Better system security: The less access to a system a program has, the less likely its vulnerabilities can be used to exploit a system or machine.

The idea of Least Privilege takes on a new level of importance when it comes to APIs because there are more sources of data and more developers in play. While tools like the OpenAPI Specification are helpful for standardization, they don’t really help when it comes to assigning appropriate permissions and privileges.

Below we’ll look at why Least Privilege is important to APIs and consider how this rule can be approached in the context of APIs.

In computing, privilege typically refers to whether or not an app, user, or piece of code can perform security-relevant functions. It’s a fairly generic term, but its most obvious association with the API space is probably permissions.

API consumers should be granted permissions only for actions they’re authorized to carry out. In cases where those permissions need to be expanded temporarily, they should be revoked afterward. In simple terms, don’t expose any more information than you need to.

This is particularly important in the API space because it’s not just your customer data that’s at risk, but potentially data from other sources as well.

A CyberNews report, for example, found that some third-party apps connected to cryptocurrency exchanges via API keys left some users vulnerable to fraudulent withdrawal attempts even when withdrawal permissions were disabled by default on those cryptocurrency exchanges. It would appear that trade permissions weren’t disabled by default, and, as a result, hackers were able to use API keys to trade away balances in unprofitable trades to accounts that they had set up. This is just one case of many where granting fewer privileges would have avoided exploits.

How To Implement Least Privilege?

Effective API security consists of many different measures, and POLP is just one concept in that toolbox. It’s worth pointing out, however, that many of the API security best practices listed below actually fit pretty well under the umbrella of POLP:

- Apply rate limiting to reduce the risk of brute force attacks.
- Use Two-Factor Authentication (2FA) and OAuth 2.0 for access control.
- Disable obsolete APIs through versioning and remove deprecated features.
- Shrink your attack surface by scoping API users.

When connecting with other pieces of software, it’s always a smart idea to set proper access levels and grant different permissions for different tasks, like Xero does:

“Apps using the API have the permissions of a Standard or Adviser level user. To access reporting APIs the authorizing user must have Reports access and for Payroll APIs the authorizing user must be a payroll admin.”

Talking about authorization issues, Hakluke and Farah Hawa wrote the following for Detectify:

“Authorization issues are typically difficult to detect in an automated fashion.”
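As an added example (not from the article, and not Xero’s or any exchange’s real API), here is a small Python model of the scoped-API-user approach described above: every route declares the one scope it requires, any route not in the table is denied, and capabilities such as trading or withdrawing are separate grants a consumer receives only by asking for them. Route names, scope names and the two sample apps are hypothetical.

```python
from dataclasses import dataclass
from typing import FrozenSet, Set, Tuple

# Hypothetical route table: each route names the one scope it requires.
# Routes missing from the table are denied outright (default deny).
ROUTE_SCOPES = {
    ("GET", "/reports/profit-and-loss"): "reports.read",
    ("GET", "/payroll/employees"): "payroll.admin",
    ("POST", "/payroll/payruns"): "payroll.admin",
    ("GET", "/account/balance"): "account.read",
    ("POST", "/orders"): "trade",          # placing trades is a separate grant
    ("POST", "/withdrawals"): "withdraw",  # so is moving funds out
}


@dataclass(frozen=True)
class ApiKey:
    owner: str
    scopes: FrozenSet[str]


def issue_key(owner: str, requested: Set[str]) -> ApiKey:
    """Mint a key carrying exactly the requested scopes; nothing is implied."""
    unknown = requested - set(ROUTE_SCOPES.values())
    if unknown:
        raise ValueError(f"unknown scopes: {sorted(unknown)}")
    return ApiKey(owner, frozenset(requested))


def scopes_for(routes: Set[Tuple[str, str]]) -> FrozenSet[str]:
    """Least-privilege grant: the scopes these routes need and no others."""
    missing = [r for r in routes if r not in ROUTE_SCOPES]
    if missing:
        raise KeyError(f"unknown routes: {missing}")
    return frozenset(ROUTE_SCOPES[r] for r in routes)


def authorize(key: ApiKey, method: str, path: str) -> bool:
    """Allow a call only if the route is known and the key holds its scope."""
    required = ROUTE_SCOPES.get((method.upper(), path))
    return required is not None and required in key.scopes


if __name__ == "__main__":
    # A portfolio tracker only needs balances; it never receives trade/withdraw.
    tracker = issue_key("tracker-app", scopes_for({("GET", "/account/balance")}))
    print(authorize(tracker, "GET", "/account/balance"))  # True
    print(authorize(tracker, "POST", "/orders"))          # False
    # A bookkeeping app with Reports access cannot touch payroll.
    books = issue_key("books-app", {"reports.read"})
    print(authorize(books, "GET", "/payroll/employees"))  # False
```

Deriving a key’s scopes from the routes the consumer actually calls (`scopes_for`) is what turns “scope your API users” from a guideline into something enforced at key-issue time.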