API Categorization (suggestion)


irvan hendrik

Feb 27, 2020, 4:24:28 AM
to API Security Project
Hi,
I have a suggestion for the OWASP top 10 API.
Is it possible to distinguish which of the top 10 refer to host-to-host and which to client-to-host?
Because several of them might not be relevant to a host-to-host API setup.

Thank you.

Ozioma Aghamba

Feb 27, 2020, 8:28:13 AM
to API Security Project
Hi Irvan,

I would like to know, from your experience, what differences between host-host and client-host API setups present unique considerations for API vulnerabilities.

Raphael Hagi

Feb 27, 2020, 8:44:00 AM
to API Security Project
Hello,

From my point of view, every call on my API is considered a client, no matter what kind it is. It's a kind of "zero trust" concept.

Paulo Silva

Feb 27, 2020, 9:39:44 AM
to Raphael Hagi, API Security Project
The API security standards should be the same regardless of who the client is.
Even a trustworthy host (client) can get compromised at some point in
time, but this event should not compromise the API.

Sometimes it may seem overkill, especially if one of the clients runs
on the same host as the API server, but exceptions to the API
workflows, especially authN and authZ, tend to lead to security
weaknesses.

Cheers,



--
Paulo Silva

OWASP API Security Project - Project Main Maintainer
OWASP Go Secure Coding Practices Guide - Project Co-Leader

Keith Casey

Feb 27, 2020, 9:52:55 AM
to api-securi...@owasp.org

+1 to what Paulo and Raphael said.

To be concrete, in both the Target credit card hack and Marriott breach, attackers gained access to the underlying systems and became another "host" within the network. Therefore any client-host vs host-host distinction was irrelevant because the attackers were inside the perimeter.

Systems should not be trusted until they prove otherwise. And then only trusted to do exactly what they're allowed for that specific use case for a very specific window of time.

Zero trust is both a buzzword and a useful concept. ;) 


(There are dozens of other breaches that match this pattern, those are super easy to find details on.)


-- 
D. Keith Casey, Jr.

Check out my book "A Practical Approach to API Design"
and the API Developer Newsletter: http://bit.ly/apiWeekly
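Paulo's and Keith's points above, as an added example that is not part of this thread or of the OWASP project: a toy request authorizer (constructed names, secret and addresses) that contrasts a "same-host or internal callers skip authN/authZ" exception with uniform checks of a scoped, time-limited token, so a caller on a compromised internal host passes the first and is rejected by the second.

```python
import hashlib
import hmac
from ipaddress import ip_address

# Constructed for this example only; a real service loads its signing key from a secret store.
SECRET = b"constructed-demo-secret"


def issue_token(subject, scope, ttl_seconds, now, secret=SECRET):
    """Mint a 'subject|scope|expiry|hmac' token valid for ttl_seconds from now."""
    payload = f"{subject}|{scope}|{int(now) + ttl_seconds}"
    sig = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{sig}"


def verify_token(token, required_scope, now, secret=SECRET):
    """True only if the signature is intact, the scope matches and the token has not expired."""
    try:
        subject, scope, exp, sig = token.split("|")
        exp = int(exp)
    except (AttributeError, ValueError):
        return False  # missing, malformed or tampered payload
    payload = f"{subject}|{scope}|{exp}"
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return False
    return scope == required_scope and int(now) < exp


def authorize_with_exception(request, required_scope, now):
    """Anti-pattern: loopback/private peers are 'trusted hosts' and bypass authN and authZ."""
    peer = ip_address(request["peer"])
    if peer.is_loopback or peer.is_private:
        return True
    return verify_token(request.get("token"), required_scope, now)


def authorize_uniform(request, required_scope, now):
    """Every caller, local or remote, presents a scoped token that is still inside its time window."""
    return verify_token(request.get("token"), required_scope, now)
```

The two authorizers agree on a well-behaved remote caller; they only diverge when an internal peer shows up without valid credentials, which is exactly the compromised-host scenario described above.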

Ozioma Aghamba

Feb 27, 2020, 10:01:38 AM
to API Security Project
Thanks for the clarification. I was of the opinion that unless there are unique considerations in the different setups that impact security, it shouldn't matter, but what do I know? Lol

Nathan Aw

Mar 1, 2020, 8:49:13 PM
to Ozioma Aghamba, API Security Project
I think the differentiation might potentially be useful, as there are obvious benefits to differentiating between client-to-host and host-to-host.

One such benefit is the different audiences at which API security is targeted: developers vs. infra.

Thus, I am for categorization for the purpose of effective messaging.

Nathan Aw

--
You received this message because you are subscribed to the Google Groups "API Security Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to api-security-pro...@owasp.org.
To view this discussion on the web visit https://groups.google.com/a/owasp.org/d/msgid/api-security-project/52aa4b94-6707-4fef-a8e6-590c9cf860c3%40owasp.org.