API Categorization (suggestion)

40 views
Skip to first unread message

irvan hendrik

unread,
Feb 27, 2020, 4:24:28 AM2/27/20
to API Security Project
Hi,
I have a suggestion for the OWASP top 10 API.
Is it possible to distinguish which of the top 10 that refer to host to host and which are client to host?
Because several of them might not relevant to host to host setup for the API.

Thank you.

Ozioma Aghamba

unread,
Feb 27, 2020, 8:28:13 AM2/27/20
to API Security Project
Hi Irvan,

I would like to know, from your experience, what differences between host-host and client-host API setups present unique considerations for API vulnerabilities.

Raphael Hagi

unread,
Feb 27, 2020, 8:44:00 AM2/27/20
to API Security Project
Hello,

From my point of view, every call on my API is considered a client, doesn't matter what kind of it is. It's a kind of "zero trust" concept.

Paulo Silva

unread,
Feb 27, 2020, 9:39:44 AM2/27/20
to Raphael Hagi, API Security Project
The API security standards should be the same regardless of who the client is.
Even a trustworthy host (client) can get compromised at some point in
time, but this event should not compromise the API.

Sometimes it may seem overkill, especially if one of the clients runs
on the same host than the API server but exceptions to the API
workflows, especial authN and authZ, tend to lead to security
weaknesses.

Cheers,
> --
> You received this message because you are subscribed to the Google Groups "API Security Project" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to api-security-pro...@owasp.org.
> To view this discussion on the web visit https://groups.google.com/a/owasp.org/d/msgid/api-security-project/c5a4179e-75ec-4951-b1e8-f4c62d56b11c%40owasp.org.



--
Paulo Silva

OWASP API Security Project - Project Main Maintainer
OWASP Go Secure Coding Practices Guide - Project Co-Leader

Keith Casey

unread,
Feb 27, 2020, 9:52:55 AM2/27/20
to api-securi...@owasp.org

+1 to what Paulo and Raphael said.

To be concrete, in both the Target credit card hack and Marriott breach, attackers gained access to the underlying systems and became another "host" within the network. Therefore any client-host vs host-host distinction was irrelevant because the attackers were inside the perimeter.

Systems should not be trusted until they prove otherwise. And then only trusted to do exactly what they're allowed for that specific use case for a very specific window of time.

Zero trust is both a buzzword and a useful concept. ;) 


(There are dozens of other breaches that match this pattern, those are super easy to find details on.)


-- 
D. Keith Casey, Jr.

Check out my book "A Practical Approach to API Design"
and the API Developer Newsletter: http://bit.ly/apiWeekly

Ozioma Aghamba

unread,
Feb 27, 2020, 10:01:38 AM2/27/20
to API Security Project
Thanks for the clarification. I was of the opinion that except there are unique considerations that in the different setups that impacts security then it shouldn't matter but what do I know? Lol
> To unsubscribe from this group and stop receiving emails from it, send an email to api-security-project+unsub...@owasp.org.



-- 
Paulo Silva

OWASP API Security Project - Project Main Maintainer
OWASP Go Secure Coding Practices Guide - Project Co-Leader

-- 
You received this message because you are subscribed to the Google Groups "API Security Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to api-security-project+unsub...@owasp.org.

Nathan Aw

unread,
Mar 1, 2020, 8:49:13 PM3/1/20
to Ozioma Aghamba, API Security Project
Think the differentiation might be potentially useful as there are obvious benefits to differentiating between client to host, host to host.

One such benefit is the different audience to which API security is targetting. Developers vs Infra.

Thus, I am for categorization for the purpose of effective messaging.

Nathan Aw

> To unsubscribe from this group and stop receiving emails from it, send an email to api-security-pro...@owasp.org.



-- 
Paulo Silva

OWASP API Security Project - Project Main Maintainer
OWASP Go Secure Coding Practices Guide - Project Co-Leader

-- 
You received this message because you are subscribed to the Google Groups "API Security Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to api-security-pro...@owasp.org.

-- 
D. Keith Casey, Jr.

Check out my book "A Practical Approach to API Design"
and the API Developer Newsletter: http://bit.ly/apiWeekly

--
You received this message because you are subscribed to the Google Groups "API Security Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to api-security-pro...@owasp.org.
To view this discussion on the web visit https://groups.google.com/a/owasp.org/d/msgid/api-security-project/52aa4b94-6707-4fef-a8e6-590c9cf860c3%40owasp.org.
Reply all
Reply to author
Forward
0 new messages