--
You received this message because you are subscribed to the Google Groups "API Security Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to api-security-pro...@owasp.org.
To view this discussion on the web visit https://groups.google.com/a/owasp.org/d/msgid/api-security-project/0d64f7a7-5db8-40f8-b45a-50bf4ab74262%40owasp.org.
Hi Abid,

Good point.
When it comes to performance, which one is faster? API integration or DB-links?

Regards,
Suresh Rupasinghe
On Fri, 20 Sep 2019, 12:04 abid khan, <abid2...@gmail.com> wrote:
Hi, as we know, API is used for the integration between two systems, where two different kinds of methodologies are used for the same: SOAP API and REST API. Now I'm not gonna get into those methodologies, but the point I would like to highlight is listed below.

Now there is a sub-component that exists which is largely used by the developers to connect services, called "DB-links" (I myself have seen it in many large financial organizations).

Now if we miss that area in the OWASP API standard, which is a sub-component (technically seen), it means there is a security hole we are leaving behind, despite releasing the OWASP API Top 10.

Note: I have personally seen such connectivity using DB-links, and developers usually avoid using API to connect their services (I'm talking about internal systems/services hosted on internal networks).

Now please advise so I can share my findings and some core technical stuff on how these links work and what the countermeasures would be against the risks/vulnerabilities associated with DB-links.

Regards:
ABID
Hi Abid,

The DB-links technology you're introducing is the one that allows connections to an external/remote database from within another database?

True, but the point I'm trying to highlight is that the actual concept/objective of API can be retrieved using DB-Link as well, so why not include it in OWASP API as a sub-component? I can do title fetch, granting access to any user to any role depending on allowed functions, also fetching user details, etc. Note: the remediation steps are the same as API controls such as service authentication and authorization; therefore I believe we cannot separately entertain DB-link security.

Something like what Oracle [1] and PostgreSQL [2] offer?

Considering the broader concept of API (Application Programming Interface) I do not doubt that DB-links establish an interface so that two databases can communicate. Nevertheless, I am not sure DB-links are in OWASP API Security Project scope: Web APIs [3].

I'm not sure about the scope of OWASP API, but I'm sure (technically speaking) that whether the interface uses API or DB-link, the objective of both is the same, or you can say a little bit different. As of now I can do the same job using DB-links, so I guess the topic should be covered with at least a slide to let security professionals/developers know how DB-links work and how harmful it is for the organizations.

How do you see DB-links in the OWASP API Top 10?

I'm sure it can be covered in a single slide (for those who prefer to use DB-Links as compared to API). So far we (when I say "we" I mean the OWASP community) don't have any suggestions for DB-links users. As everybody knows, the objective of API and DB-links is almost the same (in a few cases), so the suggestion should be something like covering every associated sub-component that is linked with the API objective.

* What weakness would you remove from the actual Top 10?

I don't see OWASP API Top 10 from the weakness aspect; I suggest, as an addition to that, we need to add suggestions for DB-link users. So far there are no suggestions found in the current release of OWASP API Top 10.

* What kind of weaknesses do you usually find in DB-link interface?

I see 3 major security issues (listed below) using DB-links.

* How frequent/severe are DB-links issues?

[1]: https://docs.oracle.com/cd/B28359_01/server.111/b28310/ds_concepts002.htm#ADMIN12083
[2]: https://www.postgresql.org/docs/9.3/dblink.html
[3]: https://en.wikipedia.org/wiki/Web_API

Cheers,
On Fri, Sep 20, 2019 at 8:55 AM Suresh Thivanka Rupasinghe <suresht...@gmail.com> wrote:
>
> Hi Abid,
>
> Good point.
> When it comes to performance, which one is faster? API integration or DB-links?
>
> Regards,
> Suresh Rupasinghe
>
>
> On Fri, 20 Sep 2019, 12:04 abid khan, <abid2...@gmail.com> wrote:
>>
>> Hi, as we know, API is used for the integration between two systems, where two different kinds of methodologies are used for the same: SOAP API and REST API. Now I'm not gonna get into those methodologies, but the point I would like to highlight is listed below.
>>
>> Now there is a sub-component that exists which is largely used by the developers to connect services, called "DB-links" (I myself have seen it in many large financial organizations).
>>
>> Now if we miss that area in the OWASP API standard, which is a sub-component (technically seen), it means there is a security hole we are leaving behind, despite releasing the OWASP API Top 10.
>>
>> Note: I have personally seen such connectivity using DB-links, and developers usually avoid using API to connect their services (I'm talking about internal systems/services hosted on internal networks).
>>
>> Now please advise so I can share my findings and some core technical stuff on how these links work and what the countermeasures would be against the risks/vulnerabilities associated with DB-links.
>>
>> Regards:
>> ABID
--
Paulo Silva
OWASP API Security Project - Project Main Maintainer
OWASP Go Secure Coding Practices Guide - Project Co-Leader
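Paulo's pointers to Oracle and PostgreSQL database links, and Abid's point that the remediations are the usual authentication and authorization controls, can be made concrete. What follows is an added example, not code from anyone in the thread or from the OWASP project; it uses PostgreSQL's dblink extension (reference [2] above), and every host, database, role, table and password value in it is constructed for illustration. It puts the weak shape (a privileged remote account's credentials embedded in SQL text, arbitrary statements forwarded over the link) beside a least-privilege shape (a dedicated read-only remote role, the credential held in a user mapping rather than in SQL, dblink functions revoked from PUBLIC, and one fixed parameterised query exposed instead of a generic executor).

```sql
-- Added example (not from the thread): PostgreSQL dblink, weak pattern vs. least privilege.
-- Host, database, role, table and password values are constructed placeholders.

CREATE EXTENSION IF NOT EXISTS dblink;

------------------------------------------------------------------------
-- WEAK PATTERN: a SECURITY DEFINER wrapper that carries the remote
-- superuser's password in its body and forwards whatever SQL it is given.
-- Every local role allowed to call it inherits the remote superuser's
-- power, which is the "grant any user any role over a DB-link" exposure
-- raised in the thread. New functions are EXECUTE-able by PUBLIC by default.
------------------------------------------------------------------------
CREATE OR REPLACE FUNCTION remote_exec(sql text)
RETURNS SETOF text
LANGUAGE sql SECURITY DEFINER AS $$
  SELECT r
  FROM dblink('host=hr-db.internal dbname=hr user=postgres password=SuperSecret!',
              sql) AS t(r text);
$$;

------------------------------------------------------------------------
-- HARDENED PATTERN
-- 1) On the REMOTE database (hr-db.internal): a dedicated login role that
--    can read only the columns the integration needs. Pair this with a
--    pg_hba.conf rule that admits link_reader only from the linking host.
------------------------------------------------------------------------
CREATE ROLE link_reader LOGIN PASSWORD 'placeholder-rotate-me';
REVOKE ALL ON DATABASE hr FROM PUBLIC;
GRANT CONNECT ON DATABASE hr TO link_reader;
GRANT USAGE ON SCHEMA public TO link_reader;
GRANT SELECT (employee_id, title) ON employees TO link_reader;

------------------------------------------------------------------------
-- 2) On the LOCAL database (as a superuser): take dblink away from
--    everyone, then hand it back to one integration role whose credential
--    lives in a user mapping instead of in SQL text. Repeat the REVOKE for
--    any other dblink overloads installed in your version.
------------------------------------------------------------------------
REVOKE EXECUTE ON FUNCTION dblink(text, text)          FROM PUBLIC;
REVOKE EXECUTE ON FUNCTION dblink(text, text, boolean) FROM PUBLIC;
REVOKE EXECUTE ON FUNCTION dblink_connect(text)        FROM PUBLIC;
REVOKE EXECUTE ON FUNCTION dblink_connect(text, text)  FROM PUBLIC;
REVOKE EXECUTE ON FUNCTION dblink_exec(text, text)     FROM PUBLIC;

-- sslmode 'require' encrypts the link; 'verify-full' plus sslrootcert
-- additionally pins the remote identity and is preferable where a CA exists.
CREATE SERVER hr_link FOREIGN DATA WRAPPER dblink_fdw
  OPTIONS (host 'hr-db.internal', dbname 'hr', port '5432', sslmode 'require');

CREATE ROLE hr_integration NOLOGIN;
CREATE USER MAPPING FOR hr_integration SERVER hr_link
  OPTIONS (user 'link_reader', password 'placeholder-rotate-me');
GRANT USAGE ON FOREIGN SERVER hr_link TO hr_integration;
GRANT EXECUTE ON FUNCTION dblink(text, text) TO hr_integration;

------------------------------------------------------------------------
-- 3) Expose one fixed query rather than an arbitrary-SQL executor. The
--    input is interpolated with format('%L') so it reaches the remote side
--    as a quoted literal, and dblink is given the server name, so the
--    password never appears in this function's source.
------------------------------------------------------------------------
CREATE OR REPLACE FUNCTION remote_job_title(p_employee_id integer)
RETURNS text
LANGUAGE plpgsql SECURITY INVOKER AS $$
DECLARE
  v_title text;
BEGIN
  SELECT t.title INTO v_title
  FROM dblink('hr_link',
              format('SELECT title FROM employees WHERE employee_id = %L',
                     p_employee_id)) AS t(title text);
  RETURN v_title;
END;
$$;
GRANT EXECUTE ON FUNCTION remote_job_title(integer) TO hr_integration;

-- Inventory check: which local roles are mapped to which remote servers?
-- (umoptions, including any password, is only shown to privileged viewers.)
SELECT srvname, usename, umoptions
FROM pg_user_mappings
ORDER BY srvname, usename;
```

The controls transfer to the Oracle links Paulo cites: a fixed-user link stores an account on the remote side, so that account should hold only the privileges the integration uses, and the local privilege to reference the link should be granted to specific roles rather than left open. The inventory query at the end is the kind of check a reviewer would run first, since an unexpected mapping is the quickest sign that a link has grown beyond its original purpose.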