On Sep 28, 2021, at 9:17 AM, em mazzon <mazz...@gmail.com> wrote:
Hi
Does anyone have any recommendations of the main API GWs that can manage the majority of the OWASP API security risks?
Thanks
Matt
--
APIsec.io resolves to apisecurity.io (operated by 42Crunch), which is a security awareness resource. APIsec.ai is a security testing vendor.
The original poster was asking about API gateways though. The short answer is that no API gateway can fully address the API Security Top 10 since they are mediation mechanisms. Mitigating all the risks described in the API Security Top 10 requires many techniques and tooling that encompass discovery, mediation, security testing, access control, observability, runtime protection, etc. In this context, any API gateway, irrespective of vendor, functions as an enforcement point for some security controls like authentication, authorization, and message filtering, but more is required to fully address the OWASP API Security Top 10.
I'm staying vendor neutral here in the spirit of OWASP, but that last answer needed clarification.
--
Understood. I put a couple of sentences out of order that introduced ‘firewall’ before I made the connection to an API Gateway. Thank you for the opportunity to correct that.
In the environment I am working in, the API Gateway is a full-fledged reverse proxy that has access to see and alter all data in the request. That is to say, FORWARD is an internal application-implemented function (to my understanding, per the specifications). Therefore there is plenty of security that can be done there; however, the purpose is much broader than the API service itself, as well as the fact that the gateway then passes the request back onto the network that should have limited trust (some may say it is tantamount to a DMZ, thus another nod to a firewall). So in my circumstances, FORWARD does not bypass the gateway, but the web services still treat the request nearly the same as if they were directly facing the public web.
Not saying that anyone here does this, but I feel like there are development teams that fall into the rut of using microservice style as an excuse to just trust user input all too freely, as well as business types that still look for security-in-a-box. I definitely run into vendors trying to sell such solutions. I am glad that there are critical minds like the ones here that see past the marketing.
--
Alton Crossley
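The two points made above, that a gateway is an enforcement point for authentication and message filtering but cannot by itself cover the whole API Security Top 10, and that the backend should keep treating a forwarded request as if it came straight from the public web, are easy to see side by side in code. The following is an added example written for this thread, not code from any poster, vendor or OWASP project: a toy gateway in front of a naive backend and a hardened one. The HMAC token format standing in for a JWT, the /users/{id} PATCH route, the X-Gateway-Subject header, the allowed-field list and the user table are all constructed assumptions.

```python
"""
Added example (not from the thread): a toy API gateway in front of two
toy backends. The gateway authenticates and filters the message; only
the backend can decide whether the caller owns /users/bob, and only a
backend that re-verifies the request survives a direct hit that spoofs
the gateway's header. Token format, route, header names and user data
are constructed for illustration.
"""
import base64
import hashlib
import hmac
import json

SIGNING_KEY = b"constructed-demo-key"       # assumption: key shared by gateway and backend
ALLOWED_FIELDS = {"email", "display_name"}  # message filtering: the only writable fields


def mint_token(subject: str) -> str:
    """Toy HMAC-signed token in place of a JWT: base64(payload).hex(signature)."""
    payload = base64.urlsafe_b64encode(json.dumps({"sub": subject}).encode()).decode()
    sig = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + sig


def verify_token(header_value: str):
    """Return the token subject, or None if the header is missing or forged."""
    if not header_value.startswith("Bearer "):
        return None
    payload, _, sig = header_value[len("Bearer "):].partition(".")
    expected = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not sig or not hmac.compare_digest(sig, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(payload))["sub"]


def fresh_store() -> dict:
    """Constructed user table; a fresh copy per call so runs do not interfere."""
    return {"alice": {"email": "alice@example.test"}, "bob": {"email": "bob@example.test"}}


def gateway(request: dict, backend, store: dict) -> dict:
    """Mediation point: authenticates the caller, filters the message body,
    stamps the verified subject on the request and forwards it.
    It has no knowledge of which user owns which resource."""
    subject = verify_token(request["headers"].get("Authorization", ""))
    if subject is None:
        return {"status": 401, "body": "unauthenticated"}
    unknown = set(request["body"]) - ALLOWED_FIELDS
    if unknown:
        return {"status": 400, "body": "rejected fields: " + ", ".join(sorted(unknown))}
    forwarded = dict(request, headers={**request["headers"], "X-Gateway-Subject": subject})
    return backend(forwarded, store)


def naive_backend(request: dict, store: dict) -> dict:
    """Assumes 'the gateway already checked this' and updates whatever id is in
    the path: Broken Object Level Authorization, which no gateway rule prevents."""
    user_id = request["path"].rsplit("/", 1)[-1]
    if user_id not in store:
        return {"status": 404, "body": "no such user"}
    store[user_id].update(request["body"])
    return {"status": 200, "body": store[user_id]}


def hardened_backend(request: dict, store: dict) -> dict:
    """Treats the forwarded request as if it arrived from the public web:
    re-verifies the token instead of trusting X-Gateway-Subject, enforces
    object ownership, and re-validates the input it is about to store."""
    subject = verify_token(request["headers"].get("Authorization", ""))
    if subject is None:
        return {"status": 401, "body": "unauthenticated"}
    user_id = request["path"].rsplit("/", 1)[-1]
    if user_id not in store:
        return {"status": 404, "body": "no such user"}
    if subject != user_id:
        return {"status": 403, "body": "not the owner of " + user_id}
    body = request["body"]
    if set(body) - ALLOWED_FIELDS or not all(isinstance(v, str) and len(v) <= 254 for v in body.values()):
        return {"status": 400, "body": "invalid field or value"}
    store[user_id].update(body)
    return {"status": 200, "body": store[user_id]}


def patch_request(path: str, body: dict, token: str = None, extra_headers: dict = None) -> dict:
    """Build a constructed PATCH request in the shape the gateway expects."""
    headers = {"Authorization": "Bearer " + token} if token else {}
    headers.update(extra_headers or {})
    return {"method": "PATCH", "path": path, "headers": headers, "body": body}


if __name__ == "__main__":
    alice = mint_token("alice")
    bola = patch_request("/users/bob", {"email": "alice-controls@example.test"}, alice)
    print(gateway(bola, naive_backend, fresh_store()))     # 200: authenticated, filtered, still BOLA
    print(gateway(bola, hardened_backend, fresh_store()))  # 403: ownership is the backend's call
    spoofed = patch_request("/users/bob", {"email": "x"}, extra_headers={"X-Gateway-Subject": "bob"})
    print(naive_backend(spoofed, fresh_store()))           # 200: direct hit, header trusted
    print(hardened_backend(spoofed, fresh_store()))        # 401: no valid token, header ignored
```

The gateway does real work here (an unauthenticated call and a body carrying an unexpected field never reach the backend), but Alice's PATCH of Bob's record is a well-formed, authenticated request that the gateway has no basis to reject; only the service that knows Bob owns /users/bob can. The second pair of calls is the DMZ point from the thread: a request that reaches the backend without passing the gateway should fail for the same reasons it would fail at the edge, which is why the hardened backend checks the token itself rather than the header the gateway would have added.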