Use OAuth to Mitigate ‘Top of the Top’ API Risks

As the software industry relies more heavily upon APIs, API-related vulnerabilities are becoming more pervasive. And no risks are more common — or hazardous — than broken authentication and object-level authorization flaws.

According to Judith Kahrer, these ‘top of the top’ API risks occur frequently in practice and can cause severe damage if left unchecked. Successful attacks could lead to account impersonation, data exfiltration, privilege escalation, and more. Therefore, learning how to plug these gaps is of prime importance.

Judith Kahrer, Product Marketing Engineer at Curity

Catch Judith Kahrer’s upcoming session at Platform Summit 2023.

Leading up to this year’s Platform Summit, we’re catching up with a handful of speakers to gather their insights on the API economy and to catch a glimpse of what their sessions will cover.

Judith Kahrer, one such Platform Summit speaker, has a keen interest in identity as it relates to API security. She began as a developer and moved on to being a security engineer and consultant before taking her current role as Product Marketing Engineer at Curity.

Below, we’ll share an interview with Judith along the theme of her upcoming session, Addressing Top API Security Risks. We’ll explore the state of API security at large, check in on the updated OWASP API security list, and see why an OAuth-driven architecture is the answer to mitigating the ‘top of the top’ API risks.


What is the state of API risks in 2023 as you see it?

I find it devastating that in 2023, authentication and authorization are still considered the main concerns in API security. It shows that there is still a lot of work for security professionals. I hope to contribute to some small improvements with my talk.

In the long term, developers, operators, and security personnel need to work together on an everyday basis to mitigate risks and create secure products. It is together that we are strong and innovative. Lists like the OWASP Top 10 API Security Risks help to focus our efforts, and hopefully, there will be major changes in response to the recent update. 😊

Does the updated OWASP list match the new conditions we’re seeing in the wild? How so?

The community does great research when assembling these lists, and they did a good job. The list is generic enough to be long-lived and should thus cover new and unknown exploits. Indeed, some risks took on a broader meaning to include even more cases. For example, “Broken User Authentication” was renamed to “Broken Authentication,” which covers any authenticating entities like users, workloads, and machines.

Why do you think authorization issues are so prevalent in the OWASP top ten for API risks?

Authorization is a challenge because it is business-related. The number of different authorization risks in the new list shows that authorization covers many aspects. There is no ready-to-use, plug-and-play solution. Instead, you have to adapt the tools to your specific needs. As with any technique, things can go wrong in that process. The thing is, when authorization fails, the impact can be big. That’s why authorization-related risks are often rated high and consequently find themselves on the OWASP top ten API risks.

What are the ‘top of the top’ risks, as you call them in your session description?

The top of the top are what the name suggests, the highest risks in OWASP’s top 10: API1 – Broken Object Level Authorization and API2 – Broken Authentication. Those risks are highly likely to occur and have a potentially huge impact. Therefore, addressing those risks is a high priority.

Why is OAuth the answer to mitigating these top risks? How can we use it properly to do so?

OAuth is a protocol that describes the messages for a client (a user-facing application) to request access to a resource server (the API). Instead of having the API (or a frontend to it) identify and authenticate users, this work is outsourced to a component called the authorization server. The authorization server can implement different and complex methods for user authentication. In that way, OAuth can mitigate broken authentication risks. Access tokens provide the API with adequate authorization information and thus help handle the risk of broken object-level authorization.
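Added example (editorial, not part of the interview and not Curity's code): a minimal resource-server check in Python showing how validated access-token claims address both risks named above. The issuer, audience, key, `orders:read` scope and order data are constructed, `aud` is treated as a single string, and HS256 with a shared key stands in for asymmetric signature verification so the block runs on the standard library alone.

```python
import base64, hashlib, hmac, json, time

# Constructed demo values. HS256 with a shared key is a stand-in so this runs offline;
# production APIs typically verify asymmetric signatures from the authorization server.
KEY = b"demo-shared-key"
ISSUER = "https://login.example.com"
AUDIENCE = "orders-api"
ORDERS = {"o-1": {"owner": "alice"}, "o-2": {"owner": "bob"}}

def b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint(claims, key=KEY):
    """Stand-in for the authorization server issuing a signed access token."""
    head = b64(json.dumps({"alg": "HS256", "typ": "at+jwt"}).encode())
    body = b64(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64(sig)}"

def validate(token):
    """API2: accept only unexpired tokens the trusted issuer signed for this API."""
    try:
        head, body, sig = token.split(".")
        if json.loads(unb64(head)).get("alg") != "HS256":  # pin the algorithm
            return None
        want = hmac.new(KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(want, unb64(sig)):
            return None
        claims = json.loads(unb64(body))
        fresh = claims.get("exp", 0) > time.time()
        if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE or not fresh:
            return None
        return claims
    except (ValueError, TypeError, AttributeError):
        return None  # malformed tokens are rejected, never partially trusted

def get_order(token, order_id):
    """API1: authorize per object from token claims, not from the requested ID."""
    claims = validate(token)
    if claims is None:
        return 401
    if "orders:read" not in str(claims.get("scope", "")).split():
        return 403
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != claims.get("sub"):
        return 404  # same answer for missing and foreign objects
    return 200
```

Returning 404 for another user's order is a design choice made here so the API does not confirm which IDs exist; a 403 is equally valid if that is not a concern.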

Why are you excited about PS23? Assuming you are… 😉

Due to circumstances, Platform Summit paused for some time. But finally, Platform Summit 2023 is going to happen! It is my first Platform Summit, and I am happy to be a part of it. I look forward to rewarding discussions, and gaining and sharing insights concerning APIs.

Without giving away too much, what can attendees expect from your talk?

I’ve already given away some details in my previous answers. 😊 Attendees should leave the talk believing that OAuth is a must-have for API security, and I want to provide them with some building stones so they can get started with (or look over) their OAuth adoptions.