2025 03 14

GCP – Protecting your APIs from OWASP’s top 10 security threats

APIs are an integral part of modern services, and the data they exchange is often highly sensitive. Without proper authentication, authorization, and protection against data leakage, your organization and your end users will face an increased risk of cyberattacks.

The Open Worldwide Application Security Project (OWASP) develops and publishes community-led documentation and standards for critical areas of software security, including APIs. APIs are estimated to comprise over half of internet traffic today.

That number is likely to climb as AI adoption grows, because AI already relies heavily on APIs for building foundation models, streamlining integration of AI capabilities into applications, facilitating interoperability between models running on different platforms, and providing continuous access to the real-time data needed to train and improve AI models.

Given the already large and growing reliance on APIs, organizations should implement an API security strategy. OWASP’s guidance on top 10 API security threats provides a starting point. We have taken their list and added mitigation recommendations for each risk they’ve identified. Our new whitepaper, Mitigating OWASP Top 10 API Security Threats, provides more details on each threat and how Apigee, Google Cloud’s API management platform, can help manage API risk.

aside_block: <ListValue: [StructValue([(‘title’, ‘$300 in free credit to try Google Cloud security products’), (‘body’, <wagtail.rich_text.RichText object at 0x3e24539fe670>), (‘btn_text’, ‘Start building for free’), (‘href’, ‘http://console.cloud.google.com/freetrial?redirectPath=/welcome’), (‘image’, <GAEImage: Google Cloud>)])]>

What you can do about the OWASP top 10 API security risks

For organizations who are just getting started with their API security program, OWASP’s list of top 10 API security risks provides a good starting point. It represents the most critical vulnerabilities that organizations should address to protect their API systems. These threats are broadly categorized into themes of authorization, authentication, resource management, security misconfiguration, and third-party risks.

Authorization flaws, including Broken Object Level Authorization (BOLA), Broken Object Property Level Authorization (BOPLA), and Broken Function Level Authorization (BFLA), are particularly concerning as they allow attackers to bypass access controls and manipulate data or functionalities.

BOLA occurs when an API fails to enforce proper access controls on individual data objects, enabling attackers to access or modify data without proper authorization. BOPLA, on the other hand, arises when access control measures are not effectively enforced on individual properties within a data object, allowing attackers to manipulate sensitive attributes. BFLA occurs when specific functions or operations within the API lack adequate access control mechanisms, enabling attackers to perform unauthorized actions.

Authentication weaknesses, such as broken authentication, can lead to impersonation and unauthorized access. Unrestricted resource consumption and unrestricted access to sensitive business flows can also disrupt operations and expose critical data that can be exploited by attackers.

Security misconfiguration and improper inventory management of APIs can create additional vulnerabilities that attackers can exploit. Finally, unsafe consumption of third-party APIs introduces external risks, as vulnerabilities in those APIs can compromise the security of the consuming API.

Addressing these threats requires a multi-layered approach, including robust access controls, secure authentication mechanisms, proper resource management, thorough security configurations, and careful integration of third-party APIs.

Mitigating security risks with Apigee and Advanced API Security

Apigee, Google Cloud’s API management platform, enables API platform teams to program and deploy secure API proxies that can protect your backend services from these kinds of attacks. The chart below highlights some specific capabilities in Apigee and Advanced API Security that can help you keep your APIs protected from OWASP’s Top 10 API Security risks.

OWASP Top 10 API Security Risks (2023)	Apigee and Advanced API Security mitigation capabilities
Broken Object Level Authorization (BOLA)	Quota management OAuth 2.0 and OpenID Connect Sensitive data protection API proxy security configuration checks and alerting Abuse and anomaly detection rules and machine learning models Security actions, to automatically flag and block suspicious traffic
Broken authentication	Authentication OAuth 2.0 and OpenID Connect API key verification JSON Web Token (JWT) support Abuse and anomaly detection rules and machine learning models API proxy security configuration checks and alerting
Broken Object Property Level Authorization (BOPLA)	Data masking OpenAPI specification validation API proxy security configuration checks and alerting Abuse and anomaly detection rules and machine learning models Traffic analysis and reporting
Unrestricted resource consumption	Quota management Spike Arrest policy Caching Abuse and anomaly detection rules and machine learning models (to identify activity that could signal a DoS attack or resource exhaustion) API proxy security configuration checks and alerting (e.g., check to ensure all proxies have a Spike Arrest policy)
Broken Function Level Authorization (BFLA)	API products (for granular access control) Quota management Spike Arrest policy OpenAPI specification validation API keys and OAuth support for API authentication Message validation for XML and SOAP payloads, validation of RESTful API requests, and GraphQL validation API proxy security configuration checks and alerting Abuse and anomaly detection rules and machine learning models
Unrestricted access to sensitive business flows	Authentication and role-based access control (RBAC) OAuth 2.0 and OpenID Connect API key verification and JSON Web Token (JWT) support Rate limiting Payload inspection for SQL injection attacks or cross-site scripting (XSS) attacks API proxy security configuration checks and alerting Abuse and anomaly detection rules and machine learning models
Server-Side Request Forgery (SSRF)	Input validation SIEM and WAF integrations API proxy security configuration checks and alerting Abuse and anomaly detection rules and machine learning models
Security misconfiguration	API proxy security configuration checks and alerting, to check and alert on security misconfigurations across proxies (and you can use our API to integrate proxy security score checks into your CI/CD pipeline) Comprehensive built-in security policies, including rate limiting and CORS policies Access control (including API key verification) Monitoring, logging, and alerting (supported through a native integration with Cloud Monitoring and support for 3P tools) Real-time protection against attacks, to prevent exploits of security misconfigurations
Improper inventory management	Versioning and lifecycle management Centralized API inventory and governance via API hub Shadow API discovery Monitoring, logging, and alerting (supported through a native integration with Cloud Monitoring and support for 3P tools) API proxy security configuration checks and alerting
Unsafe consumption of APIs	API products (for granular access control) Use an API gateway Access control policies, including OAuth 2.0, API key verification, and quota management Message validation for XML and SOAP payloads, validation of RESTful API requests, and GraphQL validation Monitoring, logging, and alerting (supported through a native integration with Cloud Monitoring and support for 3P tools) SIEM and WAF integrations Abuse and anomaly detection rules and machine learning models Real-time visibility into API consumption and risk, and threat response

Teams who want to take a layered approach to API and application security can use Apigee and Advanced API Security together with a Web Application Firewall (WAF) like Cloud Armor. Cloud Armor’s robust protection against DDoS attacks — including L3/L4 DDoS defense and DDoS thresholds — can help increase protection against unrestricted resource consumption and other security threats.

aside_block: <ListValue: [StructValue([(‘title’, ‘Hear monthly from our Cloud CISO in your inbox’), (‘body’, <wagtail.rich_text.RichText object at 0x3e24539fe850>), (‘btn_text’, ‘Subscribe today’), (‘href’, ‘https://go.chronicle.security/cloudciso-newsletter-signup?utm_source=cgc-blog&utm_medium=blog&utm_campaign=FY23-Cloud-CISO-Perspectives-newsletter-blog-embed-CTA&utm_content=-&utm_term=-‘), (‘image’, <GAEImage: Cloud CISO Perspectives new header July 2024 small>)])]>

Get started on API security with Apigee

To learn more about how Apigee can help mitigate the OWASP top 10 API security threats, read our free whitepaper. It explores each threat outlined above in more detail, including specific product capabilities that can help protect against each threat.

You can also learn more about Apigee’s built-in security policies and Advanced API Security’s capabilities in our docs. If you’re attending Google Next this April, check out our session on mitigating API and AI security risks with Google Cloud.

GCP – Protecting your APIs from OWASP’s top 10 security threats

What you can do about the OWASP top 10 API security risks

Mitigating security risks with Apigee and Advanced API Security

Get started on API security with Apigee

Related Posts

AWS – AWS Verified Access achieves FedRAMP High and Moderate authorization

AWS – Announcing support of AWS Glue Data Catalog views with AWS Glue 5.0

AWS – Amazon RDS for PostgreSQL, MySQL, and MariaDB now supports M8g and R8g database instances in additional AWS Regions