Fortify API Security and Data Privacy
Protection Across New Attack Surfaces 

Mitigating mounting application, service and API attacks, including the OWASP API vulnerabilities and sensitive data leakage, requires development organizations to gain continuous visibility into API security, access and data scope for ingress and egress traffic. Cloudentity complements WAF technologies by enabling organizations to see, control and monitor access and data exchange between APIs and services. With Cloudentity, development and DevSecOps personnel can partner to fortify the enterprise security posture, improve API hygiene, and reduce data breach and compliance risks.

SOLUTION BRIEF


“By 2022, API abuses will move from an infrequent to the most-frequent attack vector, resulting in data breaches for enterprise web applications.”

Gartner Research

OWASP TOP 10

“Most of the OWASP Top Ten API Security vulnerabilities are related to authentication, authorization and access control”
OWASP

API1 2019 — Broken object level authorization

API2 2019 — Broken authentication

API3 2019 — Excessive data exposure

API4 2019 — Lack of resources and rate limiting

API5 2019 — Broken function level authorization

API6 2019 — Mass assignment

API7 2019 — Security misconfiguration

API8 2019 — Injection

API9 2019 — Improper assets management

API10 2019 — Insufficient logging and monitoring

OWASP THREAT MITIGATION GUIDE

How We Solve

OWASP Top Ten API Security Vulnerabilities

Broken Object Level Authorization
  • Privacy & Permission Service
  • Object-level access management and enforcement
  • Intent-based Authorization
  • Secure Token Service
  • Object-level validation
  • Modern OAuth 2.0 implementation
  • Identity-aware brute force protection
  • Integrations with strong authentication vendors
  • Multi-factor authentication enforcement at API authorization and access
  • STS capabilities
  • Risk-based token Time-to-Live (TTL)
  • Strong service identity using the SPIFFE standard
Broken authentication
  • SPIFFE- and OAuth-based service/API identity
  • Short-lived and transactional tokens
  • Enforcement of AMR and ACR claims for strong user authentication
  • Rate limiting for authentication
  • External secret and password storage in Key Vault
Excessive Data Exposure
  • Response-level validation
  • Audit of the data responses
  • Integration with data classification vendors
  • JSON schema validation
  • Service classification based on PII and sensitive data access
Lack of Resources & Rate Limiting
  • Rate limiting in the context of identity and connection (IP, header value, user agent)
  • Rate limiting at the token minting level
  • In-memory data grid (IMDG) enabling shared state
  • API throttling based on IP address, client ID and user
Broken function level authorization
  • Fine-grained API access control
  • Default blocking policy
  • User identity context validator
  • Authorization insights based on the service and data sensitivity
Mass assignment
  • OpenAPI integration
  • JSON schema enforcement & validation
  • Ability to transform request and response content
Improper assets management
  • Insight into each service protected by the Cloudentity products
  • Metatag based API access
  • Micro-segmentation policies
  • Distributed policy enforcement
  • STS capabilities
  • Risk-based token Time-to-Live (TTL)
Insufficient logging and monitoring
  • Robust monitoring
  • Easy-to-read logs with JSON format support
  • Tamper-proof audit and privacy logs
  • Sensitive data masking
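Two of the mitigations listed above, JSON schema enforcement on request bodies (Mass assignment) and response-level validation (Excessive Data Exposure), worked through in an added Python example. This is illustrative code, not Cloudentity's product code; the `user` schemas and the sample request and record are constructed for the example.

```python
# Added example (not Cloudentity code): schema enforcement on API traffic.
# Mass assignment (API6): reject request fields the schema does not declare.
# Excessive data exposure (API3): strip response fields the schema does not
# declare before they leave the service. A minimal JSON-Schema-style checker
# is implemented inline so the example runs offline.

# Constructed schemas for a hypothetical "user" resource (not from the brief).
USER_UPDATE_REQUEST = {
    "type": "object",
    "properties": {"display_name": {"type": "string"}, "email": {"type": "string"}},
    "required": ["display_name"],
    "additionalProperties": False,      # undeclared fields are a violation
}
USER_RESPONSE = {
    "type": "object",
    "properties": {"id": {"type": "integer"}, "display_name": {"type": "string"},
                   "email": {"type": "string"}},
}

_TYPES = {"object": dict, "string": str, "integer": int, "boolean": bool}

def validate(doc, schema, path="$"):
    """Return a list of violations; an empty list means `doc` conforms."""
    expected = _TYPES[schema["type"]]
    # bool is a subclass of int in Python, so exclude it explicitly for integers
    if not isinstance(doc, expected) or (expected is int and isinstance(doc, bool)):
        return [f"{path}: expected {schema['type']}"]
    if expected is not dict:
        return []
    errors = [f"{path}.{n}: required field missing"
              for n in schema.get("required", []) if n not in doc]
    props = schema.get("properties", {})
    for name, value in doc.items():
        if name in props:
            errors += validate(value, props[name], f"{path}.{name}")
        elif not schema.get("additionalProperties", True):
            errors.append(f"{path}.{name}: undeclared field rejected")
    return errors

def filter_response(doc, schema):
    """Keep only the fields the response schema declares (API3 mitigation)."""
    return {k: v for k, v in doc.items() if k in schema.get("properties", {})}

# Constructed traffic: an update that carries an undeclared `role` field, and
# an upstream record that holds more than the API contract exposes.
TAMPERED_UPDATE = {"display_name": "alice", "role": "admin"}
UPSTREAM_RECORD = {"id": 7, "display_name": "alice", "email": "alice@example.com",
                   "password_hash": "$2b$12$constructed", "ssn": "000-00-0000"}
```

Running `validate(TAMPERED_UPDATE, USER_UPDATE_REQUEST)` returns the single violation for `role`, and `filter_response(UPSTREAM_RECORD, USER_RESPONSE)` returns only `id`, `display_name` and `email`.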
