Authorization still tops OWASP top 10 API Security risks for 2023
The latest OWASP "Top 10 API Security Risks" report once again lists "Broken Object Level Authorization" as its number one vulnerability. What can be done about it?
Daniel Bass
Introduction
API security is a critical concern for every developer in today's digital landscape. The Open Worldwide Application Security Project (OWASP) plays a vital role in highlighting the most significant security risks associated with APIs. The latest 2023 OWASP Top 10 API Security Risks Report offers valuable insights into the evolving threat landscape. Among the various risks identified, one item stands out as the most crucial: broken access control, and, specifically, authorization. In this blog post, we will delve into the latest OWASP report, focusing on the importance of authorization, and what best practices you should implement to avoid potential security risks.
Broken-Access-Control Remains the Number 1 Concern
The OWASP Top 10 API Security risks for 2023 provide a comprehensive understanding of the most critical vulnerabilities that organizations face. These risks evolve over time, and it is crucial for businesses to stay up to date with the latest security concerns. As in the previous lists (OWASP 2019 Top 10 API Security Risks, and OWASP 2021 Top 10 Web Application Security Risks), the top two items remain broken access-control-related risks: Broken Object Level Authorization, and Broken Authentication.
These items are described in the OWASP Top 10 API Security risks for 2023 in the following way:
API1:2023 - Broken Object Level Authorization | APIs tend to expose endpoints that handle object identifiers, creating a wide attack surface of Object Level Access Control issues. Object level authorization checks should be considered in every function that accesses a data source using an ID from the user. |
API2:2023 - Broken Authentication | Authentication mechanisms are often implemented incorrectly, allowing attackers to compromise authentication tokens or to exploit implementation flaws to assume other user's identities temporarily or permanently. Compromising a system's ability to identify the client/user, compromises API security overall. |
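The object-level check that API1:2023 describes, shown as an added example that is not taken from the OWASP report or from this post. The invoice store, function names and IDs are constructed for illustration.

```python
# Added example: constructed data and hypothetical names throughout.
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    id: int
    owner_id: str
    total: float


# Constructed sample rows standing in for a database table.
INVOICES = {
    1001: Invoice(1001, "alice", 120.0),
    1002: Invoice(1002, "bob", 75.5),
}


class NotFound(Exception):
    """Raised for missing AND foreign objects, so responses do not reveal which IDs exist."""


def get_invoice_vulnerable(caller_id: str, invoice_id: int) -> Invoice:
    # Broken object level authorization: the caller is authenticated, but the
    # ID taken from the request is never compared with the caller's identity.
    try:
        return INVOICES[invoice_id]
    except KeyError:
        raise NotFound(invoice_id) from None


def get_invoice(caller_id: str, invoice_id: int) -> Invoice:
    # Object-level check: the lookup is scoped to the caller on every access.
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice.owner_id != caller_id:
        raise NotFound(invoice_id)
    return invoice


def can_read(fn, caller_id: str, invoice_id: int) -> bool:
    """Demo helper: True if fn hands the object to this caller."""
    try:
        fn(caller_id, invoice_id)
        return True
    except NotFound:
        return False


if __name__ == "__main__":
    for fn in (get_invoice_vulnerable, get_invoice):
        print(fn.__name__, {i: can_read(fn, "alice", i) for i in INVOICES})
```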
Despite ongoing efforts to improve API security, broken access control continues to be a significant concern. Its consistent position at the top of the OWASP Security risk list underscores its relevance and the urgent need for organizations to address this vulnerability effectively. The OWASP community is not the only one concerned about this issue - the NSA “Advancing Zero Trust Maturity Throughout the User Pillar” cybersecurity information sheet discusses similar issues - mainly the importance of implementing proper access control.
What can you do about it?
Developing secure systems is a challenge for every developer. To truly excel in this field, it is essential to learn from the identified threats, adapt to them, and continuously enhance our knowledge and skills. By following best practices for secure access control, and using only tools and open-source software that follow them, developers can ensure that the systems they build are robust, resilient, and reliable.
Best Practices for Avoiding Broken Access Control
To mitigate the risks associated with broken access control, we must adopt best practices and implement robust access control measures. Here are some key practices to consider:
Mapping Your Authorization Layer in Advance:
Take the time to plan user roles and authorizations in advance. Understand your application-level roles and identify the actions each role should be able to perform on specific resources. This helps establish a solid authorization layer and ensures that access to data is granted only to those who need it. Don’t know where to start? Check out this guide.
Choose an Authorization Model that fits your needs:
Choosing the appropriate authorization model is crucial for effectively managing permissions in your application. The two primary models to consider are Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC). RBAC provides a straightforward solution for determining authorization based on predefined roles, while ABAC offers a more comprehensive approach by incorporating attributes into the decision-making process. By selecting the appropriate authorization model and leveraging the right tools, you can establish a robust and flexible access control framework that aligns with your organization's needs. Remember that access control is not a one-size-fits-all approach, and it requires continuous evaluation and adaptation as your application and security requirements evolve. To make the right choice, learn more about RBAC VS ABAC.
Build a flexible authorization system:
Implementing and maintaining authorization can in itself be quite challenging. Creating a structure that allows you to switch from one model to another or use them together is even more complicated. The best approach is to use an authorization solution that allows for this flexibility.
Don’t mix application code with authorization logic:
Coupling the code of the authorization layer into the application code is a bad idea for several reasons. Each upgrade or added capability would require us to refactor large areas of code that only drift further from one another.
There are several solutions, such as Open Policy Agent (OPA) and AWS’ Cedar + Cedar Agent, that allow you to decouple policy from code and manage authorization in a separate service.
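A sketch of the last three practices together (RBAC and ABAC rules side by side, a policy that can be swapped, and handlers free of role logic), added here as an illustration and not taken from OPA, Cedar or the original post. The rule format, `PolicyDecisionPoint` and `edit_document` are hypothetical names.

```python
# Added example: hypothetical rule format, not OPA (Rego) or Cedar syntax.
from typing import Any

Request = dict[str, Any]

# Policy is kept apart from the handlers. Each rule names a role (RBAC) and
# may add an attribute condition on the same request (ABAC).
POLICY_V1 = [
    {"role": "admin", "action": "*", "resource": "document"},
    {"role": "editor", "action": "edit", "resource": "document",
     "when": lambda r: r["user"]["department"] == r["object"]["department"]},
    {"role": "viewer", "action": "read", "resource": "document"},
]


class PolicyDecisionPoint:
    """The single place where allow/deny is decided; the default is deny."""

    def __init__(self, rules):
        self._rules = list(rules)

    def load(self, rules) -> None:
        # Swap the policy at runtime; application code stays untouched.
        self._rules = list(rules)

    def is_allowed(self, req: Request) -> bool:
        for rule in self._rules:
            if rule["role"] not in req["user"]["roles"]:
                continue
            if rule["resource"] != req["resource"]:
                continue
            if rule["action"] not in ("*", req["action"]):
                continue
            if rule.get("when", lambda r: True)(req):
                return True
        return False


pdp = PolicyDecisionPoint(POLICY_V1)


def edit_document(user: dict, doc: dict, text: str) -> str:
    # The handler only asks the question; it contains no role or attribute logic.
    req = {"user": user, "action": "edit", "resource": "document", "object": doc}
    if not pdp.is_allowed(req):
        raise PermissionError("denied")
    doc["body"] = text
    return doc["body"]
```

Loading a different rule list through `pdp.load(...)` changes the outcome of `edit_document` without editing the handler, which is the property the decoupling is meant to give you.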
Utilize event-driven authorization:
In addition to granular access rules, keeping your authorization layer up to date in real-time is a must for every modern application. OPAL (Open Policy Administration Layer), for example, is an open-source project that makes policy engines like OPA and Cedar event-driven. This allows you to respond to policy and data changes instantly as they happen, push live updates to your agents, and bring open policy up to the speed needed by live applications.
Keep evolving!
Authorization, particularly broken access control, remains a top concern in API security. The 2023 OWASP Top 10 API Security Risks report emphasizes the importance of addressing this vulnerability effectively. By following best practices such as mapping your authorization layer, choosing the right authorization model, building a flexible authorization system, separating application code from authorization logic, and utilizing event-driven authorization, you can significantly enhance your API security.
Authorization is a critical aspect of securing your APIs. By implementing the recommended best practices, you can build a robust access control layer that ensures only authorized users can access sensitive resources and avoid major access control pitfalls. Stay proactive, stay secure!
Want to learn more about Authorization and access control? Join our Slack Community, where world-class authorization specialists and hundreds of devs are discussing, building, and implementing authorization together.