Audit and Assurance


Security assessment of API

  • 1.  Security assessment of API

    Posted 31 Oct, 2019 06:43

    Hello members,

    I am currently assessing a proposal for interconnecting an internal system with 3rd party cloud-based applications. The system uses an API to exchange data.

    This is the first time I am performing such an assessment, so could you please advise which key areas I should focus on to assess the security aspects of APIs.



    ------------------------------
    Pratik Shah
    Information Security Manager
    ------------------------------


  • 2.  RE: Security assessment of API
    Best Answer

    Posted 31 Oct, 2019 07:14

    Hi Pratik,

    Some things I would check:
    - How do you authenticate to the API? Is it a user/password-based thing? Is it certificate-based authentication? If so, how are those certificates managed, replaced, discarded, and who is responsible for doing this?
    - Can anyone connect to the API, or can you limit connections to a specific IP or range of IPs?
    - Who has access to the API?
    - What kind of data is transmitted? Does this meet compliance requirements, such as GDPR/PCI/HIPAA?
    - Is the data transmitted "minimal"? That is, is only data that is absolutely necessary transmitted?
    - Is the data passed encrypted? Symmetric, asymmetric? Who manages the encryption keys?
    - Is the API protected by SSL/TLS? Does it use standard ports such as HTTPS?
    - Are tests being done to check for vulnerabilities? For example, fuzz testing, where oversized, large chunks of data are pushed, that may lead to outages or corrupt data, or even worse, buffer overflows and potentially system access. That is, how is it protected from malicious activities?
    - Is the usage of the API monitored? In terms of use, connections/sec... that is, baselining, to potentially see irregularities (when the number of connections/sec suddenly goes up, when the API is used off-hours, or when it is used by a different set of IP addresses)
    - Are there notifications when the API is updated/changed? Does this pose a risk to the functionality?
    - How is the reputation of the cloud provider? Is it trusted? Are they certified?
    - How is the support rated, when things do go bad?
    - Is it a highly available/load-balanced solution, so availability is maximized?
    - What does the SLA say? What are their RTO/RPO?
    - What would be the outcome of a failure in this API? Would the business be disrupted? Halted? Is this a minor issue?
    - Are there any requirements you have for storing the data at the provider? (encryption, segmentation, ...)
    - Is it a public/private/community/hybrid cloud, where a breach of other customers could potentially also result in data loss for your company?
    - Who is responsible internally for building and managing the API?
    - How is the documentation/change management going to be for this project?
    - Who are the stakeholders and what are their expectations/requirements?


    There is probably more to it, but these are the first things that pop up in my mind.

    I hope this helps.



    ------------------------------
    Sven De Preter

    Sr. Network & Systems Administrator
    Corporate DPO Team Member

    Certs:
    - CompTIA CSCP (Stackable)
    - CompTIA CCAP (Stackable)
    - CompTIA Cloud+ ce
    - CompTIA Security+ ce
    - CompTIA Network+ ce
    ------------------------------



  • 3.  RE: Security assessment of API

    Posted 01 Nov, 2019 03:57
    I must confess that Sven's response to Pratik is very useful.

    I would keep a record of this to do API assessment when the need arises.

    Cheers.

    ------------------------------
    Abiola Akinrinmade
    Information System Auditor
    ------------------------------



  • 4.  RE: Security assessment of API

    Posted 01 Nov, 2019 08:17
    Hi Sven,

    I think this is the best answer one could possibly get. I would appreciate it if you could publish a security paper on API security. This will be helpful to many members.

    Regards
    Pratik Shah

    ------------------------------
    Pratik Shah
    Information Security Manager
    ------------------------------



  • 5.  RE: Security assessment of API

    Posted 04 Nov, 2019 13:12
    Hi @Pratik Shah,

    I followed your recommendation, created an article and submitted it to ISACA for review. ;)
    I've tried to keep it simple though, so that people new to the auditing and management functions will have an idea on where to start. The article itself is far from "complete", but it should provide a starting point.

    Thanks for your support. :)

    All the best,

    ------------------------------
    Sven De Preter

    Sr. Network & Systems Administrator
    Corporate DPO Team Member

    Certs:
    - CompTIA CSCP (Stackable)
    - CompTIA CCAP (Stackable)
    - CompTIA Cloud+ ce
    - CompTIA Security+ ce
    - CompTIA Network+ ce
    ------------------------------



  • 6.  RE: Security assessment of API

    Posted 16 Mar, 2020 04:47
    @Sven De Preter

    I developed an API Audit program in the same regard. See attached.

    ------------------------------
    Veronica Rose, CISA
    Information Systems Auditor
    ------------------------------




  • 7.  RE: Security assessment of API

    Posted 01 Nov, 2019 08:47
    Thank you Sven, very helpful!

    I am looking for information on how 3rd party vendors can connect apart from APIs and VPNs. If there is no inventory of 3rd party vendors and how they connect to the company's network, what are the possible ways to identify all the connections?

    Shobana

    ------------------------------
    Shobana Swaminathan
    Senior Internal Auditor
    ------------------------------



  • 8.  RE: Security assessment of API

    Posted 01 Nov, 2019 17:43
    Hi Pratik,

    There is a set of best practices to protect API servers: OWASP Top 10 API Security.

    Kind Regards

    ------------------------------
    Hector Jimenez
    IT & Cybersecurity Auditor
    ------------------------------



  • 9.  RE: Security assessment of API

    Posted 06 Feb, 2020 06:39
    Hi all,

    I am looking for an API audit program. Kindly share a template if available.

    ------------------------------
    Veronica Rose, CISA
    Information Systems Auditor
    ------------------------------



  • 10.  RE: Security assessment of API

    Posted 06 Feb, 2020 09:30
    Hi,

    I recommend that you use the OWASP Top 10 API Security guide.


    Greetings



    Héctor E. Jiménez
    ISACA, San Salvador
    CSX Liaison






  • 11.  RE: Security assessment of API

    Posted 16 Mar, 2020 10:18
    Hi,

    I suggest using OWASP Top 10 API Security (see the attached document).

    Regards,

    ------------------------------
    Hector Jimenez
    IT & Cybersecurity Auditor
    ------------------------------
