OWASP Tactical Access Defense Series: Broken Function Level Authorization (BFLA)
Broken Function Level Authorization (BFLA) is a class of web application vulnerability in which an attacker can reach functionality, or perform actions, that they are not authorized for. It arises when an application fails to enforce access control correctly on individual functions or endpoints, so a user can invoke operations that their role does not permit.
In this article we go through item API5 of the OWASP Top 10 API Security Risks and explore the role F5 BIG-IP Access Policy Manager (APM) plays in our defensive arsenal.
Consider a test application in which each retail agent submits their own sales data but cannot retrieve any data from the system. In HTTP terms, a retail agent may POST but is not allowed to GET, while a manager may GET to review agent performance and the collected data.
Mitigating Risks with BIG-IP APM
BIG-IP APM per-request granularity: with per-request policies, organizations can dynamically enforce access decisions on every request based on factors such as user identity, device characteristics, and contextual information. This allows fine-grained access control at the API level, mitigating the risks associated with Broken Function Level Authorization.
Key Features:
- Dynamic Access Control Policies: BIG-IP APM empowers organizations to define dynamic access control policies that adapt to changing conditions in real time. By evaluating each API request against these policies, BIG-IP APM ensures that authorized users can only perform the specific functions (actions) they are permitted to perform on the specified resources.
- Granular Authorization Rules: BIG-IP APM enables organizations to define granular authorization rules that govern access to individual objects or resources within the API ecosystem. By enforcing strict permission checks at the object level, F5 BIG-IP APM prevents unauthorized function calls.
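To make the agent/manager scenario concrete, here is an added example (not from the article and not BIG-IP APM's own policy language) of the per-request, per-function check such a policy enforces: a constructed role-to-(method, path) table, the BFLA-prone check that only tests for a login beside the hardened one, and a small audit helper over constructed sample requests. Endpoint paths and role names are assumptions.

```python
"""Per-request function-level authorization check (added example).
Retail agents may only POST sales data; managers may GET it."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed policy table: role -> set of (HTTP method, path) it may invoke.
# Anything not listed is denied by default. Paths are assumed to be
# normalized (no trailing slash, no encoding tricks) before lookup.
POLICY = {
    "agent":   {("POST", "/api/sales")},
    "manager": {("GET", "/api/sales"), ("GET", "/api/agents")},
}

@dataclass(frozen=True)
class Request:
    user: str
    role: Optional[str]   # None means the caller is unauthenticated
    method: str
    path: str

def vulnerable_authorize(req: Request) -> bool:
    """The BFLA pattern: only checks that the caller is logged in and never
    asks whether this role may call this function. An agent's GET passes."""
    return req.role is not None

def authorize(req: Request) -> bool:
    """Per-request check: the (method, path) pair must be explicitly allowed
    for the caller's role; unknown roles and unauthenticated calls are denied."""
    if req.role is None:
        return False
    return (req.method, req.path) in POLICY.get(req.role, set())

def audit_decisions(requests: List[Request]) -> List[Tuple[str, str, str, str]]:
    """One (user, method, path, decision) row per request, so denied calls
    can be logged and alerted on as attempted privilege escalation."""
    return [(r.user, r.method, r.path, "allow" if authorize(r) else "deny")
            for r in requests]

# Constructed sample traffic: the second request is the BFLA attempt.
SAMPLE_REQUESTS = [
    Request("alice", "agent", "POST", "/api/sales"),
    Request("alice", "agent", "GET", "/api/sales"),
    Request("bob", "manager", "GET", "/api/sales"),
    Request("eve", None, "GET", "/api/sales"),
]

if __name__ == "__main__":
    for row in audit_decisions(SAMPLE_REQUESTS):
        print(*row)
```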