Help
Technical Articles
F5 SMEs share good practice.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions

Secure OWASP API Top 10 with F5 products | Start here

Kin
F5 Employee
F5 Employee

‎20-Nov-2022 18:00 - edited ‎22-Nov-2022 10:49

What is API

Application programming interfaces (APIs) are software components that provide a contract for client devices to interact with the server-side of an application. For example, a client can use APIs to send a GET request to retrieve data from a server. The server processes the request according to pre-defined functions and responds to the client with the application data. This differs from traditional web application requests where clients communicate with servers through web browsers and servers respond with HTML web pages. 

Kin_0-1667956730931.png

API security requires its own set of security strategies

Each API request (GET /userinfo, DELETE /userId/item and so on) that provides functionality for users exposes API endpoints that have become a target for attackers. As an application grows and becomes more complex, the number of API endpoints increase and so does the attack surface of the application. Compared to traditional web application where the client's main responsibility is to render the web page, API applications can rely more on the client side such as to maintain session state. In addition to that, APIs by nature exposes application logic and sensitive data. As a result, vulnerabilities due to API security are different from what you have in the OWASP top 10 for web applications (2021). API security vulnerabilities have their own unique details and require their own set of security strategies and solutions; therefore, that group of vulnerabilities has its own: OWASP top 10 for API security (2019)

Secure your APIs with F5 products

The responsibility of securing your APIs does not fall solely on application code on the client and server systems. F5 products are strategically positioned in this line of (client-sever) communication as they can see parameters in the API requests, orchestrate data flow, and understand the business logic of the application. The range of BIG-IP modules (Advanced WAF, BIG-IP APM, BIG-IP LTM) and NGINX products provide you with granular control to implement specific API protections (such as content validation, access control, rate limiting, and so on) that you need to protect against the OWASP API security Top 10 (2019).

To find out more on to protect how your APIs with F5's range of BIG-IP and NGINX products, refer to K08446517: Guide introduction and contents | APIs and the OWASP Top 10 guide or jump directly to the chapter that you're most interested in:

F5 Distributed Cloud WAAP

In addition to BIG-IP and NGINX products, you can use F5 Distributed Cloud Web App and API Protection (WAAP) to secure your APIs. For more information, refer to Mitigating OWASP API Sec Top 10 API7:2019 Security Misconfiguration using F5 Distributed Cloud WAAP.

Labels:
Version history
Last update:
‎22-Nov-2022 10:49
Updated by:
F5 Employee
Contributors
Copyright © 2023 Khoros, LLC