Cyber Security

How do we secure our API endpoints against the OWASP Top 10 API security threats in 2025?

JA Asked by Jason Miller · 10-03-2023
0 upvotes 11,079 views 0 comments
The question

 

Our mobile app relies heavily on REST APIs, and I’m concerned about "Broken Object Level Authorization" (BOLA). It seems like every major breach lately involves an API vulnerability. What are the most effective ways to automate API security testing in our CI/CD pipeline? Should we be using a dedicated Web Application Firewall (WAF) or focus more on code-level input validation?

 

3 answers

0
RI
Answered on 14-03-2023

Are you using API Keys or JWT (JSON Web Tokens) for your authentication, and how are you handling the secure rotation of those credentials to prevent long-term leaks?

WI 15-03-2023

Richard, we use JWTs with a very short expiration time—usually only 15 minutes. We also implemented "Scopes" so that a token used for the mobile app cannot be used to access administrative functions. For rotation, we use a vault system that automatically generates new keys every 30 days. This significantly limits the "Blast Radius" if a key ever gets checked into a public GitHub repo by mistake. It’s a bit more complex for the developers, but the peace of mind regarding our API security is worth the extra effort in the long run.

0
SU
Answered on 12-03-2024

BOLA is the #1 threat because it’s a logic flaw, not just a technical bug. A WAF can catch basic injections, but it won't know if "User A" is allowed to see "User B’s" data record. You must implement strict authorization checks at the code level for every single request. For automation, integrate DAST (Dynamic Application Security Testing) tools into your pipeline that specifically crawl API endpoints. Use "Contract Testing" to ensure your API only accepts the exact data types you expect. Never rely on the client-side app to filter data; always assume the API request is coming from a malicious actor and validate everything on the server. 

0
NA
Answered on 16-03-2024

Rate limiting is a must. It prevents attackers from "Scraping" your entire database by making thousands of small requests to your API in a short period of time. 

JA 17-03-2023

Spot on, Nancy. Rate limiting and throttling are your first line of defense against brute force attacks and automated data harvesting via your endpoints.

Share your thoughts

Your email address will not be published. Required fields are marked (*)

Professional Counselling Session

Still have questions?
Schedule a free counselling session

Our experts are ready to help you with any questions about courses, admissions, or career paths. Get personalized guidance from industry professionals.

Request a Call Back

Search Online

We Accept

We Accept

Follow Us

"PMI®", "PMBOK®", "PMP®", "CAPM®" and "PMI-ACP®" are registered marks of the Project Management Institute, Inc. | "CSM", "CST" are Registered Trade Marks of The Scrum Alliance, USA. | COBIT® is a trademark of ISACA® registered in the United States and other countries.

Book Free Session