Leaving the Business Security Burden to LiSEA: A Low-Intervention Security Embedding Architecture for Business APIs

Abstract

In the evolving landscape of complex business ecosystems and their digital platforms, an increasing number of business Application Programming Interfaces (APIs) are encountering challenges in ensuring optimal authorization control. This challenge arises due to factors such as programming errors, improper configurations, and sub-optimal business processes. While security departments have exhibited proficiency in identifying vulnerabilities and mitigating certain viral or adversarial incursions, the safeguarding of comprehensive business processes remains an intricate task. This paper introduces a novel paradigm, denoted as the Low-Intervention Security Embedding Architecture (LiSEA), which empowers business applications to enhance the security of their processes through judicious intervention within business APIs. By strategically incorporating pre- and post-intervention checkpoints, we devise a finely grained access control model that meticulously assesses both the intent of incoming business requests and the outcomes of corresponding responses. Importantly, these advancements are seamlessly integrated into the existing business codebase. Our implementation demonstrates the effectiveness of LiSEA, as it adeptly addresses eight out of the ten critical vulnerabilities enumerated in the OWASP API Security Top 10. Notably, when the number of threads is less than 200, LiSEA brings less than 20 msec of latency to the business process, which is significantly less than the microservice security agent based on the API gateway.