Table of Contents
1. Why Attackers Increasingly Exploit APIs
2. API Security Pros Are Hard To Find
3. API Security Best Practices
As businesses adopt cloud-native architectures and modern software development practices, their applications rely on APIs to call back-end services. The success and ease of that model has spurred businesses to embrace APIs elsewhere, too, including application integration, task automation, and customer service. APIs, which let two applications connect and exchange data, enable so much innovation that most executives now consider them mission-critical, according to a 2021 Vanson Bourne study.
While the benefits are clear, the explosion in API use has led to a rise in API-based attacks. A recent survey found a 117% increase in malicious API traffic over the past year. At a high level, it’s because as API use has increased, companies have had trouble keeping up with threats that target the APIs.
There are countless examples of API breaches. During the past year, for example:
- Dropbox was the victim of an attack where API credentials were stolen;
- A hacker broke into crypto-trading platform 3Commas’s system via an API;
- Optus, the second-largest telecommunications provider in Australia, faced a $1 million extortion threat from attackers who infiltrated the system due to an unauthenticated API; and
- Lego Group narrowly escaped a major attack when Salt Labs found vulnerabilities in a Lego subsidiary that could have resulted in user account takeover via cross-site scripting and the discovery of sensitive data.
Why Attackers Increasingly Exploit APIs
If attackers are getting through, companies aren't doing enough to secure their APIs. According to a report from Enterprise Strategy Group, the No. 1 cause of cybersecurity incidents is loss of data due to insecure use of APIs. Other top causes included inconsistent adoption of API specifications, the use of multiple API management tools, misconfigured APIs, and failure to use application security tools built specifically for API security. The Open Web Application Security Project (OWASP) maintains a separate API Security Top 10 alongside its better-known web application Top 10; the web application list leads with broken access control, cryptographic failures, injection, and insecure design, while the API list is topped by broken object level authorization, the failure to check that the caller is actually entitled to the specific object an ID refers to.
Typically, companies rely on whatever their web application firewall (WAF) or web application and API protection (WAAP) product happens to catch, without thinking about business logic. That's the wrong approach, said Gadi Bashvitz, CEO of Bright Security, a dynamic application security testing (DAST) platform vendor. A business logic vulnerability is usually rooted in an API's initial design rather than in a single malformed request, which is why signature-based inspection tends to miss it. It lets an attacker use legitimate data, workflows, or functionality for their own purposes, for example by calling an operation that was never meant to be available to their role.
“Let’s say you have two different users who have the same rights even though one is an administrator and the other is the lowest level user, but nobody took that into consideration in the API,” Bashvitz said. “That becomes a business logic vulnerability because all you need is to get access to the lowest level user and suddenly you can do everything in the organization.”
API Security Pros Are Hard To Find
Another problem is the shortage of API security professionals. There is already a lack of qualified cybersecurity personnel, but the API security subset is even more specialized and hard to acquire. API security specialists not only need proficiency in application security, but they must understand the capabilities that each specific application needs. API specialists also must have coding skills to interact with the rest of the team and test the APIs appropriately.
Some API query languages demand extra expertise, and not everybody has it. A notable case is GraphQL, the popular query language for APIs, which is increasingly used alongside, and sometimes in place of, older SOAP and REST-style interfaces.
“The problem with GraphQL APIs is that there is only one endpoint, so checking whether or not the user should be authorized or doing things they aren’t supposed to do requires writing deep packet inspection rules that understand your API schema,” explained Erick Galinkin, principal AI researcher at Rapid7.
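The two scenarios above, Bashvitz's two users with identical rights and Galinkin's single endpoint that URL-based rules cannot distinguish, come down to the same missing check: the API never relates the caller to the operation and to the object. The following added example (my own illustration, not code from the article or from any vendor it quotes) shows a single entry point that accepts an operation name and an object ID, first without any authorization beyond "is logged in", then with a per-operation role check (function-level authorization) and a per-object ownership check (object-level authorization). All users, orders and operation names are constructed for the example.

```python
"""Object- and function-level authorization behind a single API entry point.

Added example (not code from the article or from any vendor it quotes). The
users, orders and operation names below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    role: str  # "customer" or "admin"


# Constructed sample data: two customers, one admin, two orders.
ALICE = User(id=1, role="customer")
BOB = User(id=2, role="customer")
ADMIN = User(id=99, role="admin")

ORDERS = {
    101: {"id": 101, "owner_id": ALICE.id, "total": 49.99},
    102: {"id": 102, "owner_id": BOB.id, "total": 1200.00},
}


class Forbidden(Exception):
    """Caller is authenticated but may not perform this operation."""


class NotFound(Exception):
    """Object does not exist, or the caller may not learn whether it does."""


def _load_order(order_id):
    order = ORDERS.get(order_id)
    if order is None:
        raise NotFound(order_id)
    return order


# --- Vulnerable dispatcher ---------------------------------------------------
# One endpoint takes {"op": ..., "id": ...}. Authentication happened upstream,
# but nothing ties the caller to the object or to the role an operation needs,
# so any logged-in customer can read or refund anybody's order. A WAF watching
# the URL sees the same endpoint for every request and has nothing to block.
def api_vulnerable(caller, request):
    op = request["op"]
    if op == "getOrder":
        return _load_order(request["id"])
    if op == "refundOrder":
        order = _load_order(request["id"])
        return {"id": order["id"], "status": "refunded"}
    raise NotFound(op)


# --- Hardened dispatcher -----------------------------------------------------
# Each operation declares the roles allowed to call it (function-level check)
# and an ownership rule for the object it touches (object-level check).
def _owner_or_admin(caller, order):
    return caller.role == "admin" or order["owner_id"] == caller.id


POLICY = {
    # op: (roles allowed to call it at all, per-object check)
    "getOrder": ({"customer", "admin"}, _owner_or_admin),
    "refundOrder": ({"admin"}, _owner_or_admin),
}


def api(caller, request):
    op = request["op"]
    if op not in POLICY:
        raise NotFound(op)
    allowed_roles, object_check = POLICY[op]
    if caller.role not in allowed_roles:
        raise Forbidden(op)                       # function-level authorization
    order = _load_order(request["id"])
    if not object_check(caller, order):
        # Answer "not found" rather than "forbidden": a probing caller must not
        # be able to confirm that a guessed ID belongs to someone else.
        raise NotFound(request["id"])             # object-level authorization
    if op == "getOrder":
        return order
    return {"id": order["id"], "status": "refunded"}


def outcome(caller, request):
    """Run the hardened dispatcher and summarise the result for callers/tests."""
    try:
        api(caller, request)
        return "ok"
    except Forbidden:
        return "forbidden"
    except NotFound:
        return "not_found"


if __name__ == "__main__":
    print("vulnerable:", api_vulnerable(ALICE, {"op": "getOrder", "id": 102}))
    print("hardened:  ", outcome(ALICE, {"op": "getOrder", "id": 102}))
    print("hardened:  ", outcome(BOB, {"op": "refundOrder", "id": 101}))
```

The policy table is the part a GraphQL resolver or a REST handler would share: the check runs per operation and per object, inside the application, where the schema is known, rather than in front of it where only a URL is visible.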
API Security Best Practices
While there is plenty that can go wrong with APIs, IT pros have ways to prevent or at least drastically reduce problems. Here are some of the most important best practices.
1. Know what you have
With so much development going on, it’s not uncommon for companies to lose track of what APIs they have. Unknown APIs can’t be secured.
What’s more, companies may use older versions of APIs alongside newer versions. “A lot of organizations have no idea of how many APIs they have because they don’t have any kind of mapping,” said Melinda Marks, a senior analyst at ESG Research. “No matter what developers are doing, security needs the visibility and control to make sure they can secure it.”
One way to increase visibility is through API mapping, which creates an inventory of the APIs. API mapping is typically included as a feature in API security posture tools.
Another option is to use your existing WAF or WAAP provider, which already sits inline on your traffic and can infer endpoints from the requests it observes. Some providers also integrate with your application security tooling to build that inventory.
Either way, taking the time to clean house, retiring old versions and documenting what remains, removes a whole class of problems before any other control is applied.
2. Build in security from the start
Security controls should be built into the design from the beginning, not as an afterthought. Do it as early in the software development lifecycle as possible. "Do it in the development phase or at least in the testing phase, because if you wait until it's in pre-production, it's too late – the vulnerabilities are already entrenched," Bashvitz said.
3. Use standard schemas
If your APIs aren't described in a standard schema, they are much harder to test and validate. Describe each API in a machine-readable specification such as OpenAPI, so that tools like Postman (for request collections and contract tests) and Cucumber (for behaviour-driven test scenarios) can check the implementation against the definition rather than against someone's memory of it.
4. Choose the right API security tools
There are many types of API security tools available today. In addition to API security posture tools, options include API runtime security tools to detect and prevent malicious requests to APIs, API vulnerability scanning tools, and API security testing tools, usually through some type of DAST.
Whatever tools you use, make sure they are proactive instead of reactive, Galinkin said. “A proactive solution should poke and prod at your APIs to see if things look right instead of relying on a passive solution like a WAF, because a lot of times, the actual API is evolving faster than the security team can learn about it and write detections for it,” he said.
5. Change your processes to reflect today’s realities
After evaluating current vulnerabilities, organizations should revamp processes and procedures to ensure that APIs are designed, documented, and mapped correctly.
Documentation is more important than it might seem. Many companies fail to document the full functionality of an API, so undocumented functionality falls through the cracks, Galinkin noted. If an endpoint isn't documented and requests are made against it, the security team has no baseline to tell legitimate use from abuse. To solve that problem, conduct a design review process with the security team.
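Both "know what you have" and the documentation point above reduce to one comparison: the endpoints the specification says exist versus the endpoints the traffic shows being hit. The following added example (my own illustration, not code from the article or from any vendor it quotes) reconciles a constructed OpenAPI document against constructed access-log lines and reports shadow operations (hit in traffic but absent from the spec) and zombie operations (in the spec but never hit). Path templates such as `/v2/users/{userId}` are turned into regular expressions so that concrete IDs match their documented route.

```python
"""Reconcile an OpenAPI inventory against observed traffic.

Added example (not code from the article or from any vendor it quotes). The
OpenAPI fragment and the access-log lines are constructed for illustration.
"""
import json
import re
from collections import Counter

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options"}

# Constructed OpenAPI 3 document: what the team believes it has exposed.
OPENAPI_DOC = json.loads("""
{
  "openapi": "3.0.0",
  "paths": {
    "/v2/users/{userId}": {"get": {}, "delete": {}},
    "/v2/orders": {"get": {}, "post": {}},
    "/v2/orders/{orderId}": {"get": {}, "parameters": []}
  }
}
""")

# Constructed access-log lines (combined-log style): what was actually hit.
ACCESS_LOG = """\
10.0.0.5 - - [12/Mar/2023:10:01:02 +0000] "GET /v2/users/42 HTTP/1.1" 200 512
10.0.0.5 - - [12/Mar/2023:10:01:03 +0000] "GET /v2/orders/7 HTTP/1.1" 200 214
10.0.0.9 - - [12/Mar/2023:10:02:11 +0000] "POST /v1/users/42/export HTTP/1.1" 200 8192
10.0.0.9 - - [12/Mar/2023:10:02:12 +0000] "GET /v2/admin/debug HTTP/1.1" 200 1024
10.0.0.7 - - [12/Mar/2023:10:03:00 +0000] "GET /v2/orders?page=2 HTTP/1.1" 200 3020
"""

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')


def template_to_regex(template):
    """Turn an OpenAPI path template into an anchored regex.

    Each {param} segment matches exactly one path segment; literal segments
    are escaped so characters like '.' in a path do not become wildcards.
    """
    parts = []
    for seg in template.split("/"):
        if seg.startswith("{") and seg.endswith("}"):
            parts.append("[^/]+")
        else:
            parts.append(re.escape(seg))
    return re.compile("^" + "/".join(parts) + "$")


def documented_operations(doc):
    """Yield (METHOD, template, regex) for every operation in the spec."""
    ops = []
    for template, item in doc["paths"].items():
        rx = template_to_regex(template)
        for key in item:
            if key.lower() in HTTP_METHODS:   # skip 'parameters', 'summary', ...
                ops.append((key.upper(), template, rx))
    return ops


def parse_access_log(text):
    """Yield (METHOD, path) from log lines, dropping the query string."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield m.group("method"), m.group("path").split("?", 1)[0]


def reconcile(doc, log_text):
    """Compare spec and traffic; return shadow, zombie and matched operations."""
    ops = documented_operations(doc)
    hits = Counter()
    shadow = Counter()
    for method, path in parse_access_log(log_text):
        for op_method, template, rx in ops:
            if method == op_method and rx.match(path):
                hits[(method, template)] += 1
                break
        else:
            shadow[(method, path)] += 1        # traffic with no documented route
    zombie = sorted((m, t) for m, t, _ in ops if (m, t) not in hits)
    return {"shadow": dict(shadow), "zombie": zombie, "hits": dict(hits)}


if __name__ == "__main__":
    report = reconcile(OPENAPI_DOC, ACCESS_LOG)
    for kind in ("shadow", "zombie"):
        print(kind.upper())
        for entry in report[kind]:
            print("  ", *entry)
```

Run against real logs, the shadow list is where a forgotten `/v1/` export route or a debug endpoint shows up; the zombie list is the inventory of operations that could be retired. Both lists are only as good as the specification, which is the practical reason to keep it current.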
A Work in Progress
What the industry needs, Marks said, is more advanced API security tools, especially tools that can perform multiple functions. The market isn’t there today. An ESG survey found that only 44% of organizations believe that API security tools are completely effective, while an additional 36% said they were somewhat effective.
“We’re getting there,” Bashvitz said. “There are still manual parts that will eventually be automated, which will make API development easier. But today, you still need actual people with good eyes and a good understanding of the subject matter along with tools to make sure that everything is secure.”
About the author
Karen D. Schwartz is a technology and business writer with more than 20 years of experience. She has written on a broad range of technology topics for publications including CIO, InformationWeek, GCN, FCW, FedTech, BizTech, eWeek and Government Executive.