Application programming interfaces (APIs) provide a foundation for modern applications and services to communicate with each other and exchange information. Developers become far more efficient and productive when they code in an API-driven world, which ultimately sparks innovation.
Today’s API economy sees entire applications built using API calls to other services. Your typical ride-sharing app might call the Stripe API for credit card processing, a Google Maps API for driver routing and a social media API for user registration. These under-the-hood communications impact and improve the lives of billions of people each day, most of them without realizing it.
The widespread use of APIs also attracts threat actors seeking to exploit any API security flaws they can find. Attacks on APIs can lead to data breaches, fraudulent transactions, denial of service and many other adverse outcomes. This article focuses on API security with a particular emphasis on why it’s a growing problem and what approaches might help improve API security.
You could check out the OWASP API Security Project and scan through the top API security risks, but this would miss the more salient perspective gleaned from considering exactly why APIs are a growing attack vector. In fact, Gartner estimated that by 2022 (the time of this writing) APIs would be the number one attack vector. Here are some reasons for the growing prevalence of API attacks.
The complexity of today’s IT environments complicates protecting APIs. Virtual machines, microservices architecture, containerization and cloud infrastructure all contribute to this complexity. Security misconfigurations can easily arise within this complexity and put valuable data, such as PII, at risk.
Aside from infrastructural complications, the dynamic API ecosystem itself creates security risks. While many companies build their own APIs, arguably more businesses integrate with other apps and services via third-party APIs. The risk here is that this digital supply chain expands the potential attack surface in organizations. A threat actor could find a way inside your environment by compromising a third-party API whose code you have little visibility into.
Overemphasizing front-end security gives only an illusion of protection. When you have customer-facing APIs that communicate with mobile apps, hardening the mobile application doesn’t necessarily improve API security. You don’t have any control over the other APIs called on those endpoint devices from the internet, and many of them might lack effective security.
Furthermore, it’s a prudent assumption that threat actors will try to unpack or decompile application binaries from front-end code. The goal is to get to the back-end services, which include your APIs. Rather than thinking front-end security keeps the API safe, it’s arguably better to assume compromise at the client-side level and always build security out from the API.
A crucial weakness within API security is the reliance on rule-based approaches to detect threats. One example is an account lockout policy that requires a user password reset after a certain number of login attempts. It’s easy for attackers to get around this rule by simply delaying their hacking attempts and logging in at a frequency that’s unlikely to trigger any rule-based detection.
Another related issue stemming from rule-based approaches is the use of static security testing during the build and design phase. While these static tools are useful for finding common vulnerabilities and misconfigurations, they don’t find everything. It’s useful to incorporate dynamic approaches, such as fuzzing unexpected inputs into the API and analyzing for evolving and missed vulnerabilities.
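The two detection styles above, as an added example that is not from the original article: a classic sliding-window lockout rule is run beside a behavioral check over the same constructed authentication log. The log format, thresholds and addresses are assumptions made for this example. The lockout rule only sees per-account failure bursts, so a source that spreads a handful of attempts per account across many accounts over a couple of hours never trips it; the behavioral check keys on the source and on how many distinct accounts it fails against, regardless of pacing.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log lines (not from the article); the
# line format is an assumption made for this example.
LOG_LINES = """\
2022-03-01T10:00:01Z src=203.0.113.5 user=alice result=FAIL
2022-03-01T10:00:04Z src=203.0.113.5 user=alice result=FAIL
2022-03-01T10:00:08Z src=203.0.113.5 user=alice result=FAIL
2022-03-01T10:00:11Z src=203.0.113.5 user=alice result=FAIL
2022-03-01T10:00:15Z src=203.0.113.5 user=alice result=FAIL
2022-03-01T10:00:20Z src=203.0.113.5 user=alice result=FAIL
2022-03-01T10:00:00Z src=198.51.100.9 user=bob result=FAIL
2022-03-01T10:20:00Z src=198.51.100.9 user=carol result=FAIL
2022-03-01T10:40:00Z src=198.51.100.9 user=dave result=FAIL
2022-03-01T11:00:00Z src=198.51.100.9 user=erin result=FAIL
2022-03-01T11:20:00Z src=198.51.100.9 user=frank result=FAIL
2022-03-01T11:40:00Z src=198.51.100.9 user=grace result=FAIL
2022-03-01T12:00:00Z src=198.51.100.9 user=heidi result=FAIL
2022-03-01T12:20:00Z src=198.51.100.9 user=ivan result=SUCCESS
2022-03-01T10:05:00Z src=192.0.2.77 user=judy result=FAIL
2022-03-01T10:06:00Z src=192.0.2.77 user=judy result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse(lines):
    """Parse log lines into (timestamp, source, user, result) tuples sorted by time."""
    events = []
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate a malformed line instead of aborting detection
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["user"], m["result"]))
    events.sort(key=lambda e: e[0])
    return events


def lockout_rule(events, max_failures=5, window=timedelta(minutes=10)):
    """Rule-based control: lock an account after max_failures failures
    inside a sliding time window."""
    locked = set()
    recent = defaultdict(deque)  # user -> timestamps of recent failures
    for ts, _src, user, result in events:
        if result != "FAIL":
            continue
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()  # forget failures older than the window
        if len(q) >= max_failures:
            locked.add(user)
    return locked


def behavioral_rule(events, min_distinct_users=5, horizon=timedelta(hours=3)):
    """Behavioral control: flag a source that fails against many different
    accounts within a long horizon, however slowly it paces the attempts."""
    flagged = set()
    per_src = defaultdict(list)  # source -> [(timestamp, user)] for failures only
    for ts, src, user, result in events:
        if result == "FAIL":
            per_src[src].append((ts, user))
    for src, fails in per_src.items():
        for i, (start, _user) in enumerate(fails):
            users = {u for ts, u in fails[i:] if ts - start <= horizon}
            if len(users) >= min_distinct_users:
                flagged.add(src)
                break
    return flagged


if __name__ == "__main__":
    evs = parse(LOG_LINES)
    print("locked by lockout rule:", lockout_rule(evs))
    print("flagged by behavioral rule:", behavioral_rule(evs))
```

Running it, the lockout rule locks only `alice`, whose source hammered one account, while the behavioral rule flags `198.51.100.9`, which failed once each against seven accounts at twenty-minute intervals and never came close to the lockout threshold. The behavioral signal is a candidate for step-up authentication or a temporary block on the source rather than on the accounts, so the defense does not lock out the very users being targeted.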
Another important contributing factor is that it’s trivial for malicious actors to conduct automated attacks against APIs. All they need are some Python scripts or command line tools and they’re good to go.
Credential stuffing and other brute force attacks attempt to expose authentication flaws and hijack sessions. With so many APIs being internet-facing, there’s also an extremely wide attack surface for automated scraping. These scraping attacks take advantage of APIs that share too much data or fail to impose rate limits on API calls.
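The two scraping weaknesses named above, as an added example that is not from the original article: a per-client sliding-window rate limiter and a response allowlist that serializes only the fields an endpoint is meant to share. The handler shape, header names, record fields and limits are assumptions for this example.

```python
import time
from collections import deque


class SlidingWindowLimiter:
    """Allow at most `limit` calls per key inside any `window` seconds."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self._hits = {}  # key -> deque of call timestamps (seconds)

    def allow(self, key, now=None):
        now = time.monotonic() if now is None else now
        q = self._hits.setdefault(key, deque())
        while q and now - q[0] >= self.window:
            q.popleft()  # drop calls that have aged out of the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


# Constructed profile record; a real one would come from the datastore.
PROFILE = {
    "id": 42, "display_name": "A. Example", "city": "Oslo",
    "email": "a@example.com", "phone": "+47 000 00 000", "dob": "1990-01-01",
}

# Allowlist: only these fields are ever serialized by the public endpoint,
# so adding a column to the record cannot silently widen the response.
PUBLIC_FIELDS = frozenset({"id", "display_name", "city"})


def public_view(record):
    return {k: v for k, v in record.items() if k in PUBLIC_FIELDS}


def handle_profile_request(limiter, api_key, record, now=None):
    """Return (status, body) for an assumed GET /profile/{id} handler."""
    if not limiter.allow(api_key, now):
        return 429, {"error": "rate limit exceeded"}
    return 200, public_view(record)


def simulate_burst(limiter, api_key, n, spacing):
    """Replay n requests from one key, `spacing` seconds apart, and return the statuses."""
    return [handle_profile_request(limiter, api_key, PROFILE, now=i * spacing)[0]
            for i in range(n)]


if __name__ == "__main__":
    limiter = SlidingWindowLimiter(limit=100, window=60)
    statuses = simulate_burst(limiter, "client-key-EXAMPLE", 120, 0.25)
    print("allowed:", statuses.count(200), "throttled:", statuses.count(429))
    print("response body:", public_view(PROFILE))
```

The in-memory deque is fine for a single process; behind a load balancer the counters must live in a shared store so a scraper cannot reset its budget by landing on a different instance. Keying the limiter on the API key (or authenticated user) rather than the source address also stops a single client from multiplying its quota across many egress IPs.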
While you could easily fill a book on how to strengthen API security, here is some high-level guidance on what’s needed.
Enhanced detection capabilities need to move beyond rule-based approaches and focus more on attacker behavior. Analytics can power better detection through correlating API traffic, attacker behavior and relevant threat campaigns.
These detection capabilities should extend to fending off automated “bot” attacks. It’s critical to be able to track slight changes in API consumption patterns that deviate from baseline. These changes could include a rise in error responses, or single requests where clients usually make several calls in sequence. Whatever the deviations, behavioral analysis and anomaly detection help to enhance detection capabilities and respond faster to API attacks.
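One way to turn “deviation from baseline” into a concrete check, as an added example that is not from the original article: per-minute request and error counts for one endpoint are constructed here, a baseline mean and standard deviation of the error ratio are learned from quiet minutes, and later minutes are flagged when their ratio sits more than a chosen number of standard deviations away in either direction. The counts and thresholds are assumptions; the same function applies unchanged to any per-bucket ratio, such as requests per session.

```python
from statistics import mean, pstdev

# Constructed per-minute traffic for one endpoint: (requests, error responses).
# A real deployment would derive these buckets from gateway or WAF logs.
BASELINE = [(200, 4), (210, 5), (190, 3), (205, 6), (198, 4), (202, 5),
            (195, 4), (208, 5), (201, 3), (199, 6), (203, 4), (197, 5)]

# Three later minutes: one normal, then a sharp rise in errors of the kind
# produced by a client walking through identifiers that mostly do not exist.
OBSERVED = [(204, 5), (230, 60), (250, 110)]


def ratios(counts):
    """Error ratio per bucket; an empty bucket contributes 0 rather than a division error."""
    return [errs / reqs if reqs else 0.0 for reqs, errs in counts]


def zscore_anomalies(baseline, observed, z_threshold=3.0, min_requests=50):
    """Return the indexes of observed buckets whose ratio deviates from the
    baseline by more than z_threshold standard deviations, in either direction."""
    base = ratios(baseline)
    mu = mean(base)
    sigma = max(pstdev(base), 1e-6)  # guard against a perfectly flat baseline
    hits = []
    for i, ((reqs, _errs), r) in enumerate(zip(observed, ratios(observed))):
        if reqs < min_requests:
            continue  # too little traffic in this bucket to judge
        if abs(r - mu) / sigma > z_threshold:
            hits.append(i)
    return hits


if __name__ == "__main__":
    print("anomalous minutes:", zscore_anomalies(BASELINE, OBSERVED))
```

With these numbers the baseline error ratio is about 2.2% with a standard deviation near 0.45 percentage points, so the first observed minute (about 2.5%) passes while the next two (26% and 44%) are flagged. The `min_requests` guard matters in practice: a bucket with ten requests and one error is a 10% ratio that means nothing, and a detector without such a guard pages on noise.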
An accurate and up-to-date inventory of all the APIs in your environment is critical in providing the visibility you need for effective API security. This inventory must include any third-party APIs, as these are part of your attack surface and provide a potential path into your network. Any discovery solution should span your entire environment across all cloud services in use at your business.
API discovery should ideally extend to both unknown (shadow) APIs and forgotten (zombie) APIs in your environment. Both of these present security risks because they may go unmonitored or unprotected. In fact, one study found zombie APIs were the top API security concern among security leaders.
Some APIs don’t check authentication status, which makes it far too easy to hijack user sessions. Others rely on API keys for authenticating users, when they should only be used to authenticate the client application. An effective authentication and authorization solution controls access to sensitive data and to general API functionality.
Modern authentication and authorization should be continuous and account for in-session behavior rather than only safeguarding the initial login. A protocol combination you can’t go wrong with, if implemented correctly, is OpenID Connect together with OAuth.
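The distinction drawn above between an API key and user authentication, as an added example that is not from the original article: a handler that checks only the client’s API key is placed beside one that additionally verifies a signed, expiring user token and then performs an object-level ownership check. The header names, key values and account records are constructed for this example, and the HMAC-signed token is a stand-in for the OpenID Connect ID token or OAuth access token an identity provider would issue, which a real service verifies against the provider’s published signing keys rather than a shared secret.

```python
import base64
import hashlib
import hmac
import json

# Constructed values for this example. The API key identifies the calling
# application only; the token is the stand-in for the identity provider's
# user token (OIDC / OAuth) and would be verified against its public keys.
CLIENT_KEYS = {"client-key-EXAMPLE-mobile": "mobile-app"}
TOKEN_SECRET = b"constructed-demo-signing-secret"
ACCOUNTS = {
    "acct-1": {"owner": "alice", "balance": 100},
    "acct-2": {"owner": "bob", "balance": 50},
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id, now, ttl=900):
    """Mint a signed, expiring user token (stand-in for the identity provider)."""
    body = _b64(json.dumps({"sub": user_id, "exp": now + ttl}, sort_keys=True).encode())
    sig = _b64(hmac.new(TOKEN_SECRET, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_token(token, now):
    """Return the user id if the signature is valid and the token is unexpired, else None."""
    body, sep, sig = token.partition(".")
    if not sep:
        return None
    expected = _b64(hmac.new(TOKEN_SECRET, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return None  # constant-time comparison; reject before trusting any claim
    try:
        claims = json.loads(_unb64(body))
    except (ValueError, UnicodeDecodeError):
        return None
    if claims.get("exp", 0) <= now:
        return None  # expired: continuous authorization must re-check, not trust forever
    return claims.get("sub")


def get_account_key_only(headers, account_id):
    """Weak: the API key proves which app is calling, not which user, so any
    caller holding the app's key can read any account."""
    if headers.get("X-API-Key") not in CLIENT_KEYS:
        return 401, None
    return 200, ACCOUNTS.get(account_id)


def get_account(headers, account_id, now):
    """Hardened: client key for the app, user token for the person, then an
    object-level ownership check before any data leaves the service."""
    if headers.get("X-API-Key") not in CLIENT_KEYS:
        return 401, None
    auth = headers.get("Authorization", "")
    user = verify_token(auth[len("Bearer "):], now) if auth.startswith("Bearer ") else None
    if user is None:
        return 401, None
    account = ACCOUNTS.get(account_id)
    if account is None:
        return 404, None
    if account["owner"] != user:
        return 403, None  # authenticated, but not authorized for this object
    return 200, account


if __name__ == "__main__":
    now = 1_000_000
    headers = {"X-API-Key": "client-key-EXAMPLE-mobile",
               "Authorization": "Bearer " + issue_token("alice", now)}
    print("own account:", get_account(headers, "acct-1", now))
    print("someone else's account:", get_account(headers, "acct-2", now))
    print("key only, anyone's account:", get_account_key_only(headers, "acct-2"))
```

The key-only handler returns Bob’s account to anyone who has extracted the mobile app’s key, which the earlier point about decompiled front-end code says to assume. The hardened handler needs a valid, unexpired token naming the user and still refuses another user’s object, so a leaked client key on its own yields nothing.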
Tracking and analyzing attacker behavior when using APIs is critical in detecting and stopping attacks before they result in adverse business outcomes, such as stolen money, exfiltrated sensitive data or downtime for vital applications. This need for accelerated detection and response reflects a wider cybersecurity requirement to identify and contain threats faster.
One of the best ways to do this is by leveraging managed detection and response (MDR) services to continuously monitor your environment and detect and respond to threats using real-time, proprietary analysis and threat data.