API-fication can create new risks that dedicated point solutions alone cannot address. The root cause is a lack of visibility into API specifications: deep at the payload level, in the components that gateway management offers, or during the design and implementation stages.
The digital transformation imperative is driving the proliferation of APIs. Cloud-based services, zero trust security models, and rapid development cycles are common sources of these ubiquitous APIs. It is unacceptable for security to slow the progress of these initiatives, even when DevOps engages in risky anti-patterns to meet hard and fast deadlines. Organizations now face internal, external, and third-party risks to this growing API attack surface. Unattended or undocumented shadow APIs may be lurking in any application, and exposed applications are expected to protect themselves from attacks yet are unequipped to do so. Abuse of trust uses stolen or fraudulent credentials to gain unfettered access to the most valuable enterprise data.
APIs have become the de facto data transport because their customized specification enables maximum flexibility for customized business applications.
However, such a quick evolution of apps has not translated into a commensurate change in app infrastructure and security. On the contrary, rapid app development has been made possible by the commoditization of infrastructure, including core security functionality that was once considered an advanced feature.
For example, most cloud infrastructure providers now offer OS/container platform security, segmentation, and data encryption at rest and in transit. Common web protections against DDoS, bot, and OWASP Top 10 type attacks are now baseline features. However, a major limitation of gateways is that they are useful only for north-south traffic, because they are deployed only at the perimeter.
One example of such a common function is the “login” action. Some advanced API protection solutions include inspection and monitoring of the login action to detect abuses such as credential stuffing. Another example is the detection of bad bot behavior based on telemetry such as the source of calls and call volume. As these solutions mitigate only the risks common to all APIs, they do not address the risks specific to an individual application's API. In essence, these solutions provide only API infrastructure security.
However, even in a state-of-the-art cloud environment with all of its infrastructure security enabled, there are still risks specific to custom APIs themselves. Left unaddressed, this is the new risk surface for data breaches.
Key Observations
- Continuous API discovery and risk identification
- Deeper protection against the OWASP API Top 10 risks
- Framework and security model built from OpenAPI specifications
- Real-time API state for any change or abuse to optimize performance
The What, Why and How of API Security
APIs make the job easier to integrate and connect people, places, systems, and data to create digital experiences, share data, and authenticate people and services. They enable interconnectivity regardless of the users’ platform and data structures. This potential has led businesses to realize that APIs are, in fact, critical components of every enterprise software solution out there. This has created the API economy which refers to the business models and practices that APIs - along with the digital transformation - have created in modern business environments.
In fact, the impact of APIs as business drivers can be felt in three different ways:
- For the consumer: The shift from single-channel experiences to omnichannel experiences has created a need for APIs to connect these devices.
- For developers: APIs have made possible the shift from the monolithic architecture to an API-first and microservices-based software architecture.
- For infrastructures: APIs make cloud deployment possible and facilitate quick data provisioning with faster outcomes when compared to on-premises deployment.
One of the central tenets of the API economy involves exposing a company’s digital services and assets through APIs in a controlled manner. Here’s where API security becomes a concern: If APIs are important as a business driver, then their security shouldn’t be an afterthought. Let’s take a closer look at the concept of API security.
API Security – what, why, and how
We’re living in an increasingly connected world. According to Akamai, API calls make up 80% of overall internet traffic. Since an API exposes an interface to a web application, it operates on two levels. Firstly, it acts as a bridge between you and the interface. Secondly, it accesses both the application and the database. This gives cybercriminals two potential attack surfaces through which to reach your assets.
Therefore, you need to think of API security in two layers: the API and application layers.
- On the API layer, you need proper authentication, authorization, and access privileges to ensure that only people with the right credentials can use your interface and they can execute only those applications that you allow them to access.
- On the application layer, you need to ensure that your application endpoints (the URLs you use to reach the API interface) aren’t vulnerable to cyberattacks that could extend beyond the interface.
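The two checks the API layer needs, who is calling (authentication) and what that caller may do with a given object (authorization), in working form. This is an added example, not code from the original article; the token table, scope names, order records and the `Request` shape are constructed stand-ins for a real identity provider and database.

```python
"""Authentication plus authorization for one API request.

Added example (not from the article). TOKENS, ORDERS and REQUIRED_SCOPE are
constructed in-memory stand-ins; a real service would consult an identity
provider and a database instead of module-level literals.
"""
import hmac
from dataclasses import dataclass, field

# Constructed sample token table: opaque bearer token -> principal.
TOKENS = {
    "tok-alice": {"sub": "alice", "scopes": {"orders:read", "orders:write"}},
    "tok-bob":   {"sub": "bob",   "scopes": {"orders:read"}},
}

# Constructed sample records: order id -> record with its owner.
ORDERS = {
    "o-1": {"owner": "alice", "total": 42},
    "o-2": {"owner": "bob",   "total": 7},
}

# Explicit allow-list: the scope each (method, resource) pair requires.
# Anything not listed is refused, so a new verb is closed until added here.
REQUIRED_SCOPE = {
    ("GET", "orders"): "orders:read",
    ("PUT", "orders"): "orders:write",
}


@dataclass
class Request:
    method: str
    resource: str                      # e.g. "orders"
    object_id: str                     # e.g. "o-1"
    headers: dict = field(default_factory=dict)


def authenticate(req: Request):
    """Return the principal for a valid bearer token, or None."""
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    presented = auth[len("Bearer "):]
    if not presented.isascii():        # compare_digest rejects non-ASCII str
        return None
    for token, principal in TOKENS.items():
        # Constant-time comparison so a wrong token does not leak timing.
        if hmac.compare_digest(presented, token):
            return principal
    return None


def handle(req: Request) -> tuple[int, object]:
    """Dispatch one request: 401 unauthenticated, 403 wrong scope,
    404 for objects the caller does not own (or that do not exist)."""
    principal = authenticate(req)
    if principal is None:
        return 401, {"error": "unauthenticated"}

    # Operation-level check: does the caller hold the scope for this verb?
    needed = REQUIRED_SCOPE.get((req.method, req.resource))
    if needed is None or needed not in principal["scopes"]:
        return 403, {"error": "forbidden"}

    # Object-level check: the caller must own the record it names.
    # 404 rather than 403 avoids confirming that someone else's object exists.
    record = ORDERS.get(req.object_id)
    if record is None or record["owner"] != principal["sub"]:
        return 404, {"error": "not found"}
    return 200, record


if __name__ == "__main__":
    ok = Request("GET", "orders", "o-1", {"Authorization": "Bearer tok-alice"})
    other = Request("GET", "orders", "o-1", {"Authorization": "Bearer tok-bob"})
    print(handle(ok))      # (200, {...})
    print(handle(other))   # (404, {...}): bob holds orders:read but not o-1
```

The object-level check is the part most often missing in practice: a valid token with the right scope still must not be able to read another tenant's record just by changing the id in the path.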
As we mentioned earlier, businesses use APIs to connect services and transfer data. Broken, exposed, or hacked APIs can expose medical, financial, and personal data. However, API security depends on the kind of data that’s being transferred.
For instance, REST APIs use HTTP and support Transport Layer Security (TLS) encryption, the standard protocol that keeps your internet connection secure and checks that the data shared between the two systems is encrypted and unmodified in transit. This means that someone else cannot read your information or expose your details.
Key Benefits
- Solution should be agnostic to the technology or infrastructure
- Complete protection and round the clock visibility
- Auto discoverable and classified security
- Should connect well with governance and operating model
Why Do APIs Get Attacked?
Before APIs, legacy IT security practitioners secured the whole system and the perimeter using firewalls. Now, with the API economy and cloud infrastructure, there is no traditional security perimeter. APIs are the last line of defence, making them an easy target for cybercriminals.
Did you know?
A recent report on API security conducted by Salt Security found that 91% of the companies surveyed suffered an API security breach last year and that 54% of them reported vulnerabilities; 40% of those vulnerabilities pointed to authentication issues, and 20% were caused by malicious software bots and data-scraping tools.
Among the most sobering findings:
- 95% of the more than 250 survey respondents said they’ve experienced an API security incident in the past 12 months
- Only 11% of respondents have an API security strategy that includes dedicated API testing and protection – 34% lack any security strategy at all for APIs
- Shift-left tactics are falling short, with more than 50% of respondents saying developers, DevOps, or DevSecOps teams are responsible for API security while 85% acknowledge their existing tools are not very effective in stopping API attacks
- When asked their biggest concern about their company’s API program, 40% of respondents highlighted gaps in security as their top worry
- 94% of API exploits are happening against authenticated APIs, according to Salt customer data
- Stopping attacks tops the list of most valuable attributes of an API security platform
- 40% of respondents are grappling with APIs that change at least every week, with 9% saying their APIs change daily
Reference: https://salt.security/blog/
Hackers have long used forged or stolen credentials to exploit applications on the internet. In this respect, APIs provide another avenue to apply the same attacks. However, APIs also open unique attack vectors leveraging identity. A number of these attacks exploit standard bad practices originating in the web app development community.
As developers move into API development, they often bring bad habits from conventional web development. Other attacks result from widespread confusion about how APIs differ from traditional web app development. Many applications publishing APIs require clients to use an API key to access their functionality.
Now that you know the importance of API security and why APIs are such an important attack vector, let’s see how you can protect yourself against cyberattacks by following some API security best practices.
How to ensure API Security?
APIs provide the highest level of security for our products and customer sites.
We demonstrate that commitment by internally reviewing and scanning all our code for vulnerabilities, keeping up with the latest security concerns and tools, and addressing security issues and potential vulnerabilities proactively.
Some of the best approaches are:
Continual Improvement: Since security is always changing, it is best to take an approach of continual improvement. Therefore, even if it is not possible or practical for you to implement all of these best practices immediately, we recommend that you implement as many as you can now, and then progressively implement additional practices as you are able to.
Layered Security: Individual security measures may be defeated by determined attackers, and vulnerabilities may be discovered at any time in even long-standing security protocols. This means it is best to implement multiple layers of security for every potential access point, to ensure that one or more layers of security remain even if one layer is compromised or defeated.
White List Access: It is very difficult to anticipate all possible attacks and vulnerabilities that may be attempted or exploited in the future. This makes it extremely difficult to implement security using a “black list” approach, attempting to filter or limit malicious behavior. It is instead both easier and more secure to implement a “white list” approach, where you only allow a small set of acceptable behavior, and reject all access or behavior which does not meet your requirements.
Disable All Unused Services and Applications: Run only the minimum required services, and install only the minimum applications (and plugins) that your operating system, database, and application server require. Disable any unused application or service immediately once the custodian or administrator becomes aware of it.
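The “white list” approach above applied to request input: rather than trying to enumerate bad payloads, the validator below lists every field a hypothetical “create user” endpoint accepts, with its type and constraints, and rejects anything else. This is an added example, not the article's own code; the schema, field names and limits are constructed.

```python
"""Allow-list validation of a JSON request body.

Added example (not from the article). SCHEMA is a constructed allow-list for
a hypothetical "create user" endpoint: only the listed fields, types and
values are accepted, and every unlisted field is a violation.
"""
import re

SCHEMA = {
    "username": {"type": str, "required": True,
                 "pattern": re.compile(r"^[a-z0-9_]{3,32}$")},
    "email":    {"type": str, "required": True,
                 "pattern": re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")},
    "role":     {"type": str, "required": False,
                 "enum": {"viewer", "editor"}},          # no "admin" here
    "age":      {"type": int, "required": False, "min": 0, "max": 150},
}


def validate(body) -> list[str]:
    """Return the list of violations; an empty list means the body is accepted."""
    if not isinstance(body, dict):
        return ["body must be a JSON object"]
    errors = []

    # 1. Unknown fields are rejected outright. This is the mass-assignment
    #    guard: a client cannot smuggle in "is_admin" or similar.
    for key in body:
        if key not in SCHEMA:
            errors.append(f"unexpected field: {key}")

    # 2. Every allowed field is checked against its own rule.
    for name, rule in SCHEMA.items():
        if name not in body:
            if rule["required"]:
                errors.append(f"missing field: {name}")
            continue
        value = body[name]
        # bool is a subclass of int in Python, so exclude it explicitly.
        if isinstance(value, bool) or not isinstance(value, rule["type"]):
            errors.append(f"{name}: wrong type")
            continue
        if "pattern" in rule and not rule["pattern"].match(value):
            errors.append(f"{name}: does not match allowed format")
        if "enum" in rule and value not in rule["enum"]:
            errors.append(f"{name}: not an allowed value")
        if "min" in rule and value < rule["min"]:
            errors.append(f"{name}: below minimum")
        if "max" in rule and value > rule["max"]:
            errors.append(f"{name}: above maximum")
    return errors


if __name__ == "__main__":
    print(validate({"username": "alice_1", "email": "a@example.com"}))      # []
    print(validate({"username": "alice_1", "email": "a@example.com",
                    "is_admin": True}))                                    # unexpected field
```

Returning every violation (instead of stopping at the first) keeps the response useful to legitimate clients, while the allow-list itself is what keeps the endpoint closed to input you never anticipated.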
Key Considerations
- Build a threat model and mitigate risks during the project design stage
- Identify the weaknesses in your code through proper test coverage of the attack vectors
- Ensure build pipelines and deployment jobs are scanned; adopt DevSecOps where needed
- Penetration testing is a must
API Security Best Practices
Take these security best practices into account every time you’re designing or using APIs.
- Always Use HTTPS: HTTPS is a secure protocol that negotiates a fresh random session key every time you connect to a website, so each session stays private and safe from cybercriminals. If you notice you’re accessing an HTTP site, be careful, as it might introduce unwanted vulnerabilities into your system.
- Hash Passwords: Protecting your passwords and login data with hashing keeps your system safe and limits the damage hackers can do with stolen data. Consider purpose-built password hashing algorithms such as PBKDF2, bcrypt, and scrypt to keep your APIs and login data secure from prying eyes.
- Never Expose Information in Your URLs: Usernames, passwords, session tokens, and API keys sometimes end up in the URL of an API call. Such information is captured in web server logs, which makes it easily exploitable by hackers.
- Leverage OAuth: OAuth enables you to connect to other services without using a password. Using OAuth for your APIs helps keep them secure because the consumer isn’t giving their credentials to the server. Instead, the consumer gives the API a token issued by a third party, so the consumer never discloses their credentials while the API provider is protected from attacks that aim to steal API users’ information.
Conclusion – The Next Generation of API Security
Digital transformation initiatives encompass cloud migrations, application delivery as a service, zero trust identity and access management, and so much more.
Sensitive data is constantly in motion. APIs have experienced explosive growth as the new underlying fabric of computing, but are still not tightly managed. As a result, they represent a vulnerable and growing attack surface. In fact, some of the largest attacks in recent years have been focused on APIs. It is time to close this security gap. APIs that are properly identified and cataloged, monitored for anomalous behavior, and secured with granular policies can protect enterprises from advanced API attacks.
Organizations have to realize that the need for API security is very real, and that their existing solution providers cannot solve it. It takes a fundamentally unique solution in order to address the fundamentally unique architecture of an API.