Check out the on-demand sessions from the Low-Code/No-Code Summit to learn how to successfully innovate and achieve efficiency by upskilling and scaling citizen developers. Watch now.
As data-driven enterprises rely heavily on their software application architecture, application programming interfaces (APIs) occupy a significant position. APIs have revolutionized the way web applications are used, as they aid communication pipelines between multiple services. Developers can integrate any modern technology with their architecture by using APIs, which is highly useful for adding features that a customer needs.
By nature, APIs are vulnerable to exposing application logic and sensitive data such as personally identifiable information (PII), which makes them an easy target for attackers. Often available over public networks (accessible from anywhere), APIs are typically well-documented and can be quickly reverse-engineered by malicious actors. They are also susceptible to denial of service (DDoS) incidents.
The most significant data leaks are due to faulty, vulnerable or hacked APIs, which can reveal medical, financial and personal data to the general public. In addition, various attacks can occur if an API is not secured correctly, making API security a vital aspect for data-driven businesses today.
Why API security is essential
API development has astronomically increased over the past few years, fueled by digital transformation and its central role in mobile apps and IoT development. Such growth and a variety of possible attacks make API security highly essential.
Intelligent Security Summit
Learn the critical role of AI & ML in cybersecurity and industry specific case studies on December 8. Register for your free pass today.
As microservices and serverless architectures have become more widespread, attacks include bypassing the client-side application to disrupt the functioning of an application for other users or to breach private information. Furthermore, broken, exposed or hacked APIs can also lead to breaches of the backend system.
In its API Security and Management report [subscription required], Gartner predicts that by 2023, API abuses will move from infrequent to the most frequent attack vector, resulting in data breaches for enterprise web applications, and by 2025, more than 50% of data theft will be due to unsecure APIs.
“At Gartner, we regularly speak with organizations which have suffered breaches of their APIs,” Mark O’Neill, VP analyst at Gartner, told VentureBeat. “APIs are particularly vulnerable because many security teams are less skilled in API protection. This is particularly concerning for newer API types such as GraphQL.”
Given the critical role they play in digital transformation and the access to sensitive data and systems they provide, APIs now demand a dedicated approach to security and compliance.
API security vs. application security
API security focuses on securing this application layer and addressing what can happen if a malicious hacker interacts with the API directly. API security also involves implementing strategies and procedures to mitigate vulnerabilities and security threats.
When sensitive data is transferred through API, a protected API can guarantee the message’s secrecy by making it available to apps, users and servers with appropriate permissions. It also ensures content integrity by verifying that the information was not altered after delivery.
“Any organization looking forward to digital transformation must leverage APIs to decentralize applications and simultaneously provide integrated services. Therefore, API security should be one of the key focus areas,” said Muralidharan Palanisamy, chief solutions officer at AppViewX.
Talking about how API security differs from general application security, Palanisamy said that application security is similar to securing the main door, which needs robust controls to prevent intruders. At the same time, API security is all about securing windows and the backyard.
“A weak point in such areas will affect the application. API security, in essence, is a subset of the complete application security without which the application as a whole cannot be secured,” he said.
Erez Yalon, VP of security research at Checkmarx, says that API security is not different from traditional appsec, but it adds more areas that organizations need to pay attention to.
“API-centric architecture has more endpoints that a potential attacker can try to abuse; we call this ‘growth of attack surface,’” he said. “In addition, the way that data is transferred and shared through APIs makes it easy to unintentionally expose sensitive data to prying eyes.”
Yalon said that APIs could be made more secure when security is considered from the first step and the first line of code written, instead of added as an additional layer later in the game.
“Every API endpoint needs to be documented, and organizations must have clear guidelines on deprecating old and unused APIs. Making sure an updated SBOM [software bill of materials] exists makes it simpler,” said Yalon.
Critical API vulnerabilities and attacks
APIs have quickly established themselves as the preferred method of building modern applications, especially for mobile devices and the internet of things (IoT). However, in the face of constantly changing application-development methods and pressures for innovation, some companies still need to fully grasp the potential risks associated with making their APIs available to the public. Before public deployment, businesses must be wary of these common security mistakes:
- Authentication flaws: Many APIs reject authentication status requests from a genuine user. An attacker can replicate API requests by exploiting such deficiencies in various ways, including session hijacking and account aggregation.
- Lack of encryption: Many APIs lack robust encryption layers between the API client and server. Due to such flaws, attackers can intercept unencrypted or poorly protected API transactions, steal sensitive data or alter the transaction data.
- Flawed endpoint security: As most IoT devices and microservice tools are designed to communicate with the server through an API channel, hackers attempt to gain control over them through IoT endpoints. Doing so can often resequence the API order, resulting in a data breach.
Current challenges in API security
According to Yannick Bedard, head of penetration testing, IBM security X-Force Red, one of the current challenges in API security is them being tested for safety, as intended logic flows may be challenging to understand and test for if not clearly defined.
“In a web application, these logical flows are intuitive through the use of the web UI, but in an API, it can be more difficult to detail these workflows,” Bedard told VentureBeat. “This can lead to security testing missing vulnerabilities that may, in turn, be exploited by attackers.”
Bedard said that as pipelining of APIs becomes more and more complex, there often arises questions of which service is responsible for what aspect of security and at what point the data is considered “clean.”
“It is common for services to inherently trust data coming from other APIs as clean, only for it to turn out to not be properly sanitized,” he said.
Bernard says that an example of this was the initial discovery of the Log4J vulnerability, where most companies focused primarily on what they had directly internet-facing.
“Malicious data would eventually flow to backend APIs, sometimes behind many other services. These APIs would, in turn, be vulnerable and could provide the attacker an initial foothold into the organization,” he said.
“The top challenge is discovery, as many security teams just aren’t sure how many APIs they have,” said Sandy Carielli, principal analyst at Forrester.
Carielli said that many teams unknowingly deploy rogue APIs or there may be unmaintained APIs that are still publicly accessible, which can lead to several security hazards.
“API specifications could be outdated, and you can’t protect what you don’t know you have,” she said. “Start by understanding what controls you already have in your environment to secure APIs, and then identify and address the gaps. Critically, make sure to address API discovery and inventory.”
Best practices to enhance API security
The strength of API security depends entirely upon how one’s data architecture enforces authentication and authorization policies. Thanks to technological advances like cloud services, API gateways and integration platforms now allow API providers to secure their APIs in unique ways. The technology stack on which you choose to build your APIs affects how you secure them.
Several approaches may be used to effectively defend your system against API intruders:
- API gateway: An API gateway is the foundation of an API security framework since it makes it simple to develop, maintain, monitor and secure APIs. The API gateway can defend against various threats and provide API monitoring, logging and rate limitation. It can also automate security token validation and traffic restriction based on IP addresses and other data.
- Web application firewalls: A web application firewall or WAF, acts as a middle layer between public traffic and the API gateway or application. WAFs can offer additional protection against threat actors, such as bots, by providing malicious bot detection, the ability to identify attack signatures, and additional IP intelligence. WAFs can be beneficial for blocking bad traffic before it even reaches your gateway.
- Security applications: Standalone security products that support features such as real-time protection, static code and vulnerability scanning, built-time checking, and security fuzzing can also be inculcated within the security architecture.
- Security in code: Security code is a form of protection implemented internally into the API or applications. However, the resources required to ensure all the security measures are implemented correctly in your API code can be difficult to apply consistently across all your API portfolios.
The future of API security
Roy Liebermann, head of customer success at Surf Security, believes that zero trust can be another alternative to defend against internal and external threats.
“When it comes to APIs, zero trust is relevant for both clients and servers,” he said. “An API-driven application can have an enormous number of microservices, making it difficult for security leaders to track their development and security impact. Adopting zero-trust principles ensures that each microservice communicates with the least privilege, preventing the use of open ports and enabling authentication and authorization across each API.”
Liebermann recommends that CISOs extend zero trust to APIs to reduce the risk of hackers exploiting API communication to steal data.
Likewise, Palanisamy says that as zero-trust security and zero-trust architectures gain momentum, API security will be one of the main focus areas, especially with SaaS and other cloud services used today.
“The key is to look at this with an enterprise-wide approach. API security cannot be solved by just focusing on a few applications,” he said.
“We’re most likely going to see a different software paradigm shift in the next five years that combines features from REST and SOAP security. I believe there will be a software development paradigm where features from each method are used to create a combined superior method,” Nabil Hannan, managing director at NetSPI, told VentureBeat. “This combination will take security out of the hands of the developers and allow for better ‘secure by design’ adoption.”
Hannan said that the concept of identity and authentication is changing, and we need to move away from usernames and passwords and two-factor authentication, which relies on humans not making any errors.
“The authentication workflow will shift to what companies like Apple are doing around identity management with innovations like the iOS16 keychain. This will be developed through APIs in the near future,” he said.
VentureBeat’s mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Discover our Briefings.