
All eyes are on APIs: The top 3 API security risks and how to mitigate them
As APIs are a favorite target for threat actors, the challenge of securing the glue that holds together various software elements is becoming ever more pressing.
Application programming interfaces (APIs) are the unsung heroes of the digital revolution. They provide the glue that holds the various software components together to create a new user experience. But in providing a direct path to the back-end database, APIs are also an attractive target for threat actors. It doesn’t help that they have exploded in number over the past few years, leaving many deployments undocumented and insecure.
Based on one recent study, 94% of global organizations have experienced an API security issue in production over the last year with nearly a fifth (17%) experiencing an API-related breach. It’s time to gain visibility and control of these digital building blocks.
How bad is the API threat?
APIs are key to the composable enterprise: a Gartner concept in which organizations are encouraged to break down their applications into packaged business capabilities (PBCs). The idea is that assembling these smaller components in different ways allows companies to move with more agility and at higher speed, creating new functionality and experiences in response to rapidly evolving business needs. The API is an important component of the PBC, and its usage has soared recently with the increased adoption of microservices architectures.
Nearly all (97%) global IT leaders therefore now agree that successful execution of an API strategy is critical to future revenue and growth. But the growing volume of APIs and their distribution across multiple architectures and teams is a source of concern. There may be tens or even hundreds of thousands of customer- and partner-facing APIs in large enterprises. Even medium-sized organizations may run thousands.
What is the impact on the company?
The threat is also far from theoretical. This year alone we have seen:
- T-Mobile USA acknowledged that 37 million customers had their personal and account information accessed by bad actors via APIs
- A misconfigured Open Authorization (OAuth) implementation on Booking.com that could enable a serious user account takeover attack on the site
It’s not just the company’s reputation and bottom line that are at risk from API threats. They can also hold up important business projects. More than half (59%) of organizations claim that they have had to slow down new app launches due to API security issues. That’s part of the reason why it’s now a C-level topic of discussion for half of boards.
Top three API risks
There are dozens of ways hackers can exploit APIs, but OWASP is the go-to resource for those looking to understand the biggest threats to their organization. The OWASP API Security Top 10 list for 2023 details the following three main security risks:
- Broken Object Level Authorization (BOLA): The API fails to verify whether the requester should have access to an object. This can lead to data theft, modification or deletion. The attacker just needs to realize that the problem exists: no hacking skills or stolen credentials are required to exploit BOLA.
- Broken Authentication: Missing and/or mis-implemented authentication protection. API authentication can be “complex and confusing” for many developers, who may misunderstand how to implement it, OWASP warns. The authentication mechanism itself is also exposed to anyone, making it an attractive target. API endpoints responsible for authentication should be treated differently from others, with increased protection. And any authentication mechanism used must be appropriate to the relevant attack vectors.
- Broken Object Property Level Authorization (BOPLA): Attackers can read or change object property values that they are not supposed to have access to. API endpoints are vulnerable if they expose object properties that are considered sensitive (“data overexposure”), or if they allow users to change, add or remove sensitive object property values (“mass assignment”). Unauthorized access can result in data disclosure to unauthorized parties, data loss or data manipulation.
It is also important to remember that these vulnerabilities are not mutually exclusive. Some of the worst API-based data breaches are caused by a combination of exploits like BOLA and data overexposure.
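To make BOLA, data overexposure and mass assignment concrete, here is an added example in plain Python (not code from the article or from OWASP): a user-profile endpoint written twice, first with all three defects, then hardened with an ownership check and read/write allowlists. The in-memory user store, the field names and the `Forbidden` exception are constructed for illustration.

```python
from copy import deepcopy
class Forbidden(Exception): pass  # raised when an authorization check fails

# Constructed sample data: a two-user profile store (not taken from the article).
_SEED = {
    1: {"id": 1, "email": "alice@example.invalid", "display_name": "Alice",
        "role": "user", "password_hash": "argon2$placeholder-alice"},
    2: {"id": 2, "email": "bob@example.invalid", "display_name": "Bob",
        "role": "admin", "password_hash": "argon2$placeholder-bob"},
}

def fresh_db():  # private copy of the store so each call sequence starts clean
    return deepcopy(_SEED)

# Allowlists for the hardened handlers; anything not listed is treated as sensitive.
READABLE = ("id", "email", "display_name")   # prevents data overexposure
WRITABLE = ("email", "display_name")         # prevents mass assignment

# Vulnerable handlers: GET/PATCH /users/{target_id}, caller identified by requester_id.
def get_user_vulnerable(db, requester_id, target_id):
    # BOLA: requester_id is never compared to target_id, so any caller reads any user.
    # Data overexposure: the whole record, password hash included, is returned.
    return db[target_id]

def update_user_vulnerable(db, requester_id, target_id, body):
    # BOLA again, plus mass assignment: every key in the body is written to the object,
    # so a caller can promote themselves with {"role": "admin"}.
    db[target_id].update(body)
    return db[target_id]

# Hardened handlers.
def _require_owner(requester_id, target_id):
    # Object-level authorization: the caller may only act on their own profile.
    if requester_id != target_id:
        raise Forbidden(f"user {requester_id} may not access user {target_id}")

def get_user_hardened(db, requester_id, target_id):
    _require_owner(requester_id, target_id)
    # Property-level authorization on read: project only the allowlisted fields.
    return {k: db[target_id][k] for k in READABLE}

def update_user_hardened(db, requester_id, target_id, body):
    _require_owner(requester_id, target_id)
    # Property-level authorization on write: reject (rather than silently drop) unknown
    # keys, so an attempt to set "role" or "password_hash" is visible to monitoring.
    disallowed = set(body) - set(WRITABLE)
    if disallowed:
        raise Forbidden(f"fields not writable: {sorted(disallowed)}")
    db[target_id].update(body)
    return {k: db[target_id][k] for k in READABLE}
```

Rejecting unknown keys instead of ignoring them is deliberate: a rejected request leaves a log line for the monitoring tools discussed below, whereas a silently dropped field hides the probe.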
How to mitigate API threats
Given what is at stake, it’s important that you build security into any API strategy from the start. That means understanding where all your APIs are located, and adding tools and techniques to manage endpoint authentication, secure network communications, mitigate common bugs, and address malicious bot threats.
Here are some places to start:
- Improve API governance by following an API-centric app development model that gives you visibility and control. By doing so, you shift security left, implementing controls early in the software development life cycle and automating them in the CI/CD pipeline
- Use API discovery tools to reduce the number of shadow APIs already in the organization and to understand where your APIs are and whether they contain vulnerabilities
- Implement an API gateway, which accepts client requests and directs them to the proper backend services. These management tools help you authenticate, control, monitor and secure your API traffic
- Add a web application firewall (WAF) to enhance your gateway security, blocking malicious traffic including DDoS attempts and exploits
- Encrypt all data travelling through the API (e.g., via TLS) so it can’t be intercepted in a man-in-the-middle attack
- Use OAuth to control API access to resources such as websites without exposing user credentials
- Apply rate limiting to cap how often your API can be called. This reduces the threat from DDoS attacks and other unwanted spikes
- Use monitoring tools to log all security events and flag suspicious activity
- Consider a zero-trust approach, under which no users, assets or resources inside the perimeter are trusted by default. Instead, proof of authentication and authorization is required for each operation
Digital transformation is the fuel that drives sustainable growth for modern companies, and it puts APIs front and center of every new development project. They must be strictly documented, developed according to secure design principles and protected in production with a multi-layered approach.