What’s the deal with API security?
In January 2023, a social media database of over 200 million users’ names, emails, and phone numbers went public after criminals repeatedly exploited an API vulnerability. “This data was originally scraped by exploiting an API vulnerability that was exposed from June 2021 to January 2022… and resulted in multiple ransomware attempts and leaks in the latter half of 2022.”
In April 2023, an undisclosed number of email addresses were found to have been compromised by an Application Programming Interface (API) vulnerability. “There was no intrusion into any system for this exploit. The bad actors used an API access.”
Even a minor misconfiguration of an API can lead to getting one’s name in the news. Not only do businesses face technical API security challenges, but not addressing security up front can lead to reputational damage and financial harm.
Why are APIs necessary?
When the Internet became available to the public at large, it was a novelty to have a webpage. Today, having an entire website is necessary. In much the same way, APIs are no longer a nice-to-have; multiple types of APIs will be needed by most businesses in the near future to service both infrastructure and customer demand.
APIs act as intermediaries by allowing different software systems to communicate and exchange information in a standardized and controlled manner. They define a set of rules and protocols that govern how applications can request and access data or services from each other.
The significance of APIs in today’s digital landscape can be attributed to several key factors, some of which are:
Connectivity and integration
APIs enable seamless connectivity and integration between disparate systems, applications, and platforms. This sharing allows businesses to create more comprehensive and integrated solutions.
Mobile and web applications
APIs enable developers to access backend functionalities and data through well-defined APIs, simplifying the development process and promoting faster time-to-market.
Data monetization and innovation
By exposing APIs to external developers or partners, organizations can create new revenue streams, foster innovation, and leverage the creativity and expertise of others to build new applications or integrate their offerings into third-party solutions.
Agile development and collaboration
APIs allow front-end and back-end developers to work independently, as long as they adhere to the API specifications. This promotes parallel development, accelerates time-to-market, and enhances overall development efficiency.
Addressing major issues
Securing APIs is filled with challenges. It takes careful planning, consideration of present and future business needs, and a lot of resources (personnel, maintenance, money). Here’s an overview of some of those challenges and how to address them.
Challenge 1: API sprawl. As businesses adopt more and more APIs, it becomes difficult to track and manage them all. This leads to security vulnerabilities because outdated or misconfigured APIs are left exposed to attack.
Solution: Implement a central API management platform to help them track, manage, and secure their APIs. This platform should provide features such as API discovery, versioning, and security testing.
Challenge 2: Lack of visibility. Businesses often lack visibility into how their APIs are being used. This can make it difficult to identify and address security vulnerabilities.
Solution: Implement API monitoring and logging solutions to gain visibility into API usage. This data can then be used to identify suspicious activity and to pinpoint security vulnerabilities.
Challenge 3: Outsourcing. Many businesses outsource the development and maintenance of their APIs to third-party vendors. This can introduce security risks, as the vendor may not have the same level of security expertise as the business itself.
Solution: Carefully vet and select third-party vendors, and they need to have a clear understanding of the security controls that the vendor has in place.
Challenge 4: API complexity. APIs are becoming increasingly complex, as they are used to integrate a wide variety of systems and applications. This complexity can make it difficult to secure APIs, as there are more potential attack vectors.
Solution: Use a layered security approach to protect APIs. This approach should include a combination of technical controls (such as authentication and authorization), as well as operational controls (such as training and awareness).
Common security issues
Beyond the behind-the-scenes challenges, businesses need to guard against external technical threats. According to a recent survey, “94% had some security issue with their production APIs over the past year, with vulnerabilities topping the list at 41%, followed closely by authentication problems at 40%.”
There are numerous threats and risks (this is where subject matter experts enter the scene), but here are the first three risks from the OWASP Top 10 API Security Risks – 2023.
Broken object level authorization
This occurs when APIs do not properly restrict access to objects, such as users, files, or data. This can allow attackers to access objects that they should not have access to, such as sensitive data or administrative functions.
This risk occurs when APIs do not implement strong authentication mechanisms, such as passwords or OAuth. Attackers can gain unauthorized access to APIs, using them to steal data or perform malicious actions.
Broken object property level authorization
This occurs when APIs do not properly restrict access to object properties (e.g., name, email address, phone number). Attackers can then modify object properties that they should not be able to modify, such as changing a user’s password or deleting a file.
Mitigating the known vulnerabilities and threats requires adopting robust security measures and best practices. These may include:
- Implementing input validation and output encoding to prevent injection attacks.
- Applying proper input validation and output encoding to mitigate XSS attacks.
- Employing strong authentication methods, such as multi-factor authentication and secure token-based authentication.
- Implementing fine-grained authorization controls to ensure only authorized actions and data access.
- Encrypting sensitive data-at-rest and in-transit using proper encryption protocols.
- Conducting regular security assessments, penetration testing, and code reviews to identify and address vulnerabilities.
- Keeping APIs and associated software components up to date with security patches and updates.
- Regularly monitoring and auditing API activity and logs.
- Here’s a good story about the usefulness of monitoring: In November 2022, a major wireless network operator’s API vulnerability was exploited, ending in the breach of 37 million accounts. “The mobile carrier detected the malicious activity on January 5, 2023, and cut off the attacker’s access to the API one day later.”
- Educating developers and maintaining a strong security culture.
What to do next?
While API security is a challenge, it’s both possible and necessary to secure them. Create a roadmap and take the next step.