Modern web application development has become crucial in this digital age as organizations look to expand their web architecture. Most are increasing the number of web and mobile services they make available in order to provide a better overall service to customers. Key to the success of this is managing the security risks posed by Application Programming Interfaces (APIs).
The rise of API risks
At their core, APIs enable applications to connect services and transfer data. An API is a communication vessel that allows applications to talk to each other. While this is beneficial for business management, security issues do persist. Whenever an API is produced and used, there is an endpoint that connects to the application which could be exposed and leave data vulnerable to theft by cybercriminals. In fact, in 2019, research found that 83 percent of web traffic consisted of API calls, which indicates that hackers have worked out how to target API weaknesses; bot/scraping and denial of service attacks were the most prevalent. Lapses and misunderstandings around API security and its risks have also led to data breaches.
For example, a high-profile API breach involved Facebook in 2018 after a photo API bug exposed private photos in a breach impacting over 6 million users, allowing criminals to take command over up to 50 million accounts.
Suffering an API breach can have serious consequences for an organization’s reputation and finances, as this would fall under non-compliance with many data security and privacy laws. If a company is found to be non-compliant then severe penalties could be enforced.
The industry cannot ignore the negative impact API exploitation can have, especially as Gartner predicts that by 2022, API attacks will be the most common attack vector in web application data breaches. Moreover, most organizations have potentially thousands of APIs within their digital architecture, so securing this element and identifying the different routes of attack has never been more important.
Understanding the challenges with API security
Currently, the demand for APIs is growing amongst the developer community. As the demand grows, so too will the risk and frequency of attacks. In an attempt to mitigate these threats, developers conduct dedicated API testing and protection, which involves Static Code Analysis and Static Application Security Testing (SAST) to detect common coding issues from the beginning of the application development process. DevOps teams also add a second layer of security in the form of application firewalls to examine network traffic and highlight any anomalies or attacks.
However, these techniques are largely insufficient for locating and preventing the API logic issues that are commonly found in API breaches. Some may look to penetration testing, but this requires the testers to fully understand the API code, and the procedure can be drawn out and costly. To get API security right, organizations must incorporate three key factors:
Firstly, scanning must be comprehensive to ensure coverage reaches all API endpoints.
Secondly, testing must be scalable as each API endpoint could have over 250 endpoint-method permutations that must be analyzed. If not, the attack surface will be engulfed by thousands of potential threats.
Lastly, speed has become key in the DevOps process. With organizations often in a race to get applications to market, security cannot be a hindrance to this process. Yes, APIs have a myriad of complexities within the architecture, but testing must still be fast.
OWASP framework for API security
With API security risks becoming a noticeable issue, in 2019 OWASP created a dedicated API Security framework to help organizations tackle them. The OWASP Top 10 API Security list sits alongside the OWASP Top 10 for web application security risks to give a fundamental baseline for addressing API security threats, including security misconfigurations, excessive data exposure, improper assets management, and other issues related to authentication and authorization. All of the top 10 security threats are unique to the organization which created the API and require a different scenario-based API security test to check how the API can be used each time. This reinforces the notion that traditional application security testing methods will not be sufficient in remediating specific API threats.
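The "excessive data exposure" category named above, as an added illustration that is not from the article or from Outpost24: a handler that serialises a whole user record beside a hardened version that builds the response from an explicit allow-list, plus the kind of scenario check an API test would run against both. All names and the sample record are constructed for the example.

```python
# Added example (not the article's code): OWASP API Top 10 (2019)
# "excessive data exposure", shown as a leaky handler and a hardened one.
from dataclasses import dataclass, asdict


@dataclass
class User:
    id: int
    email: str
    display_name: str
    password_hash: str   # must never leave the server
    is_admin: bool
    mfa_secret: str      # must never leave the server


# Constructed sample record standing in for a database row.
DB = {42: User(42, "dana@example.test", "Dana",
               "$2b$12$constructedplaceholderhash", False, "CONSTRUCTEDSECRET")}


def profile_leaky(user_id: int) -> dict:
    """Vulnerable pattern: the ORM object is serialised wholesale and the
    client is trusted to ignore fields it should never have received."""
    return asdict(DB[user_id])


PUBLIC_FIELDS = ("id", "display_name")
OWNER_FIELDS = PUBLIC_FIELDS + ("email",)


def profile_hardened(user_id: int, caller_id: int) -> dict:
    """Hardened: the response is assembled from an allow-list chosen by the
    caller's relationship to the record, so any column added later is
    private by default instead of exposed by default."""
    user = DB[user_id]
    fields = OWNER_FIELDS if caller_id == user.id else PUBLIC_FIELDS
    return {f: getattr(user, f) for f in fields}


SENSITIVE_KEYS = {"password_hash", "mfa_secret"}


def leaked_fields(response: dict) -> set:
    """Scenario-test helper: the sensitive keys that escaped in a response."""
    return SENSITIVE_KEYS & set(response)
```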
API security best practices
As previously mentioned, API vulnerabilities cannot be fixed using traditional methods, nor should they be considered classic security threats. Business logic flaws and loopholes within the API are common and, in the haste to push more code into production, developers often introduce API vulnerabilities that grant unintended access. Unfortunately, without the appropriate tools, it is virtually impossible for developers to meet the fast production demands of the organization while also testing against every possible attack scenario.
A new approach is required to help development teams tackle API security: one that builds a knowledge base of the API, cataloging all available endpoints and identifying the supported methods, so that vulnerabilities are addressed before production. This defense strategy goes a step further by offering more analysis and security than SAST, API firewalling and manual pen testing.
Moreover, API Security testing must be integrated at the earliest stage of the development process and should be automated, continuous, scalable and comprehensive. This will help reveal vulnerabilities that may have been missed by static analysis and firewalls while creating detailed tests to evaluate an organization’s entire API footprint.
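The cataloging step described above, as an added example that is not the article's or Outpost24's code: build the endpoint/method inventory from a constructed OpenAPI 3 document, enumerate every path-method permutation, and flag two findings an automated scan would raise, operations with no authentication requirement and observed traffic to endpoints the specification does not document (the "improper assets management" case). The specification, the observed requests and the security scheme name are all assumptions made for the example.

```python
# Added example (not the article's code): endpoint/method catalogue from an
# OpenAPI 3 document, with two findings a scan in the pipeline would report.
HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options"}

SPEC = {  # constructed sample specification, not a real service
    "security": [{"bearerAuth": []}],          # document-wide default
    "paths": {
        "/users/{id}": {
            "get": {},                         # inherits bearerAuth
            "delete": {"security": []},        # explicitly anonymous
        },
        "/health": {"get": {"security": []}},
        "/orders": {"post": {}, "get": {}},
    },
}

# Constructed access-log observations as (method, path template) pairs.
OBSERVED = [("GET", "/users/{id}"), ("PUT", "/users/{id}"),
            ("GET", "/v1-old/export")]


def catalogue(spec: dict) -> dict:
    """Map 'METHOD /path' -> True if a security scheme applies, else False.
    A per-operation 'security' key overrides the document default; an empty
    list means the operation is reachable without authentication."""
    default = bool(spec.get("security"))
    cat = {}
    for path, item in spec["paths"].items():
        for method, op in item.items():
            if method not in HTTP_METHODS:     # skip parameters, summary, etc.
                continue
            requires_auth = bool(op["security"]) if "security" in op else default
            cat[f"{method.upper()} {path}"] = requires_auth
    return cat


def unauthenticated(spec: dict) -> list:
    """Operations reachable anonymously; each needs a deliberate sign-off."""
    return sorted(k for k, auth in catalogue(spec).items() if not auth)


def undocumented(spec: dict, observed) -> list:
    """Method/path pairs seen in traffic but absent from the specification:
    shadow or legacy endpoints that no scan based on the spec would cover."""
    known = catalogue(spec)
    return sorted(f"{m.upper()} {p}" for m, p in observed
                  if f"{m.upper()} {p}" not in known)
```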
There are dedicated API security solutions with these attributes that will shorten developers' test cycles when addressing API vulnerabilities, which in turn means faster application release times and a reduced risk of an API breach. DevOps teams want to see fluid production, and these tools will reduce any delays to the deployment workflow.
Once API security testing has been integrated within the overall defense and automated into the development cycle, organizations can be notified of API-related issues before progressing to the next stage in the development process. To better understand the severity of an API risk, and the necessary remediation effort, each threat should be given a severity score using the Common Vulnerability Scoring System (CVSS), enabling the business to make better-informed decisions on its remediation efforts.
Given most traditional web application defenses are not a viable option to shield against API threats, organizations must take the necessary steps to ensure these are being remediated to reduce the overall attack surface. It must be reiterated that the importance of APIs will continue to grow and protecting them has never been so critical.
Simon Roe, product manager, Outpost24