Most of today’s digital experiences are powered by APIs, however security remains a primary concern for CXOs. API adoption is being driven by digital transformation in every sector, and in turn motivates an increasing malicious threat that target APIs. The security needs of organizations continue to outpace their implementation of API security. The organizations have been struggling to decipher the complicated attack surfaces, and often without having a clear strategy to mount a defense. In this article, we will explore the many different challenges and threats imposed on the API ecosystem and provide the best practices to secure the APIs.
API Security Challenges
APIs are at the center of just about every digital experience. They make up the core functions of mobile and web apps, websites, micro-service architecture, regulatory requirements, etc. In short, APIs are the way that applications communicate and share data with each other. From text messaging to e-commerce, to simply checking the news, these simple procedures depend on API support.
According to statistics from Akamai Technologies, API requests account for 83% of all application requests. There is an expectation that the actual number of API requests will exceed 42 trillion by 2024. Malicious attackers have increasingly preferred APIs over more traditional web forms, because API performance is higher and the cost of performing an attack is lower. Industry analysts at Gartner predict that by 2022, API attacks will become the most common method of attack.
Protecting your APIs can be difficult because APIs are ubiquitous and vendor specific. Here are just a few challenges to API security:
Expanding attack surfaces brought on by increasing cloud migration.
With the wide application of cloud computing technology, more and more SaaS are migrated to the cloud, while providing services for more users. These cloud services are using more API, compared with the traditional data center. As a result, both East-West and North-South traffic may become the attack surface of API.
Enterprise growth and technological advancements optimize for speed and agility, at the expense of API security.
Agile model is the mainstream development model. Agile development emphasizes interaction, working software, customer cooperation, and quick response to change. Although this model improves the speed of innovation and flexibility, it relies on the developers to incorporate API security in the coding. In many cases, developers overlook the API security aspect in the software development process.
The API interface is invisible to users, but not to attackers.
APIs are written by programmers, which means that they are the only ones in the organization who know of the internal APIs in an application or system. This lack of visibility makes it hard for security teams to detect the potential security loophole during routine security maintenance. There are many ways to find unprotected APIs, such as using network traffic, reverse code, or known security vulnerabilities.
Organizations might not have known of the public expose and undocumented APIs that exist in their systems and applications, potentially leaving a back door open for hackers. Similarly, it’s also easy to overlook APIs security exposure from 3rd party component and it is very time consuming to identify these APIs to close the loophole.
API attack vectors
Attacks targeting APIs are three times more common than those targeting HTML applications. Attacks using weak password, authorization and injection vulnerabilities are still common. Meanwhile, the risk of parser-based attacks, such as JSON and XML, and third-party API integration is increasing. All of which can cause tremendous disruption to businesses.
The three main types of API attacks are:
Attackers obtain API login credentials through purchasing, phishing, vulnerability exploitation and other ways, and then use botnets to access customer site API to steal customer data or personal information. According to statistics, from 2018 to 2020, there were over 100 billion credential attacks. The complexity and number of attacks continue to increase every year. The cost by credential attacks is as high as 22.8 million US dollars, with an average of one victim every 30 seconds.
Network Availability Attacks
When the API is exposed, an attacker can use DDOS or target the API parser, which renders the API unable to provide services. Attacks against API parsers are more targeted, which may cause hash value conflicts or deserialization anomalies, and then reject API requests. These attacks are nothing new, security teams have been fighting them off for years, however in addition to standard anti-DDoS devices, you need to also be aware of the DDoS attack tolerance of the partner APIs. Your original APIs will not be protected if you rely solely on partner security measures.
All applications are vulnerable to exploitation, and that includes APIs driven applications. By embedding malicious code in API function parameters, JSON, XML and other payload, common API attacks such as directory conversion, command injection, SQL injection, XSS, bypassing identity authentication are implemented to achieve the purpose of stealing sensitive data or destroying the system. Furthermore, API attacks have been instrumented, enabling attackers to use tools to gather a list of domain names and APIs used in attacks, and then use other tools to find or delete sensitive data.
Best Practices for Protecting APIs
API security defense is a systematic project. While the traditional defense focusing on access control, signature, rate adjustment, encryption and other specific technical means, the new security practice needs to emphasize on the API governance, new solutions and systematic review and validation of the API security.
First, in order to quickly respond to API-based attacks, use open-source automation management tools and automatically generate the API documents with detail API changes. Then automatically check data traffic to find and analyze unknown or change API
Secondly, understand the relationships between API calls and identify the obsolete APIs to prevent the omission of security protection measures. This step can also be implemented with tools.
Finally, regularly perform white box testing to detect logical vulnerabilities.
New solutions for an ever-changing landscape
New solutions are available to provide security protection to APIs. Including:
- Use advanced testing tool to verify pre-login and intercept API unauthorized access.
- Deploy an API gateway to perform authentication, authorization and access control on API requests.
- Validate API parameters by using positive and negative security modes;
- Use tools to discover API traffic behavior and provide rapid integration with WAF/DDoS.
Routinely API Security Review
No matter how many publicly available APIs an organization might have, security teams need to be aware of all of them in order to manage their security. Once a comprehensive list has been established, schedule a routine security inspection to continuously seek out hidden threats. A suggested strategy to implement your protection solution.
- Monitor: Review API development, testing, and deployment of security measures.
- Protection: Check whether the user ID, DDOS attack protection measures, data verification black and whitelist are complete.
- Analysis: Assess API risk and inspect API audit logs for anomaly
With the rapid development of information technology, API security protection is also evolved continuously. The API security protect has focus from single vulnerability protection to gateway, application and system protection. However, the API attack methods will also evolve to multi-vector, automated and weaponized artificial intelligence attacks. Security for APIs will be an ongoing challenge and require the use of automation, deep learning, and intelligent tool to counter these threads.