Wrangling API Security Amid Rapid Growth
Digital Transformation is driving the use of APIs. An API, or Application Programming Interface, is a set of protocols, routines, and tools that sits between different software applications and allows them to communicate with each other. Think of searching in a web browser for weather information—the information displayed is drawn from API connections to other weather data providers.
API use by businesses ventures well beyond weather information. According to Harvard Business Review, “Determining which APIs to develop and what products and solutions they’ll enable requires a digital mindset.”
With the exponential growth of APIs come security concerns. The Cloud Security Alliance noted the risks of the increase in cloud use, specifically regarding APIs: “Companies should embrace automation and employ technologies that monitor continuously for anomalous API traffic and remediate problems in near real-time.”
According to Kate Larson, co-founder and COO of WEBGAP (browser isolation technology), “124 million Americans use the browser to do their jobs every day.” And mobile app use is ever-increasing. API use is not just obvious and prevalent, but it’s essentially ubiquitous and will become even more pronounced as digital transformation continues.
APIs are an open attack vector for an organization's network and data. Some of the dangers of keeping APIs secure amidst their rapid growth include:
- Complexity and lack of visibility: As more APIs are added, keeping track of them and how they interact becomes exponentially more difficult. This lack of visibility leads to security issues going unnoticed.
- Lack of security measures: The rapid development and deployment of APIs mean there may not be enough time or resources to properly implement security measures. This leads to vulnerabilities that can be exploited by attackers.
- Insufficient testing: In the rush to get APIs to market, thorough security testing may be missed, leading to unforeseen security issues.
What Can Happen When APIs Aren’t Properly Secured?
- Optus, an Australian telecommunications company, suffered a data breach in September 2022 that leaked the sensitive data of 10 million Australian customers. In April 2023, Optus was facing a class-action lawsuit for that same breach. The cause of the breach? Common API vulnerabilities that include Broken Object Level Authorization (BOLA) and Unrestricted Resource Consumption.
- APIs of the dating site, Bumble, exposed the personal information of 100 million users. The cause included BOLA and Broken Authentication.
Securing APIs is daunting, but there are established ways to protect from common vulnerabilities. Let’s explore some strategies for avoiding these common risks.
Keeping Track of It All
In a 2023 survey, 54% responded that “zombie” APIs were their biggest concern. Inventory is vital—you can’t protect what you don’t know about, and it’s easy to lose track as APIs are tested, deprecated, and replaced.
Some ways that organizations can inventory APIs include using:
- An API gateway: An API gateway can be used to manage and track all of the APIs within an organization. The gateway can be configured to log API usage and performance, and it can also be used to enforce security policies and rate limits.
- API management and documentation tools: API management software can be used to inventory, document, and manage APIs within an organization. Management tools typically include features such as API discovery and monitoring, leading to a reduction in complexity. Documentation includes API endpoints, parameters and response format. Proper management and documentation make the API ecosystem easier to understand.
- API discovery tools: API discovery tools can be used to scan the organization's network to identify and inventory all of the APIs within it. These tools are useful for organizations with numerous APIs that may be distributed across multiple systems and give a comprehensive view of the resources.
- API design patterns: design patterns can be used to standardize the way that APIs are developed and deployed. An example is this guide to REST API design.
Some Security Measures for APIs
Here are some best practices to secure APIs (note: no single one of these is sufficient—work toward defense-in-depth):
- Rate limiting: Rate limiting can be used to prevent API abuse and D/DoS attacks by limiting the number of API requests that a client can make within a specific time period.
- Input validation: Input validation ensures that data passed to the API is in the expected format and meets certain criteria. This can prevent malicious input from being passed to the API.
- Use web application firewalls (WAFs): A WAF (especially one that is more than just a WAF, such as a Web Application and API Protection (WAAP) technology) can be used to monitor and protect APIs by blocking malicious traffic and helping to prevent common web attacks such as SQL injection (SQLi) and cross-site scripting (XSS).
- Regularly update APIs and related systems: It’s hard to overstate the importance of keeping APIs and related systems up-to-date with the latest security patches and updates to prevent security vulnerabilities from being exploited.
- Runtime security and continuous discovery capabilities purpose-built for APIs: Most security tactics in place now, including WAFs and rate limiting, can detect traditional application attacks, but they cannot identify or block today’s low-and-slow API attacks. Attackers understand the tricks they need to play to avoid detection by those devices, so organizations need technology designed specifically with the OWASP API Top 10 list in mind, for example.
How Can APIs Be Tested More Thoroughly?
There are several best practices that organizations can follow to test APIs more thoroughly:
- Automated tools: Automated testing tools can be used to quickly and efficiently check APIs for a wide range of security vulnerabilities.
- Manual testing: Manual testing is a good addition to automated tools for more thorough API testing. This will involve testing functionality and trying to identify potential security vulnerabilities.
- Test for common vulnerabilities: There are many common vulnerabilities that affect APIs, such as Broken Object Level Authorization, Broken User Authentication, and Excessive Data Exposure. One can’t go wrong with reviewing OWASP’s API Top Ten.
- Test API security measures: Security measures implemented to protect APIs, such as authentication and authorization mechanisms, should also be tested to ensure that they are working properly.
- Test API performance: API performance, especially runtime, needs to be tested to ensure that it can handle the expected load and traffic. Poor performance can lead to security issues, such as DDoS attacks.
- Deploy runtime security: Shift left tactics will never catch all the problems, because they cannot prevent business logic abuse, which is the core of most API attacks. Organizations need to employ anomaly detection built for API attacks to protect their businesses.
At some point in your API security journey, it’s very much a “choose your own adventure” idea—what step will you take next to make security a reality for your data?