Since the launch of APIs by Salesforce and eBay in 2000, APIs have had important roles in the development of IT- powered business. Websites, social media, mobile, cloud computing—APIs became enablers of these global advances in IT.
For the past several years, API security (or the lack of it) has been making headlines. JustDial, Venmo, Facebook, Salesforce, and Panera are just a few familiar names of companies that didn’t secure their APIs. The increase of web API security breaches occurred when organizations discovered new ways to use APIs to generate traffic and revenue. These new capabilities increased API popularity, and naturally brought out the cyberattackers.
Trends in API breaches
What happened? Security researchers have identified three use patterns directly associated with API data breaches and incidents These include:
High-traffic sites, which offer a wide range of services and include many third-party integrations.
These systems rely on APIs to collect data from third parties and serve it to users. The many
hundreds of APIs used on these sites offer a smorgasbord of attack opportunities.
Most mobile apps, which rely on APIs to pull data from servers. Given the challenges built into mobile app security, there’s no surprise that an energetic community of attackers is ready to
reverse-engineer mobile apps for weaknesses or opportunities.
These scenarios usually followed the same pattern: injection or access attacks against the API authentication surface and exploitation of too-lenient permissions.
However, a third pattern discovered in the first half of 2019 includes another scenario: poorly configured APIs. Security researchers monitoring API-related events from November 2018 to mid-2019 noticed that nearly all new events were caused by badly configured access controls. Evidently, site owners were unaware of the API or took few if any authentication steps to protect it.
APIs: The newest easy target for hackers
If you ask why API breaches occur so frequently, look no farther than these sad facts:
APIs are everywhere—and difficult to find and maintain. A large site with many interconnected
capabilities can use hundreds of APIs scattered throughout the network.
Developers often use lax permissions. Because APIs provide almost unrestricted data access, exploits
give potential attackers visibility into just about everything.
Many IT site owners aren’t API-aware. Most API attacks are undetected and therefore aren’t visible to
most organizations. APIs are often buried deep in web servers, their locations and architectures known only to developers. Sometimes, no one knows they exist at all.
Despite these cautionary scenarios, there are many ways that site owners can defend their networks from API miscreants.
Defense and Control Measures
The breaches we’ve seen so far have been attributable not to genius hackers, but instead to failures to apply basic security principles to new tasks. A first things-first approach to inhouse API security starts with inventories.
Inventory your APIs and keep them current
Know which APIs are where and what they contribute to your business. Security experts recommend that site
Conduct perimeter scans, which provide API status information and a hacker’s view of the network.
Perform in-depth API discovery interviews with development and operations teams. This approach helps site owners understand ideal and actual network states and enables them to prepare risk assessments for either possibility.
Keep API inventories current. The growing complexity of information systems and rapid rate of IT and business change make this a significant task, one that requires patience, discipline, and support resources.
Apply authentication, authorization, and encryption measures
How permissive is corporate API security? In a recent API security report, 25 percent of organizations surveyed didn’t authenticate their APIs at all. To combat this problem, security specialists recommend that network managers consider the pros and cons of each type of authentication and prioritize these measures based on company-specific risks. Other API security measures include:
Implementing API authorization measures with the principle of least privilege. Researchers suggest using role-based access control for all types of API accounts.
Monitoring APIs. Because brute force attacks often go unnoticed, it’s best to log all API connections and review those logs via cloud services, bots, or humans. Also, it’s prudent to monitor assets that APIs serve to ensure their integrity.
Encrypt API traffic. It’s best to encrypt API connections and validate their certificates as for any service. Apply the same security mindset with APIs as with website traffic.
Consider security tools and services. There’s been a surge of advanced API security services and appliances. Security specialists suggest API-aware firewalls or proxies designed to discover, confirm and neutralize harmful API requests. Also, API security services can identify an attack’s originating client and determine if a request is legitimate or malicious.
But what about third-party solutions? There’s plenty that API security services can do to discover and control API data breaches and incidents.
The Best Protection that API Security Solutions Can Provide
API security solutions must manage massive volumes of data traveling through many hundreds of API connections with mobile or laptop devices and their browsers. The need for high-speed, high-volume data handling makes API security a big data analytics problem. That’s why advanced security solutions use machine learning to protect API infrastructures from cyberattacks and misuse. The most advanced solutions:
Provide comprehensive threat protection across many types of attacks.
Detect and block API-related cyberattacks, often before any damage can be done.
Build an inventory of each API and how it is accessed and used.
Identify and categorize atypical behavior without predefined policies, rules, or attack signatures.
Stop new attacks, which present new or changing behavior.
Now, companies can benefit from these capabilities by subscribing to advanced API security services. By monitoring many behaviours in a wide range of data sources, these services can detect and prevent data incidents before they occur. Organizations can use these convenient, cost-effective cloud services to avoid the security risks of fast-changing IT and business operations.