APIs are the hottest attack vector in modern software. In this blog, we’ll look at how APIs add risk and best practices for securing them.
For anyone who doesn’t know, API stands for Application Programming Interface. APIs provide a way for software programs to communicate with the external world. And securing these interfaces is a growing problem.
Historically, security teams have focused on securing the platform (networks and infrastructure) on which applications run. Today, teams use CWPP and CSPM solutions to help secure their cloud environments and workloads. And while these security tools are essential, they’re only one piece of the puzzle.
A bulletproof platform or cloud infrastructure is still vulnerable to insecure APIs. Why? Because developers are using APIs to punch holes through your otherwise secure cloud network (and feeding data directly to the outside world). Those security holes are valuable to hackers and bad actors.
When things go wrong, the fines resulting from API-related breaches can be hefty. For example, British Airways was fined over $200 million in 2018. And with 90% of developers using APIs, these security risks are everywhere.
Let’s take a look at some prominent examples of API-related data breaches.
Industry Examples of API Data Breaches
1 – Twitter API Data Breach (2022)
In August of this year, Twitter announced that a hacker accessed 5.4 million of its user records. The official reason for the data breach was “a code change introduced by a developer.” After the data breach, the records appeared for sale on a hacking forum.
Unfortunately, most solutions on the market don’t understand application architecture and can’t flag dangerous code changes at release time. Instead, teams wait for a (virtual) bomb to explode before they know unsafe code is running in production.
Twitter API request/response exposed user IDs
2 – Peloton API Data Breach (2021)
A security researcher found an unauthenticated API in Peloton’s software that allowed unauthorized access to personally identifiable information (PII). The flaw let any user look up anyone registered for a class.
Luckily for Peloton, this vulnerability was discovered by white hat hackers, so they avoided fines. The bad news is that Peloton stock decreased by 15% when the press release came out.
Peloton API response showing private account data
3 – Facebook API Data Breach (2021)
A security researcher found a bug that allowed Facebook users to create posts on other users’ accounts. The researcher found that he could bypass authorization checks when making “unlisted” (invisible) posts.
This API vulnerability also allowed bad actors to share the posts they created, allowing misinformation to spread from any user account.
Facebook paid out a $30,000 bug bounty for this vulnerability. That’s a massive win for them because they’ve previously been fined over $5 billion (that’s billion, with a B) for consumer privacy violations.
A Facebook POST request allows the creation of posts on other user accounts.
How to Handle API Sprawl
Can you answer a simple question, “How many APIs exist in your production environment today?”
To increase the stakes, do you know how many of those APIs access sensitive data (PII, PCI, or PHI)?
This issue plagues security teams at organizations of all sizes. In fact, according to Gartner, “By 2025, less than 50% of enterprise APIs will be managed, as explosive growth in APIs surpasses the capabilities of API management tools.”
Beyond management, asking security teams to explain each API’s architectural context (and potential business impact) is a Herculean task.
So, where should security teams start?
Common Mistakes in API Security
Whether you’re starting an API security program from scratch or improving your existing process, it’s essential to feel confident in these three areas:
- API Discovery & Inventory
- API Infrastructure Security
- Continuous API Security Testing
Here are some common pitfalls to avoid:
Analyzing API traffic/requests leads to incomplete API discovery
Shadow APIs (APIs that exist in production but are unknown to the organization) are a common concern for security teams. These are APIs created by development teams that aren’t appearing in API inventory tools.
Unfortunately, many teams cannot create their API inventory directly from the code running in production. Instead, they generate their inventory by watching network traffic and API calls. Shadow APIs, however, are called rarely (or not at all), which is exactly why they stay in the shadows of a traffic-based inventory.
When hackers finally discover shadow APIs, the consequences can be immense. If an access point is unmanaged, there’s a high likelihood that it’s vulnerable.
Security teams can’t only rely on WAF, API Gateways, or IAM
Developers are human, and mistakes happen.
API vulnerabilities result from a variety of errors, including:
- Unauthenticated APIs
- Unsecured or Hardcoded API keys
- Broken Object Level Authorization
- API Logic Flaws
- Excessive API Data Exposure
- Lack of API Encryption
Unfortunately, there isn’t a single tool capable of protecting companies from these vulnerabilities. So, while WAF, API gateway, and access management solutions are all critical, they can’t guarantee your applications are secure. API testing is crucial for detecting these errors.
API testing is incomplete and infrequent
Mature software teams are good at testing their code logic before release. The bad news is that, often, API validation only checks for intended (rather than unintended) functionality.
It’s essential to expect the worst from both your North-South (traffic crossing the perimeter from outside) and East-West (traffic between services inside) traffic. An API testing strategy that validates it’s impossible to extract additional data, for example by calling an endpoint as a different user and checking that nothing beyond the permitted fields comes back, is crucial.
Furthermore, API testing should occur every time a code change affects an API. If your security program only tests APIs during development, there’s a higher likelihood they will drift over time and become exploitable.
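The following is an added example, not code from the original post or from any vendor it mentions. It shows two of the error classes listed above, Broken Object Level Authorization and Excessive API Data Exposure, in a deliberately vulnerable handler beside its hardened form, and then the kind of negative authorization check an API test suite should run on every change: call the endpoint as a non-owner and report any field that leaks beyond the allow-list. The `User` record, the `USERS` store, the handler names and `run_authz_check` are all constructed for this illustration.

```python
"""Added example: BOLA and excessive data exposure, vulnerable vs. hardened,
plus an automated authorization check. All names and sample data are
constructed for this illustration; they are not any vendor's or project's code."""
from dataclasses import dataclass, asdict

# Constructed sample user store; a real service would query a database.
@dataclass
class User:
    id: int
    name: str
    email: str
    password_hash: str
    street_address: str

USERS = {
    1: User(1, "alice", "alice@example.com", "$2b$12$aliceHASH", "1 Main St"),
    2: User(2, "bob", "bob@example.com", "$2b$12$bobHASH", "2 Elm St"),
}

# Fields any authenticated caller may see about another user.
PUBLIC_FIELDS = ("id", "name")

def get_profile_vulnerable(caller_id: int, target_id: int) -> dict:
    """BOLA + excessive data exposure: the handler trusts the caller-supplied
    target_id, never compares it to caller_id, and serialises the whole
    record (password hash included)."""
    return asdict(USERS[target_id])

def get_profile_hardened(caller_id: int, target_id: int) -> dict:
    """Object-level authorization plus an explicit allow-list of fields."""
    user = USERS.get(target_id)
    if user is None:
        raise KeyError("user not found")
    record = asdict(user)
    if caller_id == target_id:
        # The owner sees their own profile, minus secrets that never belong
        # in any response.
        return {k: v for k, v in record.items() if k != "password_hash"}
    # Everyone else gets only the public projection.
    return {k: record[k] for k in PUBLIC_FIELDS}

def run_authz_check(handler, caller_id: int, target_id: int, allowed_fields) -> list:
    """Negative test for an API test suite: call the endpoint as a non-owner
    and return every field that leaked beyond the allow-list, sorted.
    An empty list means the endpoint passed."""
    response = handler(caller_id, target_id)
    return sorted(set(response) - set(allowed_fields))

if __name__ == "__main__":
    # Bob (id 2) requests Alice's (id 1) profile through each handler.
    print("vulnerable leaks:", run_authz_check(get_profile_vulnerable, 2, 1, PUBLIC_FIELDS))
    print("hardened leaks:  ", run_authz_check(get_profile_hardened, 2, 1, PUBLIC_FIELDS))
```

The check is the interesting part: it asserts on what the response must not contain, rather than on the happy path. Wiring `run_authz_check` into the CI pipeline for every endpoint that takes an object identifier is how the "test on every change" requirement above becomes enforceable instead of aspirational.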
API Security Solutions on the Market
As API security occupies more real estate in tech professionals’ brains, it’s natural that solutions continue entering the market. Let’s look at some popular approaches.
API Discovery and Inventory
One popular approach to API discovery relies on a combination of developer diligence and runtime traffic. Combining OpenAPI (formerly Swagger) specifications with observed traffic, the open source project APIClarity provides an inventory of discoverable APIs, but it isn’t guaranteed to capture all of them. There are also commercial solutions that monitor traffic to create an inventory.
An alternative API discovery solution increasing in popularity is analyzing the compiled code running in production. This approach ensures complete coverage of APIs but does not provide insights into user interactions.
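The following is an added example, not code from the original post or from any project it names. It contrasts the two discovery approaches just described: an inventory built from the code itself (here by walking the AST of a Flask-style service for route decorators) and an inventory built from observed traffic, then diffs them to surface the shadow API that the traffic-based inventory misses. The service source, the access-log lines and the function names are constructed for this illustration.

```python
"""Added example: code-based vs. traffic-based API inventory, and the diff
that reveals shadow APIs. The source file, log lines and function names are
constructed for this illustration; not any vendor's or project's code."""
import ast
import re

# Constructed source of a Flask-style service. The /internal/export route is
# never exercised in the sampled traffic below, so a traffic-only inventory
# never sees it.
SERVICE_SOURCE = '''
from flask import Flask
app = Flask(__name__)

@app.route("/api/v1/users/<int:user_id>", methods=["GET"])
def get_user(user_id):
    ...

@app.route("/api/v1/classes", methods=["GET"])
def list_classes():
    ...

@app.route("/internal/export", methods=["POST"])
def export_all_users():
    ...
'''

# Constructed access-log lines ("METHOD path status") from a traffic sensor.
TRAFFIC_LOG = """\
GET /api/v1/users/42 200
GET /api/v1/classes 200
GET /api/v1/users/7 200
"""

def inventory_from_code(source: str) -> set:
    """Collect (METHOD, route_template) pairs from every @app.route decorator."""
    routes = set()
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.FunctionDef):
            continue
        for dec in node.decorator_list:
            is_route = (isinstance(dec, ast.Call)
                        and isinstance(dec.func, ast.Attribute)
                        and dec.func.attr == "route")
            if not is_route:
                continue
            path = dec.args[0].value
            methods = ["GET"]  # Flask's default when methods= is omitted
            for kw in dec.keywords:
                if kw.arg == "methods":
                    methods = [m.value for m in kw.value.elts]
            for method in methods:
                routes.add((method, path))
    return routes

def _route_to_regex(template: str) -> re.Pattern:
    # A Flask converter such as <int:user_id> matches one path segment.
    return re.compile("^" + re.sub(r"<[^>]+>", "[^/]+", template) + "$")

def inventory_from_traffic(log: str, code_routes: set) -> set:
    """Map each observed request onto a known route template. Requests that
    match nothing in the code are kept verbatim so they are not silently lost."""
    seen = set()
    for line in log.splitlines():
        method, path, _status = line.split()
        for known_method, template in code_routes:
            if known_method == method and _route_to_regex(template).match(path):
                seen.add((known_method, template))
                break
        else:
            seen.add((method, path))
    return seen

def shadow_apis(code_routes: set, traffic_routes: set) -> set:
    """Routes present in the deployed code that never appear in traffic."""
    return code_routes - traffic_routes

if __name__ == "__main__":
    code = inventory_from_code(SERVICE_SOURCE)
    traffic = inventory_from_traffic(TRAFFIC_LOG, code)
    print("shadow APIs:", shadow_apis(code, traffic))
```

Each side contributes what the other lacks, as the text notes: the code-based set is complete for this deployment, while the traffic-based set tells you which routes are actually used and how often. The diff is the actionable list for a security team, because an endpoint nobody calls is also an endpoint nobody is watching.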
API Threat Prevention
Just like a firewall on your operating system, it’s possible to intercept malicious traffic using a WAF (Web Application Firewall) and an API gateway. For this to be successful, it’s crucial to have a complete API inventory and an established API schema so your firewall behaves as expected.
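The following is an added example, not code from the original post or from any WAF or gateway vendor. It shows the part of gateway-level protection that depends on an "established API schema": validating an inbound request body against the declared operation before it reaches the service, rejecting unknown fields, wrong types and out-of-range values. The schema dictionary, the `/api/v1/posts` operation and the two sample requests are constructed for this illustration; a real deployment would derive the rules from the OpenAPI document the service publishes.

```python
"""Added example: schema-driven request validation of the kind a gateway or
WAF enforces in front of a service. Schema, endpoint and sample requests are
constructed for this illustration; not any vendor's or project's code."""
import json

# Constructed schema for one operation: the only fields a client may send,
# their types and limits, and which are mandatory. Anything else is rejected,
# so a field the server must derive from the session (for example the
# author's id) can never be supplied by the client.
CREATE_POST_SCHEMA = {
    "path": "/api/v1/posts",
    "method": "POST",
    "properties": {
        "title": {"type": str, "max_length": 200},
        "body": {"type": str, "max_length": 5000},
        "visibility": {"type": str, "enum": ["public", "unlisted"]},
    },
    "required": ["title", "body"],
    "additional_properties": False,
}

def validate_request(schema: dict, raw_body: bytes) -> list:
    """Return a list of violations for one request body; empty means it conforms."""
    errors = []
    try:
        payload = json.loads(raw_body)
    except ValueError:
        return ["body is not valid JSON"]
    if not isinstance(payload, dict):
        return ["body must be a JSON object"]
    props = schema["properties"]
    for name in schema["required"]:
        if name not in payload:
            errors.append(f"missing required field '{name}'")
    for name, value in payload.items():
        if name not in props:
            if not schema.get("additional_properties", True):
                errors.append(f"unexpected field '{name}'")
            continue
        rule = props[name]
        if not isinstance(value, rule["type"]):
            errors.append(f"field '{name}' must be {rule['type'].__name__}")
            continue
        if "max_length" in rule and len(value) > rule["max_length"]:
            errors.append(f"field '{name}' exceeds {rule['max_length']} characters")
        if "enum" in rule and value not in rule["enum"]:
            errors.append(f"field '{name}' must be one of {rule['enum']}")
    return errors

# Constructed requests: one that conforms, and one carrying a field the
# client must never set plus a visibility value outside the declared set.
GOOD_REQUEST = json.dumps(
    {"title": "Hello", "body": "First post", "visibility": "public"}).encode()
BAD_REQUEST = json.dumps(
    {"title": "Hello", "body": "x", "author_id": 99, "visibility": "secret"}).encode()

if __name__ == "__main__":
    print("good:", validate_request(CREATE_POST_SCHEMA, GOOD_REQUEST))
    print("bad: ", validate_request(CREATE_POST_SCHEMA, BAD_REQUEST))
```

This is why the text insists on a complete inventory and an established schema first: a gateway can only enforce `additional_properties: False` for operations it knows about, and every shadow API is by definition outside that protection.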
Many vendors exist in this space, including specialty API security companies.
API Security Assessments and Scanning
API security assessments require sending incorrect or malicious requests to APIs to find bugs or problems. One popular open-source fuzzing solution is RESTler. Many ‘freemium’ and commercial tools are also available for API testing.
Conclusion
As API-driven software continues to expand, protecting sensitive data becomes increasingly crucial. Maturity in API security requires a complete inventory of APIs, followed by infrastructure that supports secure API data flows, and an automated test program.
If you’d like to learn more about ensuring you have a complete inventory of your APIs in production, learn more about Application Security Posture Management.