An API, or Application Programming Interface, is a software intermediary that allows two applications to talk to each other. Organisations that suffer a data breach undergo reputational as well as operational damage. Protection against such attacks is therefore a top priority, and the primary focus should be on APIs.
With more companies using APIs, they are fast becoming the weak link and an easy target for cybercriminals. Surprisingly, despite the rise in their use, APIs are grossly ignored and fly under the radar of security professionals most of the time.
Hence APIs are easy to target, and attack incidents will continue to occur until the risks associated with the openness of APIs are addressed.
Why are APIs vulnerable?
The rise in the use of APIs provides a large attack surface that is exposed to threat actors. Another factor that encourages attackers to intensify their attacks on APIs is that the mobile and web apps behind them push data processing onto client hardware, which results in a large amount of client-server traffic.
APIs are constantly used to serve up data to many browsers and mobile endpoints, which means processing many HTTP payloads, each of which offers an opportunity for an attacker to exploit an opening.
It is a common belief that APIs are protected by server-level monitoring, gateway and logging functions. Organisations assume that if a web server is protected by a robust firewall, then the API traffic passing to and from it is also protected by that firewall, which is seldom the case.
Server boundaries do not cover the potentially huge attack surface that APIs expose outside the server.
Recent API breaches such as that of Equifax, which alone cost them $1.14 billion, and that of Capital One, in which attackers hacked the system through APIs at a cost of $150 million, are prime examples of why API security is the need of the hour.
Protecting against API-level attacks requires focusing your attention on security culture and infrastructure. The following recommendations will help:
Build cross-functional teams
Cross-functional teams improve and bolster API security. A cross-functional team allows everyone on the team to be familiar with the different code used in an API structure, which translates to fewer APIs.
Fewer APIs mean a smaller exposed attack surface. Cross-functional teams benefit from understanding the different APIs and downstream systems, enabling them to modify the APIs quickly.
Have a robust API model
APIs must be built to best practices. A coherent training and communication programme that instructs teams on how to build a strong API structure should be undertaken, one that strategically checks for security lapses and regularly updates and modifies the APIs in line with best practice.
A robust API model lays a solid foundation and is in no way affected even if security team members change or there is attrition.
Use predefined mechanisms
By using predefined, repeatable processes and standards such as predefined security patterns, code structures, design standards and reference architectures, you can ensure the best and most secure practices are being used.
Enforce a zero-trust model
A zero-trust model ensures that every API access, whether from within or outside the network perimeter, is always authenticated and monitored to prevent breaches or intrusions.
The zero-trust model should be enforced from the beginning of the API life cycle and carried through its subsequent stages.
Manage your APIs and maintain an inventory
A company may have many APIs that it is not even aware of. The organisation should make an inventory of its APIs and then move on to secure and manage them individually. Conducting perimeter scans helps you discover all your APIs.
Have a strong authentication and authorisation API process
Many of a company's APIs are publicly available and do not have a strong authentication process. Since public APIs give attackers an entry point to the organisation's database, the organisation must enforce a strong authentication and authorisation mechanism to control and deny access.
Enforce the least privilege principle
The principle of least privilege states that users, processes, programs and system devices are granted only the minimum access to the system. Only the minimum access needed to complete a stated request should be granted, which minimises the risk of system infiltration.
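As an added illustration of the authentication, authorisation and least-privilege points above (example code written for this page, not the author's or any vendor's), the following Python sketch authenticates an HMAC-signed bearer token and then authorises the request against a per-route scope table, denying anything that is not explicitly registered. The route table, scope names, signing key and token format are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed server-side signing key for this demo; a deployment would load it from a secrets manager.
SIGNING_KEY = b"constructed-demo-signing-key"

# Scope each route requires. Routes not listed here are denied by default (least privilege).
ROUTE_SCOPES = {
    ("GET", "/accounts/me"): "accounts:read",
    ("POST", "/transfers"): "transfers:write",
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, scopes: list, ttl_seconds: int, now: float) -> str:
    """Mint a compact HMAC-signed token carrying only the scopes this client needs."""
    claims = {"sub": subject, "scopes": sorted(scopes), "exp": int(now) + ttl_seconds}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64(sig)


def verify_token(token: str, now: float):
    """Return the claims if the signature is valid and the token is unexpired, otherwise None."""
    try:
        body, sig = token.split(".", 1)
        expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        claims = json.loads(_unb64(body))
    except ValueError:  # bad base64, bad JSON or a missing "." all land here
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims


def authorize(method: str, path: str, auth_header: str, now: float) -> tuple:
    """Deny by default: authenticate the bearer token, then require the route's scope.
    Returns (HTTP status, detail)."""
    if not auth_header.startswith("Bearer "):
        return 401, "missing bearer token"
    claims = verify_token(auth_header[len("Bearer "):], now)
    if claims is None:
        return 401, "invalid or expired token"
    required = ROUTE_SCOPES.get((method, path))
    if required is None:
        return 403, "route not registered"
    if required not in claims.get("scopes", []):
        return 403, "scope " + required + " required"
    return 200, claims["sub"]


if __name__ == "__main__":
    t0 = 1_700_000_000.0
    token = issue_token("alice", ["accounts:read"], ttl_seconds=300, now=t0)
    print(authorize("GET", "/accounts/me", "Bearer " + token, t0))        # allowed: (200, 'alice')
    print(authorize("POST", "/transfers", "Bearer " + token, t0))         # wrong scope: 403
    print(authorize("GET", "/accounts/me", "Bearer " + token, t0 + 600))  # expired: 401
```

Two design choices carry the security weight: the signature is compared with `hmac.compare_digest` rather than `==`, and an unknown route fails closed with 403 instead of falling through to the handler. Tokens are minted with the narrowest scope set the caller needs, so a leaked read-only token cannot be replayed against a write route.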
Encrypt APIs using transport layer security and share only limited data
Some API payloads contain sensitive data such as login credentials, credit card or bank information. Such APIs should be TLS-encrypted so that there are no data leaks.
Remove information such as login details, passwords and keys from APIs that are not meant to share them. Incorporate scanning tools to limit the accidental exposure of sensitive data.
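The "share only limited data" advice above can be enforced in code rather than left to reviewers. The following Python example, added here and not part of the original article, builds an API response from an allowlist of fields, masks the e-mail address, and then runs a small scanner over the outgoing object that refuses to send it if a sensitive key name or a secret-looking value survived. The field names, key list, value patterns and the sample database record are all constructed for the example.

```python
import re
from typing import Any

# Allowlist of fields a customer-profile response may carry. New database columns are
# excluded automatically until someone deliberately adds them here.
PROFILE_FIELDS = {"id", "display_name", "email", "created_at"}

# Key names that must never leave the server, wherever they appear in the response.
SENSITIVE_KEYS = {"password", "password_hash", "api_key", "secret", "token", "ssn", "card_number"}

# Constructed value patterns that catch secrets hiding under harmless key names.
SECRET_VALUE_PATTERNS = [
    re.compile(r"^(?:\d[ -]?){13,19}$"),                      # long digit runs, e.g. card numbers
    re.compile(r"^(?:AKIA|sk_live_|ghp_)[A-Za-z0-9_]{8,}$"),  # well-known credential prefixes
]


def mask_email(email: str) -> str:
    """Keep the first character and the domain so support staff can recognise the account."""
    local, _, domain = email.partition("@")
    if not domain or not local:
        return "***"
    return local[0] + "***@" + domain


def project(record: dict, allowed: set) -> dict:
    """Copy only allowlisted keys; everything else is dropped by construction."""
    return {k: v for k, v in record.items() if k in allowed}


def find_leaks(obj: Any, path: str = "$") -> list:
    """Walk a JSON-like object and return the paths of any sensitive keys or secret-looking strings."""
    leaks = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            child = path + "." + key
            if key.lower() in SENSITIVE_KEYS:
                leaks.append(child)
            else:
                leaks.extend(find_leaks(value, child))
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            leaks.extend(find_leaks(value, path + "[" + str(i) + "]"))
    elif isinstance(obj, str):
        if any(p.match(obj) for p in SECRET_VALUE_PATTERNS):
            leaks.append(path)
    return leaks


def build_profile_response(record: dict) -> dict:
    """Apply the allowlist, mask the e-mail, then refuse to emit anything still sensitive."""
    out = project(record, PROFILE_FIELDS)
    if "email" in out:
        out["email"] = mask_email(out["email"])
    leaks = find_leaks(out)
    if leaks:
        raise ValueError("refusing to send response with sensitive data at " + ", ".join(leaks))
    return out


# Constructed record as it might come back from the database, including fields that must never be sent.
SAMPLE_RECORD = {
    "id": 42,
    "display_name": "Alice",
    "email": "alice@example.com",
    "created_at": "2023-01-01",
    "password_hash": "$2b$12$constructedhashvalue",
    "api_key": "sk_live_constructedkey123",
    "card_number": "4111 1111 1111 1111",
}

if __name__ == "__main__":
    print(find_leaks(SAMPLE_RECORD))            # paths of the three fields that must stay server-side
    print(build_profile_response(SAMPLE_RECORD))  # only the allowlisted, masked fields
```

The allowlist does the real work; the scanner is a second line of defence for the case the article mentions, sensitive data ending up under an innocent-looking field name. The same `find_leaks` walk can be pointed at captured responses in a test suite, which is the cheap form of the "scanning tools" the article recommends.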
Use rate limiting
Ensure that there is a limit on the number of requests that can be processed in a given time window. This rate-limiting process ensures that the server is not flooded with requests and hence helps prevent Denial of Service attacks.
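A concrete form of the rate limiting described above, written for this page as an added example rather than taken from the article: a per-client token bucket that allows a short burst and then a steady sustained rate, returning HTTP 429 with a Retry-After hint once a client exceeds it. The capacity and refill numbers, the client identifiers and the injectable clock are constructed for the example.

```python
import math
import time


class TokenBucketLimiter:
    """Per-client token bucket: a client may burst up to `capacity` requests, then sustain
    `refill_per_second` requests per second. The clock is injectable so behaviour is testable."""

    def __init__(self, capacity: int, refill_per_second: float, clock=time.monotonic):
        self.capacity = capacity
        self.refill = refill_per_second
        self.clock = clock
        self._buckets = {}  # client_id -> (tokens remaining, timestamp of last update)

    def allow(self, client_id: str) -> tuple:
        """Consume one token for client_id. Returns (allowed, seconds until a token is available)."""
        now = self.clock()
        tokens, last = self._buckets.get(client_id, (float(self.capacity), now))
        # Credit the tokens earned since the last call, capped at the bucket size.
        tokens = min(float(self.capacity), tokens + (now - last) * self.refill)
        if tokens >= 1.0:
            self._buckets[client_id] = (tokens - 1.0, now)
            return True, 0.0
        self._buckets[client_id] = (tokens, now)
        return False, (1.0 - tokens) / self.refill


def handle_request(limiter: TokenBucketLimiter, client_id: str, handler) -> tuple:
    """Front a handler with the limiter; over-limit callers get 429 plus a Retry-After hint.
    Returns (status, headers, body)."""
    allowed, retry_after = limiter.allow(client_id)
    if not allowed:
        return 429, {"Retry-After": str(math.ceil(retry_after))}, "rate limit exceeded"
    return 200, {}, handler()


class FakeClock:
    """Manually advanced clock so the limiter can be exercised without sleeping."""

    def __init__(self, start: float = 0.0):
        self.t = start

    def __call__(self) -> float:
        return self.t


if __name__ == "__main__":
    clock = FakeClock()
    limiter = TokenBucketLimiter(capacity=3, refill_per_second=1.0, clock=clock)
    for _ in range(4):
        print(handle_request(limiter, "client-a", lambda: "ok"))  # three 200s, then a 429
    clock.t = 2.0
    print(handle_request(limiter, "client-a", lambda: "ok"))      # two tokens refilled: 200
```

Key the bucket on the authenticated client identity where one exists, falling back to the source address only for unauthenticated routes, since several legitimate users can share one IP. In a multi-instance deployment the bucket state moves to a shared store, but the arithmetic stays the same.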
Implement flexible governance
Each API comes with a different set of issues, such as differing concerns, risks and standards, that need to be examined in order to determine whether that API is compliant with the security policies.
A flexible policy, such as a just-in-time, just-enough approach, ensures that for APIs categorised as low risk, automation is used to process compliance faster. This ensures a fast response and enables a risk-oriented approach.
Implement robust API logging mechanisms
Implement robust API logging mechanisms that run alongside server-level tracking. These capture and document the details of who interacts with your systems, what they do and how. This data can be used to respond swiftly to a prevalent cyber threat or to risks like outages and errors.
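The logging recommendation above and the earlier inventory recommendation meet in practice: a who/what/how access log is also the cheapest way to find APIs that are missing from the inventory. The following Python example, added for this page and not drawn from the article, writes one structured JSON line per request with credential-bearing headers redacted, then runs two detections over those lines: routes that are not in the documented inventory (shadow endpoints) and sources with repeated 401s. The inventory, header list, thresholds and sample traffic are all constructed.

```python
import json
from collections import Counter

# Constructed inventory of documented routes; anything observed outside it is a shadow endpoint.
INVENTORY = {("GET", "/accounts/me"), ("POST", "/transfers"), ("GET", "/health")}

# Header names whose values must never reach the log.
REDACT_HEADERS = {"authorization", "cookie", "x-api-key"}


def make_access_log(method, path, status, client_id, src_ip, headers, ts) -> str:
    """One JSON line per request: who (client id, source IP), what (method, path) and how
    (status, authentication method). Secret-bearing header values are replaced, not stored."""
    safe_headers = {k: ("[REDACTED]" if k.lower() in REDACT_HEADERS else v) for k, v in headers.items()}
    auth_method = "bearer" if headers.get("Authorization", "").startswith("Bearer ") else "none"
    return json.dumps({"ts": ts, "client": client_id, "ip": src_ip, "method": method, "path": path,
                       "status": status, "auth": auth_method, "headers": safe_headers}, sort_keys=True)


def analyse(log_lines, inventory, auth_fail_threshold=5) -> dict:
    """Flag routes missing from the inventory and sources with repeated 401s
    (misconfigured integrations or credential guessing both show up this way)."""
    shadow_routes = Counter()
    auth_failures = Counter()
    for line in log_lines:
        entry = json.loads(line)
        route = (entry["method"], entry["path"])
        if route not in inventory:
            shadow_routes[route] += 1
        if entry["status"] == 401:
            # Unauthenticated callers have no client id, so fall back to the source address.
            auth_failures[entry["client"] or entry["ip"]] += 1
    noisy = {src: n for src, n in auth_failures.items() if n >= auth_fail_threshold}
    return {"shadow_routes": dict(shadow_routes), "auth_failure_sources": noisy}


# Constructed sample traffic: normal use, a burst of failed logins, and hits on an undocumented route.
SAMPLE_LINES = (
    [make_access_log("GET", "/accounts/me", 200, "alice", "198.51.100.4",
                     {"Authorization": "Bearer constructed-token"}, 1000 + i) for i in range(2)]
    + [make_access_log("GET", "/accounts/me", 401, None, "203.0.113.7",
                       {"Authorization": "Bearer bogus"}, 1100 + i) for i in range(6)]
    + [make_access_log("GET", "/internal/export", 200, "bob", "198.51.100.9", {}, 1200 + i)
       for i in range(2)]
)

if __name__ == "__main__":
    print(SAMPLE_LINES[0])                    # note the redacted Authorization header
    print(analyse(SAMPLE_LINES, INVENTORY))   # one shadow route, one noisy source
```

Because the log line is structured, the same records feed incident response (which client touched which path and when) and the inventory process (every route that appears under `shadow_routes` either gets documented and reviewed, or removed). Redacting at write time, rather than relying on a later scrub, is what keeps bearer tokens out of log archives and the tooling that indexes them.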
APIs have become the go-to mechanism for building modern applications, especially web and mobile applications. APIs follow the concept that extracting data from a completely different source is risky and prone to attacks.
Some organisations are not aware of the potential risks involved with APIs, whereas others ignore the risks completely. API protection is the need of the hour, and organisations should have measures in place to combat API breaches.
An organisation's ultimate goal in using APIs should be to have robust API policies in place and to manage them proactively over time.
Cyril has a solid foundation in the Information Technology and Communication industry with over 13 years of experience. His expertise lies in Information Security, specialising in network, web and mobile applications, and cloud penetration testing across various industry domains like banking, insurance, energy, telecom, IT products and services, and others. He is well-versed in penetration testing methodologies including OWASP, OSSTMM and PTES. He has solid understanding of technical concepts of cloud computing, machine learning, and various programming languages. Cyril is a visionary and strategy-builder, has good communication skills, and is great with managing teams. He has founded and currently leads SecureTriad, a Leading API Penetration Testing Company.