An Application Programming Interface (API) is software code that allows applications to communicate with each other and request each other for information. APIs are found everywhere – whether you’re checking the weather on your phone or using your car GPS to navigate – apps are constantly interacting with each other through APIs and exchanging important and often sensitive information. This information can include your location, personally identifiable information, your preferences, or even your app usage data.
Since APIs act as gateways to critical software functions and the data of both users and enterprises, they are often prime targets for attacks. Every organization with a microservices architecture needs to invest in API security, by regularly monitoring and testing for vulnerabilities as well as implementing security best practices. Without ensuring observability into these building blocks of distributed modern applications, organizations risk catastrophic business failure should a breach occur.
Common API Security Concerns
Salt Security released its API security report, titled “The State of API Security” for the third quarter of 2021, with some alarming findings. Over the past six months, API attacks have increased by a whopping 348 percent. An astounding 94 percent of respondents reported an API security incident over the past 12 months. In fact, APIs are currently the primary attack vector for applications, often seen as low-hanging fruits for hackers. Despite this, the majority of organizations reported having either no or just a basic strategy for API security.
In 2019, OWASP released its API Top 10 2019 list of security vulnerabilities, which continues to be relevant today. A summary of the list is in the table below. The top two concerns reflect major issues with access control rules and weak authentication, which are the primary causes of most API security incidents. The third concern is a result of insufficient data governance, which affects data accessibility, usability, and protection. The first step toward API security is understanding, identifying, and mitigating these vulnerabilities in your own application environment.
|OWASP’s Top 10 API Security Vulnerabilities
|API1:2019 Broken Object Level Authorization
|API2:2019 Broken User Authentication
|API3:2019 Excessive Data Exposure
|API4:2019 Lack of Resources & Rate Limiting
|API5:2019 Broken Function Level Authorization
|API6:2019 Mass Assignment
|API7:2019 Security Misconfiguration
|API9:2019 Improper Assets Management
|API10:2019 Insufficient Logging & Monitoring
Major API Breaches
To give you a more practical picture of the risks of unsecured APIs, we’re going to take a brief look at some major data breaches.
Facebook’s Developer API was compromised in September 2018, exposing millions of users. It was found that the “View As” function in the Developer API delivered users’ authentication tokens to developers. In December, Facebook faced another breach through a Facebook photo API, which affected over 6.8 million users. Even worse was the discovery of a publicly accessible database with over 267 million Facebook IDs, names, and phone numbers, which likely had been scrapped due to an API leak.
Much of the issues with the Facebook API breaches can be pinned down to the high levels of access given to Facebook applications by users who “opted in” to have their profiles accessed by these apps. With data mining being a core feature of Facebook’s design, it is no surprise that unsecured APIs have allowed malicious actors to take advantage of this freely flowing data.
Venmo reported that an API that shares transaction descriptions had been unsecured. This led to data from 200 million transactions being scraped, including senders’ full names, the value of each transaction, and the memos included with each transaction. The issue, in this case, was that the data was not treated with enough importance to be secured, even though it could have been used by malicious actors to track users.
The USPS reported in 2018 that its web API had a major flaw that allowed hackers to scrape the data of over 60 million users, including their email addresses, account numbers, phone numbers, and addresses. This issue could have easily been prevented if the web API had an in-built anti-scraping system. Unfortunately, the automated access and lack of rate-limiting meant that the attack was able to proceed on a massive scale.
These examples all illustrate one major point: apathy toward API and database security is the biggest issue in API security. If enterprises don’t think their APIs and databases are worth securing, they won’t shift API security to the left. The key is to ensure that all possible functions and features of an API are secured in development and to keep a roving eye for vulnerabilities and suspicious activity post-deployment.
API Security Solutions
To enforce API security, there are several tools and resources that enterprises can leverage. Since API Gateways and Web Application Firewalls (WAFs) alone don’t appear to be sufficient to protect against breaches, companies need more comprehensive solutions. This includes monitoring, predicting, and mitigating zero-day attacks.
Noname’s API Security Platform is one such solution that discovers and inventories legacy and rogue APIs, analyzes suspicious behavior and misconfigurations through AI learning, remediates API attacks in realtime, and actively tests and verifies APIs before they are deployed to production. This provides organizations crucial insight and visibility into their APIs and ensures that any API breaches that do occur have minimal impact.
APIClarity is another useful tool created by CISCO that gives you visibility into your APIs. APIClarity is an open-source, cloud-native tool that captures and analyzes API traffic for potential threat using a service mesh architecture. Since cloud-native applications often expose APIs, APIClarity can improve your APIs’ observability and generate actionable insights, which you can then leverage to boost your web applications’ security.
As APIs slowly become the dominant attack vector for applications, organizations need to shift left to prioritize API security and start implementing API security best practices at all stages of production.
If you have questions related to this topic, feel free to book a meeting with one of our solutions experts, mail to firstname.lastname@example.org.