Living in the world of APIs and the inherited risk
With APIs becoming fundamental to modern app development, the attack surface is continually increasing. Gartner estimates that “by 2022, API abuses will move from infrequent to the most frequent attack vector, resulting in data breaches for enterprise web applications.”
APIs are being used more than ever to connect services and transfer data. Adding to that, the pressure that developers are under to produce code faster could easily be a recipe for a security disaster.
The most critical API security risks include broken object-level, user-level and function-level authorization, excessive data exposure, lack of resource and rate limiting, security misconfiguration, and insufficient logging and monitoring.
Some of the biggest security breaches of late were caused by an API exposure. This includes the infamous Cambridge Analytica breach, a Facebook API security vulnerability that exposed personal information about over 50 million people.
Identify Vulnerabilities
It is important to consider the whole API lifecycle. Developers must follow a complete lifecycle, including maintenance and retirement of the interface. Many vendors, like Microsoft and Oracle, sunset APIs in due time. The vendors then develop next-generation APIs that align more closely with new software standards and adaptive security controls, and that leverage more of the available open source library connectors. These new APIs also come with new vulnerabilities and dependencies.
Use an API Gateway
A good gateway will allow organizations to authenticate traffic, as well as to control and analyze how APIs are used.
Living with Coding Mistakes
Broken Object Level Authorization (BOLA) is a common API flaw with potentially catastrophic effects. Many APIs use unique identifiers to retrieve records.
BOLA occurs when changing the number at the end of the URL lets a caller view someone else’s profile as if they were that person. When something like this happens with sensitive information, such as medical records or banking applications, a significant data breach can occur, costing the offending company millions.
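To make the flaw concrete, here is an added example (not code from the original article) that models the record lookup described above as two in-memory handlers: one that only authenticates the caller, and one that also checks that the caller owns the requested object. The record store, user names and IDs are constructed sample data.

```python
# Added example: minimal model of a BOLA-prone lookup and its fixed counterpart.
# Constructed sample data: two users, each owning one record keyed by a numeric ID.
RECORDS = {
    1001: {"owner": "alice", "note": "constructed sample record A"},
    1002: {"owner": "bob", "note": "constructed sample record B"},
}


class NotFound(Exception):
    """Raised when the record does not exist, or must appear not to for this caller."""


def get_record_vulnerable(caller: str, record_id: int) -> dict:
    """Vulnerable handler: `caller` is the authenticated identity, but the code
    never asks whether *this* caller may read *this* record. Any logged-in user
    who changes the ID in the URL receives another user's record."""
    if record_id not in RECORDS:
        raise NotFound(record_id)
    return RECORDS[record_id]


def get_record_fixed(caller: str, record_id: int) -> dict:
    """Fixed handler: the ownership check is made on every object access.
    A foreign record gets the same "not found" response as a missing one, so
    the endpoint does not reveal which IDs exist to callers who do not own them."""
    record = RECORDS.get(record_id)
    if record is None or record["owner"] != caller:
        raise NotFound(record_id)
    return record


def records_visible_to(handler, caller: str, ids) -> list:
    """Authorization regression test for a sprint: report which of `ids` the
    handler returns to `caller`. Anything not owned by `caller` is a BOLA finding."""
    visible = []
    for record_id in ids:
        try:
            handler(caller, record_id)
            visible.append(record_id)
        except NotFound:
            pass
    return visible


if __name__ == "__main__":
    ids = [1001, 1002, 1003]
    print("vulnerable:", records_visible_to(get_record_vulnerable, "alice", ids))
    print("fixed:     ", records_visible_to(get_record_fixed, "alice", ids))
```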
Coding in the DevOps Model With Security Sprints
- Security is best implemented at the lowest levels of an API: the developers and product owners, together with the DevOps team, should secure the code, the API, and its dependencies.
- Developer-centric API security means that the developer scrums own versioning and dependencies, and are responsible for correctly handling authentication and authorization, including delegation and federation of both.
What are common misconceptions around developing with publicly accessible APIs?
- Trust every site you’re uploading your data to.
- The API is easy to use.
- Anybody can upload anything.
- There is no access to your documents. Security controls are not needed.
Securing the API Stronghold
By understanding these basic security risks and adequately responding, API security risks can be largely mitigated. While no system is ever going to be truly perfect, they can at least be complex enough and complete enough to deter all but the most ardent and dedicated hackers.
The Role of Pen Testing and Vulnerability Scanning of APIs
“Gartner has observed that the major driver in the AST market’s evolution is the need to support enterprise DevOps initiatives. Customers require offerings that provide high-assurance, high-value findings while not unnecessarily slowing down development efforts. Clients expect offerings to fit earlier in the development process, with testing often driven by developers rather than security specialists.”
APPSEC, or application security, is a well-defined framework within the AST (application security testing) marketplace. Pen test companies like CYBRI develop tools to test applications throughout the product life cycle. Pen testing and vulnerability scanning are a critical component of APPSEC. When companies expose APIs for their clients to access, the pen testers come into the environment and run a series of exploits, including:
- Code injection attacks
- Cross-site request forgery
- Zero port attacks
- Buffer overflow exploits
- Malicious sources attack
- API user authentication
Conclusion
APIs are exposed to the many attacks that defenders have been fighting in their networks and web-based apps for years. None of these attacks are new, but they can easily be used against APIs.
Don’t wait until an actual attack happens to develop a security operations plan. Allow ample time for security testing and remediation. Pen testing isn’t a one-and-done process: with every change to the API, scanning and pen testing should be part of the agile work sprint, not an afterthought.