What is API Security?

April 28, 2022 | by Varun Kohli

Today’s world is software-driven — from banking to posting on social media, all the most common activities are built on digital foundations. And, increasingly, that software is held together by an intricate web of application programming interfaces (APIs).

No matter your organization’s size and industry, it’s likely running numerous API-powered software tools. In fact, you may be surprised just how many APIs are running under the hood of your networks, applications, and databases.

This ubiquity of APIs raises an important question: What are you doing about API security? This is the kind of query every company has to find an answer to because it’s no longer enough to assume that the access and security control methods developed to protect software are up to the task of detecting or closing an API vulnerability.

When an IT security team is unable to keep up with API security — due to a variety of factors from distributed development or poor coding practices to a lack of process documentation — these interfaces can be a large and risky attack surface. Bad actors won’t hesitate to exploit such a target. Developing an actionable strategy to protect your APIs is an essential response to the security climate as it exists right now.

The Importance and Challenges of API Security

APIs are everywhere, and the numbers back it up. Cequence’s research has revealed that out of 21.1 billion app requests made over six months, 70% came from APIs — that’s 14.4 billion requests.

Developers are rolling out new software functionality and iterating as quickly as possible. Many have turned to APIs as a favored method of creating seamless communication between different systems. Building out online functionality is much simpler with an API, which contains all the necessary commands, payload and data to build out an engaging experience in a way that’s both fast and effective.

The convenience of API-based design has led to them becoming part of every type of business application imaginable, from e-commerce inventory solutions to mobile app connections and payment portals. Companies are turning to API-based solutions to handle increasingly large numbers of business-to-business transactions — they are now the lingua franca of machine-to-machine communications.

This is where the importance of APIs can be most acutely felt: Since businesses’ underlying processes now run on these technologies, they’re the key to keeping the lights on and revenue coming in.

Of course, the fact that these APIs are used to transmit information highlights their potential as an attack target. Companies are turning to APIs to handle their most essential and mission-critical functions. From user authentication to e-commerce and financial functionality, there is sensitive data constantly moving through API-based applications, and compromising API security could allow attackers to take account authentication credentials en masse.

It’s not just the APIs themselves that open up risk. Old-fashioned human error can cause issues — if a developer doesn’t follow best practices regarding authentication or data security on an API-based project, that could present another attack surface.

The potential danger hasn’t been enough to stop companies from embracing APIs as account registration and login tools: According to Cequence’s research, though 80% of attacks blocked in the second half of 2021 were focused on APIs, the use of APIs in account management tools rose 95% during that same time period.

Why Is API Security So Difficult to Achieve?

Since APIs are so widespread and used for such sensitive purposes, it’s clearly important to protect them from attack, but not necessarily easy. There are a few issues that tend to expose companies to elevated security risk, and they’ve proven difficult to resolve. For example:

  • Companies may be unaware of the APIs they’re using: Can you protect something if you don’t know it’s there? This is not a hypothetical question. The IT security team may not know about all the APIs developers have employed over the years, making it hard to develop protective measures.
  • Common frameworks may attract attacks: When an API uses a well-known framework such as OpenAPI or Swagger, it can give the project a reliable level of consistency, quality and security. However, using a well-known framework means hackers already know some of the underlying code. They can use this public knowledge to develop sophisticated attacks.
  • Accidental exposure is a constant risk: It’s relatively common for APIs to accidentally expose companies to risk. Even apps that are internal or not in production are inadvertently exposed to the public, introducing a potential attack surface.
  • Persistent monitoring is needed: Even if an API doesn’t represent an outsize risk when a company first implements it, that may change over time. Attackers can and will continue to probe APIs for weaknesses, and a problem with configuration or a connection to a less secure system could introduce new vulnerabilities over time.

Businesses are operating vast numbers of APIs, and it’s clear that API security is too critical to be dismissed as just another component of general IT security or API management — it deserves its own strategy.

Best Practices for API Security

When it comes to API security, there are a few legacy methods companies may consider, but these aren’t likely to provide the level of protection today’s digital environments really demand. To find the ideal security method, businesses will have to go beyond the basics.

Traditional API security approaches may include using a web application firewall (WAF) or an API gateway. These each come with limitations that could stop them from being comprehensive in today’s environment when so many APIs are in use, and the attacks on them are so constant.

A WAF is a third-party software tool added on top of a company’s technology stack. Designed to block known hazards, such as those identified by the Open Web Application Security Project (OWASP), a WAF may fail to recognize newly developed threats, especially those designed to look like legitimate traffic. These firewalls tend to fall short when it comes to threat prevention, risk assessment and visibility.

An API gateway is an aggregation and management tool for APIs that can handle access control, rate limiting, IP blocking and other functionality. A gateway can be deployed at an infrastructure or department level or in a cloud computing environment. As with WAFs, these tools don’t enable the level of visibility, inventory tracking or threat prevention that today’s companies need.

As an added issue around WAFs or API gateways, using these technology tools can create slight performance issues. They act as an added layer between API-based systems, introducing potential latency without delivering comprehensive security.

Companies that implement API testing are on the right track — but they must go further. Testing APIs to keep aware of emerging vulnerabilities is a valuable part of web API security, but security tests alone can’t be considered to be a strategy. There should also be fully developed strategies for risk prevention and response.

The ideal approach to API security is a native approach that complements the organization’s development processes. This means treating API visibility, threat detection and blocking as additions to the DevOps effort of shifting left. While the focus is on making sure as few API vulnerabilities make it into production as possible, protection is still required as even a perfectly coded API can be attacked.

Key Elements of API Security

Creating a truly modern API security solution that’s up to the challenges presented by today’s tech landscape means building both power and flexibility into the solution. Such a fully-featured approach brings together multiple capabilities to manage and protect the vast array of APIs powering a given company’s applications.

The ideal solution will be one that delivers these essential functions:

  • Attack surface discovery: What does a potential attacker see when they scan your company’s APIs? This is the point of view that will help you develop suitable API security. You may discover accidental and unknowing exposure to APIs or related resources. Seeing these risks helps your IT security team get their priorities in order.
  • API inventory and risk assessment: Cataloging APIs can be a revelation for an IT security team, revealing just how many APIs the business is using. The inventory should determine not just which APIs are in use, but what department owns each one, and whether there are any known risks associated with them. This is also the time to make sure API use is compliant and appropriate.
  • Attack detection: There are numerous ways for attackers to take advantage of weak API authentication or any other API vulnerability. A good detection process will scan for business logic abuses, data leaks and other common attack types. The OWASP API Security Top 10 Risk Factors is a list of the most prominent threats to watch out for — a suitable API security approach will guard against these and more.
  • Attack response: Once you have controls in place to detect API attacks and general API abuse, the question is not if your IT security team will find them, but when. Any API, even one that is coded perfectly, can be subject to an attack. Your response tool kit should include blocking capabilities that can cope with threats that range from business logic abuses to persistent automated attacks carried out by bots and beyond.
  • Build-time application security testing: When API security testing and scanning are part of the DevOps process, the chances of an API vulnerability making it into production decrease dramatically. Your organization should make sure its focus on API security controls starts before applications go live.
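
An added illustration of the inventory step described in the list above (not Cequence's code or product behaviour): it groups constructed access-log lines into route templates, then reports routes seen in traffic that have no catalogue entry and catalogued routes that receive no traffic. The log format, routes and team names are assumptions made for the example.

```python
import re

# Constructed catalogue (assumption): documented route templates and owning team.
DOCUMENTED = {
    ("GET", "/v1/orders/{id}"): "commerce",
    ("DELETE", "/v1/orders/{id}"): "commerce",
    ("POST", "/v1/login"): "identity",
}

# Constructed access-log lines (assumed format): client IP, method, path, status.
SAMPLE_LOG = """\
203.0.113.7 GET /v1/orders/1001 200
203.0.113.7 GET /v1/orders/1002?expand=items 200
198.51.100.4 POST /v1/login 401
198.51.100.4 POST /v1/login 401
192.0.2.9 GET /internal/debug/users/42 200
192.0.2.9 GET /v0/orders/77 200
malformed line
"""

# A path segment that is an identifier: all digits, or UUID-shaped.
ID_SEGMENT = re.compile(r"^(\d+|[0-9a-f]{8}-[0-9a-f-]{27})$", re.I)

def normalize(path):
    """Drop the query string and collapse identifier segments to {id}."""
    path = path.split("?", 1)[0]
    return "/".join("{id}" if ID_SEGMENT.match(p) else p for p in path.split("/"))

def build_inventory(log_text, documented):
    """Map (method, route template) -> owner, hit count and distinct clients."""
    inv = {key: {"owner": owner, "hits": 0, "clients": set()}
           for key, owner in documented.items()}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines instead of guessing at them
        ip, method, path, _status = fields
        entry = inv.setdefault((method, normalize(path)),
                               {"owner": None, "hits": 0, "clients": set()})
        entry["hits"] += 1
        entry["clients"].add(ip)
    return inv

def undocumented(inv):
    """Routes seen in traffic that nobody has catalogued or claimed."""
    return sorted(key for key, e in inv.items() if e["owner"] is None)

def unobserved(inv):
    """Catalogued routes with no traffic: candidates for retirement review."""
    return sorted(key for key, e in inv.items() if e["hits"] == 0)
```

On the sample data, `undocumented` returns the `/internal/debug/users/{id}` and `/v0/orders/{id}` routes, and `unobserved` returns the `DELETE /v1/orders/{id}` entry.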

No matter your industry or the size of your organization, there’s a good chance your level of API usage demands a comprehensive response. Anything less could leave your vital applications and sensitive data vulnerable, as API attacks aren’t slowing down.

Your Best API Security Option

Finding a partner that can fully analyze, detect and protect API security is a good way for an organization to avoid working with multiple vendors on a potentially incomplete solution. Rather than having to pick detection, monitoring or response, selecting an all-in-one provider gets you all of the above.

The comprehensive API Security Platform from Cequence Security is the best way to address API security head-on. With the ability to perform a complete API inventory, detect potential risk factors and mitigate any API vulnerability, you’ll be ready to face whatever new threat types attackers create in the months and years ahead.

The Cequence API Security Platform currently mitigates billions of attacks every day, serving as the primary line of defense for Fortune 500 organizations with vast networks of internal and third-party APIs.

Schedule a demo of the API Security Platform and a free API security assessment today to determine where you are on the path to API security and what you should do next.

Varun Kohli

CMO
