Moving Fast Without API Guardrails?

June 2, 2020

In 1999, Bruce Schneier wrote, “complexity is the worst enemy of security.” Today, I’d argue that speed may be overtaking that top spot or coming darned close. Two stories published recently describe security and privacy issues arising from apps that were deployed too quickly.

The first disclosure involved North and South Dakota’s COVID-19 contact tracing app, which violated the app’s privacy policy by sharing location data with a third-party app, Foursquare. The second was the realization that the state of Alabama’s pandemic unemployment app had exposed social security numbers and banking information for thousands of applicants. In both cases, it was indicated that, in a rush to build and deploy the applications, organizations likely skipped necessary security tests and reviews (Colorado, Illinois, and Ohio also disclosed similar issues).

These kinds of stories are nothing new. Four years ago, cloud vulnerabilities were a recurring theme. Often in those cases, developers new to working with and securing cloud resources would inadvertently leave AWS S3 buckets open or ports exposed as they deployed new applications and features without security oversight.

Over time, after many public breaches, and countless news articles, cloud service providers started building in more guardrails so organizations could avoid those mistakes. Also, more tools came to market, providing security teams with broad visibility into the risk posture of their organizations’ cloud environments.

Fast-forward to 2020, and COVID-19 is quickly changing how we work, shop, dine, learn, entertain, and seek medical attention—really all parts of our lives. We’ve all likely encountered some new app or feature that didn’t exist in February, from new food or grocery ordering apps to contact tracing apps and unemployment assistance apps.

This makes me wonder how many apps, rushed to market to accommodate the reality of shelter-in-place and quarantine, are leaving our data or the businesses exposed?

It’s of particular concern when those apps leverage easy-to-build and easy-to-consume APIs to speed development further. When secured, these APIs are a smart way to interconnect endpoints (and systems) to pass data and deliver critical features and functionality. But, when left unprotected or misconfigured, they can open the floodgates, giving hackers access to data and making it easier to wreak havoc and commit fraud. Targeting the API instead of scripting a form fill allows a bad actor to leverage the same ease of use, efficiency, and flexibility that APIs bring to the development community.

Many enterprises are rapidly moving towards consolidating all their business logic behind APIs, where the web and mobile applications are just user-interface shims around those APIs. This rapid movement, as highlighted with several examples above, exposes new vulnerabilities, which are waiting to be exploited.

So, with cloud guardrails in place (and hopefully you’re using them), it’s time for organizations to turn their attention to APIs. You can start by asking some simple but often hard-to-answer questions:

  • Do you know all the APIs in use across your organization, including shadow APIs?
  • Does security have the ability to assess API risk across both cloud and on-premises environments?
  • Can you protect your APIs from automated attacks and malicious activity?
  • Have the APIs drifted from their original specification and has that increased your risk?
  • Are the APIs accidentally, even in the form of error responses, leaking sensitive information?
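One way to start answering the shadow-API, specification-drift and error-leakage questions above is to compare what an API actually returns against what its specification declares. The following is an added example, not code from the original post; the simplified spec, the traffic sample and the sensitive-data patterns are constructed stand-ins for a real OpenAPI document and gateway log.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed, simplified specification (stand-in for an OpenAPI document):
# path -> field names a documented successful JSON response may contain.
SPEC: Dict[str, Set[str]] = {
    "/v1/claims": {"claim_id", "status"},
    "/v1/profile": {"name", "email"},
}

# Constructed sample of observed traffic, as a gateway access log might record it.
OBSERVED: List[dict] = [
    {"path": "/v1/claims", "status": 200, "body": {"claim_id": "C-1", "status": "open"}},
    {"path": "/v1/profile", "status": 200,
     "body": {"name": "A", "email": "a@example.test", "ssn": "123-45-6789"}},
    {"path": "/v1/export", "status": 200, "body": {"rows": 10}},
    {"path": "/v1/claims", "status": 500,
     "body": {"error": "DB error for account 9876543210123456"}},
]

# Constructed detection patterns for values that should never appear in a response.
SENSITIVE = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card_or_account": re.compile(r"\b\d{13,19}\b"),
}


def audit(spec: Dict[str, Set[str]], observed: List[dict]) -> List[Tuple[str, str, object]]:
    """Return (finding_type, path, detail) tuples for three checks:
    shadow_api (undocumented endpoint), spec_drift (extra fields in a 2xx
    response), sensitive_data / error_leak (sensitive values in a body)."""
    findings = []
    for rec in observed:
        path, status, body = rec["path"], rec["status"], rec["body"]
        if path not in spec:                       # endpoint nobody documented
            findings.append(("shadow_api", path, None))
            continue
        text = " ".join(str(v) for v in body.values())
        leaks = [label for label, pat in SENSITIVE.items() if pat.search(text)]
        if status < 300:
            for field in sorted(set(body) - spec[path]):   # response grew past the spec
                findings.append(("spec_drift", path, field))
            for label in leaks:
                findings.append(("sensitive_data", path, label))
        elif status >= 400:                        # error text carrying sensitive values
            for label in leaks:
                findings.append(("error_leak", path, label))
    return findings


if __name__ == "__main__":
    for finding in audit(SPEC, OBSERVED):
        print(finding)
```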

If you’d like some help devising your organization’s API security program, we’d be glad to help you. And, stay tuned, because we’ll be providing new tools to help you answer these questions soon. Meanwhile, I urge everyone who quickly published apps in response to the COVID-19 pandemic to do a security review.

Like the virus, you may be asymptomatic today, but that doesn’t mean you’re not vulnerable.

Tags: API Attack, API Security, Application, Development

About the Author

Ameya Talwalkar

Co-Founder and Chief Product Officer
