Securing application program interfaces (APIs)
• On June 30, 2022, Google announced a new offering to combat against API security threats.
• The average cost of a data breach, according to a 2019 article published in Forbes, is $8.19 million USD.
• Gartner predicts that by (the end of) 2022, application programming interface (API) attacks will become the most-frequent attack vector.
What is an API?
Have you ever wondered why you can be playing Pandora, check the weather on your phone, look at your email, and use navigation all at the same time? All these things rely on APIs, and APIs are woven into the fabric of most things end users do on their devices. An application program interface is a connection between computers or between computer programs.
APIs come in multiple forms (public, partner, and private, described below), each with its own use cases and common vulnerabilities.
APIs are essentially the pipes, or connection paths, that connect servers, applications, and databases from different companies and allow them to talk to each other. APIs enable two endpoints to communicate with each other in a standard format. An API is a smart, customizable endpoint for developers to access data.
Typically, APIs are internet exposed, allowing two endpoints to communicate using the internet as the path of communication. APIs typically communicate via authenticated HTTP requests, and most APIs return JSON-formatted text that developers can consume in the languages of their choice.
As the world becomes more connected and more cloud dependent, connectivity between services is accomplished using APIs. Akamai has seen an explosion of API calls, which make up 83 percent of all web traffic on their platform. Gartner predicts that API attacks will make up 40% of all attacks, compared with attacks on web interfaces.
Is the API public, partner, or private?
It’s estimated that over 15,000 public APIs are in service today, and the number is growing every year. Public APIs span across multiple industries and providers. Industries are realizing the growth potential of creating a public API. New revenue streams and expanding a business customer base are attractive reasons to create public APIs.
Partner APIs are designated exclusively for partner-to-partner communication. Partner APIs are not publicly available or exposed.
Private APIs are used for interactions between microservices for internal use only. Private APIs are used in cloud-based services that rely on several other services to function. Microservices are an architectural approach to building applications where individual core functions and services are built and deployed independently. Microservice architecture is distributed and loosely coupled, so one component’s failure won’t cause the entire application to fail.
Examples of well-known API attacks
• SQL injection, shell injection
o Ensure data from the source is validated and sanitized.
o Validate incoming requests and block malicious requests.
• Denial of service attacks
o Implement rate, resource, and size limits and brute force protections.
o Multiple requests from one source should be dropped.
o Well-known attacker IPs, TOR relays, and geographical regions or countries that generate unwanted attacks should all be added to a blocked IP list.
o Load balancers and API gateways also help with unwanted requests.
• Broken authentication
o Use modern authentication, such as OAuth 2.0, JWT, or revocable access tokens if MFA is not available, to avoid broken authentication attacks.
o Ensure that the authorization mechanism checks for permissions to perform specific actions.
o Use randomly generated GUIDs as object identifiers for client requests.
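The injection and denial-of-service mitigations listed above, as an added example (not code from the original post or from Logic20/20): a vulnerable lookup that concatenates untrusted input into SQL next to its hardened form, which validates the input's shape and binds it as a parameter; a per-source sliding-window rate limiter; and a request-size check applied before any parsing work. The in-memory SQLite table, the sample rows, the `MAX_BODY_BYTES` value and the `handle_lookup` request flow are all constructed for illustration.

```python
import re
import sqlite3
import time
from collections import deque

MAX_BODY_BYTES = 4096  # size limit for any request body (assumed value)


def build_db():
    """Constructed in-memory SQLite table standing in for a real API backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn


def lookup_user_vulnerable(conn, name):
    """Untrusted input concatenated into SQL: the input becomes part of the query text."""
    sql = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_user_safe(conn, name):
    """Validate the input's shape, then bind it as a parameter so it is data, not SQL."""
    if not isinstance(name, str) or not re.fullmatch(r"[a-z0-9_]{1,32}", name):
        raise ValueError("rejected: name must be 1-32 chars of [a-z0-9_]")
    return conn.execute("SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()


class RateLimiter:
    """Sliding-window limiter: at most `limit` requests per `window` seconds per source."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self.hits = {}  # source (e.g. client IP) -> deque of request timestamps

    def allow(self, source, now=None):
        now = time.monotonic() if now is None else now
        q = self.hits.setdefault(source, deque())
        while q and now - q[0] >= self.window:  # drop hits that fell out of the window
            q.popleft()
        if len(q) >= self.limit:
            return False  # caller answers 429 and does no further work
        q.append(now)
        return True


def check_request_size(body):
    """Reject oversized bodies before parsing; parsing is where the resources are spent."""
    return len(body) <= MAX_BODY_BYTES


def handle_lookup(conn, limiter, source, body, now=None):
    """Order of checks for one request: cheapest rejections first, the database last.
    Returns an (http_status, payload) tuple; `body` is the raw request body (bytes)."""
    if not limiter.allow(source, now):
        return 429, "rate limit exceeded"
    if not check_request_size(body):
        return 413, "request body too large"
    try:
        rows = lookup_user_safe(conn, body.decode("utf-8", "strict"))
    except (ValueError, UnicodeDecodeError):
        return 400, "invalid request"
    return 200, rows
```

The check order in `handle_lookup` is deliberate: the rate limiter and size check cost almost nothing and run first, so a flood of bad requests is turned away before the validator or the database sees any of it.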
Examples of how to secure your APIs
1. Never use production data for testing. Production and testing APIs should always remain separate.
2. Inventory and document your APIs, and monitor and scan your APIs for changes continuously. One example of an API monitoring tool is APIClarity.
3. Ensure your APIs are behind a single static IP or domain, protect your APIs with authentication keys or tokens, and add IP filtering. Use an API firewall if possible.
4. Limit object properties, record size, and queries returned in your API. Only return requested information to the client.
5. Validate API responses using a central schema and filter object properties from the requesting client.
6. Default permissions should always be set to deny all access. Access control rights and permissions should be set for least privilege.
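The authorization points from the "Broken authentication" bullets above (permission checks per action, random GUIDs as object identifiers) together with steps 4 to 6 here (limit returned properties and record counts, filter responses through a central schema, deny by default), as one added example; it is not code from the original post or from Logic20/20. The role table, the response schema, the `MAX_RECORDS` value and the sample order records are constructed for illustration, and the sample records deliberately carry fields such as `card_number` that must never leave the API.

```python
import uuid

# Constructed role table. Any (role, action) pair not listed here is denied.
ROLE_PERMISSIONS = {
    "viewer": {"order:read"},
    "support": {"order:read", "order:refund"},
}

# Central allowlist schema: the only properties a client may ever receive, per object type.
RESPONSE_SCHEMA = {
    "order": {"id", "status", "total", "created_at"},
}

MAX_RECORDS = 50  # hard cap on records returned by a single query (assumed value)


def new_object_id():
    """Random UUID instead of a sequential integer, so identifiers cannot be enumerated."""
    return str(uuid.uuid4())


def is_permitted(role, action):
    """Default deny: an unknown role and an unlisted action both return False."""
    return action in ROLE_PERMISSIONS.get(role, set())


def authorize_object(user, action, obj):
    """Function-level check (may the role perform the action at all) followed by an
    object-level check (a viewer may only read objects it owns)."""
    if not is_permitted(user["role"], action):
        return False
    if user["role"] == "viewer" and obj["owner_id"] != user["id"]:
        return False
    return True


def shape_response(obj_type, obj, requested=None):
    """Drop every property not in the schema; if the client asked for specific fields,
    narrow further, but never beyond the schema (a requested hidden field stays hidden)."""
    allowed = RESPONSE_SCHEMA[obj_type]
    fields = allowed if requested is None else allowed & set(requested)
    return {k: v for k, v in obj.items() if k in fields}


def list_orders(user, orders, requested=None, limit=MAX_RECORDS):
    """Authorize each record, shape what survives, and cap the count regardless of the
    limit the client asked for."""
    limit = min(limit, MAX_RECORDS)
    out = []
    for order in orders:
        if authorize_object(user, "order:read", order):
            out.append(shape_response("order", order, requested))
            if len(out) >= limit:
                break
    return out


def build_sample_orders():
    """Constructed sample records standing in for a real data store."""
    return [
        {"id": new_object_id(), "owner_id": "user-alice", "status": "shipped", "total": 42.0,
         "created_at": "2022-06-30", "card_number": "4111111111111111", "internal_margin": 0.3},
        {"id": new_object_id(), "owner_id": "user-bob", "status": "new", "total": 9.5,
         "created_at": "2022-07-01", "card_number": "5555444433331111", "internal_margin": 0.1},
    ]
```

Two design choices carry the weight: the schema is an allowlist, so a property added to the database later is hidden until someone consciously adds it to `RESPONSE_SCHEMA`, and `list_orders` clamps the client-supplied limit to `MAX_RECORDS`, so a request for ten thousand records cannot turn a listing endpoint into a bulk export.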
Securing your APIs and environment is extremely important. Reducing risk and attack surface should be top-of-mind for any company. Securing an environment is always about layers upon layers of defense. Depending on the breach, your company may be facing fines and being reported in the news. After a breach and the potential loss of business and customers, regaining customer trust can be a long process. If you have questions on how to secure your environment, reach out to us.
Steven Wood is a Consulting Manager focused on enterprise security in the Logic20/20 Digital Transformation practice.