How to Address Shortcomings in API Security

The application programming interface (API) economy is the commercial exchange of data, services and functionality between companies. These APIs allow different software systems to communicate and work together, enabling businesses to offer new services, improve user experiences and streamline operations.

According to Akamai, 83% of internet traffic now comprises API calls. This number has been steadily rising and shows no signs of slowing down.

Companies like Amazon provide APIs that allow other businesses to list products, track shipments and process payments, enabling a vast ecosystem of online stores. Fintech companies offer APIs for payment processing, fraud detection and financial data aggregation as part of a new generation of financial apps and services. APIs are the glue that joins disparate systems, allowing them to function as one.

However, as APIs proliferate, they pose some severe risks. A study conducted by the Marsh McLennan Cyber Risk Analytics Center in June 2022 found that API-related security incidents cost global businesses as much as $75bn annually.

The latest version of the PCI Data Security Standard (PCI DSS), which provides technical and operational requirements for organizations that store, transmit, or process credit cards, specifically mentions APIs and the need to secure them. In 2021, Gartner predicted that APIs would become the top attack vector, and that prediction is rapidly becoming true.

Read now: Insecure API and Bot Attacks Cost Global Firms $186bn

How to Address Shortcomings in API Security

Specific Security Strategies Needed for APIs

APIs have direct access to data, are often over-permission and are vulnerable to logic attacks. Many of our existing secure software development tools, like SAST and DAST, cannot find many vulnerabilities in APIs, such as logic attacks.

APIs require strong governance and a security program. They start with knowing your APIs and ensuring you have a complete inventory. Organizations must discover and document all the APIs in their environment and categorize them according to the sensitivity of the data to which they have access.

You can’t secure something if you don’t know it is there, and you don’t see the risk it poses unless you understand the data the API has access to, which will impact the controls you implement.

Authentication methods have not caught up with the pace of technological progress, as the Global Digital Trust Association ISACA explored in a recent white paper. One big problem with APIs is they often use weak forms of authentication and, in some of the worst attacks, no authentication, allowing attackers to stage attacks and gain access to sensitive data.

Shared API Security Responsibility

One credit reporting agency was providing its API to various customers, such as financial institutions, lenders, and other businesses. These customers used the API to access credit information for their clients and integrated the API into their own systems to retrieve credit scores, risk factors, and other related data.

The credit score API did not require authentication. The attackers could use the customer’s weak authentication customer station process to gain access to the credit score API, which enabled them to retrieve sensitive information, such as FICO scores and credit risk factors.

This incident highlights the shared responsibility between service providers and their customers. While the API provider must ensure its API is secure, customers using the API also need to implement robust security measures to prevent unauthorized access.

One of the most common forms of authentication used by APIs is digital keys. The endpoint can authenticate to the API by using the key provider of the company that provides the API. The storage of the key and the length of the key’s lifespan are critical to the security of the API. If a hacker is able to obtain the key, can they access the data from a different endpoint?

Is guidance provided to API customers and clients on how to handle their keys? If you email keys to clients who are consuming your services through APIs, that opens a large hole. OAuth is an open standard for token-based authentication and authorization. It provides fine-grained access control and can support delegated access.

However, OAuth is more complex to implement than API keys. Although there are other forms of authentication, keys and OAuth are the most common choices.

Authorization is another pain point in APIs. A security researcher displayed an example of the problems: By exploiting a vulnerability, they were able to sell cryptocurrency they did not own, exploiting the flaw for potential financial gain. Often, APIs are overprivileged and have access to more data than simply what is shown at the endpoint. Business logic errors make up four of the top five attack vectors.

OWASP, a nonprofit focused on secure application development, has produced a list of the most common API attacks and mitigations. It is critical that security developers use resources like OWASP to understand how to build strong code, which helps developers avoid vulnerabilities that have made APIs often central to security breaches.

API Security Now a Top Priority

The API economy is transforming businesses’ operations, enabling them to connect with each other and their customers in new ways. It is the fuel that is turbocharging digital transformation.

By leveraging APIs, companies can innovate faster, scale more effectively and create new revenue streams, making APIs a critical component of modern business strategies. Today, as many as one in every 13 cyber incidents can be attributed to a lack of API security, according to the Marsh McLennan Cyber Risk Analytics Center study. API security should become a top priority as companies grow their digital portfolios.

Source: Infosecurity Magazine

Latest News:

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top