An application programming interface, or API, is a defined process that allows data to be shared between applications or programs. Each API consists of a set of rules that dictates how communication occurs between a client and a server or external program. The required request format, the authentication process, and the encryption of data all have set guidelines so that the API knows what information to share and when and how to share it.
Examples of APIs include universal log-in interfaces, when a website allows users to log in using their credentials from a site like Google or Facebook rather than creating a new set of log-in credentials for every single website, and third-party payment processes, when a payment is processed using a third-party application such as PayPal. They allow data to be gathered from an external server or program in order to make the process of logging into an account or submitting a payment online easier.
APIs are useful not only in aiding consumers to simplify their online experience, but in enabling easy communication, integration, and collaboration between companies and organizations. They are versatile and constantly changing, allowing for developers to innovate how they are used, and they bring data from many sources into one place for ease of access. This is why the average number of APIs per company has grown 221% in the past year. Unfortunately, the features that make APIs practical and necessary are also the factors that make them a great target for cyberattacks. The same article that detailed the Salt Labs research report with recent API security trends, describes APIs as “the on-ramps to the digital world”.
API Security: Biggest Threats
Because API traffic is increasing so rapidly, cybercriminals are taking advantage of the wide attack surface; while API traffic grew 321% in 12 months, API attack traffic grew 681% in the same time. API development happens quickly, so the landscape of API security is constantly changing, making it difficult to keep security practices updated. Additionally, API attacks are tricky to guard against as each attack is unique and the result of probing for weaknesses.
The most common threat to API security is broken object level authorization (BOLA). An attacker can tamper with an object in the API request without the server component tracking the change. BOLA flaws cannot be detected by automatic static or dynamic testing, and can allow bad actors to view, modify, or delete sensitive data. To prevent BOLA attacks, a security process would need to be able to detect abnormal API behavior; in order to do this, the API security must understand normal API behavior.
Another common form of API attack is broken user authentication, where attackers take advantage of weak security procedures in user authentication. Using credential stuffing, credential cracking, stolen authentication tokens, and other methods of permeating vulnerable authentication interfaces, cybercriminals can gain access to user accounts, data, and transactions.
Attackers also often take advantage of excessive data exposure in API attacks. In the process of obtaining and sharing information, APIs often provide more data than is needed for the task; attackers exploit this by using the surplus data to get to sensitive information. Many APIs let the client application filter the data and decide what the user sees on their end, but the redundant data provided by the API is still vulnerable to attacks.
Security misconfigurations of all kinds present opportunities for cybercriminals to gain knowledge of a program and its API components to use to plan their attacks. An API with security settings that are poorly defined or deployed with default settings is vulnerable to attackers targeting data as well as infrastructure. Because APIs are different and must be secured by specific methods, it is difficult to spot a security misconfiguration and implement a specific solution. On the whole, most successful API attacks prey on gaps in business logic.
API Security Best Practices
Given that APIs are uniquely difficult to secure, there is no surefire way to ensure that they are properly defended against attacks. However, there are many practices that, if implemented and maintained, will make an API more secure and harder for cybercriminals to target. These practices come into play during development and testing as well as during production, presenting a broad range of opportunities to improve API security.
From the beginning, it is important to establish secure API design and development, making sure that the API is built using secure coding and configuring processes. It is also helpful to conduct design reviews which include business logic to increase the chances of flaws being caught early on. Security testing can identify misconfigurations and vulnerabilities in an API, while analysis and fuzz testing can catch issues with business logic.
Crucial to API security is documenting APIs and maintaining an accurate API inventory. This ensures that security teams and internal actors can see and comprehend the structure of the API, how it is integrated, tested, and protected, and the total attack surface of APIs being used. Accurate and detailed documentation is key to making sure problems and solutions are tracked and available for future reference.
After development and testing, there are other tools and practices that can help to maintain API security. Using logging and monitoring on APIs gathers data on normal API behavior so that any abnormal occurrences stick out and can be fixed. Automated systems can compare documentation to behavior in order to identify when an API has changed so that documentation can be updated to match. Encrypting data sent through APIs and including API gateways, identity stores, key management, and public key infrastructure will add layers of security to the functioning of the API, making it more difficult for bad actors to bypass authentication and authorization.
APIs are extremely important to application functioning in a myriad of ways, but API security is different from application security. It is vital to understand the unique challenges of API security in order to address the issues that put APIs at risk. The onus for API security does not lay in any one area or step of development, so too often it slips by unnoticed, but every step of the process and every member of the application team should be aware of API attacks and defense, the necessity of documentation, and the steps that they can take to make each API as secure as possible.
About the Author:
PJ Bradley is a writer on a wide variety of topics, passionate about learning and helping people above all else. Holding a bachelor’s degree from Oakland University, PJ enjoys using a lifelong desire to understand how things work to write about subjects that inspire interest. Most of PJ’s free time is spent reading and writing. PJ is also regular writer at Bora.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.