API security is widely being considered, yet breaches continue to plague many organizations. What are the biggest mistakes organizations are making when it comes to API security?
APIs hold great promise for businesses, with potential of exponential growth in transactions and revenues, but they also impose a major security risk, unlike anything cybersecurity experts have trained and prepared for. APIs are information highways connecting the world to the crown jewels of every business. The result is in an infrastructure that creates full connectivity, with security that has to rely on configuration, instead of segmentation.
Moreover, the dramatic revolution of APIs doesn’t stop at the architecture level, it can also be found in the development cycles. Due to the fact that APIs are in the front, responsible for the customer experience, API developers are under continuous pressure by the business objectives to ship updates at a fast pace. With such a super agile development cycle, incidents seem almost inevitable. In other words, the whole situation is really insecurity by design.
Failing to understand this uniqueness of APIs is the biggest mistake organizations make with respect to security. APIs and existing cyber security approaches, best practices and technologies simply don’t go together. In particular, one cannot rely on a WAF, never designed to learn the business logic, in order to protect his API.
Another fatal mistake organizations make is underestimating the threat to their APIs and assuming that the basic level of authentication provided by an API gateway is sufficient to avoid breaches.
The common basis for all of these critical mistakes is the lack of awareness with regards to the reality created by APIs. Understanding who and what threatens APIs is the first step to better assess the risk.
How can API security awareness help tackle these growing threats?
Malicious actors are the prime suspect to attack APIs. From stealing precious data, through retrieving worthy personal information and up to exploiting the APIs for sophisticated ransomware campaigns – cyber-attacks are at rise. Furthermore, when collaboration is the golden standard, and one needs to open up as much as possible to provide access, use and integrate – the work of attackers is cut out for them.
Nevertheless, when it comes to APIs, most organizations face several other threats that many times would be more probable as well as relevant: Leakage – caused by a flaw or misconfiguration on the server side, i.e. a bug in the API service, and abuse by legitimate customers, partners and the like that misbehave and take advantage of the open and rather vulnerable nature of the system.
Realizing these multidimensional risk factors would be an important step forward.
What can be done to boost API security awareness?
In order to boost awareness of API threats it is recommended to follow media publications about relevant breaches that are associated with APIs in light of recent statistics stating that 9 out of 10 companies report API security incidents, and above all Gartner’s prediction that API would become the no. 1 attack vector on web applications by 2022.
In addition, a few simple checkups one can perform on his own API would definitely raise the awareness of various risks, including possible (privacy) compliance violations, in no time. One advisable experiment is recording and analyzing the API traffic for a short period of time. Another interesting option is to run some kind of an API-oriented pen testing.
The next step should be acknowledging the significance of all parts of the full API lifecycle. Taking into consideration the OWASP Top 10 security threats for APIs, one must not neglect any of the development, testing and production phases when coming to protect an API system.
What are the most vulnerable parts of an API lifecycle and why?
With the understanding that the more you shift left, the deeper the vulnerabilities you can find, but with life experience teaching you that the more you shift right, the more likely you are to detect them – the conclusion must be that no part is more vulnerable than the other.
It all depends on the circumstances, and the best practice would be to protect the full lifecycle – targeting some threats during development, some others while testing and having the last line of defense, in particular for those risks that don’t arise from unsecured code, in the production.
What features should an API protection solution have to be effective?
A comprehensive API security solution should better have both the functionality to statically scan the code and dynamically simulate possible API attacks to detect vulnerabilities and suggest best practice for remediation before moving to production.
Then, it is very important also to have a continuous monitor for the real time API traffic in the production. It is essential that such a monitor would support automatic discovery of all the APIs, their structure and properties, and provide the critical feature of attack detections with a low rate of false alerts. On top of that, any practical solution must include investigation tools to get to the bottom of every alert and collaboration options to close the loop of mitigating the attack.