API attacks can be brutal
Warning signs have been growing around APIs for years. In 2020 an API vulnerability opened up the credit scores of nearly every American to cyberattackers; it was only noticed when a college student examined the code on a partner website. In 2021, an API vulnerability was found in the fitness app Peloton that would allow cyberattackers to install malware, steal personal data and control bike cameras and microphones.
These weaknesses can result in widespread data theft and hit company reputations hard. Responding to risks and attacks can be costly and take months, while API issues can slow down the roll-out of new apps. And as modern networks stretch ever wider, with APIs forming a crucial part of web, SaaS and mobile apps, the threats are multiplying. Worse looks likely to come: Gartner predicts that by 2022 API attacks will become the most common attack vector. If APIs are a crucial bridge for communications, hackers are bandits, waiting for vulnerable travelers to cross.
Part of the problem is that while APIs are now ubiquitous, API security is a relatively new discipline. While some companies are waking up to the threats involved in APIs and countering them using appropriate measures, many are lagging behind. A 2021 Dark Reading survey showed that almost one in five organisations don’t perform security testing on APIs at all, while 41% treat them the same way as web applications, rather than having a dedicated process to root out API issues.
API vulnerabilities to watch out for
APIs connect applications, services and databases in a far-reaching net, which means an attack via an individual API can have far-reaching and unpredictable effects. A 2021 Open Web Application Security Project (OWASP) survey summed up the biggest API risks, with these filling the top five places:
Broken access control, which may allow users to access unauthorised information, or to change or delete data
Data exposure, in which a lack of cryptography can make private information visible
Injection, when user data is sent to an interpreter without filtering, allowing attackers to manipulate the interpreter into exposing data or running malicious code
Insecure design, in which proper security controls were never created
Security misconfiguration, in which unnecessary features, misconfigured HTTP headers or overly specific error messages offer attackers an entry point.
As this list shows, API security isn’t just about protecting your APIs from attack. It’s about managing the risks to all processes and data that are associated with APIs.
Why API security measures don’t always work
Common measures to secure APIs include:
SSL and TLS certificates that encrypt data exchanges, limiting the opportunities for cyberattackers to insert themselves into communications
Optimising firewalls to set rules around data security based on API use
Authentication protocols that limit the access third-party apps have to an API
Yet to use these measures, you need to understand your APIs and the threats they face. Here many businesses start on the back foot. Do you know how many APIs your company has? A shocking number of organisations don’t.
This is partly because of a lack of oversight: APIs may be developed by different departments, with other teams managing their deployment. Does responsibility lie with the development team, the platform team or the cybersecurity team? In the absence of a clear policy, some APIs will fall into the cracks. And if you don’t understand your APIs, you won’t be able to protect them.
Giving APIs the focus they deserve
If we don’t take API security seriously, the risks associated with them will continue to grow. Clear accountability is a crucial first step, with security built into every part of their lifecycle. An audit of APIs is another important step in understanding threats. Any analysis will consider public APIs, but should also assess private and partner APIs, which can otherwise be neglected. Just because access to an API is restricted to authenticated users doesn’t mean it cannot be exploited; all APIs should be coded to prevent data exposure.
APIs are vital components of your business and they should be treated as such, with security prioritised alongside function. A change of mindset is needed: to stay ahead of cyberattackers, a comprehensive, end-to-end approach to API risk is necessary. A reputable managed services provider (MSP) will be able to help you identify which APIs are most vulnerable and what cybersecurity measures to take to protect them.
Tackling API abuse
In a world of increased data integration via web, mobile and SaaS applications, organisations are increasingly dependent on APIs. And cyberattackers are watching. Measures such as firewalls, better authentication and SSL and TLS certification can all mitigate the risks, but as high-profile incidents show, API threats are at a tipping point.
APIs should not be the forgotten foot soldiers of data exchange. Instead, their crucial role must be recognised, and security strengthened through a holistic approach built on accountability and cybersecurity. Reviewing API security one of the key steps to ensure your organisation, and your data, stay protected.