API security: key to interoperability or key to an organization?


Most applications built today leverage application programming interfaces (APIs), code that enables digital devices, applications, and servers to communicate and share data. This code, or collection of communication protocols and subroutines, simplifies communication or data sharing. The use of APIs has grown exponentially, year by year, and with the growth of cloud computing, cloud APIs have become the essential building blocks for cloud application development using today’s agile development methods.

APIs enable organizations to bring innovative applications and functionality to customers at an ever-increasing pace, and they are also used to deliver cloud platforms, hardware and software, acting as service gateways for direct and indirect cloud services. While the growing use of APIs enables seamless integration and improves the customer experience, a new set of risks has emerged.

It is important for organizations to understand the risks of using APIs and prepare to address them. Companies at the beginning of their API security journey should start by establishing an inventory of the APIs in the environment, including the functionality they perform, the languages they are written in, their authentication and data security requirements, and the primary owners/developers of those APIs. Once the inventory is complete, an organization can move on to threat modeling to understand the threats to its APIs; this should include a solid understanding of data flows and trust boundaries. The API code should then be subject to manual and automated testing to identify vulnerabilities and misconfigurations. To help address the new risk landscape, consider the security risks associated with using APIs, such as:

  • Access Control: APIs pose a security risk when they allow unauthorized access to user data, systems or applications.
  • Injection vulnerabilities: APIs can be vulnerable to SQL injection attacks where attackers send malicious requests to extract confidential information or manipulate data.
  • Human error: APIs can pose a security risk through misconfiguration due to human error or code vulnerabilities that allow unauthorized access to data.
  • API mismanagement: A security risk can occur if the API is not properly managed and controlled, including code versioning and documentation. Effective API management involves designing, publishing, documenting and testing in a consistent and repeatable manner. API lifecycle management ensures security protocols are followed, monitoring is performed, and version control is in place.
  • DDoS Attacks: Attackers can launch Distributed Denial of Service (DDoS) attacks against the API to make it unavailable, resulting in service disruption.

In general, following security best practices and effectively managing APIs can help mitigate many of the security risks discussed above. Protiviti recommends integrating API security into an organization’s broader application security plan. Some best practices for securing APIs include:

  • Authentication and authorization: Ensure that the API requires appropriate authentication and that the endpoints or methods accessed have sufficient authorization controls in place.
  • Input Validation: Test the API input fields to ensure that the system handles and validates input correctly. Inadequate input validation can lead to various types of attacks such as SQL injection, cross-site scripting (XSS), and code injection.
  • Security Testing Tools: Implement static and dynamic security testing tools for source code reviews, data flow analysis, as well as scanning for weak links and known vulnerabilities.
  • Error handling: Ensure that the API handles errors securely to prevent exposing sensitive information to attackers through error messages.
  • Data security: Review how confidential data shared between applications is protected and confirm that no unnecessary data is stored. Any information that must be retained should be properly encrypted.
  • Network connections: Review all network connections leveraged by the API and ensure that they are secure, and that connections and transactions are encrypted.
  • Penetration testing: Utilize penetration testers with application security expertise to perform penetration testing to verify the overall security posture of the API.
  • API Gateways: Depending on the application, they may provide functionality such as authentication, routing, rate limiting, billing, monitoring, analytics, policy, alerts, and security.
  • API Firewalls: The security gateway to the enterprise architecture, the single point of entry and exit for all API calls. It automatically blocks requests and responses that do not match the API's specification, including undocumented methods, error codes, schemas, and query or path parameters.
  • Web Application Firewalls (WAF): Protect APIs from attacks. Rules can be defined that describe acceptable traffic for the APIs and shield them from common web exploitation.
  • Content Delivery Network (CDN) services: Many CDN solution providers now include web application security to protect APIs.
  • Web Application and API Protection (WAAP): Often referred to as an extension of WAF capabilities that now include: WAF, DDoS protection, bot management, and API protection.
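As an added illustration (not code from the original article or from Protiviti), the handler below shows several of the controls listed above working together on a single endpoint: authentication, object-level authorization, allow-list input validation, and error handling that logs details server-side but returns only a generic message to the caller. The token and order stores are constructed in-memory sample data, and no web framework is assumed.

```python
"""Minimal API handler illustrating authentication, authorization,
input validation and safe error handling. Constructed example with
in-memory sample data; not a real framework or production code."""
import logging
import re
from dataclasses import dataclass, field
from typing import Optional

log = logging.getLogger("api")

# Constructed sample data: bearer tokens -> user ids, and orders -> owner ids.
TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}
ORDERS = {"1001": {"owner": "alice", "total": 42.0},
          "1002": {"owner": "bob", "total": 17.5}}
ORDER_ID = re.compile(r"^[0-9]{1,10}$")  # allow-list for the path parameter


@dataclass
class Response:
    status: int
    body: dict = field(default_factory=dict)


def authenticate(headers: dict) -> Optional[str]:
    """Map an Authorization header to a user id, or None if unauthenticated."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return TOKENS.get(auth[len("Bearer "):])


def get_order(headers: dict, order_id: str) -> Response:
    """GET /orders/{order_id}: every check runs before any data is touched."""
    user = authenticate(headers)
    if user is None:
        return Response(401, {"error": "authentication required"})
    # Input validation: reject anything that is not a plain numeric id.
    if not ORDER_ID.match(order_id):
        return Response(400, {"error": "invalid order id"})
    try:
        order = ORDERS.get(order_id)
        # Authorization: object-level ownership check. Answer 404 rather than
        # 403 so the existence of other users' orders is not revealed.
        if order is None or order["owner"] != user:
            return Response(404, {"error": "not found"})
        return Response(200, {"id": order_id, "total": order["total"]})
    except Exception:  # error handling: log details, return a generic message
        log.exception("unhandled error serving order %s", order_id)
        return Response(500, {"error": "internal error"})
```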

Getting started

While there are steps any organization can take to secure their APIs, the journey to building a strong security and privacy program is never-ending, so continuous monitoring and re-evaluation of best practices is essential.

A mature application security program should integrate API security into its daily activities. For others, it may be a bigger effort, but the risks involved in using APIs will only continue to grow with their increased adoption. No matter where any organization is in its API security journey, Protiviti is ready to help build and maintain an API security program from the ground up, or help mature an existing application security program to include API security. Our security professionals have extensive experience in API development, and we understand how to securely meet the growing API needs of any organization.


Connect with the author

Keith Zelinsky
CEO, Technology Consulting
