(By Santosh Matam)
In today’s world of ever-increasing interconnectivity, application programming interfaces (APIs) have emerged as a powerful tool for providing access to data and capabilities beyond the firewall. Businesses are increasingly running APIs to bring together ecosystem partners and unlock new sources of value. The 2019 State of Application Services (SOAS) report found that of the 2000 technology professionals who responded to the survey, 42 percent had already deployed API gateways and 27 percent were planning to deploy gateways in 2019.
As APIs become a part of standard enterprise architecture, their security risk profile is emerging as an issue that potentially diminishes the appeal of this powerful technology. The security risk is a result of the broad permissions to access any data within the application environment. Permissions are usually set up for the user making the original request, which are, in turn, passed to the API. That is all well and good until an attack bypasses the user authentication process and goes directly to the downstream app.
API Breaches of Large Platforms
Organizations with high traffic sites offering a wide range of services (such as social media or e-commerce platforms) often feature many third-party integrations. These integrations rely on APIs to collect data from third parties and deliver them to the user in a seamless fashion. The growing decentralization of infrastructure—represented by multi-cloud environments, third-party functions, content, and serverless and containerized architectures—means that APIs are essential for modern, high-volume platforms. Some of these platforms have hundreds of APIs, all of which need to be managed and monitored. These kinds of organizations and business models have tended to figure prominently in the API breach notifications, and breaches of this type constituted 41 percent of known API breaches from September 2018 to September 2019.
Mobile Apps
Most mobile apps rely on APIs to pull data from servers, which allow apps to use fewer resources on the devices themselves. Because of some of the inherent challenges with securing mobile applications, there is a vibrant community of attackers who decompile and reverse engineer mobile applications looking for vulnerabilities, such as hardcoded credentials or weak access controls. The API is often a focal point of these efforts.
It is important to automate and integrate an agile process into the release in order to remain competitive and close the widening gap between development and security teams. However, security should keep pace with the CI/CD pipeline: the controls should be automated and embedded into the release process so that the team can enforce common controls without stalling the release cycles.
Cracking the Vulnerability Threat
As such, it is important to put together a comprehensive API security program that reduces the most important risks to back-end systems. The architecture, tools, and controls vary but the fundamental security requirements should be able to defend against the major threats that can exploit vulnerabilities in APIs. This practice is recommended for application security, but with APIs, the pace of changes to API code and the number of disconnected parties involved in their use make life-cycle security management essential.
Secondly, it is important to develop a security policy for each API, one that defines who can do what to which internal services, when they can do it, and how much.
Enable App-to-App Authorization: As businesses build and release more apps, the number of APIs, which enable apps to communicate automatically with one another, has risen exponentially. In this fast-paced environment, DevOps teams need to rapidly create and manage application services without worrying about cross-app vulnerabilities. The challenge with more and more APIs is that they become additional targets for threats. To mitigate threats at the API level, it is essential to have secure authorization between apps based on standardized and open methods across web, mobile, and desktop environments.
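The three requirements above (a downstream service that verifies the caller itself rather than trusting whatever the front door forwarded, a per-API policy of who may do what to which service and how much, and app-to-app authorization based on a signed token) can be shown together in a small enforcement layer. The following is an added example, not code from the author or from F5: it uses an HMAC-signed token as a simple stand-in for a standards-based service token such as an OAuth 2.0 access token, and the client names, service names, signing key and quotas are all constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass, field

# Shared secret between the token issuer and the downstream service.
# Constructed placeholder; a real deployment uses a managed key or public-key signatures.
SIGNING_KEY = b"demo-signing-key-not-for-production"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(client_id: str, audience: str, ttl: int, key: bytes = SIGNING_KEY, now=None) -> str:
    """Issue a token asserting 'client_id' may talk to 'audience' until expiry."""
    now = time.time() if now is None else now
    claims = {"iss": client_id, "aud": audience, "exp": int(now + ttl)}
    payload = b64url(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    return payload + "." + b64url(sig)


def verify_token(token: str, expected_audience: str, key: bytes = SIGNING_KEY, now=None) -> dict:
    """Verify signature, audience and expiry in the downstream service itself.

    Raises ValueError on any failure. The service checks the token directly instead of
    trusting an identity header, so a request that skips the front door gains nothing.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 2:
        raise ValueError("malformed token")
    payload, sig = parts
    expected = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload))
    if claims.get("aud") != expected_audience:
        raise ValueError("wrong audience")  # token minted for a different service
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


@dataclass
class Policy:
    """Who can do what to which service, and how much (per time window)."""
    allowed: dict                 # client_id -> {(service, method), ...}
    quota_per_window: dict        # client_id -> max calls per window
    window_seconds: int = 60


@dataclass
class Enforcer:
    policy: Policy
    counters: dict = field(default_factory=dict)  # (client_id, window) -> calls seen

    def authorize(self, token: str, service: str, method: str, now=None):
        """Return (allowed, reason). Order: authenticate, then policy, then quota."""
        now = time.time() if now is None else now
        try:
            claims = verify_token(token, expected_audience=service, now=now)
        except ValueError as err:
            return False, f"deny: {err}"
        client = claims["iss"]
        if (service, method) not in self.policy.allowed.get(client, set()):
            return False, f"deny: {client} may not {method} {service}"
        quota = self.policy.quota_per_window.get(client, 0)
        window = int(now // self.policy.window_seconds)
        key = (client, window)
        count = self.counters.get(key, 0) + 1
        if count > quota:
            return False, f"deny: {client} over quota ({quota}/{self.policy.window_seconds}s)"
        self.counters[key] = count
        return True, f"allow: {client} {method} {service} ({count}/{quota})"


if __name__ == "__main__":
    # Constructed scenario: an orders app may only read inventory, twice per minute.
    now = 1_700_000_000
    policy = Policy(allowed={"orders-app": {("inventory-svc", "GET")}},
                    quota_per_window={"orders-app": 2})
    enforcer = Enforcer(policy)
    token = issue_token("orders-app", "inventory-svc", ttl=300, now=now)
    for svc, meth, t in [("inventory-svc", "GET", now), ("inventory-svc", "GET", now + 1),
                         ("inventory-svc", "GET", now + 2), ("inventory-svc", "POST", now),
                         ("billing-svc", "GET", now), ("inventory-svc", "GET", now + 400)]:
        print(enforcer.authorize(token, svc, meth, now=t))
```

The policy check runs after authentication but before the quota counter is incremented, so a caller cannot burn its own quota with requests that were never permitted, and every denial carries a reason that is worth logging for detection.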
Continuously test: The prevalence of APIs is matched only by their obscurity. Constant testing is required to stay current. It is also a good idea to place a bug bounty on API vulnerabilities and harness the insight of proactive security researchers.
(The author is the Security Manager at F5 Networks)