Why APIs are a top target for cyberattack


Application Programming Interfaces (APIs) allow software programs to communicate with each other. They facilitate integration with third party and in-house apps. This has made APIs a core feature of modern application development and a cornerstone of digital transformation. Most mobile and web applications that we use for work rely on APIs to function.

However, many APIs have access to sensitive data that they do not always adequately protect. API security is not keeping up with the rate of API implementation, and many organizations may not be aware of exactly how many APIs they have or where they are. Our own recent research shows that 43% of the EMEA organizations surveyed don’t know where all the APIs are deployed in their organization and 54% worry about API security.

So, what must we do to bring APIs into the cybersecurity fold?

How APIs serve as a gateway for attacks

The rise of APIs and their direct access to critical data has made them a prime target for attackers. API risks were in the spotlight in January when telecoms giant T-Mobile reported a severe breach, saying that an exposed API was exploited to obtain confidential customer information, with attackers accessing details including names, addresses and contact information for 37 million accounts.

APIs are built for automation, and this makes finding and exploiting insecure ones very profitable for attackers. Automated attacks let cybercriminals exfiltrate data faster and more easily than they could through a web application's user interface.

Public-facing APIs generally represent the greater risk. Whereas private APIs are only used by internal developers, public APIs are available online for any external developer to use and integrate with their own software. This makes them excellent tools for collaboration and integration but also increases the chances of a malicious actor finding ways to exploit them.

Since APIs are specifically built to facilitate fast, easy access to large amounts of data, the potential impact of a successful exploitation is considerable.

Stefan van der Wal

Stefan van der Wal is Consulting Solutions Engineer, specializing in Application Security at Barracuda.

Why is API security lagging behind when the risks are so high?

API security is not advancing at the same pace as that of other common digital tools, like web applications, partly because of the sheer volume of APIs most firms have in place. There are two major factors here.

First, the ease of API implementation means they can be deployed extremely quickly, sometimes in mere minutes. This makes it easy for developers to inadvertently skip some security checks, especially when the development and security teams operate in separate silos.

Secondly, development teams can quickly push out new API features to meet evolving business needs. This means that APIs often have more capabilities than the organization may realize, and those built with the best intentions can be used in unexpected ways and for malicious purposes. When it comes to public-facing APIs, anyone with a hacker's mindset and intention can start poking around to discover unintended uses. Bringing API security to the same level as other assets can be challenging for organizations that have deployed a large volume of APIs.

Securing APIs starts with awareness and visibility

To have a hope of securing your APIs, you must first have accurate visibility. This can be achieved by conducting a full audit and compiling an inventory of all APIs deployed and their access capabilities.

This needs to be an in-depth process to account for the fact that APIs will often grow beyond their original purpose as they are updated with new features over time. You need to make sure you have complete visibility of each tool, how it integrates with your system, and how it could be exploited in an attack.

Remove any APIs that no longer serve a purpose, and rein in any with more power than they need. For any high-risk APIs that cannot be removed, you must ensure the appropriate security measures, such as strong identity controls, are in place.
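The inventory step above is easiest to start from whatever API descriptions already exist. The following script is an added example, not part of the original article or Barracuda's tooling: it walks a constructed OpenAPI 3 document, lists every operation with its authentication schemes and scopes (resolving the OpenAPI rule that an operation-level `security` list overrides the global one, and that an empty list means no authentication), and flags three of the conditions the text calls out: endpoints callable without authentication, deprecated endpoints that are still exposed, and mutating operations that are not gated by a write scope. The spec, the endpoint names and the `:write`/`:admin` scope-naming convention are assumptions made for the example.

```python
"""Build an inventory of API operations from an OpenAPI 3 document and flag
risky ones. Added example; the spec below is constructed, not a real system."""

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options"}
MUTATING_METHODS = {"put", "post", "delete", "patch"}

# Constructed sample: a small customer API with one unauthenticated export
# endpoint, one deprecated legacy endpoint, and a DELETE guarded only by a
# read scope. None of these names refer to any real service.
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "info": {"title": "Customer API (constructed sample)", "version": "1.0"},
    # Global security requirement: applies unless an operation overrides it.
    "security": [{"oauth2": ["customer:read"]}],
    "components": {
        "securitySchemes": {
            "oauth2": {"type": "oauth2", "flows": {"clientCredentials": {
                "tokenUrl": "https://auth.example.invalid/token",
                "scopes": {"customer:read": "read", "customer:write": "write"}}}},
            "apiKey": {"type": "apiKey", "in": "header", "name": "X-API-Key"},
        }
    },
    "paths": {
        "/customers/{id}": {
            "get": {"operationId": "getCustomer"},
            "delete": {"operationId": "deleteCustomer",
                       "security": [{"oauth2": ["customer:read"]}]},
        },
        "/customers/{id}/export": {
            # Empty security list: OpenAPI semantics for "no auth required".
            "get": {"operationId": "exportCustomer", "security": []},
        },
        "/v1/legacy/lookup": {
            "get": {"operationId": "legacyLookup", "deprecated": True,
                    "security": [{"apiKey": []}]},
        },
    },
}


def is_write_scope(scope):
    """Assumed naming convention for this example: write-capable scopes end
    in ':write' or ':admin'."""
    return scope.endswith(":write") or scope.endswith(":admin")


def inventory_endpoints(spec):
    """Return one row per operation with its resolved access requirements."""
    global_security = spec.get("security", [])
    rows = []
    for path, path_item in spec.get("paths", {}).items():
        for method, op in path_item.items():
            if method.lower() not in HTTP_METHODS:
                continue  # skip 'parameters', 'summary', etc.
            # Operation-level list (even an empty one) overrides the global list.
            security = op.get("security", global_security)
            schemes = sorted({name for req in security for name in req})
            scopes = sorted({s for req in security
                             for scope_list in req.values() for s in scope_list})
            rows.append({
                "method": method.upper(),
                "path": path,
                "operation_id": op.get("operationId", f"{method} {path}"),
                "schemes": schemes,
                "scopes": scopes,
                "deprecated": bool(op.get("deprecated", False)),
                "authenticated": len(security) > 0,
            })
    return rows


def flag_risks(rows):
    """Return (endpoint, reason) pairs for the conditions worth reviewing."""
    findings = []
    for row in rows:
        label = f"{row['method']} {row['path']}"
        if not row["authenticated"]:
            findings.append((label, "no security requirement: callable without authentication"))
        if row["deprecated"]:
            findings.append((label, "deprecated but still exposed: candidate for removal"))
        if (row["method"].lower() in MUTATING_METHODS and row["authenticated"]
                and not any(is_write_scope(s) for s in row["scopes"])):
            findings.append((label, "mutating operation not gated by a write/admin scope"))
    return findings


if __name__ == "__main__":
    inventory = inventory_endpoints(SAMPLE_SPEC)
    for row in inventory:
        print(f"{row['method']:7}{row['path']:28}auth={row['authenticated']} "
              f"schemes={row['schemes']} scopes={row['scopes']} deprecated={row['deprecated']}")
    print()
    for endpoint, reason in flag_risks(inventory):
        print(f"REVIEW {endpoint}: {reason}")
```

Run against a real specification, the same two functions give a first-pass inventory that can be reconciled against gateway or traffic logs to find the operations that are deployed but appear in no document at all, which is the gap the survey figures above describe.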

Get your teams talking

A long-term challenge in API security is a lack of collaboration between developers and security teams. This is a common problem for organizations: developers focus on building software to meet business needs, often without considering all the security implications, while security teams watch for anything that might increase business risk, without necessarily considering the business needs.

Fortunately, more organizations are now following the DevSecOps approach, which integrates security practices into the development pipeline. Without it, the two departments are rarely on the same page: security teams can lack a clear view of what the development team is working on, and some development teams might even see security as a barrier to innovation.

These two teams have much to gain by working together to deliver APIs that facilitate business growth without increasing risk exposure. This will also help to prevent APIs from growing beyond their original purpose and ensure that security is baked in from the beginning of the development process.

APIs will continue to be essential tools in digital transformation. By getting to grips with existing API sets and implementing effective security processes for future deployments, you can reap the benefits of APIs without providing an easy access point for attackers. The security industry is aware of the challenges businesses and their software developers and security teams face and can offer help and support where needed.
