Is API security the weak point in your cyber defence?


The Application Programming Interface (API) has, in recent years, become the primary method of communication online, from Software as a Service (SaaS) and Platform as a Service (PaaS) to mobile apps and cloud integrations. A 2018 report estimated that 83% of internet traffic comprised API calls, and this number has inevitably grown in the years since. APIs form a bridge between various systems, which makes them immensely useful but also vulnerable to attack. They have historically been under-secured for a number of reasons, but the spotlight is now firmly shining on API security as an essential for businesses, particularly those that make use of online payment gateways. Without effective API security, businesses may fall victim to cybercrime while at the same time risking breaches of compliance legislation, including the latest iteration of the Payment Card Industry (PCI) Data Security Standard (DSS).

You are the weakest link

One of the major reasons APIs have become a popular attack vector is that they are a link between different systems, and people tend to assume that if the systems or applications are secure, then the entire process is. However, API calls take place at various points between the systems, and if they are not secured, they can be misused.

While securing the front- and back-end remains critical, if API links are not secured, they can act as a sort of side door that enables malicious actors to intercept data without anyone being any the wiser as to the breach. Alongside web application firewalls and other basic security protocols, it has become critical to bring in API security to analyse traffic and enforce additional controls.

A growing concern

For many years, the Open Worldwide Application Security Project (OWASP) has been working to improve the security of software, and the OWASP Top 10 has become a de facto standard, representing a broad consensus about the most critical security risks to web applications. Now, with API security increasingly a priority, the non-profit organisation also incorporates the OWASP API Security Project and produces a list of the top 10 API security risks on an annual basis. This helps organisations understand the nature of the threat, how it is evolving, and what frameworks need to be put in place to address these challenges.

The challenge with API security is that it is inherently complex, and it can be difficult to tell a legitimate API call or request from a malicious one. For example, one system may query another to confirm a username, date of birth, or other personal information, and this is a legitimate and valid call. But if that call is not effectively limited, authenticated, or controlled, a malicious actor may request a dump of the entire user list, and this will also be seen as a valid request.

It is critical to have the relevant controls in place to limit the data request, to have proper authentication according to business needs, and to validate the request. However, it is equally important to balance this security with usability. For example, if you limit the number of API calls and a website is experiencing heavier than usual but legitimate traffic (for example, during a Black Friday sale), then payments cannot be processed because API calls are being blocked. By the same token, a malicious actor can use this strategy of inundating a system with API calls to create a Denial of Service (DoS) attack.
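The two controls described above, as an added illustration that is not part of the original article: a small in-memory API handler that authenticates the caller, applies a per-client token-bucket limit (so one noisy client is throttled without blocking other, legitimate traffic), and checks object-level and scope-based authorisation so that a valid "confirm this user" call cannot be turned into a dump of the whole user list. The tokens, scopes, user records and rate parameters are constructed sample values.

```python
import time
from dataclasses import dataclass

# Constructed sample data: bearer token -> (principal, granted scopes), and user records.
TOKENS = {"tok-alice": ("alice", set()), "tok-bob": ("bob", set()),
          "tok-ops": ("ops", {"users:list"})}
USERS = {"alice": {"username": "alice", "dob": "1990-01-01"},
         "bob": {"username": "bob", "dob": "1985-06-15"}}

@dataclass
class TokenBucket:
    """Per-client bucket: refills `rate` tokens/sec up to `burst`; each call costs one."""
    rate: float
    burst: float
    tokens: float
    last: float

    def allow(self, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

class UserApi:
    def __init__(self, rate: float = 5.0, burst: float = 10.0):
        self.rate, self.burst, self.buckets = rate, burst, {}

    def _check(self, token, now):
        """Authenticate, then rate-limit per principal. Returns (principal, scopes) or an error."""
        if token not in TOKENS:
            return None, (401, "unauthenticated")      # unknown callers never reach data
        principal, scopes = TOKENS[token]
        bucket = self.buckets.setdefault(principal, TokenBucket(self.rate, self.burst, self.burst, now))
        if not bucket.allow(now):
            return None, (429, "rate limited")         # only this client is throttled
        return (principal, scopes), None

    def get_user(self, token, username, now=None):
        ident, err = self._check(token, time.monotonic() if now is None else now)
        if err:
            return err
        if username != ident[0]:                        # object-level check: own record only
            return 403, "forbidden"
        return 200, USERS[username]

    def list_users(self, token, now=None):
        ident, err = self._check(token, time.monotonic() if now is None else now)
        if err:
            return err
        if "users:list" not in ident[1]:                # bulk read needs an explicit scope
            return 403, "forbidden"
        return 200, list(USERS.values())
```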

A matter of practice

The first step in effective API security is to understand what it is and how it relates to a business, as well as to create an inventory of APIs and the systems they are linked to. This is standard security practice: you cannot manage something without first being aware that it exists. Creating and maintaining API documentation is vital to this. Then you need a strategy around both application and API security, aligned with OWASP API security, business strategy, and best practice frameworks. It is also important to train developers and administrators to code securely with API security in mind, so that controls are in place from the start, which is far more secure than patching them in after the fact.

There are secure platforms available for monitoring the front, middle, and back of applications, including where APIs sit, and there are controls that can be implemented to improve management and control. However, API security is both critical and complex, and while there are tools available that can assist, these are only as good as their foundation.

It is essential to have a solid strategy in place, as well as a plan and a framework based on accepted best practices, and to incorporate specific requirements according to business needs, such as compliance with PCI DSS standards for any business that makes use of payment gateways, which themselves make use of API calls to function. In this landscape, it is highly beneficial to engage with a specialist security professional who will be able to help you understand what is applicable to your business and apply a framework and a solution to ensure the correct balance of security and functionality to address the threat without impacting business as usual.

Simeon Tassev, MD and QSA at Galix