What makes application programming interfaces (APIs) vulnerable to attack? IT research firm Gartner explained how APIs can be exploited during a recent webinar on API security.
During the hourlong webcast, analysts Mark O’Neill and Dionisio Zumerle drilled down on what leads to API vulnerabilities and how developers can combat these issues. APIs are an automated way to share data between applications, whether web applications, mobile apps or apps embedded in Internet of Things (IoT) devices. Therefore, when an API is compromised, the organization has suffered a data breach, O’Neill said.
With this in mind, there are four typical attack vectors for APIs:
API keys or other credentials used to access an API might be carelessly left in cloud storage or in a GitHub repository, anywhere users can view the code and see the hard-coded key. Finding the API key lets an attacker call the API as if they were a legitimate user.
For example, one company that sold real-time data to partners and consumers noticed a consumer tweeting about an Android app update, but the company had never released an update. After an investigation, the company learned an attacker was running a modified version of its app in an emulator to scrape the API, stealing the real-time data to resell, Zumerle said.
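The hard-coded-key problem above is the kind of thing a pre-commit or CI secret scan catches. The following is an added example, not code from the webinar or from Gartner: it walks a constructed set of repository files looking for a known credential format (the AWS access key ID prefix) and for secret-looking variables assigned long, high-entropy literals, while leaving a key that is read from the environment alone. The sample contents, the variable names and the entropy threshold are all assumptions made for the demo; the AWS-style value is the placeholder AWS uses in its own documentation, not a real key.

```python
import math
import re

# Constructed sample repository contents (not real credentials; the AWS-style key
# is the placeholder AWS uses in its own documentation).
SAMPLE_FILES = {
    "app/config.py": 'API_KEY = "sk_live_4f8a9c2b7d1e6f3a0b5c8d9e2f1a4b7c"\nDEBUG = False\n',
    "app/client.py": 'import os\nAPI_KEY = os.environ["API_KEY"]  # loaded at runtime, not hard-coded\n',
    "infra/deploy.sh": "#!/bin/sh\nexport AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
    "README.md": "Set API_KEY in your environment before running.\n",
}

# Pattern 1: a well-known fixed credential format (AWS access key ID prefix).
AWS_ACCESS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# Pattern 2: a secret-looking variable assigned a quoted literal of 16+ characters.
GENERIC_SECRET_RE = re.compile(
    r"""(?i)\b(api[_-]?key|secret|token|password)\b\s*[:=]\s*["']([^"']{16,})["']"""
)
# Bits per character above which a literal looks random rather than like a word.
# The value is an assumption tuned by hand for this demo.
ENTROPY_THRESHOLD = 3.0


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking keys score high, words score low."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum((n / len(s)) * math.log2(n / len(s)) for n in counts.values())


def scan_file(path: str, text: str) -> list:
    """Return one finding per line that matches a credential pattern."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if AWS_ACCESS_KEY_RE.search(line):
            findings.append({"path": path, "line": lineno, "kind": "aws-access-key-id"})
            continue
        m = GENERIC_SECRET_RE.search(line)
        # The entropy check keeps placeholders like "your-key-here" out of the report.
        if m and shannon_entropy(m.group(2)) >= ENTROPY_THRESHOLD:
            findings.append({"path": path, "line": lineno, "kind": "hard-coded-secret"})
    return findings


def scan_repo(files: dict) -> list:
    """Scan every file (path -> contents); findings are ordered by path."""
    return [f for path, text in sorted(files.items()) for f in scan_file(path, text)]


if __name__ == "__main__":
    for f in scan_repo(SAMPLE_FILES):
        print(f"{f['path']}:{f['line']}: {f['kind']}")
```

Running it flags `app/config.py` (a live-looking key in a string literal) and `infra/deploy.sh` (an AWS access key ID), and reports nothing for `app/client.py`, where the key is loaded from the environment at runtime, which is the fix the paragraph above implies. A production scanner would add more formats and run over git history as well, since a key that was committed and later removed is still in the repository.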
“Sniffed” API calls are another way in: the attacker captures a successful API call (a client’s request to the API) and replays it to gain access.
Infrastructure logs can hold a copy of a successful API call. So, “if you’re able to replay that, that’s another way of attacking APIs,” O’Neill said.
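To show why a captured call works against one API and not another, here is an added example (not from the webinar or from Gartner) of a request-signing scheme with replay protection. The client signs the method, path, timestamp, nonce and body hash with a shared secret; the server checks the signature, then rejects calls whose timestamp is outside a freshness window or whose nonce it has already seen. The shared secret, header names, window size and the captured request are all assumptions made for the demo; the "naive" server verifies the signature but nothing else, which is the state a replayable log entry exploits.

```python
import hashlib
import hmac
import secrets

# Assumption for this demo: client and server share a per-client secret. A real
# deployment would issue one per API key and rotate it.
SHARED_SECRET = b"constructed-demo-secret-do-not-reuse"


def sign_request(secret: bytes, method: str, path: str, body: bytes, ts: str, nonce: str) -> str:
    """HMAC-SHA256 over method, path, timestamp, nonce and a hash of the body."""
    msg = "\n".join([method, path, ts, nonce, hashlib.sha256(body).hexdigest()]).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def make_request(secret: bytes, method: str, path: str, body: bytes, now: int) -> dict:
    """What the client sends: the call plus timestamp, fresh nonce and signature headers."""
    ts, nonce = str(now), secrets.token_hex(16)
    return {
        "method": method, "path": path, "body": body,
        "headers": {"X-Timestamp": ts, "X-Nonce": nonce,
                    "X-Signature": sign_request(secret, method, path, body, ts, nonce)},
    }


class ApiServer:
    def __init__(self, secret: bytes, replay_protection: bool, clock, window: int = 300):
        self.secret = secret
        self.replay_protection = replay_protection
        self.clock = clock          # injectable so the demo is deterministic
        self.window = window        # seconds of clock skew tolerated
        self.seen = {}              # nonce -> timestamp, for nonces still inside the window

    def handle(self, req: dict):
        h = req["headers"]
        expected = sign_request(self.secret, req["method"], req["path"], req["body"],
                                h["X-Timestamp"], h["X-Nonce"])
        # Signature first, so forged requests cannot fill the nonce cache.
        if not hmac.compare_digest(expected, h["X-Signature"]):
            return 401, "bad signature"
        if self.replay_protection:
            now = self.clock()
            ts = int(h["X-Timestamp"])
            if abs(now - ts) > self.window:
                return 401, "stale timestamp"
            # Forget nonces that have aged out; a request that old is rejected above anyway.
            self.seen = {n: t for n, t in self.seen.items() if abs(now - t) <= self.window}
            if h["X-Nonce"] in self.seen:
                return 401, "replayed nonce"
            self.seen[h["X-Nonce"]] = ts
        return 200, "ok " + req["path"]


def demo(now: int = 1_700_000_000) -> dict:
    """Replay one captured request against a naive and a hardened server; return status codes."""
    def clock():
        return now

    naive = ApiServer(SHARED_SECRET, replay_protection=False, clock=clock)
    hardened = ApiServer(SHARED_SECRET, replay_protection=True, clock=clock)
    captured = make_request(SHARED_SECRET, "GET", "/v1/prices", b"", now)  # as found in a log
    results = {
        "naive_first": naive.handle(captured)[0],
        "naive_replay": naive.handle(captured)[0],
        "hardened_first": hardened.handle(captured)[0],
        "hardened_replay": hardened.handle(captured)[0],
    }
    stale = make_request(SHARED_SECRET, "GET", "/v1/prices", b"", now - 3600)
    results["hardened_stale"] = hardened.handle(stale)[0]
    tampered = dict(captured, path="/v1/admin")  # same headers, different path
    results["hardened_tampered"] = hardened.handle(tampered)[0]
    return results


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

The naive server answers 200 to the captured request both times; the hardened one accepts it once and returns 401 on the replay, on a request signed an hour earlier, and on a request whose path was changed after signing. Note that the signature binds the timestamp and nonce, so an attacker cannot freshen a logged request without the secret, and that the nonce cache only needs to cover the freshness window, which keeps its memory bounded.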
Several attack vectors are based on logic flaws. One is broken object level authorization (BOLA), which exploits insecure approaches to access control. If an API provides access to patients’ data, O’Neill said, it might let a client look up a particular patient’s record by an identifier; when API security is lax, an attacker can simply iterate from that identifier to reach other patients’ records. “That is a surprisingly common API security issue,” O’Neill said.
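The patient-record case above, as an added example that is not code from the webinar or from Gartner: a vulnerable handler that returns any record to any authenticated caller, the hardened handler that ties each record to the caller's identity, and the enumeration loop an attacker runs against both. The patient records, the roles and the ID range are constructed for the demo.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Constructed records; a real system would read these from a database.
PATIENTS = {
    101: {"name": "A. Adams", "diagnosis": "hypertension"},
    102: {"name": "B. Baker", "diagnosis": "asthma"},
    103: {"name": "C. Clark", "diagnosis": "diabetes"},
}


@dataclass(frozen=True)
class Principal:
    """Who is calling, as established by authentication (e.g. claims in a token)."""
    sub: str
    role: str                                  # "patient" or "clinician"
    patient_id: Optional[int] = None           # the patient's own record, for role == "patient"
    assigned: FrozenSet[int] = frozenset()     # patients a clinician may see


def get_patient_vulnerable(caller: Principal, patient_id: int):
    """Authenticated, but any logged-in caller can read any record: the BOLA bug."""
    record = PATIENTS.get(patient_id)
    return (200, record) if record else (404, None)


def may_read(caller: Principal, patient_id: int) -> bool:
    """Object-level rule: a patient sees their own record, a clinician their assigned ones."""
    if caller.role == "patient":
        return caller.patient_id == patient_id
    if caller.role == "clinician":
        return patient_id in caller.assigned
    return False


def get_patient_hardened(caller: Principal, patient_id: int):
    """Same lookup, but the record is released only if the caller may read it."""
    record = PATIENTS.get(patient_id)
    # One response for "missing" and "not yours", so probing cannot confirm which IDs exist.
    if record is None or not may_read(caller, patient_id):
        return (404, None)
    return (200, record)


def enumerate_records(handler, caller: Principal, id_range) -> list:
    """What the attacker does: walk the ID space and keep every ID that returns 200."""
    return [pid for pid in id_range if handler(caller, pid)[0] == 200]


if __name__ == "__main__":
    attacker = Principal(sub="user-101", role="patient", patient_id=101)
    ids = range(100, 110)
    print("vulnerable:", enumerate_records(get_patient_vulnerable, attacker, ids))
    print("hardened:  ", enumerate_records(get_patient_hardened, attacker, ids))
```

Against the vulnerable handler, a patient who owns record 101 walks the ID range and collects every record; against the hardened one, the same loop yields only their own. The check has to live in the handler (or a shared authorization layer it calls) and be keyed on the caller's identity, not on the request: a non-sequential ID format raises the cost of enumeration but does not remove the flaw, since any leaked or guessed ID is still served.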
On top of these four typical attacks, there are other commonly recognized ways to exploit APIs, as outlined by the Open Web Application Security Project (OWASP), a group that addresses cybersecurity issues, in its API Security Top 10.
Part of the challenge with securing APIs is that they are all different, so “there isn’t a one-size-fits-all way to secure APIs,” O’Neill said.
Secure APIs from three sides
To secure APIs, Gartner recommends that organizations involve IT security in API security rather than expecting developers alone to solve it. Companies should also consider forming an API center of excellence or an integration center of excellence to oversee API management. Gartner’s research found that the security team was involved in API security in 80% of organizations surveyed.
Gartner also recommends approaching API security from three sides:
- API protection, which includes validation, threat detection and traffic throttling, using attack signatures, reputation-based controls, anomaly detection and OpenAPI Specification (OAS) message validation. Technologies that support these steps include web application firewalls, API management tools and specialized API security platforms.
- API security testing, or identification of API security flaws and vulnerabilities using dynamic application security testing, which exercises the running API with automated tools; fuzzing, an automated technique that feeds malformed or unexpected inputs to the API; and static application security testing (SAST), which reviews source code for vulnerabilities. Technologies that support these types of testing include API security testing tools and specialized API security platforms.
- API access control, which means managing authentication, authorization and identity creation through OAuth 2.0, OpenID Connect and JSON Web Tokens (JWT). Technologies for this include API management, access management software and identity as a service.
“The broader point I would make here is that the product landscape that we see today is still largely fragmented and use case-oriented,” Zumerle said. “What I would advise here is to prioritize to identify your needs, prioritize them, and make the right choices as the market starts to move and consolidate and hopefully, increasingly having more all-in-one solutions for you.”