- April 10, 2023
- By Cyberarch Admin
There has been an exponential increase in the adoption of Application Programming Interfaces (APIs) in recent years. This is because APIs have become the main component through which data is accessed. Enterprises find it very useful to share information with customers, employees, partners and associates through different channels such as apps, cloud and IoT.
The latest industry reports also point to the fact that the majority of decision-makers are keen on adopting APIs or have already implemented them. The number is only set to increase. However, as the volume of APIs increases, the security profile is a cause of concern as it opens up opportunities for cybercriminals and threat actors. It is a major vulnerability targeted by threat actors to gain access to an extensive amount of sensitive personal and business data. Plus, it gives bad actors programmatic access to exploit internal database structures.
There are two major reasons why APIs have security vulnerabilities. First, the APIs are often published or released without appropriate levels of security review or controls. Secondly, improperly disabled APIs give the platform for cybercriminals to carry out the advanced cyber attack by passing the security and developer team. Thus, security should be an integral part of API development. One of the key challenges is that it is widely different from web and network security.
API Security Stats and Trends in 2023
Salt Labs has released The State of API Security report which reveals stats and trends on API in the first quarter of 2023. Some of the highlights of the report are listed below.
- More than 90% have experienced security-related problems while developing APIs in the last year
- 17% have already suffered an API breach
- 400% increase in unique attackers observed when compared to half a year ago
- 78% of cyber attackers are disguised as legitimate users with proper authentication
- 59% have seen a delay in publishing APIs due to security-related shortcomings and issues
- Half of the API security vulnerabilities detected are critical in nature
- One of the positive things is that close to 48% of respondents believe that API security is in the limelight and has gained attention from decision-makers
Thus, as you can see, API security is fast emerging as a big problem for businesses around the world. Application release delays are a major concern as it disrupts operations and affects business growth. At the same time, API security strategies are not on par with the challenges posed by threat actors.
Although traditional security risks are applicable to APIs, their unique nature of it expands the attack surface vector. Therefore, it is important that businesses know what are the potential threats and vulnerabilities in the API. Find out in the next section.
Threats and Vulnerabilities in APIs
Cybercriminals exploit the flaws present in the APIs and extract highly valuable data from them. And one of the ways to do it is to carry out Denial of Service DoS attacks. Flooding the systems with repeated requests disrupts the back end and brings it to a halt.
- Cross-Site Scripting
Hackers use cross-site scripting by exploiting the exposed vulnerabilities in web-based applications, servers and plug-ins related to it. The hackers place malicious code into the content. This content is delivered by a compromised site but it remains unknown to the API developer or user. This provides access to content, cookies and other information of the user. In the past, big corporations such as Twitter have suffered from this type of cyber attack. Many others are potential targets too. =
- SQL Injections
SQL injections are used against data-driven web applications. A malicious SQL statement is successfully placed on an entry field. Thereafter, the hacker can use it for myriad functions such as dumping the database to the hacker. Security vulnerabilities such as wrong filtering for string literal escape characters are usually exploited.
- Parameter Attacks
These attacks are conducted by modifying the parameters of API calls. In such attacks, the application is forced to perform malicious tasks instead of the intended action. Although simple, it is effective to exploit personal and business data. It is used against all types of web technologies.
- Business Logic Attacks
APIs are used to share business-related operations as a procedure call, thereby making them vulnerable to cyber-attacks. Contrary to traditional attacks like cross-scripting or SQL injection, business logic attacks do not use malicious requests. Instead, legitimate input values are used making the detection difficult. BLAs are further powered by AI botnets to attack businesses directly.
There are several other threats and vulnerabilities in API like tampering with requests and responses, identity and session threats, lack of quality of service and service information leakage.
Awareness of the threats and vulnerabilities is important to finally address the problem and build a robust strategy against it.
Recommendations and Best Practices
Business organisations should make a conscious decision to look into modern and advanced security strategies that include the use of the latest tools and technology. It helps in addressing security concerns at every level of the API lifecycle and reinforces protection too. Here are some recommendations as well as best practices that can help build resilient API security initiatives.
- Assess Risk and Build Strategy
The first step is to assess the current level of risk which includes validating API designs. In addition, check if the authentication and authorization controls are available during API calls. Businesses can run risk assessments by launching simulated attacks to understand the potential gaps in security.
Once the risk assessment is done, build a strong strategy around the complete API lifecycle which also includes cross-functional factors. The strategy should include design analysis, discovery, runtime protections, feedback mechanisms, and training for the team.
- Enable Security at all Levels
Since APIs are today the foundation of application development, enable security at all levels and environments.
- Runtime Security
Runtime protection helps in reducing risks while writing the code. AI and ML are necessary to check and process the extensive amount of data in real time and detect any possible activities by cyber criminals.
Some of the best practices are also listed below:
- User and App Validation
Controlling access to the API is important to mitigate security risks such as identity and session threats. API providers or developers should have the controlling power and know the identity of the app. An API key can help in this regard.
- Message Channel Encryption
Encryption should be flexible for API security and thus the security providers must enable SSL/TLS encryption. It is quite an effective defence against man-in-the-middle attacks.
- Monitor and Analysing Traffic
The authentication and authorization process helps in providing a clear picture of who can access API and what can be accessed. However, there is a caveat. It is difficult to control how many times the API is used by a user or specific app. It is helpful if the API management solution enables monitoring of the performance of the API.
- PCI Compliant Infrastructure
API security should be in sync with PCI compliance. It makes sure that Personal Identifiable Information (PII) is protected. APIs built for businesses which are PCI compliant must be hosted by infrastructure that meets the regulations completely.
Although APIs pose a great risk to businesses, the measures discussed can help in mitigating them.