What is API security and how to protect APIs
Emergence of APIs as a security risk
APIs provide a reliable means for applications to connect services and transfer data. However, every API you create or consume is an endpoint that can leave your applications exposed to adversaries looking to launch attacks and steal your data.
By 2019 API calls already represented 83% of web traffic, and attackers have taken notice of the growing use of APIs in application development, exploiting loopholes in API logic with bot, scraping and denial-of-service techniques. So it is no surprise that industry analyst Gartner predicted that by 2022 API abuse would become the most frequent attack vector in web application data breaches.
The stakes of an API breach are high, with the potential to cause significant harm to even the world's biggest brands. Facebook in 2018 is the notable case: a photo API bug exposed private photos of up to 6.8 million users, and in a separate incident the same year a flaw in the "View As" feature let attackers steal access tokens for up to 50 million accounts.
Given that the average organization has hundreds or even thousands of APIs, the need to properly secure APIs has never been more critical.
The unique challenge of API security
With API adoption on the rise among developers, attackers are also discovering opportunities in targeting APIs. While API security and web application security are tightly intertwined for DevOps teams, there are fundamental differences when it comes to testing and protecting APIs. Currently, API testing generally falls into three categories:
1. Static Code Analysis (SAST): developing secure APIs from the start
2. Security Testing: automated security and vulnerability testing
3. Application Firewall: protecting live APIs
SAST can help enormously with the quality and maintainability of a codebase and with identifying common, well-known coding issues. However, static code analysis is insufficient for finding the API logic flaws that lead to major API breaches. Operations teams therefore deploy a second line of defense, Web Application Firewalls (WAFs) and API-aware traffic inspectors, in front of production APIs. These analyze network traffic and use heuristics to watch for common attack patterns. API-aware firewalls go a step further and look for API-specific anomalies, for example rejecting a string passed to a parameter that should only receive an integer.
Since most API breaches stem from logic flaws that are unique to each API, static analysis and API firewalling alone are clearly not sufficient: a standard web application security approach will not pick up the nuances of how a particular API is put together. Organizations investing in manual penetration testing may think they are covered, but it relies on humans understanding the API code, which is slow and costly.
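As an added illustration (not code from the original page or from any product), here is a minimal API-aware validator of the kind described above: it matches a request against a route schema and rejects path parameters of the wrong type. The routes, parameter types and sample requests are constructed assumptions for the example. Note what it cannot do: `/users/7` is a perfectly well-formed request whether or not the caller is user 7, so an object-level authorization flaw passes straight through a schema check.

```python
"""Minimal positive-security request validator, in the style of an API-aware firewall."""
import re

# Constructed route schema (an assumption for this example): method + path template,
# and the type each path parameter must have. Real gateways load this from an OpenAPI document.
SCHEMA = {
    "GET /users/{user_id}": {"user_id": "integer"},
    "GET /orders/{order_id}/items/{item_id}": {"order_id": "integer", "item_id": "integer"},
}

# Strict type patterns: anchored so "1 OR 1=1" or "1%20OR%201=1" can never pass as an integer.
TYPE_PATTERNS = {
    "integer": re.compile(r"^-?\d+$"),
    "uuid": re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"),
}


def _template_to_regex(template):
    """Turn '/users/{user_id}' into an anchored regex with one named group per parameter."""
    pattern = re.sub(r"\{(\w+)\}", lambda m: f"(?P<{m.group(1)}>[^/]+)", template)
    return re.compile("^" + pattern + "$")


def validate(method, path):
    """Return (allowed, reason).

    A request is allowed only if a route with this method matches the path and every
    path parameter matches its declared type. Unknown routes are rejected by default.
    """
    for route, params in SCHEMA.items():
        route_method, template = route.split(" ", 1)
        if route_method != method:
            continue
        match = _template_to_regex(template).match(path)
        if not match:
            continue
        for name, expected in params.items():
            value = match.group(name)
            if not TYPE_PATTERNS[expected].match(value):
                return False, f"{name} must be {expected}, got {value!r}"
        return True, "ok"
    return False, "unknown route"


if __name__ == "__main__":
    # Constructed sample traffic. The last request is user 42 reading user 7's record:
    # syntactically valid, so the validator lets it through. Authorization must live in the API.
    for req in [("GET", "/users/42"), ("GET", "/users/abc"), ("GET", "/users/1%20OR%201=1"),
                ("POST", "/users/42"), ("GET", "/orders/5/items/abc"), ("GET", "/users/7")]:
        print(req, "->", validate(*req))
```

The integer and UUID patterns are deliberately anchored; a common mistake is `re.match` without `$`, which would accept `1abc` as an integer.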
Key considerations for API Security
Coverage: Testing needs to be comprehensive, looking at every API endpoint and method and considering all the ways your API can be used, not just the likely ones.
Scale: Consider each API endpoint, which in turn supports several of the POST, GET, PUT and DELETE methods; for a moderately sized API you are quickly up to ~250 endpoint-method permutations. Then consider the many API breach categories, each requiring multiple tests, and you are looking at thousands of unique attacks. Testing needs to cover all of these scenarios, otherwise vulnerabilities will make their way into production and widen your attack surface.
Speed: Speed is crucial in modern DevOps. When fixes and new functionality need to move to production, security cannot slow down the process. However, given the complexity of APIs and the number of endpoints and scenarios, testing time is more often measured in weeks or months.
OWASP Top 10 API Security
In 2019 OWASP published a separate API Security Top 10 so that businesses would consider API security alongside the OWASP Top 10 for web application security risks. It recognizes that API security needs to be approached differently, and that the ways APIs are breached have more in common with each other than with the well-known web application issues, such as Cross-Site Scripting (XSS), Distributed Denial-of-Service (DDoS) and Man-in-the-Middle attacks, that many teams already understand and have measures in place to test for.
OWASP API Security Top 10 (2019):
1. Broken Object Level Authorization
2. Broken User Authentication
3. Excessive Data Exposure
4. Lack of Resources & Rate Limiting
5. Broken Function Level Authorization
6. Mass Assignment
7. Security Misconfiguration
8. Injection
9. Improper Assets Management
10. Insufficient Logging & Monitoring
Of the OWASP API Security Top 10, only one, #8 (Injection, of which SQL injection is the best-known form), is a classic attack vector common in application security; the rest concern authorization, authentication and the API's own behaviour, which is what makes securing API-based applications distinctive. Four of the top five involve business logic and access control errors in the software stack that are unique to each organization, which is why they are hard to find with traditional testing methodologies: the flaw is specific to the business that built the API.
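The two most characteristic categories, as an added example that is not code from the original page: a vulnerable handler beside a hardened one for Broken Object Level Authorization (#1) and for Mass Assignment (#6). The in-memory store, user records, field names and `Forbidden` exception are constructed assumptions standing in for a real database and web framework.

```python
"""Vulnerable vs hardened handlers for OWASP API1 (BOLA) and API6 (Mass Assignment)."""
from dataclasses import dataclass


@dataclass
class User:
    id: int
    email: str
    is_admin: bool = False


class Forbidden(Exception):
    """Stands in for an HTTP 403 response."""


def make_store():
    """Constructed sample data (an assumption for this example), fresh on every call."""
    return {1: User(1, "alice@example.com"), 2: User(2, "bob@example.com", is_admin=True)}


# --- API1: Broken Object Level Authorization -----------------------------------
def get_user_vulnerable(store, caller_id, target_id):
    # Authenticated, but not authorized: returns whatever id the client puts in the URL,
    # so user 1 can enumerate /users/2, /users/3, ... and read everyone's records.
    return store[target_id]


def get_user_fixed(store, caller_id, target_id):
    # The decision is tied to the caller's identity from the session/token, never to the
    # client-supplied id. Admins are allowed through explicitly rather than by accident.
    caller = store[caller_id]
    if caller.id != target_id and not caller.is_admin:
        raise Forbidden(f"user {caller_id} may not read user {target_id}")
    return store[target_id]


# --- API6: Mass Assignment -------------------------------------------------------
def update_user_vulnerable(store, caller_id, payload):
    # Binds every JSON key straight onto the model; {"is_admin": true} escalates privilege.
    user = store[caller_id]
    for key, value in payload.items():
        setattr(user, key, value)
    return user


WRITABLE_FIELDS = {"email"}  # the only attribute a client may change about itself


def update_user_fixed(store, caller_id, payload):
    # Allowlist instead of blocklist: any field not explicitly writable rejects the whole
    # request (a 400 in practice), rather than being silently ignored or applied.
    unknown = set(payload) - WRITABLE_FIELDS
    if unknown:
        raise ValueError(f"fields not writable: {sorted(unknown)}")
    user = store[caller_id]
    for key in payload:
        setattr(user, key, payload[key])
    return user


def raises(exc_type, fn, *args):
    """True if fn(*args) raises exc_type; shows a rejected request without a test framework."""
    try:
        fn(*args)
    except exc_type:
        return True
    return False


if __name__ == "__main__":
    s = make_store()
    print("BOLA   :", get_user_vulnerable(s, 1, 2))                  # alice reads bob
    print("fixed  :", raises(Forbidden, get_user_fixed, s, 1, 2))    # True
    s = make_store()
    print("massasg:", update_user_vulnerable(s, 1, {"is_admin": True}).is_admin)  # True
    s = make_store()
    print("fixed  :", raises(ValueError, update_user_fixed, s, 1, {"is_admin": True}), s[1])
```

Both fixes are a few lines, which is the point of the paragraph above: nothing here is an injection pattern a firewall could match, and both vulnerable handlers are syntactically ordinary code that static analysis has no reason to flag.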
API security testing best practice
The common thread in API risk is that breaches are not bred from classic attacks and vulnerabilities; they are the result of business logic flaws and loopholes in the API itself. Developers are taught never to trust user data, but APIs let attackers modify request properties in unexpected ways that are difficult to test for, given the huge number of possible attack scenarios. In the rush to push more code, functionality and fixes into production, developers also often introduce unintended access-control vulnerabilities into their APIs.
Our approach to API security begins with learning the API inside out: cataloging every available endpoint and identifying the methods each supports. The process is fully automated and allows critical API vulnerabilities to be addressed before production. It offers major advantages over the more common static code analysis, API firewalling and manual pen testing:
- Ongoing API vulnerability detection - discovers vulnerabilities missed by static analysis and firewalls, including business logic faults and access control issues.
- Multiple API scenario testing - automatically creates thousands of test sequences with no manual work, freeing the team from having to come up with every possible test scenario by hand.
- Comprehensive coverage - creates detailed tests covering a company's entire API footprint and all API breach categories, including the elements that are easy to miss with manual testing.
- Enhanced for DevSecOps – enables API testing at speed and scale. Testing is fast and continuous, rather than adding delays to your deployment workflow.
- Continuous API security - provides continuous API security, unlike manual pen testing, which is ad hoc and does not cover emerging API threats in production.
- Cost and time efficient - provides far more continuous API testing than manual pen testing, by leveraging the efficiencies of test automation.
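The cataloging and test-generation steps described above and under Scale, as an added example that is not the page's or any vendor's code: walk an OpenAPI 3 document, enumerate every endpoint-method permutation, and derive negative test cases from what the spec declares. The spec fragment is constructed for the example (no real service), and `is_admin` is a constructed probe field for the mass-assignment case. On a real spec, `enumerate_operations` gives the actual permutation count, and `generate_tests` shows how quickly a handful of endpoints turns into hundreds of cases.

```python
"""Enumerate endpoint-method permutations from an OpenAPI 3 document and derive negative tests."""

# Constructed OpenAPI 3 fragment (an assumption for this example, not a real service).
SPEC = {
    "paths": {
        "/users/{user_id}": {
            # Path-level parameters apply to every operation under this path.
            "parameters": [{"name": "user_id", "in": "path", "schema": {"type": "integer"}}],
            "get": {"security": [{"bearerAuth": []}]},
            "put": {
                "security": [{"bearerAuth": []}],
                "requestBody": {"content": {"application/json": {"schema": {
                    "type": "object", "properties": {"email": {"type": "string"}}}}}},
            },
            "delete": {"security": [{"bearerAuth": []}]},
        },
        "/orders": {
            "get": {"security": [{"bearerAuth": []}],
                    "parameters": [{"name": "limit", "in": "query", "schema": {"type": "integer"}}]},
            "post": {"security": [{"bearerAuth": []}]},
        },
        "/health": {"get": {}},  # intentionally unauthenticated
    }
}

HTTP_METHODS = {"get", "post", "put", "patch", "delete", "head", "options"}

# Wrong-typed values chosen to probe parsers and backend queries (type confusion, sign,
# overflow, injection-shaped input). These are constructed probes, not a complete fuzz set.
TYPE_CONFUSION = {
    "integer": ["abc", "1.5", "-1", "99999999999999999999", "1 OR 1=1"],
    "string": [12345, None, "A" * 4096],
}


def enumerate_operations(spec):
    """Yield (METHOD, path, operation, parameters) for every endpoint-method permutation.

    Path-level parameters are merged with operation-level ones, as OpenAPI requires.
    """
    for path, item in spec["paths"].items():
        shared = item.get("parameters", [])
        for method, op in item.items():
            if method not in HTTP_METHODS:  # skips "parameters", "summary", etc.
                continue
            yield method.upper(), path, op, shared + op.get("parameters", [])


def generate_tests(spec):
    """Return negative test cases derived purely from the spec:

    - missing_auth: call every operation that declares a security requirement with no credentials
    - type_confusion: every declared parameter gets each wrong-typed value for its type
    - mass_assignment: every JSON object body gets an undeclared field added
    """
    cases = []
    for method, path, op, params in enumerate_operations(spec):
        if op.get("security"):
            cases.append({"method": method, "path": path, "check": "missing_auth", "headers": {}})
        for p in params:
            for bad in TYPE_CONFUSION.get(p["schema"]["type"], []):
                cases.append({"method": method, "path": path, "check": "type_confusion",
                              "param": p["name"], "in": p["in"], "value": bad})
        body = op.get("requestBody", {}).get("content", {}).get("application/json", {}).get("schema")
        if body and body.get("type") == "object":
            probe = {k: "x" for k in body["properties"]}
            probe["is_admin"] = True  # constructed probe field the schema does not declare
            cases.append({"method": method, "path": path, "check": "mass_assignment", "body": probe})
    return cases


def count_by_check(cases):
    """Summarize generated cases per check type."""
    counts = {}
    for c in cases:
        counts[c["check"]] = counts.get(c["check"], 0) + 1
    return counts


if __name__ == "__main__":
    ops = list(enumerate_operations(SPEC))
    print(f"{len(ops)} endpoint-method permutations")
    cases = generate_tests(SPEC)
    print(f"{len(cases)} negative test cases:", count_by_check(cases))
```

Each generated case is declarative (method, path, what to send, what is being checked) so a harness can replay it against a staging deployment and judge the response: a `missing_auth` case must not return 2xx, a `type_confusion` case must return a clean 4xx rather than a 5xx, and a `mass_assignment` case must not leave the probe field set.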
With API security testing integrated into your CI/CD pipeline, your team is notified of any issues before moving to the next stage, with the exact nature of each API vulnerability shown and a Common Vulnerability Scoring System (CVSS) severity score calculated automatically to prioritize remediation. This reduces your API attack surface, flags logic flaws for straightforward remediation, and supports reporting to FedRAMP auditors and compliance officials. API vulnerabilities are identified without operational downtime, and before you run the risk of falling prey to opportunistic attackers and losing your most valuable data.