Most applications built today leverage Application Programming Interfaces (APIs): code that makes it possible for digital devices, applications and servers to communicate and share data. This code, a collection of communication protocols and subroutines, simplifies that data sharing. The use of APIs is growing exponentially year over year, and with the growth of cloud computing, cloud APIs have become the essential building blocks for developing applications in the cloud using today’s agile development practices.
APIs enable organizations to bring innovative applications and functionality to customers at an increasingly fast pace. They also serve as the means of provisioning cloud platforms, hardware and software, acting as service gateways that enable direct and indirect cloud services. While the growing use of APIs increases seamless integration and improves customer experiences, a new set of risks emerges.
It is important for organizations to understand the risks that come with the use of APIs and to prepare to address them. Companies at the start of their API security journey should begin by establishing an inventory of the APIs in their environment, including the functionality each performs, the languages used, the authentication and data security requirements, and the primary owners/developers of each API. Once the inventory is complete, an organization can move on to threat modeling to understand the threats to its APIs. This should include a strong understanding of data flows and trust boundaries. The API code should then be subject to manual and automated testing to identify vulnerabilities and misconfigurations. To help address the new risk landscape, consider the security risks associated with the use of APIs, such as:
- Access control: APIs present a security risk when they allow unauthorized access to user data, systems or applications.
- Injection vulnerabilities: APIs can be vulnerable to SQL injection attacks, in which attackers send crafted requests to extract confidential information or manipulate data.
- Human errors: APIs can pose a security risk through misconfiguration due to human error, or through vulnerabilities in the code that allow unauthorized access to data.
- API mismanagement: Security risk arises when the API is not properly managed and audited, including versioning and documentation of code. Effective API management includes designing, publishing, documenting and testing in a consistent, repeatable way. Managing the API’s lifecycle ensures that security protocols are followed, monitoring is performed and version control is in place.
- DDoS attacks: Attackers can launch Distributed Denial of Service (DDoS) attacks against the API to make it unavailable, resulting in an interruption of service.
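The DDoS item above is the risk that rate limiting (one of the gateway functions listed later on this page) is meant to contain. The following is an added illustration, not Protiviti's code or any product's implementation: a per-client token-bucket limiter with an injectable clock, replayed over a constructed request trace so the allow/deny decisions can be checked offline. The client identifiers, refill rate and burst size are assumptions chosen for the example.

```python
"""Per-client token-bucket rate limiter (added illustration, not Protiviti's code)."""
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class _Bucket:
    tokens: float  # tokens currently available to this client
    last: float    # clock reading at the last refill


class TokenBucketLimiter:
    """Each client_id gets a bucket that refills at `rate` tokens/second up to `burst`.

    A request is allowed only if a whole token is available; otherwise it is rejected
    (a gateway would map the rejection to HTTP 429 Too Many Requests). The clock is
    injectable so behaviour can be replayed deterministically.
    """

    def __init__(self, rate: float, burst: int, clock: Callable[[], float] = time.monotonic):
        self.rate = rate
        self.burst = burst
        self.clock = clock
        self._buckets: Dict[str, _Bucket] = {}

    def allow(self, client_id: str) -> bool:
        now = self.clock()
        bucket = self._buckets.get(client_id)
        if bucket is None:
            # A new client starts with a full bucket (its burst allowance).
            bucket = _Bucket(tokens=float(self.burst), last=now)
            self._buckets[client_id] = bucket
        # Refill proportionally to elapsed time, never beyond the burst size.
        elapsed = max(0.0, now - bucket.last)
        bucket.tokens = min(float(self.burst), bucket.tokens + elapsed * self.rate)
        bucket.last = now
        if bucket.tokens >= 1.0:
            bucket.tokens -= 1.0
            return True
        return False


class FakeClock:
    """Manually advanced clock used to replay a trace without sleeping."""

    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def simulate(trace: List[Tuple[str, float]], rate: float = 1.0, burst: int = 5) -> List[Tuple[str, bool]]:
    """Replay a constructed trace of (client_id, seconds elapsed before this request)
    and return the (client_id, allowed) decision for each request."""
    clock = FakeClock()
    limiter = TokenBucketLimiter(rate, burst, clock)
    decisions = []
    for client_id, delay in trace:
        clock.advance(delay)
        decisions.append((client_id, limiter.allow(client_id)))
    return decisions


if __name__ == "__main__":
    # Constructed trace: one client fires seven requests at once, pauses two seconds,
    # then fires three more; a second client sends a single request in between.
    trace = [("bot", 0.0)] * 7 + [("user", 0.0), ("bot", 2.0), ("bot", 0.0), ("bot", 0.0)]
    for client, allowed in simulate(trace):
        print(f"{client:5s} {'allowed' if allowed else 'REJECTED'}")
```

With a burst of 5 and a refill of 1 token/second, the first five requests from the bursting client pass, the next two are rejected, the unrelated client is unaffected, and after the two-second pause exactly two more requests are admitted. Keying buckets on an authenticated client identity rather than on source IP alone is what makes the limit hard to evade by spreading traffic across addresses.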
Overall, adhering to security best practices and managing APIs effectively can help mitigate many of the security risks discussed above. Protiviti recommends integrating API security into an organization’s broader application security program. Several best practices for securing APIs include:
- Authentication and authorization: Verify that the API requires proper authentication and that the endpoints or methods accessed have sufficient authorization controls in place.
- Input validation: Test the input fields of the API to ensure that the system handles and validates inputs correctly. Inadequate input validation can lead to various types of attacks such as SQL injection, cross-site scripting (XSS) and code injection.
- Security testing tools: Implement static and dynamic security testing tools for source code reviews, data flow analysis, as well as scanning known weak links and vulnerabilities.
- Error handling: Verify that the API handles errors securely to prevent the exposure of sensitive information to attackers via error messages.
- Data security: Check the safety level of confidential data shared between applications and confirm that no unnecessary data storage takes place. Any data that is required to be retained should be properly encrypted.
- Network connections: Review all network connections leveraged by the API and verify they are secure, and connections and transactions are encrypted.
- Penetration testing: Leverage penetration testers with application security expertise to perform penetration testing to validate the API’s overall security posture.
- API gateways: Depending on the implementation, an API gateway may provide functionality such as authentication, routing, rate limiting, billing, monitoring, analytics, policies, alerts and security.
- API firewalls: The security gateway to an organization’s architecture and the single entry and exit point for all API calls. An API firewall automatically blocks nonconforming input/output data as well as undocumented methods, error codes, schemas and query or path parameters.
- Web Application Firewalls (WAF): Protect APIs from attacks. Rules can be configured to define acceptable traffic for APIs, protecting them against common web exploits.
- Content Delivery Network (CDN) Services: Many of the CDN solution providers now include web application security to protect APIs.
- Web Application and API Protection (WAAP): Often described as the expansion of WAF capabilities to cover WAF, DDoS protection, bot management and API protection.
While there are steps every organization can take to secure its APIs, the journey to building a robust security and privacy program is never over, so continuous monitoring and re-evaluation of best practices are vital.
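Several of the practices above (authentication and authorization, input validation, error handling) and the access-control and injection risks listed earlier come together at a single endpoint. The following is an added example written for this page, not Protiviti's code or any framework's API: a hardened handler for a hypothetical `GET /orders/{id}` endpoint, modelled as a plain function over an in-memory SQLite database so it runs offline. The bearer tokens, user ids and order rows are constructed sample data.

```python
"""Hardened request handling for one JSON API endpoint (added example, not Protiviti's code).

Models GET /orders/{id} as a plain function so it runs without a web framework.
The tokens, users and orders below are constructed for the example.
"""
import logging
import sqlite3
from typing import Dict, Optional, Tuple

log = logging.getLogger("api")

# Constructed sample credentials: bearer token -> authenticated user id.
TOKENS: Dict[str, int] = {"tok-alice": 1, "tok-bob": 2}


def build_db() -> sqlite3.Connection:
    """Create an in-memory orders table with two constructed rows owned by different users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, owner INTEGER, total_cents INTEGER)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)", [(100, 1, 2599), (101, 2, 999)])
    conn.commit()
    return conn


def authenticate(headers: Dict[str, str]) -> Optional[int]:
    """Authentication: return the user id for a valid bearer token, else None."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        return None
    return TOKENS.get(token)


def parse_order_id(raw: str) -> Optional[int]:
    """Input validation: accept only a decimal integer of bounded length; reject anything else."""
    if not raw.isdigit() or len(raw) > 9:
        return None
    return int(raw)


def get_order(conn: sqlite3.Connection, headers: Dict[str, str], raw_id: str) -> Tuple[int, dict]:
    """Handle the request and return (HTTP status, JSON body). Every check fails closed."""
    user = authenticate(headers)
    if user is None:
        return 401, {"error": "authentication required"}

    order_id = parse_order_id(raw_id)
    if order_id is None:
        return 400, {"error": "invalid order id"}

    try:
        # Parameterized query: the id is bound as a value and never spliced into SQL text.
        row = conn.execute(
            "SELECT id, owner, total_cents FROM orders WHERE id = ?", (order_id,)
        ).fetchone()
    except sqlite3.Error as exc:
        # Error handling: the detail goes to the server log only; the client gets a generic message.
        log.error("order lookup failed: %s", exc)
        return 500, {"error": "internal error"}

    # Object-level authorization: a caller may only read orders they own. Missing and
    # foreign orders both produce 404 so the response does not reveal which ids exist.
    if row is None or row[1] != user:
        return 404, {"error": "not found"}

    return 200, {"id": row[0], "total_cents": row[2]}


if __name__ == "__main__":
    db = build_db()
    alice = {"Authorization": "Bearer tok-alice"}
    print(get_order(db, {}, "100"))             # no credentials -> 401
    print(get_order(db, alice, "100"))          # own order -> 200 with the row
    print(get_order(db, alice, "101"))          # someone else's order -> 404
    print(get_order(db, alice, "100 OR 1=1"))   # malformed id rejected before any SQL runs -> 400
```

The ordering of the checks matters: authentication first, then syntactic validation of the input, then the parameterized lookup, then the ownership check against the authenticated identity rather than anything the client supplied. Whether a foreign object returns 403 or 404 is a design choice; 404 is used here to avoid confirming the existence of other users' records.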
A mature application security program should incorporate API security into its day-to-day activities. For others, this may be a larger effort, but the risks associated with the use of APIs will only continue to grow with their increased adoption. Regardless of where each organization is in its API security journey, Protiviti is ready to assist with building and maintaining an API security program from the ground up, or to assist in maturing an existing application security program to include securing APIs. Our security professionals have extensive experience in API development, and we understand how to securely meet any organization’s growing API needs.
Read the results of our new Global IT Executive Survey: The Innovation vs. Technical Debt Tug-of-War.
To learn more about our security consulting services, contact us.