24th April 2021, Kathmandu
API security risks are a common problem in today’s cyber world, and cyberattacks have unfortunately become an everyday word in our vernacular. Like any software, APIs can be compromised and your data can be stolen. Because APIs are the conduits that expose application functionality for third-party integration, they are susceptible to attack. To help you take precautions, here is a list of the top 10 API security risks.
Application programming interfaces (APIs) have created a powerful way for software applications to communicate and interact. Like much of the tech world, the API ecosystem is constantly changing and evolving, and as new ideas and approaches move to the forefront of industry standards, so do new security problems. Too often API security is not considered when evaluating whether a new technology should be used for a project. You only need to look at the widespread and growing adoption of the cloud. While it offers many benefits, the fact that the data is off-site creates a new set of potential vulnerabilities: physical security cannot be guaranteed, and hardware protection is limited because the servers are remote. You can reduce the potential risk by ensuring consistent backups and using top-level server security protocols.
As more companies develop Application Programming Interfaces (APIs), those who manage risk need to understand what risks APIs introduce to the business. Those who equip themselves to handle API risks will be better able to weather any cybersecurity storms ahead.
Let’s break down three significant sources of risk in APIs and how you can reduce your exposure.
1. Coding Risks
The most basic risk is poor coding practices that lead to exploits by malicious actors. Poorly designed or written code could be a ticking time bomb hiding within your application.
Impact of Coding Mistakes
Vulnerable code can lead to account takeover, theft of personally identifiable information (PII), or denial of service.
Broken Object Level Authorization (BOLA) is a common API flaw with potentially catastrophic effects. Many APIs use unique identifiers to retrieve records. For example, an application might request your Facebook profile from an API by calling “facebook.com/api/profile/12345678”. The number on the end of the URL is a “resource identifier.” It uniquely identifies your profile.
BOLA occurs when changing the number at the end of the URL lets you view someone else’s profile as if you were that person. When this happens with sensitive information, such as medical records or banking applications, the result can be a significant data breach costing the offending company millions.
It is not difficult to write the code that protects against vulnerabilities like these, but it is sometimes forgotten or pushed aside by developers for the sake of quick feature delivery.
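To make the flaw concrete, here is an added example (not code from the original post or from any of the companies it mentions): a tiny profile lookup written twice, once with the BOLA flaw described above and once with the ownership check that closes it. The records, account ids, resource identifiers and function names are all constructed for illustration; the only thing the fixed version adds is a comparison between the authenticated caller and the record’s owner, done in one helper so every handler can reuse it.

```python
# Added example (not code from the original post): a tiny profile API that
# shows the BOLA flaw described above next to the ownership check that
# closes it. All records, ids and function names are constructed.
from dataclasses import dataclass
from typing import Dict


@dataclass(frozen=True)
class Profile:
    id: int
    owner_id: int       # the account that is allowed to read this record
    display_name: str
    email: str


# Constructed in-memory "database": resource identifier -> record.
PROFILES: Dict[int, Profile] = {
    12345678: Profile(12345678, owner_id=1001, display_name="alice",
                      email="alice@example.com"),
    12345679: Profile(12345679, owner_id=1002, display_name="bob",
                      email="bob@example.com"),
}


class NotFound(Exception):
    """No record with that identifier."""


class Forbidden(Exception):
    """Caller is authenticated but not allowed to read this record."""


def get_profile_vulnerable(caller_id: int, profile_id: int) -> Profile:
    """BOLA: the record is looked up by the client-supplied id only.

    The caller is authenticated (we know caller_id) but it is never compared
    with the record's owner, so asking for /api/profile/12345679 returns
    Bob's profile to Alice.
    """
    if profile_id not in PROFILES:
        raise NotFound(profile_id)
    return PROFILES[profile_id]


def authorize_object(caller_id: int, obj: Profile) -> Profile:
    """Object-level authorization in one place.

    Every handler that loads a record by id passes it through here, which is
    the kind of codebase pattern that makes the check hard to forget.
    """
    if obj.owner_id != caller_id:
        raise Forbidden(obj.id)
    return obj


def get_profile_secure(caller_id: int, profile_id: int) -> Profile:
    """Same lookup, but the record is returned only to its owner."""
    obj = PROFILES.get(profile_id)
    if obj is None:
        raise NotFound(profile_id)
    return authorize_object(caller_id, obj)


def can_read(caller_id: int, profile_id: int) -> bool:
    """True only when the secure handler would hand the record back."""
    try:
        get_profile_secure(caller_id, profile_id)
        return True
    except (NotFound, Forbidden):
        return False


if __name__ == "__main__":
    # Alice (account 1001) asks for Bob's profile id through both handlers.
    print("vulnerable:", get_profile_vulnerable(1001, 12345679).display_name)  # bob
    print("secure:", can_read(1001, 12345679))  # False
```

In a real service the ownership rule is usually richer than “owner equals caller” (admins, shared resources, delegated access), which is exactly why it belongs in a single authorization helper rather than being re-implemented, or forgotten, in each handler.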
How to Manage Coding Risks
Education is your best bet to manage coding risks. Your engineers need to know what pitfalls exist and how to avoid them. Automated security scanners have come a long way, but most still miss the big stuff. For example, a BOLA attack will likely pass straight through web application firewalls and Runtime Application Self-Protection (RASP) tools. They know the URL should end with an ID, but they cannot know whether it is the wrong ID. The code itself must be written to protect against these types of business logic attacks.
The OWASP API Top 10 is an excellent way to educate software engineers on the most common API flaws. Work these risks into onboarding and security training. Task your brightest engineers to build frameworks and patterns into the codebase to help make secure code automatic.
Automation can help, but humans on the front line are the actual investment you need to protect against severe coding mistakes.
2. Asset Management
Do you know how many publicly available APIs your company deploys? Do you know all of their endpoints and how to access them?
Many companies are seeing the number of APIs exploding as they add more functionality to an application. It’s not uncommon to see hundreds of microservices deployed, each with an API endpoint used to communicate with other components.
“Shadow APIs,” or APIs created without proper oversight or approvals, are dangerous if no one knows they exist. Leftover testing endpoints and domains could be publicly available without anyone’s knowledge.
Impact of Poor Asset Management
Old endpoints that are still internet-facing could have outdated and insecure code. Several years ago, Facebook left an authentication endpoint exposed on beta.facebook.com and mbasic.beta.facebook.com. The APIs left on the two testing endpoints didn’t have rate limiting enabled and allowed an attacker to brute force password recovery tokens and take over any Facebook user’s account.
If an API endpoint is left available, but no one within the organization knows about it, it could be attacked without your knowledge. You could be leaving a back door unlocked with no guards or security cameras. People can come and go as they please.
From a financial standpoint, if these rogue APIs are running in cloud services, you could be wasting money paying for resources you don’t need or want.
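The two controls missing from the testing endpoints in the Facebook case were a per-account limit on failed attempts and a token that cannot be guessed. The following is an added example, not code from the original post or from Facebook, of a password-recovery token store that has both. The class name, the limits and the injectable clock are constructed for illustration.

```python
# Added example (not code from the original post): a password-recovery token
# store with a high-entropy single-use token and a sliding-window limit on
# failed verifications per account. Names and limits are constructed.
import hmac
import secrets
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, Tuple

MAX_FAILURES = 5             # failed attempts allowed per account per window
WINDOW_SECONDS = 15 * 60     # sliding window for counting failures
TOKEN_TTL_SECONDS = 10 * 60  # recovery tokens expire after ten minutes


class RecoveryTokenStore:
    def __init__(self, clock: Callable[[], float] = time.monotonic) -> None:
        self._clock = clock
        # account -> (token, expires_at)
        self._tokens: Dict[str, Tuple[str, float]] = {}
        # account -> timestamps of recent failed verifications
        self._failures: Dict[str, Deque[float]] = defaultdict(deque)

    def issue(self, account: str) -> str:
        """Create a single-use token from 32 random bytes (256 bits)."""
        token = secrets.token_urlsafe(32)
        self._tokens[account] = (token, self._clock() + TOKEN_TTL_SECONDS)
        return token

    def _prune_failures(self, account: str) -> Deque[float]:
        now = self._clock()
        failures = self._failures[account]
        while failures and now - failures[0] > WINDOW_SECONDS:
            failures.popleft()
        return failures

    def is_rate_limited(self, account: str) -> bool:
        return len(self._prune_failures(account)) >= MAX_FAILURES

    def verify(self, account: str, presented: str) -> str:
        """Return "ok", "rate_limited" or "invalid".

        Unknown, expired and wrong tokens all count as one failure and all
        produce the same answer, so the caller learns nothing about which
        case occurred. The comparison is constant-time.
        """
        if self.is_rate_limited(account):
            return "rate_limited"
        now = self._clock()
        entry = self._tokens.get(account)
        if (entry is not None and now <= entry[1]
                and hmac.compare_digest(entry[0].encode(), presented.encode())):
            del self._tokens[account]           # single use
            self._failures.pop(account, None)   # reset the failure count
            return "ok"
        self._failures[account].append(now)
        return "invalid"


if __name__ == "__main__":
    store = RecoveryTokenStore()
    token = store.issue("alice")
    for _ in range(MAX_FAILURES):
        store.verify("alice", "guess")
    print(store.verify("alice", token))   # rate_limited
```

The per-account counter is what stops a brute-force run against a single victim; in production you would also count by source address and put the counters in shared storage so the limit holds across every instance of the endpoint, including the beta and testing ones.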
How to Manage Asset Management Risks
An essential tool in asset management for APIs is API discovery. API discovery is automation that helps you find all exposed and vulnerable endpoints. You can then review and shut down unsafe or unwanted endpoints.
If unwanted endpoints are using cloud resources, you can use tools like Swabbie to find and shut down unused resources. Swabbie can find the endpoints no one uses but are still hanging around, costing you money.
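A simple form of API discovery is to reconcile what you think is deployed against what your gateway actually serves. The example below is added here and is not code from the original post or from any discovery product: it parses constructed access-log lines, normalises numeric path segments into route templates, and reports endpoints that see traffic but are absent from the declared inventory (shadow endpoints) as well as declared endpoints that see no traffic at all (candidates for shutting down). The log lines, the declared inventory and the function names are all constructed.

```python
# Added example (not code from the original post): reconcile declared API
# endpoints against endpoints observed in access logs. All input data here
# is constructed for illustration.
import re
from collections import Counter
from typing import Dict, Set, Tuple

Endpoint = Tuple[str, str]  # (HTTP method, route template)

# Constructed inventory: the endpoints the team believes are deployed.
DECLARED_ENDPOINTS: Set[Endpoint] = {
    ("GET", "/api/profile/{id}"),
    ("POST", "/api/login"),
    ("GET", "/api/orders/{id}"),
    ("DELETE", "/api/orders/{id}"),
}

# Constructed access-log lines in common log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [24/Apr/2021:10:00:01 +0545] "GET /api/profile/12345678 HTTP/1.1" 200 512
10.0.0.7 - - [24/Apr/2021:10:00:02 +0545] "POST /api/login HTTP/1.1" 200 88
10.0.0.9 - - [24/Apr/2021:10:00:03 +0545] "GET /api/v0/debug/users HTTP/1.1" 200 40960
10.0.0.9 - - [24/Apr/2021:10:00:04 +0545] "POST /beta/recover_password HTTP/1.1" 200 120
10.0.0.5 - - [24/Apr/2021:10:00:05 +0545] "GET /api/orders/42?expand=1 HTTP/1.1" 200 300
10.0.0.9 - - [24/Apr/2021:10:00:06 +0545] "GET /api/v0/debug/users HTTP/1.1" 200 40960
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')
NUMERIC_SEGMENT = re.compile(r"/\d+(?=/|$)")


def normalize(path: str) -> str:
    """Drop the query string and collapse numeric segments to {id}, so that
    /api/orders/42?expand=1 matches the declared template /api/orders/{id}."""
    path = path.split("?", 1)[0]
    return NUMERIC_SEGMENT.sub("/{id}", path)


def observed_endpoints(log_text: str) -> Counter:
    """Count requests per (method, template) seen in the log."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if match:
            counts[(match.group("method"), normalize(match.group("path")))] += 1
    return counts


def find_shadow_endpoints(log_text: str, declared: Set[Endpoint]) -> Dict[Endpoint, int]:
    """Endpoints serving traffic that nobody declared, with request counts."""
    return {ep: n for ep, n in observed_endpoints(log_text).items() if ep not in declared}


def find_unused_endpoints(log_text: str, declared: Set[Endpoint]) -> Set[Endpoint]:
    """Declared endpoints that received no traffic in the log window."""
    seen = observed_endpoints(log_text)
    return {ep for ep in declared if ep not in seen}


if __name__ == "__main__":
    for ep, n in sorted(find_shadow_endpoints(SAMPLE_LOG, DECLARED_ENDPOINTS).items()):
        print("shadow endpoint:", ep, "requests:", n)
    for ep in sorted(find_unused_endpoints(SAMPLE_LOG, DECLARED_ENDPOINTS)):
        print("declared but unused:", ep)
```

Run against real logs, the shadow list is the review queue (the debug and beta paths in the constructed sample are the sort of leftover testing endpoints the post describes), and the unused list feeds whatever cleanup tooling you use for idle cloud resources.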
3. Excessive Data Exposure
Data exposure occurs when APIs return too much data to the client. Each client should only receive the data they need to perform their function. Otherwise, another vulnerability could be compounded by exposing PII or other sensitive data.
Uber’s API had a vulnerability that led to excessive data exposure. An endpoint returned information about the user, including their email and physical address. Unfortunately, this endpoint was also susceptible to BOLA: when the client supplied a different user’s ID, it produced that user’s record. The API gladly spat out the personal information of any user in the system, while the client used only a fraction of the data returned.
Impact of Excessive Data Exposure
Excessive data exposure can lead to account takeover and theft of PII. It is often chained with another vulnerability: the data exposed is used to impersonate the victim to another service or to steal their identity.
How to Manage Excessive Data Exposure
APIs shouldn’t serve data not used by the client. This practice reduces exposure and the chance that another vulnerability leads to a data breach.
Also, APIs that aren’t meant to collect or distribute sensitive data shouldn’t return it as part of a request. Microservices typically have a unique data store, and copying personal data into multiple places isn’t safe. Keep a close eye on where your data is stored and how someone can access it.
Tools exist that can find sensitive data. For example, Amazon Macie can scan what you have stored in your AWS S3 buckets for sensitive data, and Traceable AI can help detect sensitive data leakages at run-time. You can use this information to decide what you should store and where. AI-driven automation can make it easier to find and classify data, so you know what you’re exposing to the outside world.
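Both of the practices above, returning only the fields the client needs and checking at run-time that nothing sensitive slips out anyway, fit in a few lines. The following is an added example and not code from the original post, from Uber, or from any of the products named: a stored user record (constructed), an explicit allowlist serializer for the public view of it, and a small response scanner that walks a payload and flags values matching a few illustrative sensitive-data patterns. The record, field names, patterns and function names are all constructed; the patterns are heuristics for demonstration, not a complete classifier.

```python
# Added example (not code from the original post): serialize a record through
# an explicit field allowlist, and scan outgoing payloads for values that
# look like sensitive data. All data and patterns are constructed.
import re
from typing import Any, Dict, List, Mapping

# Constructed record as the service stores it: far more than a client needs.
STORED_USER: Dict[str, Any] = {
    "id": 42,
    "display_name": "alice",
    "email": "alice@example.com",
    "home_address": "1 Example Street, Kathmandu",
    "phone": "+977-1-0000000",
    "password_hash": "$2b$12$constructedplaceholderhash",
    "created_at": "2021-04-24",
}

# The fields a "who is this user?" feature actually needs. Anything not
# listed here never leaves the service, whatever the record contains.
PUBLIC_USER_FIELDS = ("id", "display_name", "created_at")


def serialize_public_user(record: Mapping[str, Any]) -> Dict[str, Any]:
    """Build the response from the allowlist, never from the raw record."""
    return {field: record[field] for field in PUBLIC_USER_FIELDS if field in record}


# Illustrative patterns for values that should not appear in a public
# response. Real deployments tune these; they are heuristics, not proof.
SENSITIVE_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "phone": re.compile(r"\+\d[\d-]{8,}\d"),
    "password_hash": re.compile(r"\$2[aby]\$\d{2}\$"),
}


def find_sensitive_values(payload: Any) -> List[str]:
    """Walk a JSON-like payload and return "path: pattern" for every hit.

    Meant to run on the serialized response (in tests or as a run-time
    check) so that a leak is caught even if someone bypasses the allowlist.
    """
    findings: List[str] = []

    def walk(value: Any, path: str) -> None:
        if isinstance(value, Mapping):
            for key, child in value.items():
                walk(child, f"{path}.{key}" if path else str(key))
        elif isinstance(value, (list, tuple)):
            for index, child in enumerate(value):
                walk(child, f"{path}[{index}]")
        elif isinstance(value, str):
            for name, pattern in SENSITIVE_PATTERNS.items():
                if pattern.search(value):
                    findings.append(f"{path}: {name}")

    walk(payload, "")
    return findings


if __name__ == "__main__":
    print("raw record leaks:", find_sensitive_values(STORED_USER))
    public = serialize_public_user(STORED_USER)
    print("public view:", public)
    print("public view leaks:", find_sensitive_values(public))  # []
```

The allowlist is the real control; the scanner is a safety net that turns an accidental `return record` into a failing test or an alert instead of a quiet leak.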
Managing Risks in an API World
APIs are everywhere. If the software is eating the world, APIs are the teeth.
APIs and microservices help companies become more agile. They help speed up the delivery of new products and features. They connect different services so business owners can automate almost everything.
But these new advancements bring new risks. Learn to identify and manage these risks so the APIs don’t end up eating you.