How to Address Shortcomings in API Security

The application programming interface (API) economy is the commercial exchange of data, services and functionality between companies. These APIs allow different software systems to communicate and work together, enabling businesses to offer new services, improve user experiences and streamline operations.

According to Akamai, 83% of internet traffic now comprises API calls. This number has been on a steady rise and shows no signs of slowing down.

Companies like Amazon provide APIs that allow other businesses to list products, track shipments and process payments, enabling a vast ecosystem of online stores. Fintech companies offer APIs for payment processing, fraud detection and financial data aggregation as part of a new generation of financial apps and services. APIs are the glue that joins disparate systems together, allowing them to function as one.

However, as APIs proliferate, they pose some very serious risks. A study conducted by the Marsh McLennan Cyber Risk Analytics Center in June 2022 found that API-related security incidents cost global businesses as much as $75bn annually.

The latest version of the PCI Data Security Standard (PCI DSS), which sets technical and operational requirements for organizations that store, transmit or process credit card data, specifically calls out APIs and the need to secure them. In 2021, Gartner predicted that APIs would become the top attack vector, and that prediction is rapidly coming true.

Specific Security Strategies Needed for APIs

APIs have direct access to data, are often over-permissioned and are vulnerable to business logic attacks. Many existing secure software development tools, such as SAST and DAST, are unable to find a large share of API vulnerabilities, logic flaws in particular.

APIs require strong governance and a security program in their own right, starting with knowing what APIs you have and ensuring you have a full inventory of them. It is critical that organizations discover and document all the APIs in their environment and categorize them according to the sensitivity of the data to which they have access.

You can’t secure something if you don’t know it is there, and you don’t know the risk it poses unless you understand the data the API has access to; that understanding in turn determines the controls you implement.
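The discovery-and-categorization step above can be automated from the API descriptions an organization already holds. The following is an added example, not code from the article or from any vendor mentioned in it: it walks a small OpenAPI-style document, records for each operation whether a security requirement is declared, and tiers the operation by the sensitive fields its responses expose. The sample specification, the keyword lists and the high/medium/low tiering are all constructed assumptions for this example and would be replaced by your own data classification policy.

```python
"""Build an API inventory tiered by data sensitivity (constructed example).

Walks a minimal OpenAPI-style description and, for every operation, records
whether it declares a security requirement and which sensitive fields its
response schemas expose. The keyword lists, tiering and sample spec below
are constructed for this example, not taken from any standard.
"""

# Field names that mark an endpoint as handling regulated data.
# Constructed keyword lists; tune to your own classification policy.
SENSITIVE_FIELDS = {
    "high": {"ssn", "card_number", "credit_score", "fico_score", "password"},
    "medium": {"email", "phone", "date_of_birth", "address"},
}
HTTP_METHODS = {"get", "post", "put", "patch", "delete"}


def collect_fields(schema, out=None):
    """Recursively gather property names from an inline JSON-schema fragment."""
    if out is None:
        out = set()
    if not isinstance(schema, dict):
        return out
    for name, sub in schema.get("properties", {}).items():
        out.add(name.lower())
        collect_fields(sub, out)
    collect_fields(schema.get("items"), out)
    return out


def classify_operation(path, method, op, global_security):
    """Return one inventory record for a path + method pair."""
    fields = set()
    for resp in op.get("responses", {}).values():
        for media in resp.get("content", {}).values():
            collect_fields(media.get("schema"), fields)
    tier = "low"
    if fields & SENSITIVE_FIELDS["high"]:
        tier = "high"
    elif fields & SENSITIVE_FIELDS["medium"]:
        tier = "medium"
    # In OpenAPI an operation-level `security: []` explicitly disables
    # authentication; if the key is absent, the document-level requirement applies.
    security = op.get("security", global_security)
    all_sensitive = SENSITIVE_FIELDS["high"] | SENSITIVE_FIELDS["medium"]
    return {
        "endpoint": f"{method.upper()} {path}",
        "sensitivity": tier,
        "authenticated": bool(security),
        "sensitive_fields": sorted(fields & all_sensitive),
    }


def build_inventory(spec):
    """Flatten every operation in the spec into an inventory record."""
    global_security = spec.get("security", [])
    records = []
    for path, methods in spec.get("paths", {}).items():
        for method, op in methods.items():
            if method.lower() in HTTP_METHODS:
                records.append(classify_operation(path, method, op, global_security))
    return records


def findings(inventory):
    """Endpoints to fix first: sensitive data served without authentication."""
    return [r["endpoint"] for r in inventory
            if r["sensitivity"] != "low" and not r["authenticated"]]


# Constructed sample specification; the endpoints and fields are invented.
SAMPLE_SPEC = {
    "security": [{"ApiKeyAuth": []}],  # document-level default: key required
    "paths": {
        "/credit/{id}": {"get": {
            "security": [],  # authentication explicitly switched off
            "responses": {"200": {"content": {"application/json": {"schema": {
                "properties": {"credit_score": {}, "fico_score": {}, "risk_factors": {}}}}}}},
        }},
        "/products": {"get": {
            "responses": {"200": {"content": {"application/json": {"schema": {
                "type": "array", "items": {"properties": {"name": {}, "price": {}}}}}}}},
        }},
        "/customers": {"post": {
            "responses": {"201": {"content": {"application/json": {"schema": {
                "properties": {"id": {}, "email": {}}}}}}},
        }},
    },
}

if __name__ == "__main__":
    for rec in build_inventory(SAMPLE_SPEC):
        print(rec)
    print("unauthenticated sensitive endpoints:", findings(SAMPLE_SPEC and build_inventory(SAMPLE_SPEC)))
```

Run against a real OpenAPI export, the `findings` list is the short queue the article asks for: sensitive endpoints that have no authentication requirement at all. Endpoints that never appear in any specification are the harder half of the inventory problem and still need traffic-based discovery.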

Authentication methods have not caught up with the pace of technological progress, as global digital trust association ISACA explored in a recent white paper. One big problem with APIs is they often use weak forms of authentication and, in some of the worst attacks, no authentication, allowing attackers to stage attacks and gain access to sensitive data.

Shared API Security Responsibility

One of the credit reporting agencies was providing its API to various customers, such as financial institutions, lenders, and other businesses, who used the API to access credit information for their clients. These customers integrated the API into their own systems to retrieve credit scores, risk factors and other related data.

The credit score API did not require any authentication. The attackers were able to use the customer's weak authentication and validation processes to gain access to the credit score API. This enabled them to retrieve sensitive information, such as FICO scores and credit risk factors.

This incident highlights the shared responsibility between service providers and their customers. While the API provider must ensure its API is secure, customers using the API also need to implement robust security measures to prevent unauthorized access.

One of the most common forms of authentication used by APIs is digital keys. The endpoint authenticates to the API with a key issued by the company that provides the API. How the key is stored and how long it remains valid are critical to the security of the API. If a hacker is able to obtain the key, can they use it to access the data from a different endpoint?

Is guidance provided to the customers and clients of the API on how they should handle their key? If you are emailing keys to clients that are consuming your services through APIs, that opens a large hole. OAuth is an open standard for token-based authentication and authorization. OAuth provides fine-grained access control and can support delegated access.

However, OAuth is more complex to implement compared to API keys. There are other forms of authentication, but keys and OAuth are the most common choices.

Authorization is another pain point in APIs. In one example, a security researcher showed that by exploiting an authorization vulnerability they were able to sell cryptocurrency they did not own, a flaw that could have been exploited for financial gain. APIs are often over-privileged and have access to more data than is shown at the endpoint. Business logic errors make up four of the top five attack vectors.
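The credit-score incident, the questions about key storage and lifespan, and the authorization pain point above all come together in one small handler. The following is an added example, not code from the article, the credit reporting agency or any API vendor: a minimal in-memory "credit score" API shown first in the shape the article describes (no authentication, no ownership check) and then hardened. Keys are persisted only as SHA-256 hashes with an expiry, and every lookup checks that the caller's tenant owns the record. The tenants, records and key lifetime are constructed assumptions.

```python
"""API key authentication plus object-level authorization (constructed example).

Contrasts an unauthenticated lookup with a hardened one. All tenants, records
and the 90-day key lifetime are constructed for this example.
"""
import hashlib
import secrets
from datetime import datetime, timedelta, timezone

# Constructed records: each credit record belongs to exactly one API customer.
RECORDS = {
    "rec-1": {"tenant": "bank-a", "fico_score": 710},
    "rec-2": {"tenant": "lender-b", "fico_score": 655},
}


def now():
    return datetime.now(timezone.utc)


def hash_key(api_key):
    """Keys are stored hashed so a leaked key table cannot be replayed."""
    return hashlib.sha256(api_key.encode()).hexdigest()


def issue_key(store, tenant, lifetime_days=90):
    """Mint a random key for a tenant; only its hash and expiry are persisted.
    The plaintext is returned once and must travel to the customer over a
    secure channel, never by email."""
    key = secrets.token_urlsafe(32)
    store[hash_key(key)] = {"tenant": tenant,
                            "expires": now() + timedelta(days=lifetime_days)}
    return key


def authenticate(store, presented_key, at=None):
    """Return the tenant for a valid, unexpired key, else None."""
    at = at or now()
    meta = store.get(hash_key(presented_key))
    if meta is None or meta["expires"] <= at:
        return None
    return meta["tenant"]


def get_score_vulnerable(records, record_id):
    """The pattern the article describes: no authentication and no ownership
    check, so any caller who supplies a record id receives the score."""
    return records.get(record_id)


def get_score(store, records, presented_key, record_id, at=None):
    """Hardened handler: returns (status, body) like an HTTP endpoint would."""
    tenant = authenticate(store, presented_key, at)
    if tenant is None:
        return 401, None
    rec = records.get(record_id)
    if rec is None or rec["tenant"] != tenant:
        # Same answer for "no such record" and "not your record", so record
        # ids cannot be confirmed through differing responses.
        return 404, None
    return 200, {"fico_score": rec["fico_score"]}


if __name__ == "__main__":
    store = {}
    key = issue_key(store, "bank-a")
    print("vulnerable, no key:", get_score_vulnerable(RECORDS, "rec-2"))
    print("own record:", get_score(store, RECORDS, key, "rec-1"))
    print("other tenant's record:", get_score(store, RECORDS, key, "rec-2"))
    print("bad key:", get_score(store, RECORDS, "not-a-key", "rec-1"))
    print("expired key:", get_score(store, RECORDS, key, "rec-1",
                                    at=now() + timedelta(days=91)))
```

Two design points answer the article's questions directly: the key store holds hashes with an expiry, so obtaining the stored table or an old key does not grant access from another endpoint indefinitely, and the ownership check on every record is what a key alone never gives you, which is the over-privilege and object-level authorization problem described above.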

OWASP, the nonprofit focused on secure application development, has produced a list of the most common API attacks and their mitigations. It is critical that developers and security teams use resources like OWASP to understand how to build strong code and avoid the vulnerabilities that have so often put APIs at the center of security breaches.

API Security Now a Top Priority

The API economy is transforming how businesses operate, enabling them to connect with each other and their customers in new ways. It is the fuel that is turbocharging digital transformation.

By leveraging APIs, companies can innovate faster, scale more effectively and create new revenue streams, making APIs a critical component of modern business strategies. Today, as many as one in every 13 cyber incidents can be attributed to a lack of API security, according to the Marsh McLennan Cyber Risk Analytics Center study. As companies grow their digital portfolios, API security should become a top priority.
