The rise of APIs has been monumental over the last decade, supporting the creation of new digital revenue streams and forming the basis for innovative partnerships. APIs essentially act as a software intermediary that allows systems and applications to communicate with each other in simple, programmatic ways.
Yet, according to a Ping Identity survey conducted in late 2018, the lack of visibility into API deployments is all too common—51% of respondents weren’t confident that their teams even know about all the APIs that exist in the organization, and for good reason. There are many types of APIs that can be used for different purposes, and they’re created and consumed by a broad range of stakeholders throughout an organization.
When companies stand back and consider all the APIs that reside under the layers of systems and applications they support, they realize there is much, much more to manage… and secure.
Considering the power and prevalence of APIs, attacks against this critical layer of the digital economy have grown considerably over the last decade. Last year’s disclosure by Facebook was just one example, in which it revealed that 50 million user accounts were compromised by attackers using Facebook’s developer APIs to obtain profile information.
API attack vectors
There are many types of API attacks used by hackers. The most prevalent are login attacks. Similar to providing login credentials to access a secure website, APIs also have an authentication process. API management systems may reject invalid login attempts, but they usually don’t have adequate mechanisms to stop clients from continuously trying new combinations in an automated fashion, also known as credential stuffing. To remain undetected in these attempts, hackers keep request rates below rate limits and periodically change IP addresses to make detection difficult.
The result is that successful login attempts using these methods often go undetected, as existing API security systems don’t possess the capabilities to protect systems and data once a user is authenticated.
Another type is the distributed denial of service (DDoS) attack, designed to overrun an organization’s cyber defenses through a sheer volume of requests or by crafting inquiries that cause excessive resource consumption.
API DDoS attacks are often executed by multiple clients, and because each client sends normal traffic volumes, these attacks are difficult to detect without analyzing the aggregate traffic rates on each unique API service, another gap which most existing API security solutions are unable to address.
Sophisticated hackers can even detect rate-limiting controls and adapt traffic rates to stay beneath the throttling limits to avoid detection. API management systems use rate limiting to control individual client activity, but they have limited visibility into aggregate traffic rates among multiple clients to stop distributed DDoS attacks.
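The two blind spots described above (per-client rate limits that never trip, and login failures spread across rotating addresses) can both be seen in the aggregate view. The following is an added example, not code from the original article: it builds a constructed access log in which every client stays under an assumed per-client limit of 5 requests/minute, then computes the per-endpoint aggregate rate and the per-account failure spread that a per-client limiter never looks at. The limit and baseline values are assumptions for the demonstration.

```python
from collections import Counter, defaultdict

PER_CLIENT_LIMIT = 5     # requests/minute the gateway enforces per client IP (assumed)
LOGIN_BASELINE = 20      # normal aggregate requests/minute on the login endpoint (assumed)

def build_sample_log():
    """Constructed access records: (minute, client_ip, endpoint, account, http_status)."""
    log = []
    for m in range(3):
        # Normal traffic: four clients, each logs in and reads its profile once a minute.
        for i in range(4):
            log.append((m, f"10.0.0.{i}", "/v1/login", f"user{i}", 200))
            log.append((m, f"10.0.0.{i}", "/v1/profile", f"user{i}", 200))
        # Low-and-slow credential stuffing: 30 rotating IPs, three failed logins each
        # per minute against a shared list of 15 accounts. No single IP ever exceeds
        # the per-client limit, so a per-client rate limiter sees nothing unusual.
        for i in range(30):
            for k in range(3):
                account = f"victim{(i * 3 + k) % 15}"
                log.append((m, f"203.0.113.{i}", "/v1/login", account, 401))
    return log

def _peak_rate(log, key):
    """Highest per-minute request count per key (client IP or endpoint)."""
    per_minute = Counter((rec[0], key(rec)) for rec in log)
    peak = defaultdict(int)
    for (_, k), n in per_minute.items():
        peak[k] = max(peak[k], n)
    return dict(peak)

def clients_over_limit(log, limit=PER_CLIENT_LIMIT):
    """What a per-client rate limiter would flag."""
    return sorted(ip for ip, r in _peak_rate(log, lambda r: r[1]).items() if r > limit)

def endpoints_over_baseline(log, baseline=LOGIN_BASELINE):
    """Aggregate view: endpoints whose total rate across all clients exceeds baseline."""
    return sorted(ep for ep, r in _peak_rate(log, lambda r: r[2]).items() if r > baseline)

def stuffed_accounts(log, min_failures=10, min_ips=3):
    """Accounts with many failed logins spread over several source IPs."""
    failures, sources = Counter(), defaultdict(set)
    for _, ip, endpoint, account, status in log:
        if endpoint == "/v1/login" and status == 401:
            failures[account] += 1
            sources[account].add(ip)
    return sorted(a for a, n in failures.items()
                  if n >= min_failures and len(sources[a]) >= min_ips)
```

On the constructed log, `clients_over_limit` returns nothing while the login endpoint peaks at 94 requests/minute and all 15 targeted accounts are flagged.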
A particularly dangerous type of attack leverages legitimate credentials. These can be stolen through man-in-the-middle and phishing attacks, which trick users into connecting to a compromised system and then capture their token or API key. In certain instances, crooked insiders or compromised partners may provide credentials that allow hackers much deeper access to applications and data made available via APIs. Since attackers with compromised credentials look like valid clients, API management systems have no way to recognize when a compromised user is accessing applications via the APIs.
Getting API security in order
Increasing the security posture of an organization’s APIs can be pursued in several ways, starting with a few pragmatic first steps. Start with an API audit that includes external- and internal-facing APIs, including those in production and those in labs. Lab or pre-production APIs have been the root cause behind a wide range of security breaches, often because they are forgotten by developers after production deployment and security teams are never made aware of their presence. All APIs must be identified before they can be protected and secured in a standard fashion.
Next, it’s time to address the easy-to-remedy attack vectors like weak authentication, session management and security misconfigurations. Penetration testing is also worthwhile, and API developers should be involved in penetration testing efforts so they’ll be aware of potential weak spots and vulnerabilities to address in the future.
Implementing secure authentication and authorization controls to ensure that only legitimate users can gain access to APIs is a requirement for API security. API keys used for authentication should have the same level of protection as usernames and passwords. API keys should not be hard-coded in source code repositories—just as usernames and passwords shouldn’t be.
Best practice suggests that API keys should be rotated periodically; in some cases a service can force clients to regenerate their API keys, in the same way that periodically mandated password resets can defeat compromised user credentials. Other basic security controls include applying SSL/TLS to all communications to protect the integrity of all data exchanged between a client and a server, including important access tokens such as those used in OAuth.
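The key-handling practices above (protect keys like passwords, rotate them, and be able to force regeneration) can be made concrete in a small server-side key store. This is an added example, not code from the original article; the `ApiKeyStore` class and its method names are hypothetical. It stores only SHA-256 digests of keys (sufficient because each key carries 256 bits of random entropy, unlike a user-chosen password), rotates with a short grace window so clients can switch without downtime, and can revoke every key a client holds.

```python
import hashlib
import secrets
import time

def _digest(raw_key):
    """Store only a digest, as with passwords: a leaked key table yields no usable keys."""
    return hashlib.sha256(raw_key.encode()).hexdigest()

class ApiKeyStore:
    """Issues, rotates and validates per-client API keys with expiry (hypothetical helper)."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so expiry can be tested deterministically
        self._keys = {}              # digest -> (client_id, expires_at)

    def issue(self, client_id, ttl_seconds):
        raw = secrets.token_urlsafe(32)   # 256 bits of entropy, never stored in clear
        self._keys[_digest(raw)] = (client_id, self._clock() + ttl_seconds)
        return raw                        # shown to the client exactly once

    def authenticate(self, raw):
        """Return the client_id for a valid, unexpired key, else None."""
        entry = self._keys.get(_digest(raw))
        if entry is None:
            return None
        client_id, expires_at = entry
        return client_id if self._clock() <= expires_at else None

    def rotate(self, client_id, old_raw, ttl_seconds, grace_seconds):
        """Issue a new key and let the old one overlap for a short grace window,
        so clients can switch without downtime while the old key still dies soon."""
        if self.authenticate(old_raw) != client_id:
            raise PermissionError("old key is not a valid key for this client")
        old_digest = _digest(old_raw)
        _, old_expiry = self._keys[old_digest]
        self._keys[old_digest] = (client_id, min(old_expiry, self._clock() + grace_seconds))
        return self.issue(client_id, ttl_seconds)

    def revoke_client(self, client_id):
        """Force a client to regenerate: drop every key it holds (e.g. after a suspected leak)."""
        dropped = [d for d, (c, _) in self._keys.items() if c == client_id]
        for d in dropped:
            del self._keys[d]
        return len(dropped)
```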
After audit, vulnerability assessment and testing, an organization will have a solid understanding of its current level of security and potential gaps.
Taking API security to the next level
Unfortunately, securing keys, tokens and communication channels is not enough as the prevalence of stolen credentials and successful login attacks remains high. Increasingly, organizations are applying advanced cyber security techniques to the API layer such as behavioral analysis for anomaly detection and blocking. These systems work in tandem with API usage policies provided by API gateways to benchmark normal behavior and spot anomalies that could indicate unauthorized access, a cyber-attack against the API or an ongoing breach.
These systems typically use machine learning to automatically sift through large volumes of transactions along with associated metadata such as connecting IP addresses, frequency of calls, volumes of data and types of calls. They offer a way of securing APIs that may have thousands or even millions of requests a day—where human monitoring is unfeasible.
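The behavioral approach described above, as an added example that is not part of the original article: a per-credential baseline is learned from constructed hourly usage records using the metadata the text names (source address, call frequency, data volume, call types), and a new hour of activity is scored against it. Stolen credentials look like a valid client to the gateway, but used from an unfamiliar network to call a never-seen endpoint at unusual volume they deviate on every axis. The thresholds (3 standard deviations, 3x bytes) are assumptions.

```python
import statistics
from collections import defaultdict

def _net(ip):
    """Coarse source-network key (/24) so a client's address churn isn't an anomaly."""
    return ip.rsplit(".", 1)[0]

def build_profile(history):
    """Learn one credential's normal behaviour from hourly records
    (hour, source_ip, endpoint, calls, bytes_out): call-volume mean/stdev,
    bytes-out mean, and the endpoints and networks it has been seen using."""
    calls_by_hour, bytes_by_hour = defaultdict(int), defaultdict(int)
    endpoints, nets = set(), set()
    for hour, ip, endpoint, calls, bytes_out in history:
        calls_by_hour[hour] += calls
        bytes_by_hour[hour] += bytes_out
        endpoints.add(endpoint)
        nets.add(_net(ip))
    vols = list(calls_by_hour.values())
    return {"calls_mean": statistics.mean(vols),
            "calls_sd": statistics.pstdev(vols) or 1.0,
            "bytes_mean": statistics.mean(bytes_by_hour.values()),
            "endpoints": endpoints, "nets": nets}

def score_hour(profile, window, z_limit=3.0, bytes_factor=3.0):
    """Return the reasons one hour of activity deviates from the profile ([] if none)."""
    reasons = []
    calls = sum(r[3] for r in window)
    z = (calls - profile["calls_mean"]) / profile["calls_sd"]
    if z > z_limit:
        reasons.append(f"call volume {calls} is {z:.1f} sd above normal")
    bytes_out = sum(r[4] for r in window)
    if bytes_out > bytes_factor * profile["bytes_mean"]:
        reasons.append(f"bytes out {bytes_out} exceeds {bytes_factor}x normal")
    new_eps = {r[2] for r in window} - profile["endpoints"]
    if new_eps:
        reasons.append("never-seen endpoints: " + ", ".join(sorted(new_eps)))
    new_nets = {_net(r[1]) for r in window} - profile["nets"]
    if new_nets:
        reasons.append("never-seen source networks: " + ", ".join(sorted(new_nets)))
    return reasons

# Constructed data: 24 hours of a batch client that only reads orders and its profile.
HISTORY = [rec for h in range(24) for rec in (
    (h, "10.1.2.5", "/v1/orders", 30 + h % 5, 12000),
    (h, "10.1.2.5", "/v1/profile", 20, 6000))]
NORMAL_HOUR = [(24, "10.1.2.9", "/v1/orders", 33, 12000),
               (24, "10.1.2.9", "/v1/profile", 20, 6000)]
# The same credential used from an unfamiliar network to bulk-export data.
SUSPECT_HOUR = [(25, "198.51.100.7", "/v1/orders", 300, 12000),
                (25, "198.51.100.7", "/v1/export", 100, 5_000_000)]
```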
APIs are constantly changing, as are the applications that rely upon them. This means that security for APIs is a continual and ongoing challenge that cannot be solved once and never revisited. The steps for securing APIs need to be revisited regularly, and particularly when there are major updates to API deployment practices.
As more organizations start to weave a complex web of API dependencies, a failure of security with a single API may well result in a cascading effect of business disruption and potentially breaches of connected systems.