The world is moving towards an API-led architecture. One reason for the growing popularity of REST APIs is that they are user-friendly and easy for developers to understand and code against. As APIs have gained popularity, organizations across industry domains have increasingly sought to upgrade their IT infrastructure, moving away from traditional, tightly coupled legacy integration styles to a microservice-based, API-led architecture. While every organization is racing towards digitization, API security is something that has often been ignored or taken lightly.
Why is API security a hot topic? If you google API security, you will come across tons of pages and white papers, with global research and advisory firms publishing reports and predictions on the future of APIs and their security. This is because everyone wants to know whether it is really a wise decision to move towards REST-based APIs, widely popular for their human-readable JSON data interchange format, while more and more businesses transform their entire operations through these convenient APIs.
– – –
Why is API security a big deal?
APIs are everywhere and are transforming business: our reliance on APIs for integrating systems and applications and for exchanging data across organizations keeps increasing, be it in government, banking, defence, healthcare or any other domain, and through a growing variety of devices, especially now with the rise of IoT devices, which are heavily API compatible. According to Akamai’s Tony Lauro, traffic classified as API calls currently accounts for 83% of all hits, while HTML traffic has fallen to just 17%. Among all sectors, media organizations are the largest users of APIs by a significant margin.
Further evidence is the number of APIs added every year on ProgrammableWeb, a subsidiary of MuleSoft, which publishes a repository of web APIs, mashups and applications.
Many independent research organizations and analysts predict that the new focus of cyber attacks will be API based. One such study by Gartner says that in the next couple of years, APIs will account for 90% of the attack surface and API abuses will become the most frequent attack vector. The largest risks are associated with financial organizations, most of which still run legacy systems and rely heavily on mainframes, and which are now drifting towards APIs to revamp decades-old IT infrastructure. With the shift towards PSD2 and Open Banking, financial institutions expose publicly available APIs that handle users’ banking information.
News about API-related breaches isn’t new, and even the best of the best have been victims of API-based attacks, naturally, given the widespread proliferation of APIs. For instance, in 2018 social media giant Facebook reported a security breach that exposed nearly 50 million accounts. This was supposedly an access-token-harvesting attack in which attackers tried to “query APIs” and specifically targeted the “profile retrieval API”, said Zuckerberg. This would have cost the company millions of dollars in investigation and redesign, on top of having to immediately reset the access tokens of over 90 million users!
Other companies that have suffered similar breaches include McDonald’s, Twitter, Panera Bread, T-Mobile, Instagram, Salesforce, Snapchat and the US Internal Revenue Service, and the biggest name of all is Capital One, which was hacked, leaking the information of over 100 million individuals.
– – –
How to deal with these?
There is no denying that internet traffic patterns have shifted, and the data being exchanged is in most cases in XML or JSON format. This has had ramifications for overall security strategies. Attempts have been made to extend traditional measures, which focused on protecting servers and systems by observing traffic, to API traffic as well, but they haven’t been enough: they have proven less robust, specifically because of newer architectural designs and environmental limitations.
According to Gartner, “A security strategy that manages access and protects systems from attack while still engaging digital ecosystems is essential to any API program. Application leaders must design, execute and govern an effective API security strategy, including the use of API gateways.” Clearly, new approaches to securing an API-led architecture must be devised. The sooner vulnerabilities are identified and addressed, the lower the risk of an attack and the smaller its impact should one ever occur. Security must extend beyond access to APIs: the data itself being handled through the APIs must be secured.
Therefore, one of the first things an organization’s IT security department must do is educate itself on the possible types of attacks, learn from the security breaches that have occurred and anticipate the types of attacks to come.
On a high-level, the top REST API security threats are:
- Injection Attacks – Malicious code, usually a query or a script, is embedded in an unsecured software program to stage an attack, most notably SQL injection and cross-site scripting. Code injection techniques are popular in system hacking or cracking to gain information, escalate privileges or obtain unauthorized access to a system. Injection can result in data loss or corruption, lack of accountability, or denial of access, and can sometimes lead to complete host takeover.
- Man-in-the-Middle Attack (MITM) – An unauthorized third party secretly relays and possibly alters the communications between two parties who believe they are communicating directly with each other; for example, gaining control of a payment API would allow an attacker to redirect payments to their own accounts.
- CSRF Attack – Cross-Site Request Forgery (CSRF) forces logged-in users to silently open URLs that perform actions they did not intend, for example changing the email address on their account, changing their password, or making a payment, by passing the action itself in the URL.
- Broken Access Control – An attacker bypasses or takes control of authentication in web applications by compromising web tokens, API keys, passwords, account recovery options, password reset methods, account permissions, session management, etc.
- Distributed Denial of Service – The most common type of attack, in which a malicious attempt is made to disrupt normal traffic by flooding a target system with requests, exhausting its resources and leading to a breakdown of the APIs.
- Web Parameter Tampering – Based on manipulating the parameters exchanged between client and server in order to modify application data, such as user credentials and permissions, or the price and quantity of products.
- Sensitive Data Exposure – When sensitive data isn’t encrypted in transit or at rest, it can be abused, leading to an attack. The information may be private health information, credit card data, user details such as emails or phone numbers, session tokens, passwords, etc.
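To make the Web Parameter Tampering and Broken Access Control items above concrete, here is an added example (not code from the original post): a checkout handler that trusts client-supplied parameters, beside a hardened version that takes the user from the authenticated session and the price from a server-side catalog. The catalog, session table, field names and limits are constructed assumptions.

```python
# Added example, not from the original post: checkout_vulnerable trusts the
# request body; checkout_hardened derives identity and price server-side.
# CATALOG and SESSIONS are constructed in-memory stand-ins for real stores.
from dataclasses import dataclass

CATALOG = {"sku-100": 2500, "sku-200": 999}          # constructed prices, in cents
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}  # constructed token -> user
MAX_QTY = 20


@dataclass
class Order:
    user: str
    sku: str
    qty: int
    total_cents: int


def checkout_vulnerable(body: dict) -> Order:
    # Uses user, quantity and price exactly as the client sent them: a tampered
    # price of 1 cent or someone else's user id is accepted verbatim.
    return Order(body["user"], body["sku"], body["qty"], body["qty"] * body["price"])


def checkout_hardened(session_token: str, body: dict) -> Order:
    # Identity comes from the authenticated session, never from the body.
    user = SESSIONS.get(session_token)
    if user is None:
        raise PermissionError("unauthenticated")
    # Price comes from the server-side catalog; any client "price" field is ignored.
    sku = body.get("sku")
    if not isinstance(sku, str) or sku not in CATALOG:
        raise ValueError("unknown sku")
    # Quantity must be a bounded positive integer (bool is excluded because it
    # is an int subclass in Python).
    qty = body.get("qty")
    if isinstance(qty, bool) or not isinstance(qty, int) or not 1 <= qty <= MAX_QTY:
        raise ValueError("invalid quantity")
    return Order(user, sku, qty, qty * CATALOG[sku])
```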
– – –
Current practice in industry
The big picture is not just about securing IT infrastructure, placing firewalls and securing the data center, as if that alone would mitigate the risks associated with APIs; it extends beyond regular infrastructure security. Design-level security needs to be looked at thoroughly, with developers taking more responsibility for the API. Multiple layers of security are required to back an API that is exposed to the internet, and the best security is preventive security.
Some of the considerations made when working towards a secure API infrastructure:
- Always use HTTPS and SSL certificates
- Firewall optimizations
- Authentication and authorization of public clients
- IP whitelisting
- Rate limiting
- Access logs monitoring
- Server security logs
- Analyzing access and security logs in paper trail
A variety of integration tools on the market today provide numerous measures for securing integrations. MuleSoft, a leader in API middleware, provides an all-in-one platform to help mitigate these risks.
The diagram below shows how an API Gateway works as an additional layer that enforces security policies and protects backend APIs that have access to the organization’s systems.
Some of the built-in policies that can be easily configured through MuleSoft’s API Manager are:
- Basic Authentication – LDAP – Authenticates the LDAP credentials.
- Basic Authentication – Simple – Authenticates a single user password.
- Client ID Enforcement – Allows access to client applications with valid client credentials.
- CORS – Enables calls executed in a web page to interact with resources from different domains.
- Detokenization – Transforms a tokenized value back to the original data.
- Header Injection – Adds headers to the request or response message of a policy.
- Header Removal – Removes headers from the request or response message of a policy.
- HTTP Caching – Stores HTTP responses from an API implementation.
- IP Blacklist – Blocks a range of IP addresses.
- IP Whitelist – Allows access from only a preapproved range of IP addresses.
- JSON Threat Protection – Protects against a malicious JSON structure in API requests.
- JWT – Validates a JWT token.
- Message Logging – Logs a custom message when an API is invoked.
- OAuth 2.0 Access Token Enforcement Using Mule OAuth Provider Policy – Enforces token access using the MuleSoft OAuth Provider policy.
- OpenAM Access Token Enforcement – Restricts access to a protected resource using an OpenAM authentication server.
- PingFederate Access Token Enforcement – Restricts access to a protected resource using the PingFederate authentication server.
- Rate Limiting – Enables imposing a limit on the number of requests that an API can accept within a specified time.
- Rate Limiting, SLA-Based – Enables imposing an API request limit based on SLA tiers.
- Spike Control – Controls API traffic.
- Tokenization – Transforms sensitive data into non-sensitive equivalent tokens.
- XML Threat Protection – Protects against malicious XML elements in API requests.
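The considerations list (IP whitelisting, rate limiting) and the policy list just above (IP Whitelist, Rate Limiting, JSON Threat Protection) describe controls a gateway applies before a request reaches the backend. The following added example, which is not MuleSoft’s code and not from the original post, shows a minimal policy chain of that kind in plain Python; the allowed network, the limits and the client ids are constructed assumptions.

```python
# Added example, not MuleSoft's code: a gateway-style policy chain applying an
# IP allowlist, a per-client sliding-window rate limit and JSON threat
# protection. Network, limits and client ids are constructed values.
import ipaddress
import json
import time
from collections import defaultdict, deque

ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # constructed allowlist
RATE_LIMIT, WINDOW_SECS = 5, 60                        # 5 requests per minute
MAX_DEPTH, MAX_ITEMS, MAX_STRING = 4, 50, 1024         # JSON structure limits
_hits = defaultdict(deque)                             # per-client timestamps

def ip_allowed(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ALLOWED_NETS)

def within_rate_limit(client_id: str, now: float) -> bool:
    # Sliding window: discard timestamps older than the window, then count.
    q = _hits[client_id]
    while q and now - q[0] >= WINDOW_SECS:
        q.popleft()
    if len(q) >= RATE_LIMIT:
        return False
    q.append(now)
    return True

def json_structure_ok(value, depth: int = 0) -> bool:
    # Rejects nesting, container sizes and string lengths beyond the limits so a
    # crafted document cannot exhaust parser memory or recursion in the backend.
    if depth > MAX_DEPTH:
        return False
    if isinstance(value, dict):
        return len(value) <= MAX_ITEMS and all(
            len(k) <= MAX_STRING and json_structure_ok(v, depth + 1) for k, v in value.items())
    if isinstance(value, list):
        return len(value) <= MAX_ITEMS and all(json_structure_ok(v, depth + 1) for v in value)
    return not isinstance(value, str) or len(value) <= MAX_STRING

def gateway(client_ip: str, client_id: str, body: str, now=None):
    """Returns (http_status, reason); 200 means the request may proceed."""
    now = time.time() if now is None else now
    if not ip_allowed(client_ip):
        return 403, "ip not allowlisted"
    if not within_rate_limit(client_id, now):
        return 429, "rate limit exceeded"
    try:
        doc = json.loads(body)
    except (ValueError, RecursionError):   # RecursionError: absurdly deep input
        return 400, "malformed json"
    return (200, "ok") if json_structure_ok(doc) else (400, "json threat protection")
```

The `now` parameter exists so the rate-limit window can be driven deterministically; a real gateway would use the clock and keep the per-client state in a shared store.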
– – –
Have your own APIs attacked!
What would be the best way to know that your APIs are truly secure? Of course, you have had them tested internally by your own testing team, but isn’t that what every organization that had a breach would have done too? SmartBear’s 2019 State of APIs report found that approximately 50% of organizations of all sizes don’t have a standardized API testing methodology.
One of the most effective ways to know that your APIs are secure is to have a system in place for regular penetration tests by experts, which can uncover potential loopholes. The areas in which APIs must be tested include:
- Architecture
- Authentication
- Authorization
- Certificates
- Credentials
- Cryptography
- Data
- Emails
- Files
- Logs
- Mobile
- Networks
- Physical
- Privacy
- Services
- Session
- Social
- Source
- System
- Virtualization
– – –
API security must go hand in hand with API implementation. Developers are simply not technologists divorced from the business. With the speed at which IT trends change, while most of the world is still catching up and moving towards an API-based microservice architecture, there is no doubt that APIs will be the most abused component and thus the most vulnerable to cyber-attacks. That said, there is no way to avoid an API-led architecture given the numerous advantages it brings in terms of effort and cost savings, time to market, reusability and the flexibility to replace backend systems without impacting the existing implementation. Therefore, considering the changing trends, security must be rethought with the adoption of newer architectural designs, with the allocation of resources, and by implementing practices that continuously challenge in-place security through ethical testing that uncovers areas for improvement.
Incepta enables businesses to secure their systems by detecting vulnerabilities in applications using comprehensive and robust testing methods, with vulnerability detection at various stages of the development life cycle.
Are you looking to put in place practices that continuously challenge in-place security through ethical testing that uncovers areas for improvement? Connect with Incepta for ways to transform your business.
Visit our website: www.inceptasolutions.com.com or email us at email@example.com
– – –
Incepta’s 4-Level API Service Offering
API and Integration Consulting and Strategy
Incepta can help develop a roadmap and plan by studying current organizational processes and identifying areas of opportunity where API integration can drive efficiency and productivity.
Integration Solution Architecture
Incepta’s team of experienced integration architects will help develop a comprehensive and scalable architecture that meets organizational business needs while remaining cost-effective, leveraging the power of MuleSoft, the leading integration platform for APIs. Incepta is proud to be a preferred MuleSoft partner.
Comprehensive Integration Services
Incepta builds Integration and API Management solutions in a manner that accelerates time-to-value and ROI. Incepta helps connect key systems, eliminate silos, and enable access to the right information both inside and outside the organization, enabling new and legacy systems to connect and coexist.
API Development Services
Incepta’s team of experienced developers and architects can help build and optimize business processes and data flows. In addition, Incepta can help develop new APIs and user interfaces, conduct testing, and ensure best practices are followed at every step.