In this article, learn what API security is, why it matters, what the common threats are, and how Incepta can help you design and implement secure API solutions:
The world is moving towards an API-led architecture. One of the primary reasons for the rising popularity of REST APIs is that they are straightforward for developers to understand and build against.
Ever since APIs gained popularity, there has been increasing pressure on organizations across industries to upgrade their IT infrastructure and move away from traditional, tightly coupled legacy integration styles towards microservice-based, API-led architecture. While every organization is racing towards digitization, API security has often been ignored or taken lightly.
Why is API security a hot topic? If you search for API security, you will find countless pages and white papers, with global research and advisory firms publishing reports and predictions on the future of APIs and their security. Let us dive deeper into why API security matters as more and more businesses transform their operations through APIs.
Why is API security a big deal?
APIs are transforming businesses everywhere – our reliance on APIs for integrating systems and applications and for exchanging data across organizations keeps growing. Be it government, banking, defense, healthcare, or any other domain, API usage is rising exponentially, especially now with the rise of IoT devices that depend heavily on APIs.
According to Akamai’s Tony Lauro, traffic classified as API calls currently accounts for 83% of all hits, while HTML traffic has fallen to just 17%. Among all industries, media organizations are the largest users of APIs by a significant margin.
Another piece of evidence is the number of APIs added every year to ProgrammableWeb, a subsidiary of MuleSoft that publishes a repository of web APIs, mashups, and applications.
Many independent research organizations and analysts predict that APIs will be the new focus of cyber attacks. One such study by Gartner says that within the next couple of years, APIs will account for 90% of the attack surface and API abuses will become the most frequent attack vector. The largest risks sit with financial organizations: most are still on legacy systems and rely heavily on mainframes, yet are moving towards APIs to revamp their IT infrastructure. With the shift towards Real-Time Payments and Open Banking, financial institutions expose public APIs with users’ banking information at stake.
News about API-related breaches isn’t new, and even the best-resourced companies have been victims of API-based attacks, an unsurprising consequence of widespread API proliferation. For instance, social media giant Facebook reported a security breach in 2018 that exposed nearly 50 million accounts. This was reportedly an access-token-harvesting attack in which attackers tried to “query APIs” and specifically targeted the “profile retrieval API”, said Zuckerberg. It cost the company millions of dollars in investigation and redesign, and forced it to immediately reset the access tokens of over 90 million users.
Other companies that have suffered similar breaches include McDonald’s, Twitter, Panera Bread, T-Mobile, Instagram, Salesforce, Snapchat and the US Internal Revenue Service, and the biggest name of all is Capital One, which was hacked and had information on over 100 million individuals leaked.
How to deal with API Threats?
There is no denying that internet traffic patterns have shifted, and the data being exchanged is in most cases in XML or JSON format. This has had ramifications for overall security strategies. Traditional measures, which focused on protecting servers and systems by observing traffic, have been extended to API traffic as well, but they haven’t been enough: they have proven less robust because of newer architectural designs and environmental limitations.
According to Gartner, “A security strategy that manages access and protects systems from attack while still engaging digital ecosystems is essential to any API program. Application leaders must design, execute and govern an effective API security strategy, including the use of API gateways.”
Obviously, newer ways of securing API-led architecture must be devised. The sooner vulnerabilities are identified and addressed, the lower the risk of an attack and the smaller its impact should one ever occur. Security must extend beyond access to the APIs – the data itself that is handled through the APIs must be secured.
Therefore, one of the first things an organization’s IT security department must do is to educate itself on the possible types of attacks, learn from the security breaches that have occurred, and speculate on the types of future attacks.
On a high level, the top REST API security threats are:
- Injection Attacks – Malicious code, usually a query or a script, is passed into an unsecured program as input to stage an attack; SQL injection and cross-site scripting are the most notable examples. Code injection techniques are popular for extracting information, escalating privileges, or gaining unauthorized access to a system. Injection can result in data loss or corruption, lack of accountability, or denial of access, and can sometimes lead to a complete host takeover.
- Man-In-The-Middle Attack (MITM) – An unauthorized third party secretly relays and possibly alters the communications between two parties who believe they are communicating directly with each other, e.g. gaining control of a payment API would allow an attacker to redirect payments to their own accounts.
- CSRF Attack – Cross-Site Request Forgery (CSRF) tricks logged-in users’ browsers into silently sending requests that perform actions the user never intended, e.g. changing the email address on their account, changing their password, or making a payment, with the action itself carried in the URL.
- Broken Access Control – An attacker bypasses or subverts authentication and authorization in web applications by compromising web tokens, API keys, passwords, account recovery options, password reset methods, account permissions, session management, etc.
- Distributed Denial of Service (DDoS) – The most common type of attack, in which a malicious attempt is made to disrupt regular traffic by flooding a target system with requests, exhausting its resources and leading to the breakdown of APIs.
- Web Parameter Tampering – Manipulating the parameters exchanged between client and server in order to modify application data, such as user credentials and permissions, or the price and quantity of products.
- Sensitive Data Exposure – When sensitive data isn’t encrypted in transit or at rest, it can be abused and lead to an attack. Such information includes private health information, credit card details, user details like emails or phone numbers, session tokens, passwords, etc.
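To make the Web Parameter Tampering and Broken Access Control entries above concrete, here is an added Python example (not from the article) showing a vulnerable order handler beside a hardened one; the catalog, sessions, tokens and order ids are all constructed for illustration.

```python
# Added example (not from the article): a tiny order API showing Web Parameter
# Tampering and Broken Access Control next to hardened handlers.
# All prices, tokens, users and order ids below are constructed sample data.
from dataclasses import dataclass
from typing import Optional

CATALOG = {"sku-1": 25.00, "sku-2": 40.00}          # server-side prices
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}   # session token -> user
ORDERS = {101: {"owner": "alice", "total": 25.00}}    # order id -> record

@dataclass
class Request:
    token: Optional[str]   # bearer/session token presented by the client
    body: dict             # parsed JSON body

def create_order_vulnerable(req: Request) -> dict:
    # Trusts the client-supplied user and price: a tampered body can set
    # price=0.01 or charge the order to someone else's account.
    total = req.body["price"] * req.body["qty"]
    return {"owner": req.body["user"], "total": round(total, 2)}

def create_order_hardened(req: Request) -> dict:
    user = SESSIONS.get(req.token or "")
    if user is None:
        return {"error": 401}               # identity comes from the session only
    sku, qty = req.body.get("sku"), req.body.get("qty")
    # Price is looked up server-side, never read from the request; qty is bounded.
    if sku not in CATALOG or not isinstance(qty, int) or not 1 <= qty <= 100:
        return {"error": 400}
    return {"owner": user, "total": round(CATALOG[sku] * qty, 2)}

def get_order_vulnerable(req: Request, order_id: int) -> dict:
    # No object-level check: any authenticated (or anonymous) caller who
    # supplies another user's order id gets that record back.
    return ORDERS.get(order_id, {"error": 404})

def get_order_hardened(req: Request, order_id: int) -> dict:
    user = SESSIONS.get(req.token or "")
    if user is None:
        return {"error": 401}
    order = ORDERS.get(order_id)
    # Object-level authorization: the caller must own the record. Returning 404
    # rather than 403 avoids confirming that the id exists.
    if order is None or order["owner"] != user:
        return {"error": 404}
    return order
```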
Current Practice in the Industry
The big picture is not just about securing IT infrastructure, placing firewalls, and securing data centers; those alone will not mitigate the risks associated with APIs, so security must extend beyond regular infrastructure security. Design-level security needs to be looked at thoroughly, with developers taking more responsibility for the API. Multiple layers of security are required to back an API exposed to the internet – the best security is preventive security.
Some of the considerations when building a secure API infrastructure:
- Always use HTTPS with valid TLS (SSL) certificates
- Firewall optimizations
- Authentication and authorization of public clients
- IP whitelisting
- Rate limiting
- Access logs monitoring
- Server security logs
- Analyzing access and security logs as an audit trail
A variety of integration tools available in the market today provide measures for securing integrations. MuleSoft being a leader in API middleware platforms provides an all-in-one platform to help mitigate these risks.
The diagram below shows how an API gateway works as an additional layer that enforces security policies and protects the backend APIs that have access to the organization’s systems.
Some of the built-in policies that can be easily configured through MuleSoft’s API manager are:
- Basic Authentication – LDAP – Authenticates the LDAP credentials.
- Basic Authentication – Simple – Authenticates a single user password.
- Client ID Enforcement – Allows access to client applications with valid client credentials.
- CORS – Enables calls executed on a web page to interact with resources from different domains.
- Detokenization – Transforms a tokenized value back to the original data.
- Header Injection – Adds headers to the request or response message of a policy.
- Header Removal – Removes headers from the request or response message of a policy.
- HTTP Caching – Stores HTTP responses from an API implementation.
- IP Blacklist – Blocks a range of IP addresses.
- IP Whitelist – Allows access from only a preapproved range of IP addresses.
- JSON Threat Protection – Protects against a malicious JSON structure in API requests.
- JWT – Validates a JWT token.
- Message Logging – Logs a custom message when an API is invoked.
- OAuth 2.0 Access Token Enforcement Using Mule OAuth Provider Policy – Enforces token access using the MuleSoft OAuth Provider policy.
- OpenAM Access Token Enforcement – Restricts access to a protected resource using an Open AM authentication server.
- PingFederate Access Token Enforcement – Restricts access to a protected resource using the PingFederate authentication server.
- Rate Limiting – Enables imposing a limit on the number of requests that an API can accept within a specified time.
- Rate Limiting, SLA-Based – Enables imposing an API request limit based on SLA tiers.
- Spike Control – Controls API traffic.
- Tokenization – Transforms sensitive data into non-sensitive equivalent tokens.
- XML Threat Protection – Protects against malicious XML elements in API requests.
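As an added example (not MuleSoft’s policy code), the validator below implements the kind of structural limits a JSON Threat Protection policy enforces in front of an API before the payload reaches business logic; the limit values and the function itself are constructed for illustration.

```python
# Added example (not MuleSoft's code): a JSON threat-protection check of the
# kind a gateway policy applies, written as a standalone validator.
# The limits are constructed values; a real policy takes them from configuration.
import json
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class JsonLimits:
    max_depth: int = 8          # nesting of objects/arrays (top level = 1)
    max_entries: int = 50       # keys per object
    max_array_len: int = 100    # elements per array
    max_string_len: int = 1024  # characters in any string value
    max_key_len: int = 64       # characters in any object key

def check_json(raw: str, limits: JsonLimits = JsonLimits(),
               max_bytes: int = 65536) -> Tuple[bool, str]:
    """Return (ok, reason); rejects the body before business logic sees it."""
    if len(raw.encode("utf-8")) > max_bytes:
        return False, "body too large"
    try:
        doc = json.loads(raw)
    except (ValueError, RecursionError):  # malformed, or too deep to parse
        return False, "malformed or too deeply nested"

    def walk(node, depth: int) -> Optional[str]:
        if isinstance(node, (dict, list)) and depth > limits.max_depth:
            return "container depth exceeded"
        if isinstance(node, dict):
            if len(node) > limits.max_entries:
                return "object entry count exceeded"
            for key, value in node.items():
                if len(key) > limits.max_key_len:
                    return "object entry name too long"
                if (err := walk(value, depth + 1)) is not None:
                    return err
        elif isinstance(node, list):
            if len(node) > limits.max_array_len:
                return "array element count exceeded"
            for value in node:
                if (err := walk(value, depth + 1)) is not None:
                    return err
        elif isinstance(node, str) and len(node) > limits.max_string_len:
            return "string value too long"
        return None

    err = walk(doc, 1)
    return (err is None, err or "ok")
```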
API Security Testing – Have your own APIs attacked!
What would be the best way to know that your APIs are truly protected? Of course, you have had them tested internally by your own testing team, but isn’t that what every organization that had breaches would have done? SmartBear’s 2019 State of APIs report found that approximately 50% of organizations of all sizes don’t have a standardized API testing methodology.
One of the most effective ways to know that APIs are secure is to have a system in place for regular penetration tests by experts, which can uncover potential loopholes. Some of the areas where APIs must be tested are:
- Architecture
- Authentication
- Authorization
- Certificates
- Credentials
- Cryptography
- Data
- Emails
- Files
- Logs
- Mobile
- Networks
- Physical
- Privacy
- Services
- Session
- Social
- Source
- System
- Virtualization
API security must go hand in hand with API implementation. Developers are not simply technologists divorced from the business. With the speed at which IT trends change, while most of the world is still catching up and moving towards an API-based microservice architecture, there is no doubt that APIs will be the most abused component and thus the most vulnerable to cyber-attacks.
That said, there is no way to avoid an API-led architecture given the numerous advantages it brings in terms of effort and cost savings, time to market, reusability, and the flexibility to replace backend systems without impacting the existing implementation. Therefore, considering these changing trends, security must be rethought alongside the adoption of newer architectural designs, with an allocation of resources, and by implementing practices that continuously challenge in-place security through ethical testing that uncovers areas for improvement.
Incepta enables businesses to secure their systems by detecting vulnerabilities in applications using comprehensive and robust testing methods with vulnerability detection at various stages of the development life cycle.
Are you looking to put in place best practices that continuously challenge in-place security through ethical testing uncovering areas for improvements? Connect with Incepta for a complete security audit of your APIs.
Incepta’s 4-Level API Service Offering
API and Integration Consulting and Strategy
Incepta can help develop a roadmap and plan by studying current organization processes and identifying areas of opportunity where API integration can drive efficiency and productivity.
Integration Solution Architecture
Incepta’s team of experienced Integration architects will help develop a comprehensive and scalable architecture that meets organizational business needs while remaining cost-effective, leveraging the power of MuleSoft – the leading Integration Platform for APIs. Incepta is proud to be a preferred partner to MuleSoft.
Comprehensive Integration Services
Incepta builds Integration and API Management solutions in a manner that accelerates time-to-value and ROI. Incepta helps connect key systems, eliminate silos, and enable access to the right information both inside and outside the organization, enabling new and legacy systems to connect and coexist.
API Development Services
Incepta’s team of experienced developers and architects can help build and optimize business processes and data flows. In addition, Incepta can help develop new APIs and user interfaces, conduct testing, and ensure best practices are followed at every step.