Application programming interfaces (APIs) are an essential enabler of innovation in today’s digitally driven world. Applications (or application components) can leverage APIs to connect to other apps and communicate autonomously. APIs are found in use by customer-facing, partner-facing and internal applications in support of mobile, SaaS and web applications.
A way of visualizing this change is to view web applications less as bedspreads and more as quilts, with APIs the stitching that holds the patchwork quilt blocks together. To complicate the matter, since typically several people work on a quilt together, they may use different types of thread and each of the patches is by nature, a different texture, has a different level of porosity and strength, and may even come from a different era. This is vitally important in that the quilts we’ve now created have an attack surface for our applications of epic proportions.
How Modern Applications Are Different
Though APIs are not new, over the last few years the architecture of applications has changed significantly. In traditional web applications, data processing is done on the server side and the resulting web page is then sent to client browsers for rendering. As client devices have become more varied and powerful, modern API-based applications use APIs to send and receive the data from the backend servers to provide the functions of the application.
You may remember in the early days of mobile technology when you went to your banking app or your favorite travel site on you smart device it would simply open a web browser—the same as if you were accessing the standard web page from your desktop computer. For mobile devices, this experience was less than stellar. As a result, financial, travel and retail organizations began building API-laden mobile applications that would in real-time check balances, transfers, seating availability and product availability without the use of a browser. This has far-reaching implications as more and more functionality moves from the sturdy backend processing world into a highly agile and changing mobile world and that continues to grow at astronomical rates.
So as you can see, APIs play a very important role in serverless architectures, containers, microservices, single-page applications (SPAs), mobile apps, IoT and more.
By design, client-side developers need fine-grained access to services and data. Like basic web requests, API calls incorporate URLs, methods, headers and other parameters. Detailed documentation is usually available for APIs to provide transparency to developers, but it also provides the blueprint for hackers to utilize for their attacks. APIs define a backdoor into adjacent systems and apps for those who are intent on gaining access, both legitimately and otherwise. APIs expose application logic and data, therefore providing access to multiple sources of potentially sensitive data and mission-critical services. In turn, they widen the attack surface exponentially.
As documented in Micro Focus’ “2019 Application Security Risk Report,” analysis of more than 11,000 web applications showed that API abuse issues have roughly doubled over the past several years. As APIs are increasingly important and hidden from view, they tend to represent a bigger business risk than other assets.
While most typical web attacks, such as injection, credential brute force, parameter tampering and session snooping work well in attacks against APIs, there are sufficient differences that warranted OWASP to launch a project focused on API security. The Open Web Application Security Project (OWASP) is a non-profit, collaborative online community focused on enhancing web application security. Similar to the OWASP Top 10 Most Critical Web Application Security Risks, OWASP released the API Security Top 10 in 2019. This list rounds up the most critical API risks while also providing example attack scenarios and recommendations for mitigating these threats, including:
- API1:2019 Broken Object Level Authorization
- API2:2019 Broken User Authentication
- API3:2019 Excessive Data Exposure
- API4:2019 Lack of Resources & Rate Limiting
- API5:2019 Broken Function Level Authorization
- API6:2019 Mass Assignment
- API7:2019 Security Misconfiguration
- API8:2019 Injection
- API9:2019 Improper Assets Management
- API10:2019 Insufficient Logging & Monitoring
While not all-encompassing, the OWASP API Security Top 10 helps cybersecurity professionals and developers alike gain a better understanding of potential risks presented through API implementations as threat actors set their sights on this emerging target. It also provides advice on how best to remediate these key vulnerabilities.
Most organizations have limited or no awareness as to which APIs are exposed by their applications, much less applied controls to secure them. Unlike web applications that you can “crawl,” APIs have nothing to crawl and can be difficult to discover. Without some way of programmatically acquiring this information, API discovery is difficult to automate. Given the increased importance of APIs, it’s vital to have better visibility into what APIs exist, who owns them and which port they are listening to.
For example, in the financial world, it is extremely common when processing loan applications to reach out through APIs to other organizations such as credit bureaus to help with the loan decision and execution process. Many times technologies also contain code developed for mainframes and the intellectual capital is long gone. What information is flowing through? Is it sensitive in nature? What is the implication if it is stolen?
Some organizations are starting to proactively layer in controls and leverage API tools to gain visibility and control. API Gateways can create, manage, secure and measure the APIs in use. Other tools can provide a full picture of an API and all its interactions.
API Attack Surface
There are many ways for threat actors to target a modern application. APIs are just a small stitch in the overall attack surface—don’t let them become a blind spot. As they are windows into applications, an API can easily be misused. Research by Micro Focus showed that in 2018, 35% of analyzed web applications had API abuse issues. That abuse increased to 52% for mobile applications. Understanding API vulnerabilities and weaknesses provides a better fuller picture of attack vectors that could be used to breach an application and begins to complete the visual representation of this digital quilt.
API collaboration tools can be used to provide input into vulnerability scanners for fuller analysis of exposed APIs. In fact, by working together with these API tools, vulnerability scanning of APIs can be better achieved and much easier than a scan of a traditional web application.
Another consideration is how to cope with authenticated APIs, which can get quite complex for modern applications. Target scanners that also cope with complicated authentication and custom parameter requirements. Otherwise, coverage of the APIs will be limited.
Once you understand your API attack surface, you can mitigate risks by using signatures, encryption, quotas, throttling, tokens and API gateways to ensure that the stitching of our expanding digital quilt is not going to unravel. Gain visibility into these potential attack vectors to mitigate these risks before a breach occurs.