Salt Security, a provider of a platform for securing application programming interfaces (APIs), today published a report that reveals the existence of vulnerabilities in APIs in an unidentified platform employed widely in the financial services industry that could be easily compromised.
Company researchers identified inadequate authorization for data access, inadequate authorization for function access, susceptibility to parameter tampering and improper input filtering across the financial platform used by thousands of customers and financial partners.
Researchers exploited these vulnerabilities to demonstrate that any user could read any financial records of any customer without authorization, could delete any user account, tamper with authentication parameters to take over any account or launch an application-level denial of service attack that would render entire applications unavailable.
Salt Security CEO Roey Eliyahu said the company is also launching today Salt Labs, a public forum for publishing research on API vulnerabilities that are generally more widespread than most organizations appreciate. A recent survey conducted by the company finds two-thirds (66%) of respondents have delayed an application deployment because of API security concerns.
All too often, APIs are created almost as an afterthought during the application development process. They are deployed but not often carefully screened for vulnerabilities. It’s not uncommon for APIs to be superseded by other APIs without that original API actually being turned off. The security of those APIs has become a cause for concern as attacks against software supply chains increase. Cybercriminals have become more adept at discovering and exfiltrating data through API vulnerabilities.
In theory, the adoption of DevSecOps best practices should lead to the development of more secure APIs. The challenge is it takes time for developers to acquire the tools and expertise needed to secure APIs. Given a spate of recent high-profile breaches, however, many organizations have determined they can’t wait for developers to master all the nuances of cybersecurity. In many cases, there are already hundreds or even thousands of APIs deployed in production environments that are misconfigured or have some other unknown vulnerability.
More challenging still, developers are now building and deploying microservices-based applications that rely on APIs to interconnect the various modules of the application. That approach makes it easier and faster to build and update applications, but it also results in an exponential increase in the total number of APIs being deployed in a production environment. Many of those APIs are now embedded in digital business transformation processes that are among the most crucial for any organization to protect. Unfortunately, most cybersecurity teams today are not even able to accurately assess the number of APIs strewn across a highly distributed computing environment.
API security is, of course, only one aspect of securing a software supply chain. However, it’s also a crucial element that can be easily overlooked. While it’s relatively easy to determine who in an organization is responsible for an application, the API employed by that application may be the responsibility of an entirely different app dev team. On the plus side, securing APIs represents a great starting point for securing a software supply chain if for no other reason than cybercriminals have shown how easily they can be exploited.