From Zombies to Bots: 3 API Security Villains to Avoid  

Who’s responsible for the security of your development and production environments?

Oftentimes, it’s not the security team alone, but the developers themselves. This trend is unlikely to change in the coming years as cloud-native architecture becomes the primary development methodology, making it harder for security teams to keep up with the scale and pace of DevOps.

APIs, the connective tissue that ties modern applications and services together, are increasingly vulnerable and under attack by cybercriminals. By 2024, it’s predicted that API abuses and related data breaches will nearly double in volume.

While APIs will play a vital role in the future of cloud-native architecture, the potential risk they pose today and in the future is significant. In fact, the number of new API vulnerabilities grew in 2020, with sensitive data exposure ranking as the most common vulnerability.

Developers should pay close attention to three malicious breeds of API security risks in particular:

1. Shadow APIs

How many APIs does your organization have? Research by Aite Group indicates that most organizations don’t know. For those that have an API inventory, the average number was 620 per organization.

Now, how many APIs don’t you know about? The issue of shadow APIs is not new, but it will become a greater source of risk in the coming years.

In fast-paced DevOps environments, the creation of shadow APIs can happen easily. When an API is published without security reviews or controls, it becomes invisible to the security team and the API gateway. Other times, it’s the result of an API published outside of a defined process, or of the API structure changing when an application is updated. In some cases, the developer may not be fully aware of a publication process and assume they have the autonomy to publish the API into production.

There’s also the issue of human error. If a developer applies the backends for frontends (BFF) pattern in their application design, it may result in backend services—meant to be accessed only by internal services—exposed to direct pass-through access from external client API calls.

The issue with shadow APIs is that they have access to the same sensitive information that published, secured APIs do, but no one knows where they exist or what they’re connected to. Ultimately, this can create a compliance violation and regulatory fine, or worse, a probing attacker can use it to access your organization’s data.

2. Automated Bot Attacks

The issue of automated bot traffic is not restricted to any one specific industry—it’s a common issue that will impact every organization that has a website, mobile app or public-facing API. Web applications are a rich target for a botnet attack because they’re a direct path to sensitive data which can be scraped and shared on the Dark Web.

These types of attacks are harder to stop because the bots mimic legitimate human behavior and can more easily evade detection. Unlike other types of attacks, botnets operate around the clock and are purposefully designed to carry out repetitive tasks that are harder for humans to maintain. When breached via this attack vector, APIs are a doorway to personally identifiable information and can cause data leakage and more. For a developer who doesn’t have formal information security training, this is a tricky threat to stop.

Many organizations fail to manage the security of their APIs by relying on simple authentication tokens or basic IP rate limiting. Unlike human users, who can be authenticated through multi-factor authentication, an API call is often authenticated by a single factor: the API token.

3. Deprecated or Zombie APIs

The deprecation of APIs is part of the natural API life cycle. However, when the API has not been properly disabled, it becomes a dormant breeding ground for cybercriminal activity—usually outside of the purview of the developer and security operations team.

These unmonitored APIs are analogous to an unlocked window. Motivated criminals can sneak in and access data or execute more sophisticated attacks—often without the developer or security team ever knowing. This is the underlying risk factor that can escalate and become a software supply chain attack.

Deprecated APIs are often overlooked, left unaddressed and excluded from regular software updates. Thus, the API can be exploited for account takeover, fraudulent transactions or data extraction.

Stopping API Attacks

While most organizations use an API gateway solution today, this is not a silver bullet for growing API security risks. Gateways are great for delivery and access management but lack the sophistication necessary to stop complex attacks.

Further, approaches like gRPC, MQTT and GraphQL are growing in popularity as businesses demand more diverse engineering models. However, this will expose the business to more sophisticated attacks on APIs. Adopting a baseline of governance standards and security tools is essential when API protocols with structures even more flexible than RESTful APIs are adopted.

While the DevSecOps movement is an important industry effort, this mentality alone cannot stop business logic attacks—the concentrated abuse of rules that dictate how an application operates. The challenge is that runtime protection policies which protect business logic cannot be easily shifted left. Instead, organizations should seek out security tools that not only provide runtime protection but also seamlessly embed into the application development process.

Developers and security operations can start addressing today’s top API attack risks by first making a clear assessment of such risks. The assessment starts with automated discovery and keeping an API catalog up-to-date. As attacks become more complex, the solution should include bot detection that can identify a good bot from a bad bot, as well as discern a bot from a legitimate human user. Lastly, to address the issue of deprecated APIs, an effective solution also needs to monitor the life cycle of API tokens along with API versions.
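As an added example (not code from the article or its author), the following Python check applies the discovery-and-catalog step above to gateway access logs: it normalizes each observed endpoint, compares it against a declared API catalog, and flags traffic to endpoints that are absent from the catalog (shadow APIs) or marked deprecated but still answering (zombie APIs). The catalog, the simple log format and the log lines are constructed for illustration.

```python
import re
from collections import Counter

# Constructed catalog of what the organization believes is published.
# Values are "active" or "deprecated"; deprecated endpoints should see no traffic.
CATALOG = {
    ("GET", "/v2/users/{id}"): "active",
    ("POST", "/v2/orders"): "active",
    ("GET", "/v1/users/{id}"): "deprecated",
}

# Constructed gateway log lines in a simple "<ip> <method> <path> <status>" format.
LOG_LINES = """
10.0.0.5 GET /v2/users/42 200
10.0.0.7 GET /v1/users/42 200
10.0.0.9 POST /v2/orders 201
10.0.0.9 GET /internal/users/42/export 200
10.0.0.5 GET /v2/users/43 200
10.0.0.7 GET /v1/users/99 200
""".strip().splitlines()

LOG_RE = re.compile(r"^(\S+) (GET|POST|PUT|DELETE|PATCH) (\S+) (\d{3})$")

def normalize(path: str) -> str:
    """Collapse numeric path segments into {id} so concrete URLs match catalog templates."""
    return re.sub(r"/\d+(?=/|$)", "/{id}", path)

def classify_traffic(lines):
    """Return (shadow, zombie) Counters keyed by (method, path template)."""
    shadow, zombie = Counter(), Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        _ip, method, path, _status = m.groups()
        key = (method, normalize(path))
        status = CATALOG.get(key)
        if status is None:
            shadow[key] += 1  # endpoint receiving traffic but missing from the catalog
        elif status == "deprecated":
            zombie[key] += 1  # endpoint that should have been disabled is still answering
    return shadow, zombie

if __name__ == "__main__":
    shadow, zombie = classify_traffic(LOG_LINES)
    for (method, path), n in shadow.items():
        print(f"SHADOW  {method} {path}: {n} request(s), not in catalog")
    for (method, path), n in zombie.items():
        print(f"ZOMBIE  {method} {path}: {n} request(s) to deprecated endpoint")
```

Feeding this the real gateway's logs and the real OpenAPI inventory turns the one-off assessment into a recurring check; every shadow hit is a catalog gap to close and every zombie hit is an endpoint to disable.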

Together, this approach will enable developers to adequately address API security risks without slowing down their innovation agenda.

Lebin Cheng

Lebin Cheng is a technologist and serial entrepreneur with more than 20 years of experience in cybersecurity. Cheng cofounded Netskope and later cofounded CloudVector, acquired by Imperva. He was awarded 15 patents in areas such as network security, application infrastructure and API inspection. He holds an MBA degree from the Haas School of Business at the University of California Berkeley and a MS in Computer Science from Purdue University.