To Solve the API Security Crisis, Think Beyond OWASP

What’s the greatest cybersecurity threat businesses face today?

If you answered ransomware, cryptojacking or phishing, which headlined lists of top cybersecurity risks in recent years, you’re behind the times. Those attacks still occur, but APIs have now become the top attack vector for enterprises to worry about, according to an October 2022 Gartner report. Not coincidentally, the frequency of API attacks has increased by an astounding 681%.

That’s why it’s absolutely critical to make API security a primary consideration within broader enterprise cybersecurity strategies. Below, we’ll explore why API security risks have become so pervasive recently and discuss how to secure APIs across your business.

The Surge of API Security Risks

APIs have been around for decades, and so have API security risks. However, it has only been within the past few years that attackers have focused heavily on APIs as a means of exfiltrating data, disrupting business operations or causing other types of harm.

Why have API security attacks surged in recent years? It’s not because APIs have fundamentally changed or because businesses have gotten worse at building secure APIs. On the contrary: if anything, increasing awareness of API security risks has translated into better API design at the typical business, although those measures clearly don’t go far enough in many cases, as the surging rate of attacks shows.

The problem instead is that APIs have evolved from a resource that larger organizations occasionally deployed to integrate systems into the lifeblood of modern businesses of all types. In today’s world of cloud-native, software-defined, distributed everything, APIs play an absolutely critical role in making complex application stacks operate. Businesses of all sizes and across all industries routinely rely on internal APIs to unite their line-of-business apps and on external APIs to share data or services with vendors, customers or partners.

As a result, APIs have become a very attractive target for attackers. Because a single API may have access to multiple applications or services, compromising the API is an easy way to compromise a broad set of business assets with minimal effort.

At the same time, securing APIs has proven harder for many organizations than securing other resources. Consider, for example, a simple, monolithic web application that doesn’t depend on APIs. To secure that type of app, you only have to secure the application logic and the server that hosts the app.

In contrast, take a modern, distributed, microservices-based app that relies on various internal APIs to connect its microservices and that runs across a cluster of hosts. In addition, the app exposes external APIs that are accessible to the world at large and subject to all manner of potential abuse. Because of the APIs, this type of app has a much broader attack surface: every internal API is an additional trust boundary, and one that is easy to leave too permissive on the assumption that only "our own" services will ever call it. The app is also a lot more complex architecturally, which increases the risk of oversights that create security vulnerabilities or weak points.

Meeting the API Security Challenge

That’s the challenge that modern businesses face when it comes to API security. Now, let’s discuss what they can do about it.

The answer begins with following basic API security best practices, such as those that OWASP (an authoritative nonprofit organization dedicated to software security) recommends to protect against common API security risks. Guidance of this type, notably the OWASP API Security Top 10, has provided a baseline for developers looking to protect APIs from abuse for several years.

However, on their own, basic API security practices are not enough to keep IT resources safe in a world where attacks that target APIs have become so pervasive. Businesses should take the following additional steps.

Risk-Based Authentication

Not all API requests or users are subject to the same risks, and not all require the same protections. To achieve the best balance between usability and security, businesses should adopt risk-based authentication policies, which enforce security protections in instances of heightened risk.

For example, an API client with a long record of issuing legitimate requests that follow a predictable pattern might not need to go through the same level of authentication for each request as a new client that has never connected before. But if the longtime API client’s access pattern changes, for instance if the client suddenly begins issuing requests from a different IP address, requiring step-up authentication (a second factor or re-verification before the request proceeds) is a smart way to ensure that the requests don’t come from a compromised client.

Biometric Authentication

Along similar lines, developers should think beyond traditional API authentication measures like tokens. Although tokens remain important as a basic means of authenticating clients and requests, they can be stolen. In the April 2022 GitHub incident, for example, attackers used stolen OAuth user tokens that had been issued to the Heroku and Travis CI integrations to download private repositories.

For that reason, coupling token-based authentication with other methods, like biometric authentication, is a smart way to enhance API security. Rather than assuming that anyone who possesses an API token is a valid user, developers should design applications so that users also have to authenticate using fingerprints, face scans or a similar method, at least in higher-risk contexts. Biometrics only apply where there is a human in the loop, of course; for headless, machine-to-machine clients, the equivalent control is binding the token to the client it was issued to (for example, by requiring mutual TLS), so that a token lifted from one client cannot simply be replayed from another.

Enforce Authentication Externally

The more complex your API authentication schemes become, the harder it is to enforce security requirements within your application itself. For that reason, developers should strive to decouple API security rules from application logic. They should instead rely on external tools, like API gateways, to enforce security requirements.

This approach saves a significant amount of development effort. It also makes API security policies more scalable and flexible because they can be implemented and updated within API gateways, which is much faster and simpler than modifying application source code and redeploying apps to change API security policies. And most important of all, enforcing security within the API gateway makes it possible to apply different rules to different users or requests based on varying risk profiles. One caveat: the gateway only protects what it fronts. The upstream services must be reachable exclusively through the gateway (by network policy or by accepting only the gateway’s mutual TLS identity), otherwise an attacker who finds the service’s direct address bypasses every policy you configured.
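To make the two preceding ideas concrete, the Risk-Based Authentication section and the gateway-based enforcement described here, the following is an added example (not code from the article, and not Gravitee’s or any other gateway’s own policy engine). It models a gateway-layer policy held as data: each request is scored from the client’s history (new client, unfamiliar source IP, sensitive endpoint, dormant credential) and the gateway returns ALLOW, STEP_UP or DENY without the upstream service changing at all. The thresholds, the client history structure, the client names and the IP addresses are all constructed assumptions for the illustration.

```python
"""Risk-scored request policy as a gateway would hold it: rules are data,
not application code. Added example; thresholds and clients are hypothetical."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Policy as data: tunable in the gateway without redeploying any service.
# Every value here is an assumed, illustrative setting.
POLICY = {
    "trusted_after_requests": 100,          # below this, the client has no pattern to trust
    "dormant_after": timedelta(days=30),    # silence longer than this is suspicious
    "sensitive_prefixes": ("/admin", "/export"),
    "step_up_validity": timedelta(hours=1),  # how long a passed challenge is remembered
    "step_up_at": 40,                        # score at which a second factor is demanded
    "deny_at": 70,                           # score at which the request is refused outright
}


@dataclass
class ClientHistory:
    """What the gateway remembers about one API client (constructed state)."""
    known_ips: set[str] = field(default_factory=set)
    successful_requests: int = 0
    last_seen: datetime | None = None
    step_up_verified_until: datetime | None = None


@dataclass
class Request:
    client_id: str
    source_ip: str
    path: str
    at: datetime


def risk_score(hist: ClientHistory, req: Request) -> int:
    """Additive score: each signal is independent, so a decision is explainable."""
    score = 0
    if hist.successful_requests < POLICY["trusted_after_requests"]:
        score += 40  # new or lightly used client
    if hist.known_ips and req.source_ip not in hist.known_ips:
        score += 40  # established client suddenly arriving from an address never seen
    if req.path.startswith(POLICY["sensitive_prefixes"]):
        score += 20  # endpoint whose abuse is costly
    if hist.last_seen is not None and req.at - hist.last_seen > POLICY["dormant_after"]:
        score += 10  # a dormant credential springing back to life
    return score


def decide(hist: ClientHistory, req: Request) -> str:
    """Gateway decision for one request: ALLOW, STEP_UP or DENY."""
    score = risk_score(hist, req)
    if score >= POLICY["deny_at"]:
        return "DENY"
    if score >= POLICY["step_up_at"]:
        recently_verified = (
            hist.step_up_verified_until is not None
            and req.at < hist.step_up_verified_until
        )
        return "ALLOW" if recently_verified else "STEP_UP"
    return "ALLOW"


def record_success(hist: ClientHistory, req: Request, stepped_up: bool = False) -> None:
    """Update history after the upstream call succeeded; if the client also passed
    a step-up challenge, remember that for POLICY["step_up_validity"]."""
    if stepped_up:
        hist.step_up_verified_until = req.at + POLICY["step_up_validity"]
    hist.known_ips.add(req.source_ip)
    hist.successful_requests += 1
    hist.last_seen = req.at


def demo() -> dict[str, str]:
    """Constructed scenarios mirroring the text; returns the gateway's decisions."""
    t0 = datetime(2024, 3, 1, 9, 0)
    veteran = ClientHistory(known_ips={"203.0.113.10"}, successful_requests=5000, last_seen=t0)
    results = {
        "veteran_known_ip": decide(veteran, Request("svc-billing", "203.0.113.10", "/orders", t0)),
        "veteran_new_ip": decide(veteran, Request("svc-billing", "198.51.100.7", "/orders", t0)),
        "veteran_dormant_new_ip_export": decide(
            veteran, Request("svc-billing", "198.51.100.7", "/export", t0 + timedelta(days=45))),
    }
    newcomer = ClientHistory()
    first = Request("svc-new", "192.0.2.5", "/orders", t0)
    results["newcomer_first_request"] = decide(newcomer, first)
    record_success(newcomer, first, stepped_up=True)  # client passed the challenge
    results["newcomer_after_step_up"] = decide(
        newcomer, Request("svc-new", "192.0.2.5", "/orders", t0 + timedelta(minutes=10)))
    return results


if __name__ == "__main__":
    for scenario, decision in demo().items():
        print(f"{scenario:32s} -> {decision}")
```

The point to notice is what the upstream service does not see: it receives only requests the gateway already let through, and changing who must step up (or raising the deny threshold for a sensitive path) is an edit to POLICY, not a code change and redeploy of the service. In a real deployment the history would live in the gateway’s shared store and the step-up challenge would be delegated to the identity provider; the scoring shape stays the same.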

Balance Security With Usability

As I’ve hinted above, it’s important not to let API security become the enemy of usability. If you make API authentication measures too intrusive or burdensome, your users might abandon your APIs, which is the opposite of what you want to happen in an API-first world.

Avoid this risk by ensuring that API security rules are strict when there is a reason for them to be, but without imposing unnecessary requirements. Methods like risk-based authentication are helpful for this purpose. So is, again, the adoption of API gateways where API security is enforced since gateways make it easier to implement flexible security policies that can be adapted to different contexts or risk profiles.

Conclusion: Moving Beyond API Security Risks

API security attacks show no sign of slowing down. But forward-thinking businesses can get ahead of the risk by adopting measures that go beyond basic API security. When designing and securing APIs, developers should start with practices like those recommended by OWASP, then adopt additional strategies–such as risk-based authentication and API gateway-based security policies–that set their APIs apart from the crowd and that help ensure they won’t be low-hanging fruit as attackers increasingly look to APIs as a means of breaking into IT estates.


Rory Blundell

Rory Blundell is the CEO of Gravitee. He joined the company in March 2020, first as Chief Revenue Officer, before becoming CEO in September 2020. Prior to Gravitee, Blundell led SnapLogic's EMEA expansion from a technical sales perspective, overseeing significant growth in EMEA revenues over three years. Prior to SnapLogic, he was the CEO and founder of Velinko, a UK software and consultancy company for the legal and accounting sectors.
