The Layers of API Security

There’s no arguing that the API ecosystem has become a key enabler for businesses. Leveraging APIs has helped companies become more agile, grow faster, and unlock more revenue. However, companies must also prioritise API security to make the most of this technology. Otherwise, they risk exposing their data and critical infrastructure to cybercriminals.

 

While API security is vital — malicious API attack traffic surged from an average of 12.22M malicious calls per month to an average of 26.46M calls over the past year — it’s also challenging to get right. Standard security practices like web application firewalls and identity and access management solutions weren’t designed to protect APIs. Instead, APIs require a robust security strategy that accounts for various challenges, including:

 

• A constantly evolving landscape where existing APIs change all the time and new ones enter the space with different parameters
• Low-and-slow attacks that are designed to compromise unique features in an API
• Existing security tactics in the DevOps model that don’t account for the complexities of APIs across different environments
• APIs with multiple, complex layers that require specific security measures to keep them safe

 

To mitigate the impact of these complexities, an API security framework needs to cover all the bases. It requires a layered approach that keeps attackers out and protects the valuable data shared across an API network. In this article, we’re taking a closer look at how APIs can be compromised across various areas and how to secure each layer in an API.

APIs have multiple vulnerabilities

There is no one way to compromise APIs. In fact, just exploring some of the most common API attacks shows the breadth of vulnerabilities. These include:

 

• BOLA attacks: In broken object-level authorization attacks, bad actors exploit API endpoints by manipulating the ID of an object sent in an API request. Since the server component doesn’t usually track the client’s state, these vulnerabilities are prevalent in APIs. These attacks can lead to data being accessed, stolen, modified, or destroyed.
• Broken user authentication: Teams with weak password hygiene, long password rotation cycles, or those that rely exclusively on API keys as authentication materials are open to broken user authentication attacks. Cybercriminals can exploit these vulnerabilities by using stolen authentication tokens, credential stuffing, or brute-force attacks to get access to applications. Once they’re in, they can leverage this access to compromise user data, conduct phishing attacks, or make transactions to their benefit.
• Excessive data exposure: APIs that share more data than they should, leave themselves open to attack. APIs send more information than is needed, relying on the client application to filter the data and present the correct input to the end user. However, bad actors can use redundant data from this process to extract sensitive information, which they can then use to compromise the organisation.
• Security misconfiguration: This category spans several potential vulnerabilities, as various security misconfigurations could negatively impact an API. These include incomplete configurations, verbose error messages, and misconfigured HTTP headers. Bad actors can learn more about the API they’re attacking and exploit these errors.
• Business logic flaws: Some of the most successful API attacks target gaps in the business logic of the API. If a developer hasn’t fully understood the use case or business logic they are trying to build for, they may leave logical flaws in the code that attackers can then exploit. This is one of the trickiest vulnerabilities to identify and solve.

 

These vulnerabilities span different functions and layers within an API, including authentication, data processing, and business logic. This is why a strong API security strategy needs to be multi-layered.

A layered approach to API security

A successful API security framework covers the four key layers of an API. These include the network and service, data, identity and access, and business and application layers.

Network and service layer

An API’s network and service layer is often compromised by attacks that overload the system with requests or traffic — like a DDoS attack. Measures that teams can take to prevent these types of attacks include pagination, which segments results from queries into manageable chunks, as well as API throttling, which limits the number of API requests that a user can make in a designated amount of time.

Data layer

Attacks to the data layer will often include an injection of malicious code that disrupts the usual functionality of the API — this is how attackers will leverage excessive data exposure, for example. One way to mitigate these efforts is to validate all input data on the server side. Bad actors can easily bypass validation efforts on the client side, so adding a validation step on the server side can reduce their success rate. 

 

Another helpful approach for preventing cross-site scripting, for instance, is to use HTML entity encoding. This way, user input data is encrypted before a response is sent to the web browser, thus protecting it in motion.

Identity and access layer

Identity and access management is a vital component of API security. Teams should be able to ensure that only the right people have the right level of access to the correct data at the right time. Implementing role-based access control across every API and role and feature mapping can reduce the impact of authentication-based attacks. This should be implemented as early as possible in the API development process. Continuous monitoring and reviews of the security parameters are also key activities.

Business and application layer

As mentioned above, business logic gaps pose a high risk for API attacks. API testing is part of the equation, but pre-production testing won’t uncover most business logic gaps. Teams must also implement runtime security to identify the reconnaissance behaviour of an attacker manipulating a company’s APIs.

Cybercriminals see APIs as dynamic and multifaceted technologies that are rife for attack — and companies need to look at their APIs similarly. As you build out your API security strategy, make sure to take a comprehensive approach that accounts for all these different parts of your attack surface. Only with the right security measures in place will you be able to fully take advantage of the API economy.

Author: Ali Cameron is a content marketer that specializes in the cybersecurity and B2B SaaS space. Besides writing for Tripwire’s State of Security blog, she’s also written for brands including Okta, Salesforce, and Microsoft. Taking an unusual route into the world of content, Ali started her career as a management consultant at PwC where she sparked her interest in making complex concepts easy to understand. She blends this interest with a passion for storytelling, a combination that’s well suited for writing in the cybersecurity space. She is also a regular writer for Bora. 

 

Ali is a guest blogger. All opinions are her own.