APIs Becoming a Favorite Attack Vector for Adversaries

API security is a hot topic for two main reasons. First, as Nick Rago, field CTO at Salt Security, pointed out in a recent webinar, we are living in an API-first world: APIs have become the backbone of the digital economy and power nearly every aspect of the modern applications that businesses and consumers use daily.

Second, APIs are extremely difficult to secure, largely because they are used everywhere and are hard to inventory and track.

It isn’t just API sprawl setting up security woes; it is how and where APIs are used. They sit in critical infrastructure and business operations and across the digital supply chain. Unfortunately, Rago said, developers aren’t paying enough attention to why APIs are becoming a targeted attack vector, even though API security is top-of-mind for most security professionals. That disconnect is increasingly problematic. In Salt Security’s State of the CISO report, 70% of CISOs said they prioritize API security more now than they did two years ago, and more than 90% expect to put even greater emphasis on API security in the future.

Why Threat Actors Have the Advantage

These numbers are an increase from past surveys, and one reason is that threat actors are focusing more of their attention on API attacks than ever before. Adversaries know how difficult it is to protect APIs. They recognize exactly where the challenges are, namely API sprawl, the growth of third-party APIs and the particular ways APIs are used, and they are taking advantage of the security shortfalls.

Another problem area for security professionals, and a boon for threat actors, is that APIs change frequently. According to Salt Security’s State of API Security report, over half of respondents said their APIs change monthly, and a third said theirs change weekly. Partly because of this churn, APIs aren’t adequately documented, so it is difficult to know how and where they are used. Without that information, security professionals are at a loss as to how best to implement security.

Masquerading as Real Traffic

Finally, threat actors have the advantage because of how APIs are tracked. Attack traffic masquerades as real traffic, said Rago. “It’s difficult to decipher and discern when someone is doing bad things to our APIs,” he added.

In the past, there was some predictability in tracking attack patterns: technologies could look for a particular known sequence of requests or a signature and get in front of an attack. It is very different with API attacks, where reconnaissance can take weeks, giving the attacker plenty of time to poke around, find more vulnerabilities and do significant damage.

Attacks against APIs are also different in that they are multi-step, logic-based attacks. What that means, said Rago, is that when you don’t know how an API is used and the attacks target business logic, you probably don’t have the tools in your web defense arsenal to recognize when something bad is happening to your APIs.
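To make the point concrete, the following is an added example written for this page; it is not code from the webinar, from Salt Security or from the article’s author. It runs two kinds of checks over a constructed API access log (the log lines, token names, endpoint path and the detection thresholds are all assumptions made for the illustration). A signature check of the kind a traditional web defense applies finds nothing, because every request is well-formed and authenticated. A behavioral check that looks at the sequence of requests per principal does flag the one token that walks through consecutive invoice IDs it has no business reading, which is the shape of a logic-based, multi-step API attack.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log (not taken from the article or any real system).
# Format per line: timestamp token method path status
# Every line is a valid, authenticated request; the only "bad" thing is that
# tok-9f1 reads eight consecutive invoice IDs in seven seconds.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z tok-a41 GET /api/v1/invoices/1041 200
2024-05-01T10:00:09Z tok-a41 GET /api/v1/invoices/1042 200
2024-05-01T10:00:12Z tok-9f1 GET /api/v1/invoices/2000 200
2024-05-01T10:00:13Z tok-9f1 GET /api/v1/invoices/2001 200
2024-05-01T10:00:14Z tok-9f1 GET /api/v1/invoices/2002 200
2024-05-01T10:00:15Z tok-9f1 GET /api/v1/invoices/2003 200
2024-05-01T10:00:16Z tok-9f1 GET /api/v1/invoices/2004 200
2024-05-01T10:00:17Z tok-9f1 GET /api/v1/invoices/2005 200
2024-05-01T10:00:18Z tok-9f1 GET /api/v1/invoices/2006 200
2024-05-01T10:00:19Z tok-9f1 GET /api/v1/invoices/2007 200
2024-05-01T10:00:25Z tok-c77 GET /api/v1/invoices/3310 200
2024-05-01T10:00:40Z tok-a41 GET /api/v1/invoices/1041/pdf 200
"""

# Payload signatures of the kind a classic web defense matches against.
SIGNATURES = [re.compile(p, re.I) for p in (
    r"union\s+select", r"<script", r"\.\./", r"'\s*or\s+1=1",
)]

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
# Hypothetical object endpoint; the numeric segment is the invoice ID.
OBJECT_RE = re.compile(r"^/api/v1/invoices/(\d+)(?:/|$)")


def parse(log):
    """Parse the constructed log format into a list of request records."""
    records = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything that is not a well-formed line
        ts, token, method, path, status = m.groups()
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "token": token,
            "method": method,
            "path": path,
            "status": int(status),
        })
    return records


def signature_hits(records):
    """Requests whose path matches a known attack pattern (per-request view)."""
    return [r for r in records if any(s.search(r["path"]) for s in SIGNATURES)]


def enumeration_suspects(records, window=timedelta(seconds=60), max_objects=5):
    """Behavioral view: flag principals that read more than max_objects distinct
    invoice IDs inside a sliding time window. Both parameters are assumptions
    and would be tuned per API from observed normal usage."""
    per_token = defaultdict(list)  # token -> [(timestamp, object_id)]
    for r in records:
        m = OBJECT_RE.match(r["path"])
        if m:
            per_token[r["token"]].append((r["ts"], int(m.group(1))))

    suspects = {}
    for token, events in per_token.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            ids = {oid for ts, oid in events[i:] if ts - start <= window}
            if len(ids) > max_objects:
                suspects[token] = sorted(ids)
                break
    return suspects


def longest_consecutive_run(ids):
    """Length of the longest run of consecutive IDs; sequential walking of
    identifiers is a strong indicator of object-level enumeration."""
    best = run = 1 if ids else 0
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    print("signature hits:", len(signature_hits(recs)))
    for token, ids in enumeration_suspects(recs).items():
        print(f"{token}: {len(ids)} objects, longest consecutive run "
              f"{longest_consecutive_run(ids)}")
```

The per-request signature pass returns nothing, while the per-principal pass names tok-9f1 and shows that its eight object reads form a single consecutive run. In production the same idea needs the context the article says is usually missing: which endpoints expose object IDs, who legitimately owns which objects, and what a normal read rate looks like, none of which a payload signature can supply.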

Thwarting the Adversaries

As threat actors continue to home in on APIs as a favored attack vector, security teams are tasked with finding ways to thwart those efforts. The gut reaction is often a shift-left testing strategy, but Rago warned that it might not be the most effective way. The problem with automated scanning is that APIs often get treated like web applications, and scanning for web application flaws does not address the logic-based threats that surround APIs.

To build an effective API security program, you have to get to know your APIs. When an API goes into production, you must assume that what has been deployed carries some business logic vulnerability, and with those vulnerabilities comes the risk of zero-day attacks.

At the end of the day, said Rago, we have to realize that API risk is an inescapable production reality, but it is time to put a strategy in place that will slow down adversaries from using APIs as an attack vector.

Sue Poremba

Sue Poremba is a freelance writer based in central Pennsylvania. She has been writing about cybersecurity and technology trends since 2008.