Complexity of APIs Makes Them Harder to Secure
In the second quarter of 2023, the most viral API exploit, according to findings from Wallarm, was the MOVEit Transfer SQL, while the most dangerous API exploit was the ESPv2 vulnerability impacting the Google Cloud platform. And since you can’t talk about any technology or security issue anymore without mentioning AI, the top AI-related exploit was found in the NVIDIA DGX-1 AI supercomputer system, which the Wallarm research said “could lead to malicious code execution, denial of service, information disclosure and data tampering.”
This is just a small sample showing that APIs are not only increasingly under attack, but that the complexity, consistency and overall number of those attacks are escalating. The simple reason is that API usage has exploded as APIs continue to evolve and support a number of different clients such as web, mobile and IoT. The resulting API sprawl has led to increased data exposure risks. To add to the problem, said Nick Rago, field CTO at Salt Security, most organizations lack security and governance strategies for their APIs.
“APIs now power the vast majority of applications and services businesses and consumers rely on daily,” said Rago in an email interview. “This rapid escalation of APIs has also created a much larger attack surface for attackers – and attackers are fully aware of the immense value of the data being transported by APIs. Because they typically transport personally identifiable data (PII) and other critical financial data, APIs represent a highly lucrative target.”
How APIs Are Becoming More Complex
Every API has its own unique business logic, explained Rago, meaning each attack against an API is unique.
“Attackers probe and prod APIs for flaws, and API attacks can take days, weeks and even months,” Rago stated. “Traditional security solutions cannot detect this low-and-slow nature of API attacks. Traditional solutions look for known attack patterns. But API attackers focus on exploiting the underlying application and business logic behind an API, and most threats represent zero-day vulnerabilities.”
There are also a lot of unknowns around APIs in a network, and because of API sprawl, security teams often have no knowledge about undocumented APIs.
“Because APIs are being rolled out so quickly, many organizations have shadow (unknown) or zombie (outdated) APIs in their environments,” Rago said. “If you don’t know an API exists, you can’t defend it from attacks.”
In an API-first application world, organizations often expose multiple APIs which have access to the same data sets but serve different purposes. One API could feed the data to a web interface, while another API feeds the same data to a mobile app. Yet another API might feed the data for internal applications, and another might feed the very same data to external third-party apps and developers and so on. This level of complexity makes API security tougher to apply.
APIs and Consistency
The API attack surface still suffers from simple and detectable injection-type vulnerabilities, and you can bet that threat actors are checking that information first, said Scott Gerlach, co-founder and CSO at StackHawk, in an email interview. “These detectable attack vectors are becoming easier to find earlier in the development process, and with early detection and remediation, we will see fewer of them make it to production over time.”
The reason for the change in consistency, and for the overall shift in API attacks, according to Gerlach, is that very few APIs are left unauthenticated.
“The whole point is to have users and to make it easy for users to sign up and gain access to the data/service that an API provides,” Gerlach said. “Authentication used to be a control mechanism for data type attacks, but now more and more of the attacks we see are authorization based.”
Vulnerabilities are now harder to detect because exploiting them requires a chain: one little piece of data here helps extract another little piece of data there, until the combination completes an exploit.
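The authorization-based attacks Gerlach describes, and the multi-surface data exposure described earlier (one data set served to web, mobile and partner clients), come down to whether an object-level ownership check is enforced consistently on every path to the data. The following is an added illustration, not code from the article or from Salt Security or StackHawk: it uses a constructed in-memory `ACCOUNTS` table and hypothetical `Principal`, `load_account` and per-client view functions. It shows the weak pattern (authenticated caller, no ownership check, so any signed-in user can read any account by ID) next to a single reusable policy that every surface calls before projecting the record.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data set; in a real service this would be a database row.
ACCOUNTS = {
    1001: {"owner": "alice", "email": "alice@example.test", "balance": 120},
    1002: {"owner": "bob", "email": "bob@example.test", "balance": 75},
}


@dataclass(frozen=True)
class Principal:
    """Hypothetical authenticated caller: who they are and what roles they hold."""
    subject: str
    roles: frozenset                      # e.g. {"user"}, {"support"}, {"partner"}
    partner_scope: Optional[str] = None   # owner whose data a partner client may read


class Forbidden(Exception):
    """Raised when the caller may not read the requested object."""


def get_account_weak(principal, account_id):
    """Weak pattern: the caller is authenticated, but nothing checks that the
    account belongs to them, so any logged-in user can read any ID."""
    return ACCOUNTS[account_id]


def can_read_account(principal, account):
    """The one authorization policy shared by web, mobile and partner surfaces."""
    if "support" in principal.roles:
        return True
    if "partner" in principal.roles:
        return principal.partner_scope == account["owner"]
    return account["owner"] == principal.subject


def load_account(principal, account_id):
    """Central loader: every surface goes through here, so the check cannot be
    skipped by one client-specific endpoint."""
    account = ACCOUNTS.get(account_id)
    # Missing and forbidden look identical to the caller, so responses do not
    # reveal which IDs exist.
    if account is None or not can_read_account(principal, account):
        raise Forbidden(f"account {account_id} not available to {principal.subject}")
    return account


# Three projections of the same record, one per client type.
def web_account_view(principal, account_id):
    a = load_account(principal, account_id)
    return {"id": account_id, "email": a["email"], "balance": a["balance"]}


def mobile_account_summary(principal, account_id):
    a = load_account(principal, account_id)
    return {"id": account_id, "balance": a["balance"]}


def partner_account_export(principal, account_id):
    a = load_account(principal, account_id)
    return {"id": account_id, "owner": a["owner"]}  # no email or balance for partners


def is_denied(view, principal, account_id):
    """True if the view refuses the request (used to check the policy)."""
    try:
        view(principal, account_id)
        return False
    except Forbidden:
        return True


if __name__ == "__main__":
    alice = Principal("alice", frozenset({"user"}))
    partner = Principal("svc-x", frozenset({"partner"}), partner_scope="bob")
    print(web_account_view(alice, 1001))            # alice's own account
    print(is_denied(mobile_account_summary, alice, 1002))  # True: bob's account
    print(partner_account_export(partner, 1002))    # partner scoped to bob
    print(get_account_weak(alice, 1002)["owner"])   # weak path leaks bob's record
```

The design point is that the partner, mobile and web endpoints differ only in what they return, never in whether they check ownership; adding a fourth surface later (an internal tool, a new mobile version) inherits the same policy by calling `load_account`.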
Security in an Evolving API World
Organizations can’t secure their APIs if they don’t have full visibility. They must have systems in place to continuously discover the APIs that exist in their environment.
“In addition, organizations need proper API runtime protection,” said Rago. “Runtime protection is essential to uncover potential threats and defend against data leaks.”
There must also be a close partnership between the security and development teams to address API security, Gerlach added. It begins with using automation to detect easy-to-find vulnerabilities and the security team sharing that information with the developers so the vulnerabilities are found and fixed quickly.
“Leveraging this type of automated testing also frees up the security team to do more deep and logical testing across APIs that multiple teams may be building and maintaining,” said Gerlach. “Monitoring production traffic and finding real-world types of attacks are also very valuable for building strong relationships with the development team, and reaction times to address these kinds of problems can be much faster.”
API security is becoming more complex because APIs are becoming more complex. By seeing and understanding API behaviors as they are being used, organizations can spot anomalies to quickly identify and stop any API misuse or abuse when an adversary tries to take advantage of a badly designed or misconfigured API.
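Two of the controls named above, continuous discovery of shadow or zombie APIs and spotting anomalous use of a known API, can both be derived from the same access logs. The following is an added example, not code from the article or from either vendor: it parses constructed log lines in a hypothetical `client= user= METHOD path status` format, compares the routes actually seen against a documented inventory to surface undocumented endpoints, and aggregates per caller and route to flag the "low-and-slow" pattern Rago mentions (many distinct object IDs, mostly denied or not found, spread over an hour, which a per-minute rate limit would never notice). Thresholds and the log format are assumptions.

```python
import re
from collections import defaultdict

# Constructed API access log (not real traffic); one request per line.
SAMPLE_LOG = """\
2023-08-01T10:00:01Z client=web user=alice GET /v1/accounts/1001 200
2023-08-01T10:00:02Z client=web user=alice GET /v1/accounts/1001/transactions 200
2023-08-01T10:00:03Z client=mobile user=bob GET /v1/accounts/1002 200
2023-08-01T10:00:04Z client=partner-x user=svc-x GET /v2/accounts/1002 200
2023-08-01T10:00:05Z client=cron user=svc-old GET /internal/export 200
2023-08-01T10:05:00Z client=mobile user=carol GET /v1/accounts/1003 200
2023-08-01T10:17:00Z client=mobile user=carol GET /v1/accounts/1004 403
2023-08-01T10:29:00Z client=mobile user=carol GET /v1/accounts/1005 403
2023-08-01T10:41:00Z client=mobile user=carol GET /v1/accounts/1006 404
2023-08-01T10:53:00Z client=mobile user=carol GET /v1/accounts/1007 403
2023-08-01T11:05:00Z client=mobile user=carol GET /v1/accounts/1008 403
2023-08-01T11:17:00Z client=mobile user=carol GET /v1/accounts/1009 403
"""

# Hypothetical documented inventory (what an OpenAPI spec or API catalogue says exists).
INVENTORY = {
    "GET /v1/accounts/{id}",
    "GET /v1/accounts/{id}/transactions",
    "POST /v1/login",
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) user=(?P<user>\S+) "
    r"(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)


def parse_log(text):
    """Turn log lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            records.append(rec)
    return records


def route_template(method, path):
    """Collapse numeric segments so /v1/accounts/1001 and /v1/accounts/1002 map
    to one route, comparable with an inventory entry."""
    segments = ["{id}" if seg.isdigit() else seg for seg in path.split("/")]
    return f"{method} {'/'.join(segments)}"


def find_shadow_endpoints(records, inventory):
    """Routes observed in traffic that no one documented: shadow or zombie APIs."""
    observed = {route_template(r["method"], r["path"]) for r in records}
    return sorted(observed - inventory)


def flag_object_enumeration(records, min_distinct=5, min_denied_ratio=0.5):
    """Per (client, user, route): many distinct object IDs together with a high
    share of 401/403/404 responses is the footprint of ID guessing, however
    slowly the requests arrive."""
    stats = defaultdict(lambda: {"ids": set(), "total": 0, "denied": 0})
    for r in records:
        tmpl = route_template(r["method"], r["path"])
        if "{id}" not in tmpl:
            continue  # only object-addressed routes matter here
        s = stats[(r["client"], r["user"], tmpl)]
        s["ids"].update(seg for seg in r["path"].split("/") if seg.isdigit())
        s["total"] += 1
        if r["status"] in (401, 403, 404):
            s["denied"] += 1
    flagged = []
    for (client, user, tmpl), s in stats.items():
        ratio = s["denied"] / s["total"]
        if len(s["ids"]) >= min_distinct and ratio >= min_denied_ratio:
            flagged.append({"client": client, "user": user, "route": tmpl,
                            "distinct_ids": len(s["ids"]),
                            "denied": s["denied"], "total": s["total"]})
    return flagged


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("undocumented routes:", find_shadow_endpoints(recs, INVENTORY))
    for f in flag_object_enumeration(recs):
        print("enumeration suspect:", f)
```

Run against the sample, the discovery step reports the `/v2` duplicate of the accounts API and the old `/internal/export` job as undocumented, and the anomaly step singles out one caller on `GET /v1/accounts/{id}` with seven distinct IDs and six denials over 72 minutes. In production the same aggregation would run over a sliding window, and the inventory would be fed from the API gateway or specification repository rather than a literal set.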