No matter your industry, you’re likely surrounded by application programming interface (API) usage and impacted by vulnerable APIs.
Akamai estimated that 83% of all web traffic was API-related in 2019. Gartner predicts that by 2022, APIs will become the most frequent attack vector. Many major recent data breaches and leaks have involved APIs for some facet of the attack.
Below, we outline API benefits as well as how to avoid their vulnerabilities.
What Is an Application Programming Interface (API)?
An application programming interface (API) is a technology that enables and facilitates communication between different applications.
APIs are an essential part of the current technological revolution—pipelines that enable a quick and seamless transfer of information and application functionality.
What Is the Value of APIs?
All industries can use and find value in APIs, as they provide a bridge between two systems for exchanging information.
The many programming languages in use don’t interoperate well, so when one application needs the functionality of another, things can get messy and challenging.
APIs solve this problem by acting as a common set of functions that serves as a translator or intermediary between different applications.
What Are the Advantages of API-Driven Development?
APIs bring a new level of modularity to applications. APIs allow developers to leverage the expertise of other applications. When an organization develops an application, they no longer need to reinvent the wheel when it comes to things like authentication, communication, payment processing, and maps.
Instead, developers can leverage the seamless plug-in capabilities and functionality of APIs. APIs allow applications and system components to communicate with each other on internal networks as well as over the Internet.
They’ve become integral to enterprise efforts to make internal applications and services accessible over the Internet to business customers, partners, suppliers, and other third parties.
Are APIs Safe?
Asking if APIs are secure is like asking if web applications are secure. So the easy answer is that it depends entirely on the implementation and life cycle management.
APIs can be secure, but due to the quantity and complexity of APIs, it’s easy to have security gaps. Like many other facets of cybersecurity, defenders must get API security right every time, while an attacker only needs one weakness for a successful compromise.
An organization can have dozens, hundreds, or even thousands of APIs connecting internal applications to each other and to the outside world. If they aren’t properly secured, APIs can provide a direct gateway from the outside to an organization's critical data and applications.
The problem is that API adoption tends to outpace the rate at which organizations can secure and manage them.
Over the years, an organization may have done a lot of work adding firewalls, segmentation, vulnerability management programs, and more, but if an organization has insecure APIs, then an attacker could evade many typical security measures. An insecure API exposed to the internet could lead to a serious compromise.
If you don’t properly manage the security of your APIs, it could be a recipe for disaster and pave the way for a major security breach.
API Attacks by the Numbers
Salt Security surveyed nearly 200 security, application, and DevOps professionals about their API concerns in February 2021. The results showed 91% of organizations involved in the survey suffered an API-related problem within the last year.
54% reported finding vulnerabilities in their APIs, 46% pointed to authentication issues, and 20% described problems caused by bots and data scraping tools.
For example, Peloton exposed data of its three million subscribers in 2021 due to a bug that allowed access to their private account data on Peloton’s servers even for private profiles.
The flaw allowed any Internet user to access subscribers’ personal information such as age, gender, location, birthday, and more.
This information was easy to retrieve, and no special hacking tools were required—just knowledge of how to use a browser to query and modify data elements.
How Do You Control API Security Risks?
The question is—are your organization’s APIs part of a vulnerability management program?
API vulnerability management could be broken if:
- APIs aren’t a part of vulnerability management programs and are overlooked
- Information security teams lack the knowledge to thoroughly test APIs
- APIs are tested generically and false negatives provide organizations with a false sense of security
- APIs are only tested by the development team
- APIs aren’t considered with an adversarial mindset
Importance of Accurately Testing APIs for Vulnerabilities
If you’re scanning your APIs with generic vulnerability scans or even web application scans, then you’re likely missing eight of the top 10 API vulnerabilities.
What Is False Negative Vulnerability Scanning?
Vulnerability scans that weren’t designed for API vulnerabilities will produce false-negative findings. False-negative vulnerability results are one of the most dangerous threats to plague an information security program.
These results are dangerous because they suggest that your APIs are secure due to a lack of findings; however, it’s much more likely that the scanner didn’t test for the top API weaknesses.
A false negative occurs when a vulnerability scanner indicates nothing is wrong, but an existing vulnerability has gone undetected. This can happen when an API is scanned generically.
Each API exposes a unique set of business functionality, which presents a problem for most vulnerability scanners. A generic vulnerability scan may detect common security misconfigurations but will miss most of the vulnerabilities listed in the OWASP API Security Top 10.
What Are Business Logic Flaws?
The OWASP API Security Top 10 is an excellent cheat sheet that helps you understand the most critical vulnerabilities that plague APIs, such as business logic flaws.
Business logic flaws are features of an application that can be abused because they’re vulnerable by design. In other words, these flaws live in the application’s own code and logic, and they are exceedingly difficult for most automated scans to detect.
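As an added illustration (not code from the article, and not Peloton's code), here is a minimal profile lookup with the shape of the flaw described in the Peloton example above, beside a hardened form that decides authorization per object. A scanner sees a valid 200 response from both handlers, which is why only an adversarial check catches the difference. All names, fields and sample data are constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Profile:
    user_id: int
    display_name: str
    age: int
    location: str
    is_private: bool

# Constructed sample data standing in for the subscriber database.
PROFILES = {
    1: Profile(1, "alice", 34, "Seattle", is_private=True),
    2: Profile(2, "bob", 29, "Denver", is_private=False),
}

PUBLIC_FIELDS = ("user_id", "display_name")
PRIVATE_FIELDS = PUBLIC_FIELDS + ("age", "location")

def get_profile_vulnerable(requester_id: int, target_id: int) -> Optional[dict]:
    """Business logic flaw: the caller is authenticated, but the handler never
    asks whether this caller may see the target's private fields, so any
    logged-in user can read any other user's data, private profile or not."""
    profile = PROFILES.get(target_id)
    if profile is None:
        return None
    return {f: getattr(profile, f) for f in PRIVATE_FIELDS}  # requester_id ignored

def get_profile_secure(requester_id: int, target_id: int) -> Optional[dict]:
    """Hardened form: owners see all of their own fields; everyone else sees
    private fields only when the profile is public."""
    profile = PROFILES.get(target_id)
    if profile is None:
        return None
    if requester_id == profile.user_id or not profile.is_private:
        return {f: getattr(profile, f) for f in PRIVATE_FIELDS}
    # Private profile viewed by someone else: return only the public projection.
    return {f: getattr(profile, f) for f in PUBLIC_FIELDS}

def private_data_leaks(handler) -> bool:
    """Adversarial check a tester would run: does user 2 learn user 1's private
    fields through this handler? True means the handler has the flaw."""
    response = handler(requester_id=2, target_id=1) or {}
    return "age" in response or "location" in response
```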
What Are API Penetration Tests?
APIs must be tested from an adversarial standpoint that mimics how they would be exploited by a malicious user. An API penetration test is one of the best ways to discover common vulnerabilities and business logic flaws.
A good API penetration test will test for common vulnerabilities and business logic flaws, validate findings, and demonstrate what an attacker could accomplish with the given weaknesses.
The most valuable part of a penetration test is getting a comprehensive report that describes the findings, associated risks, and remediation recommendations.
Manage, Monitor, and Test APIs
Organizations need to manage, monitor, and test their APIs. APIs must be managed from their inception and throughout the life cycle.
If you don’t know what APIs you have, you won’t be able to secure them.
API traffic should be monitored to detect attacks.
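As an added example of the monitoring the sentence above calls for (not code from the article or any product), this detector runs over constructed API access-log lines and flags a client token that fetches many distinct profile IDs within a short sliding window, the traffic shape of the bot and data-scraping problems cited earlier. The log format, thresholds and sample lines are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: ISO timestamp, client token, method, path, status.
LOG_RE = re.compile(r"^(?P<ts>\S+) token=(?P<token>\S+) [A-Z]+ "
                    r"/api/v1/profiles/(?P<target>\d+) \d{3}$")

# Constructed sample: tokA walks four IDs in seconds; tokC reads four IDs spread over hours.
SAMPLE_LOG = """\
2021-02-03T10:00:00Z token=tokA GET /api/v1/profiles/1001 200
2021-02-03T10:00:01Z token=tokA GET /api/v1/profiles/1002 200
2021-02-03T10:00:01Z token=tokA GET /api/v1/profiles/1003 200
2021-02-03T10:00:02Z token=tokA GET /api/v1/profiles/1004 200
2021-02-03T10:00:05Z token=tokB GET /api/v1/profiles/2001 200
2021-02-03T10:00:06Z token=tokB GET /api/v1/profiles/2001 200
2021-02-03T10:09:00Z token=tokC GET /api/v1/profiles/3001 200
2021-02-03T10:30:00Z token=tokC GET /api/v1/profiles/3002 200
2021-02-03T11:00:00Z token=tokC GET /api/v1/profiles/3003 200
2021-02-03T11:30:00Z token=tokC GET /api/v1/profiles/3004 200
garbage line that should be skipped
"""

def parse_log(text):
    """Parse log lines into events; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                           "token": m["token"], "target": int(m["target"])})
    return events

def find_enumerators(events, max_distinct=3, window_seconds=60):
    """Return {token: peak distinct targets} for clients that fetched more than
    max_distinct different profiles inside any sliding window of window_seconds."""
    window = timedelta(seconds=window_seconds)
    by_token = defaultdict(list)
    for e in events:
        by_token[e["token"]].append(e)
    flagged = {}
    for token, evs in by_token.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1  # slide the window forward past stale events
            distinct = len({e["target"] for e in evs[start:end + 1]})
            if distinct > max_distinct:
                flagged[token] = max(flagged.get(token, 0), distinct)
    return flagged
```

Tune max_distinct and window_seconds to the legitimate usage pattern of each endpoint, since a profile listing page will naturally touch more IDs than a single-profile view.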
Finally, APIs need to be tested. Due to the unique nature of APIs, they need not only thorough testing but also specific testing for business logic flaws.
Testing for business logic flaws involves testing the features and functions of an API from an adversarial perspective. This means attempting to maliciously use the features of an API. Don’t skip this testing just because your application is in production.
One great experiment would be to run your organization’s vulnerability scans against a deliberately vulnerable API. Set up a secure test environment with a vulnerable API like OWASP’s crAPI and see how effective your organization’s vulnerability scans are against it. Deliberately vulnerable applications like crAPI are riddled with the top API security vulnerabilities.
If your scanner isn’t effective at detecting the vulnerabilities present in a deliberately vulnerable application, then you should look for tools that are more effective at testing APIs for vulnerabilities.
We’re Here to Help
If you’re interested in API vulnerability assessments, or penetration testing to help identify vulnerabilities and risks, please contact your Moss Adams professional.