How to Secure APIs, the New Shadow IT

APIs are creating a major blind spot in many companies’ security plan. Gartner predicts by 2022, the largest source of data breaches will arise from APIs.

Nov 20th, 2018 10:14am by Keith Casey

Featued image for: How to Secure APIs, the New Shadow IT

Keith Casey

Keith Casey is Okta's resident API problem solver, and focuses his time on technical marketing for Okta's API Access Management product. Previously, he served as an early Developer Evangelist at Twilio and before that worked on the Ultimate Geek Question at the Library of Congress. He is co-author of A Practical Approach to API Design from Leanpub and primary editor for Okta's API Security guide.

API growth has risen exponentially over the past five years: an average of nearly 2,000 new web APIs have been added each year since 2014 (and there were less than 2,000 back in 2010!). There are now well over 50,000 public APIs and thousands of additional privately managed internal APIs in existence. And in fact, many supposed “private” APIs are not even actually private…they are just not documented or protected at all.

Throughout this growth period, have we stopped to think about how APIs impact the security of our organizations and the information we’re entrusted to safeguard? Probably not.

APIs are creating a major blind spot in many companies’ security plan. Gartner predicts by 2022, the largest source of data breaches will arise from APIs. APIs are the new Shadow IT because developers are exposing APIs without alerting their IT teams of the risks and vulnerabilities, creating security hazards faster than IT and security teams can identify.

API security should be a top priority for organizations; however, many have not considered the implications or thought strategically about it. Here are some top tips for both organizations and developers to help keep APIs secure.

Put on Your Black Hat

When designing the interface of an API, put yourself in the shoes of a hacker to avoid shortcuts that could lead to malicious activity. API designers have a deep knowledge of how to adhere to design principles while creating an interface, but there is often a temptation to create faster and create more when developing APIs, opening potential gateways to hackers. Developers should take as much care in designing the interface of an API as they do in designing a web interface.

Staying smart about software development also means only collecting data you really need. With massive data scandals happening all the time, it’s crucial to maintain a mindset of “everyone wants my data” and build interfaces with this guiding principle in mind. If you don’t have the data in the first place, no one can steal it.

In the British Airways data breach, hackers stole customer data as well as personal and financial details from the airline’s website, compromising around 380,000 card payments among BA’s more than 45 million passengers. As a security consultant commented, the breach was a “disaster waiting to happen” and the airline had a “woeful” system for keeping card payments secure. Thinking in the mindset of a hacker and being more thoughtful about elements like interface development and data collection could help prevent breaches like this one in the future.

Understand Who Needs Access to What (aka Authorization)

Many API security problems stem from neglecting to consider varying levels of access. If you visualize a hotel, you want to make sure only the right people (or in this case, only the right applications) have the correct keys to the correct rooms. You don’t want a hotel guest to have a key to another room. Developers need to think about API access in this way, granting the correct access to the correct users.

Twitter recently revealed a bug in one of its APIs may have led to exposure of users’ private messages to third-party developers. This Twitter mistake may have affected as many as three million of its active users! Both of these instances could have been mitigated by thinking through use cases and vulnerabilities from the beginning.

Promote Security Training for Developers from Day One

There’s the old adage of one executive saying to another: “what happens if we train our people and they leave?” and the response, “what happens if we don’t and they stay?”

Organizations should stress the importance of API security training for developers from day one. As part of this training, developers should come away with the understanding that launching an API is a team sport. Too often, developers will build something great, throw it over the wall to the operations team, and move on to the next task. Continuous API monitoring is crucial.

At Okta, we prioritize developer training to ensure our developers are informed, diligent, and proactive about API security from the moment they start working at the company. We even wrote a book that covers the fundamentals of building and securing APIs and acts as a guide for developers to consider every layer of their infrastructure, ask the right questions, and mitigate issues before they become problems.

Technology is advancing at break-neck speeds, and we need to constantly adapt to changing standards. Everyone is in a mad rush to develop APIs, but many are neglecting security practices along the way, only recognizing APIs are the new Shadow IT after the security breach happens. As more and more developers create APIs, it’s more crucial than ever for organizations to bring API security out of the shadows and into the light.

Featured image via Pixabay.