Security Considerations for API-Driven Apps Deployed to Cloud
The last several years have seen the rise of API-driven applications deployed to scale on enterprise-grade cloud platforms. Their ability to scale to match user demand has revolutionized the way applications are written and deployed. Often, these distributed applications are deployed on Kubernetes platforms to make it easier to manage, orchestrate and deploy microservice containers.
DevOps teams invest a lot of resources to ensure that their applications that run on the Kubernetes infrastructure platform are safe and secure from exploitation. This can include hardening the operating system, preventing lateral movement through micro-segmentation across clusters, and preventing unauthorized access through strict RBAC controls to limit access.
However, that is only half the battle. Moving up from a Kubernetes platform, deployed API-driven applications have their own category of security issues that require a different approach in order to achieve a proper level of security protection. The rise of API-driven applications has fueled a new class of API vulnerabilities that are unable to be protected by existing application security products. Vulnerabilities hidden in the underlying APIs can expose weaknesses that are waiting to be exploited, exposing critical business data. Cybercriminals have taken notice and are now developing new attack vectors in order to exploit organizations as they move towards an API economy.
A new approach is required that moves away from application security that was focused on protecting monolithic applications and focuses on how API-driven applications operate in order to provide the proper level of protection.
Here are some of the key criteria that you should consider when evaluating an API security solution.
API Visibility and Monitoring: You Can’t Protect What You Can’t See
Despite the explosive growth in API usage, many security and development teams are unable to answer basic questions about their API program – like how many do we have, who owns them, and what do they do. This poses a huge security risk for organizations – especially in today’s complicated threat landscape.
To protect against security risks, it’s crucial that organizations understand all aspects of their API programs and their associated security challenges. This better positions leaders to improve their organization’s security posture through proper mitigation strategies. Most organizations expose a number of APIs that are built-in house and open sourced for customers and partners. They are published by different teams, using different application stacks and different procedures. As a result, it becomes hard to keep track and understand where the potential risks are. Here are some key API visibility challenges that you should consider:
- Unknown APIs: Shadow, deprecated or hidden APIs can fall outside of the security team’s areas of visibility, which often leads them to go unprotected. These APIs may transmit sensitive data and jeopardize an organization’s compliance standing.
- API Parameters: API vulnerabilities such as mass assignment can lead to privilege escalation by allowing an attacker to change user profile to “admin” which can lead to fraud, data loss or worse.
- Sensitive Data Exposure: Exposure of confidential or sensitive data in response codes or error messages can be used to steal data or as a form of reconnaissance for a large-scale attack.
- Business Logic Flaws: Application business logic flaws can enable bad actors to commit fraud through account takeovers, scraping, fake account creation and other forms of API abuse.
When looking to address these common API security challenges, it helps to ask questions to evaluate and mitigate the degree of risk. There are a number of questions to consider: What do the APIs we have, do? Who are the API owners? Which APIs are subject to legal or regulatory compliance? How do we monitor for vulnerabilities in our APIs? Are our APIs exposing sensitive data, or PII, which could put us out of compliance? How do we test and measure the effectiveness of our API monitoring?
API Security: A Different Type of Application Security
Most organizations that have a web application will have a Web Application Firewall (WAF) for security protection. However, as organizations continue to ramp up their API-driven applications, they are discovering that a traditional WAF that worked well for monolithic applications doesn’t scale to match the needs of modern API-driven applications. Due to the very distinct nature of how API-driven applications are written, this lends itself to a separate category of exploitable vulnerabilities that are very different from their OWASP Top 10 web brethren. The security approach that worked well to protect monolithic web application vulnerabilities from OWASP’s Top 10 web exploits doesn’t translate well in the API world. Critical API vulnerabilities such as BOLA (broken object level authorization) and mass assignment are very difficult to defend against using traditional web security approaches. Increasingly, customers are slowly realizing that deploying a WAF to protect their API is like taking a knife to a gunfight. It’s simply the wrong weapon.
A new category of API security products has emerged that replace web application firewalls and more closely align with the specific requirements of protecting API-driven applications from exploitation. These API security solutions are built around the way applications behave on an everyday basis. Powered by machine learning (ML), these security solutions are focused on learning application behavior and surfacing anomalous activity. Building an application machine learning model can set the stage to discover intrinsic business logic flaws and API vulnerabilities that are embedded across hundreds of microservices. User-driven traffic powers the development of a machine learning model and captures how the application’s microservices work together to deliver the application business logic. Slight deviations in user interaction can highlight a cyber attacker probing the application for flaws or exploiting an API vulnerability within the application.
If you are looking for an API security solution, you should consider the three following criteria:
- Discover: Identify all APIs within an organization’s environment. Ideally, the API security tool should be aware of the API parameters that define the API requests that are allowed. For example, an API should allow the user to only respond with 255 string characters. Often, unvalidated API responses can be used to exploit application vulnerabilities.
- Learn: The API security tool should be able to learn the API behavior from user-driven traffic. This allows the API security solution’s machine model to learn all the nuances that define normal application behavior. Slight and sudden deviations in user behavior are surfaced to the security operations team via an alert.
- Adapt: Most modern applications, developed in an agile environment, change rapidly. An API security solution should be able to automatically adjust its security model to continuously accommodate all new changes to ensure that application security is always in lockstep with DevOps.
Threat Analytics: Detecting Cyber Attacks as They Happen
Cybercriminals wage sophisticated cyber campaigns that are well planned, cautious and patient. They take the necessary precautions to evade detection as they exfiltrate sensitive data from applications. To combat them, threat analytics is required to detect malicious activity across users that access your application. The quality and breadth of data obtained from your application will determine your level of security protection and make the difference in how soon you detect an impending cyber attack. As an application becomes more complex and distributed, it becomes more critical to know more about your application’s inner workings, how it works, its business logic and interactions with other third-party technology partners. Collecting data interactions across all points within the application ensures that you have a complete view of all user interactions with your application. The richer the data set, the easier it becomes to separate malicious from legitimate user transactions and enable your security teams to discover data breaches as soon as possible.
An API security platform should enable security teams to perform the following:
- Threat hunting: A security analyst can search through a data lake searching for ongoing campaigns.
- Tracking attackers: You can track kill-chain activities such as reconnaissance or scanning activity as an attacker digs deeper into an application.
- Post-mortem analysis: Security analysts can obtain post-mortem forensics to understand how a cyber attack was able to exploit an application’s business logic or vulnerabilities.
Conclusion
Rapidly changing API-driven applications lend themselves to quicker time to market, but also release API vulnerabilities that can be quickly exploited by cybercriminals. The application security products that work well in protecting monolithic web applications don’t scale well in protecting your API-driven applications. Due to rapid change across more complex and distributed application architectures, the requirements of API security are fundamentally different from existing application security products on the market. When you are evaluating an API security solution, focus on: How does the solution deliver visibility, how well does it understand your application, and the quality and depth of your threat analytics.
Obtaining proper application security solutions that are specifically focused on API applications will help your organization to better defend against an increasing level of API-driven cyber attacks that seek to exploit your most valuable asset – your data.
To learn more about API security and API-driven applications deployed in the cloud, consider coming to KubeCon+CloudNativeCon North America 2021 on Oct. 11-15.