Application Programming Interfaces (APIs) are incredibly powerful; yet they operate behind the scenes and can be taken for granted. In fact, most organizations are aware of only a fraction of the APIs they have in their environments. They also don’t have an accurate understanding of which APIs expose sensitive data, such as the personally identifiable information (PII), or how much data is exposed. When you factor in the speed of development and deployment in cloud-based systems, APIs — essential as they are to the functioning of today’s modern apps — constitute a substantial and largely misunderstood risk.
APIs are in many ways the glue connecting cloud-based data and services. They are the software components that allow applications to interact with other applications, microservices and operating systems and are used practically everywhere, including when accessing the Internet on your phone, sending a text, using social media or buying a product online. APIs simplify application development and integration, fuel innovation and allow for collaboration among IT and operations teams.
Retail outlets, banks and other walk-in businesses created new online apps and services on the fly. Government agencies scrambled to manage services, including pandemic relief via the internet, schools turned to holding classes in virtual meeting rooms, and healthcare providers dove headlong into telemedicine. Even local sandwich shops began to rely more heavily on online orders and Grubhub deliveries.
Every one of these activities, new applications and responses — and many others not mentioned — runs in the cloud and involves APIs. Organizations are building them quickly and updating them regularly to meet the evolving demands of customers and other users, themselves on a similar trajectory of change. In the mad rush, it’s easy to lose sight of security. Cloud services and DevOps software development have the critical advantages of providing essentially infinite scalability and continuous delivery of new capabilities, but security of those tools and systems often gets left behind.
Whether through misconfigurations — a primary source of major breaches in the cloud — insufficient identity and access management, or software vulnerabilities within systems, organizations regularly face a full roster of potential threats, now amplified by the surge in online transactions and operations during the pandemic. In many cases, the increase in threats comes from the increased reliance on APIs — the conduits connecting all types of users to all types of data and services. Securing APIs is essential to any organization’s business continuity plan.
APIs as an Under-the-Radar Threat
In August, the Russian newspaper Kommersant reported that hackers had exploited an unprotected API to steal funds from customer accounts in the country’s Central Bank. Late last year, the U.S. Postal Service fixed an authentication weakness in an API that had exposed account details for 60 million users for more than a year — finally addressing the problem only after being contacted about the weakness by security blog KrebsOnSecurity. In another example of potential API exploits, AppSecure detailed how an attacker could take over users’ Uber accounts by exploiting a takeover vulnerability (now fixed by Uber) in API requests.
APIs, like any software, are vulnerable to a range of threats, from broken object-level authorization and user authentication to security misconfigurations and improper asset management. Since each API tends to be unique — with its own functionality and logic — traditional security measures built to safeguard against known attack patterns cannot protect APIs. What’s more, APIs make up an expanding attack surface that is only going to grow in the coming years.
Eliminating API threats relies on securing APIs across the full lifecycle, from development to running in production. Eradicating vulnerabilities in the writing of a given API is a good place to start. To enable this improvement in the security posture of APIs, many CISOs are working to foster greater collaboration between security and application development teams. By incorporating security into the DevOps process, or creating DevSecOps, organizations can identify and remediate vulnerabilities before software goes into production.
No organization will ever succeed in writing perfect APIs, however. So companies must augment their efforts to improve API security posture with runtime protection as well. Adopting innovative solutions specifically focused on API protection across build and runtime are the key to effective attack prevention. Such solutions improve effectiveness by tapping Big Data techniques and artificial intelligence to identify an API’s unique functionality, establish baseline behavior, and automatically detect attacks on APIs in real-time. A full lifecycle approach to API protection is also critical to helping organizations prioritize and remediate vulnerabilities because understanding how attackers are performing reconnaissance — but blocking them before they succeed in an attack — yields valuable learnings.
With so many of these modern applications running in the cloud, organizations need to ensure they’re holding up their end of the Shared Responsibility Model. The cloud provider secures the cloud infrastructure — the customer is always responsible for securing their applications and software platforms, and that responsibility very clearly extends to securing their APIs.
Having strong API access control and vulnerability detection will go a long way in protecting data and services from bad actors. Organizations implementing a business continuity strategy must ensure that the technology operating behind the scenes, as APIs do, is not overlooked in applying necessary security controls. In fact, it is often exactly the behind-the-scenes technology that makes the most attractive targets, because they’re often overlooked for security and are often vital to delivering revenue. Preventing these critical elements from being compromised can have the biggest impact on improving business continuity.
The rise in API usage has empowered businesses to build applications faster but has also put those businesses at risk, as incomplete information about them and insufficient protections for them, leave security holes that can compromise business continuity. As APIs grow as a leading attack vector, given their increased importance in enabling digital transformation and innovation, business continuity will become ever more intertwined with API security.