Waking Up to the Growing Threat to APIs

Application programming interfaces (APIs) have become crucial to business functionality in recent years. It facilitates Gartner’s ‘composable enterprise’ concept, in which organisations break down their applications into components known as packaged business capabilities.

APIs enable these disparate software components to be stitched together in various configurations, meaning businesses can better adapt to changing market conditions with speed and agility. They also support third-party integrations with partners.

These advantages have led to the surging use of these interfaces. According to content delivery network provider Cloudflare, APIs make up 70% of all web traffic, while Salt Labs found that the average number of APIs per customer grew 82% from July 2021 to July 2022.

Unfortunately, the rapid uptake of APIs has created more opportunities for cyber-criminals to target businesses. Speaking to Infosecurity in an article during the Q2 2023 magazine edition, Forrester principal analyst Sandy Carielli explained that many organisations haven’t updated their security policies and processes in accordance with increased API adoption.

Carielli said: “A lot of traditional web app security tools didn’t support APIs, leaving holes in protection. Even as API security has evolved and more solutions are available, organisations struggle to understand what combination of tools and processes are needed.”

During a presentation at Infosecurity Europe 2023, Mayur Upadhyaya, CEO of Contxt, observed that API security solutions are not being widely adopted yet. He noted: “As there is no clear owner of APIs within the enterprise, there is usually not a single stakeholder that will be responsible for protecting APIs and API security tend to be overlooked.”

Research published in the first half of 2023 has shown that threat actors are taking full advantage of these security shortfalls. For example, a Salt Labs report from March 2023 found that attacks targeting APIs increased by 400% in the previous six months.

There have been a number of high-profile API incidents, leading to major data breaches. In July 2023, the US Patent and Trademark Office (USPTO) disclosed a data security incident involving domicile information in certain trademark filings between February 2020 and March 2023.

And in January 2023, T-Mobile admitted that tens of millions of customers had their personal account information accessed by a malicious actor via an API.

Unsurprisingly, therefore, a CISO survey from June 2023 revealed that APIs are now a primary security concern for cyber leaders.

Threat researchers have identified a range of key techniques being taken by attackers to target APIs. The OWASP Top 10 API Security Risks – 2023 list found that broken object level authorization (BOLA) is the most common API attack. This arises when someone requests an object and the API fails to verify whether they should have access to it. BOLA can lead to data theft, modification or deletion, depending on the APIs and vulnerabilities involved.

The second and third most common attack techniques also revolved around authorisation. These are broken authentication attacks, whereby attackers take advantage of the complex and confusing mechanism for API authentication, and broken object property level authorisation (BOPLA), where attackers gain unauthorised access to sensitive info by manipulating endpoints via excessive data exposure.

In an article for Infosecurity Magazine, John Iwuozor identified three major API threats. These were malware and DDoS attacks, improper assets management and misconfigured APIs.

Therefore, it is crucial that organizations update their security strategies to tackle surging API cyber threats. The first step is gaining proper visibility and governance over the plethora of APIs present in organizations. Carielli told Infosecurity Magazine that it is common for enterprises to have hundreds of thousands of customer and partner facing APIs, “and they may not have a good grasp of what those APIs are and what they do.”

As part of this, she advised organisations to invest in API discovery tools to help them find rogue or shadow APIs, in addition to API security tools that analyse API requests and block malicious ones.

In the same article, Peter Klimek, Director of Technology at Imperva, also emphasized that visibility is an essential foundation of API security. He said a vital component of this is communications between security teams and developers, creating a continuous feedback loop on the APIs being created and ensuring these do not contain known vulnerabilities.

Due to the growing use of bots to enable attacks on APIs, security firm Akamai said it is crucial to have bot management solutions in place to actively monitor and protect these applications.

In addition, due to the prevalence of authentication/authorisation-based attacks on APIs, experts have highlighted the importance of establishing strong access control policies for these interfaces. In an article for Infosecurity Magazine, Pankaj Gupta, Senior Director at Citrix, said organizations should utilise cryptographically secure mechanisms, such as OpenID and OAuth, “to establish, identify, define and enforce granular authorization policies for each API.”

The growing utilization of APIs in enterprises makes this area a lucrative target for cyber-threat actors. There have already been numerous instances of large-scale data breaches caused by API attacks, and security must be treated as a priority in the wider cyber industry in the coming years – raising awareness, and developing new solutions.

ADVERTISEMENT

Enjoyed this article? Make sure to share it!

Looking for something else?