Common Risks In API Security (and How To Address Them)


by Christos Flessas — 2 years ago in Security 4 min. read

Application Programming Interfaces (APIs) are fundamental components of modern software patterns and are used extensively in business and web application development. APIs allow applications to interact with each other and help businesses connect services and transfer data. Their popularity makes them an attractive target, putting the reputation and revenue of any business at risk.

In light of this, API security is vital for companies’ prosperity and success. Organizations must be aware of the risks associated with APIs and what they can do to cope with them.

API Security is Important

The evolution of digital technologies and of web applications that interact with each other has led to an exponential increase in API volume and usage. Events such as accelerated digitization and the shift to working from home have fuelled their rise. Salt Security highlights that the average number of APIs per company grew by over 80% from July 2021 to July 2022, while over the same period usage skyrocketed, with overall API traffic per organization growing by over 150%.

A RapidAPI survey showed overwhelming numbers about API usage: only 10% of the participant developers believe that they will use fewer APIs in 2022 than in 2021, whilst only 2% of enterprise leaders think that APIs are not essential for organizations’ digital transformation.

Sadly, APIs’ extensive use leads to an analogous increase in cyber-attacks against them. According to Gartner “90% of web-enabled applications will have more attack surface area in exposed APIs rather than in the user interface.” APIs have become an essential component of contemporary applications and a significant security problem. Their volume and importance make them a high-value target. As APIs do not fit well into standard Application Security Testing toolsets, API abuses will become the most common attack vector by 2022, resulting in data breaches and a deep concern for the cyber security community.


The Most Common API Risks as We Know Them

Paraphrasing Sun Tzu for the sake of API security, one can say that an organization must know its enemies and its weaknesses to be able to protect its assets effectively. It is critical for API security to shift left not only toward the security teams but also toward the developers; their close cooperation and common awareness of API threats will bring the best API security results.

Open Web Application Security Project (OWASP) has published the Top-10 API threats list, which highlights a general consensus on the most serious API security threats to web apps:

  • API1:2019 Broken Object Level Authorization: As APIs expose endpoints that handle object identifiers, access control is implemented at the code level to ensure that users may only access objects to which they are authorized. Every API endpoint should implement object-level permission checks to ensure that.
  • API2:2019 Broken User Authentication: An API vulnerability where forged tokens are used to obtain access to endpoints. Compromised authentication systems or mistakenly exposed API keys can be used by cybercriminals to acquire access.
  • API3:2019 Excessive Data Exposure: It is simple to publish a group of endpoints without specific limitations. However, not all functions apply to all users. The more data you inadvertently expose the more risk you take on.
  • API4:2019 Lack of Resources and Rate Limiting: If the number of resources that can be accessed and called via APIs is not predetermined and restricted, the API may be susceptible to DoS and brute-force attacks.
  • API5:2019 Broken Function-Level Authorization: Ambiguous separation between administrative and regular functions leads to authorization flaws, which can be exploited by cybercriminals to gain access to unauthorized functionality.
  • API6:2019 Mass Assignment: The usage of functions that automatically link client input to internal objects and code variables results in attacks where cybercriminals edit or replace sensitive object attributes.
  • API7:2019 Security Misconfiguration: Misconfiguration at any API stack level exposes sensitive data and system details; cybercriminals can gain unauthorized access and system knowledge.
  • API8:2019 Injection: APIs are vulnerable to injection flaws, where untrusted data is sent as part of a command or query tricking the interpreter to execute unauthorized instructions, resulting in information disclosure, DoS, and host takeover.
  • API9:2019 Improper Assets Management: As APIs expose more endpoints than conventional web apps, accurate documentation is crucial for their security.
  • API10:2019 Insufficient Logging and Monitoring: Inefficient logging, monitoring, and inadequate integration with incident response allow cybercriminals to attack systems, retain persistence, and extract data.
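As an added illustration of API1 (object-level authorization) and API6 (mass assignment) from the list above, the following sketch places a handler that trusts client input beside a hardened one. It is not code from OWASP or from the original article; the invoice store, field names and function names are hypothetical.

```python
# Constructed in-memory data; every name in this example is hypothetical.
INVOICES = {
    101: {"owner": "alice", "amount": 40, "paid": False},
    102: {"owner": "bob", "amount": 75, "paid": False},
}
# Fields a client may change; "owner" and "paid" are server-controlled.
EDITABLE_FIELDS = {"amount"}


class Forbidden(Exception):
    """Raised when the caller is not authorized for the object."""


def get_invoice_vulnerable(user, invoice_id):
    # API1: trusts the identifier in the request, so any authenticated
    # user can read any invoice by changing the id.
    return INVOICES[invoice_id]


def get_invoice(user, invoice_id):
    # Object-level check: the authenticated user must own the object.
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice["owner"] != user:
        # Same error for "missing" and "not yours" avoids confirming valid ids.
        raise Forbidden(f"invoice {invoice_id} not accessible")
    return dict(invoice)


def update_invoice_vulnerable(user, invoice_id, body):
    # API6: binds every client-supplied key onto the internal object,
    # including server-controlled fields such as "paid" and "owner".
    INVOICES[invoice_id].update(body)
    return INVOICES[invoice_id]


def update_invoice(user, invoice_id, body):
    get_invoice(user, invoice_id)  # reuse the ownership check
    rejected = set(body) - EDITABLE_FIELDS
    if rejected:
        raise ValueError(f"fields not editable: {sorted(rejected)}")
    INVOICES[invoice_id].update(body)
    return dict(INVOICES[invoice_id])
```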




Address API Risks

Businesses must take API security seriously and regularly test APIs to examine their health, identify vulnerabilities, and address any issue using security best practices.

The majority of API vulnerabilities are related to broken authentication and authorization. Organizations must ensure that proper access control for authentication and authorization is in place. There are tools that provide an authentication framework for third-party services to access information without exposing sensitive data. All API-managed sensitive data must be encrypted at rest, as well as in transit. Signatures must be requested to ensure that data provided by APIs are modified only by authorized users.

Additional practices include rate limits on the frequency and method of API calls to prevent DoS attacks, the use of a service mesh to optimize access control, correct authentication, and the adoption of a zero-trust policy.
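One way to limit calls by both frequency and method is a token bucket kept per API key and HTTP method. The sketch below is an added example, not part of the original article; the policy values, key names and sample traffic are constructed assumptions.

```python
# Hypothetical policy: (refill rate per second, burst size) per HTTP method.
LIMITS = {"GET": (1.0, 3), "POST": (0.5, 1)}


class RateLimiter:
    """Token bucket per (API key, method); timestamps are passed in."""

    def __init__(self, limits):
        self.limits = limits
        self.buckets = {}  # (api_key, method) -> (tokens, last_timestamp)

    def allow(self, api_key, method, now):
        if method not in self.limits:
            return False  # deny methods that have no policy
        rate, burst = self.limits[method]
        tokens, last = self.buckets.get((api_key, method), (burst, now))
        # Refill for the elapsed time, never above the burst size.
        tokens = min(burst, tokens + (now - last) * rate)
        allowed = tokens >= 1
        self.buckets[(api_key, method)] = (tokens - 1 if allowed else tokens, now)
        return allowed


def replay(requests, limits=LIMITS):
    """Return the HTTP status each (timestamp, key, method) call would get."""
    limiter = RateLimiter(limits)
    return [200 if limiter.allow(k, m, t) else 429 for t, k, m in requests]


# Constructed traffic for the example.
SAMPLE = [
    (0.0, "key-A", "GET"), (0.1, "key-A", "GET"), (0.2, "key-A", "GET"),
    (0.3, "key-A", "GET"),   # fourth GET exceeds the burst of 3
    (0.4, "key-A", "POST"),  # POST has its own bucket
    (0.5, "key-A", "POST"),  # POST burst is 1, so this one is throttled
    (0.6, "key-B", "GET"),   # another client is unaffected
    (3.0, "key-A", "GET"),   # bucket has refilled
]
```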

Organizations must be able to detect and identify API vulnerabilities throughout the whole SDLC, from planning to production. Leaving an SDLC stage outside of the API security scope can be as disastrous as applying no API security at all. A successful DevSecOps program relies heavily on API hygiene; hence, discovered API vulnerabilities must be addressed effectively and fixed as quickly as possible.

Secure your APIs

It is crucial to comprehend the common API threats to create your API security perimeter and protect your organization’s APIs’ attack surface by applying best practices. The best API security is a specialized platform that uses AI and ML technology to monitor hundreds of attributes across millions of users and API calls in order to detect new and updated APIs, block API cyberattacks, and reduce vulnerabilities in the API build phase.

Christos Flessas

Christos Flessas is a Communications and Information Systems Engineer with more than 30 years of experience as an Officer of the Hellenic Air Force (HAF). He is an accredited NATO tactical evaluator in the Communication and Information Systems (CIS) area and the National Representative (NatRep) at Signal Intelligence CIS and at Navigation Warfare (NavWar) Working Groups. Christos holds an MSc in Guided Weapon Systems from Cranfield University, UK. He has also attended numerous online courses such as the Palo Alto Networks Academy Cybersecurity Foundation course. His experience covers a wide range of assignments including radar maintenance engineer, software developer for airborne radars, IT systems manager and Project Manager implementing major armament contracts. Christos is intrigued by new challenges, open-minded, and excited to explore the impact of cybersecurity on industrial, critical infrastructure, telecommunications, financial, aviation, and maritime sectors.


Copyright © 2018 – The Next Tech. All Rights Reserved.