Technology has been changing rapidly, giving organizations an unprecedented level of speed and benefit. As organizations embark on their digital transformation journeys, APIs are being leveraged in several different ways and are becoming increasingly central to the overall customer experience.
However, many enterprises have become accustomed to the security provided by their legacy applications. They are searching for a way to achieve the level of protection they need even as technology continues to advance rapidly.
In a recent webinar, API experts from Google Cloud, Allstate, APIsec, and Achieve Internet discussed how to integrate API security testing into the CI/CD pipeline and gain real-time visibility into API security issues. This article summarizes that webinar, which also reviewed the most common API vulnerabilities, including business logic faults, role-configuration issues and other non-conventional flaws.
There has been a dramatic shift in how organizations view APIs. As Shawn Smiley, CTO at Achieve Internet, pointed out, APIs were once used only by development teams to facilitate their internal processes, so there wasn't much consideration of the ramifications of those APIs being exposed. As the internet has grown and organizations have found new ways to leverage their APIs, those APIs have moved beyond their original silos, giving attackers more opportunities to exploit vulnerabilities. Now organizations are becoming more proactive, looking for ways to thwart attacks before they happen.
The OWASP API Security Top 10 and various other organizational and federal security mandates have changed the focus of the API security landscape as businesses expand their API ecosystems beyond their development teams.
For Byron Williams, Principal Engineer and API Evangelist at Allstate, enterprises need best practices that provide a consistent way of doing things: APIs should be delivered in a standard way, with a consistent look and feel and ease of use. At Allstate, the journey involves setting up an API center for enablement that brings everyone in the organization together from the bottom up instead of the top down. This creates an open-source-style environment in which learning and best practices can be established to deliver consistent APIs throughout the industry.
As a legacy insurance company, Allstate has been able to use APIs to provide roadside assistance to customers through a connected-car app, removing the need for calls to go through a call center. Eventually, this will open up the opportunity for Insurance as a Service, bringing all APIs into one ecosystem and making them scalable, robust and secure.
Sachin Kalra, Solutions Architect at Google, who works on Google's Apigee API management platform, explains that APIs have become part of the customer experience. As the connected experience continues to proliferate across different devices and touchpoints, organizations are looking for a platform to help with the digital transformation journey.
Brick-and-mortar companies have been embracing APIs as part of their modernization efforts, turning monolithic applications into microservices and containers. Dan Barahona, CMO and VP of Business Development at APIsec, points out that all of this is driven by APIs. These organizations now recognize that security needs to be prioritized, as APIs are part of IT operations' mission-critical functions, including how the backend is run, how sensitive data is stored and how transactions are managed.
So what are the common API security concerns organizations need to be aware of? What keeps the experts up at night?
Data needs to be secured in all instances, whether it is accessed internally or externally. Organizations need to take a proactive approach, monitoring analytics to uphold their APIs' integrity and confidentiality whether the APIs are in active use or not.
Are we as secure as we need to be?
Many organizations hold a great deal of personally identifiable information, including social security numbers and other details about their customers. If that data is breached, it can be detrimental to a brand. Therefore brands need appropriate logging and monitoring systems to determine whether an attacker has gained access to API keys. They need the ability to protect these keys, authenticate callers and monitor activity so that they learn of a compromise before it turns into a breach.
API attacks and breaches are becoming more publicized, with hundreds of millions of records exposed and harvested each time. However, today's successful breaches differ from what many security experts are accustomed to. Classic vulnerabilities such as SQL injection and cross-site scripting are giving way to logic flaws and loopholes: a missing ownership check on an object, or a role that can do more than it was meant to. These are harder for a researcher to discover and do not show up on a CVE list, because they are specific to one application's business rules rather than to a shared library. In the rush to push functionality and code, security doesn't always keep up, and these loopholes are also tricky to find with standard firewall or code-scanning approaches.
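The following is an added example, not code from the webinar or from any of the vendors named above. It shows why a business-logic flaw evades signature-based tools and how an automated test still catches it: the vulnerable handlers contain no injection or XSS, only a missing ownership check and an over-permissive role, and a role-matrix test that enumerates every caller, object and action combination finds both. All users, policies and role names are constructed sample data, and the business rules in `expected_allowed()` are an assumption for the example.

```python
"""Role-matrix test for object-level and role-level authorization flaws.
Added example; users, policies, roles and business rules are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    role: str  # "customer", "agent" or "admin" (assumed role names)


class Forbidden(Exception):
    """Raised by a handler that denies the request (would map to HTTP 403)."""


# Constructed sample data: policy id -> owning customer and premium
POLICIES = {
    "P-100": {"owner": "alice", "premium": 1200},
    "P-200": {"owner": "bob", "premium": 950},
}
USERS = [User("alice", "customer"), User("bob", "customer"),
         User("carol", "agent"), User("dave", "admin")]
ACTIONS = ("read", "delete")


def expected_allowed(caller: User, policy: dict, action: str) -> bool:
    """Ground truth from the assumed business rules: customers read only
    their own policies, agents read any policy but delete none, admins do
    anything."""
    if caller.role == "admin":
        return True
    if caller.role == "agent":
        return action == "read"
    return action == "read" and policy["owner"] == caller.name


# --- vulnerable handlers: authenticated caller, but authorization is wrong ---
def read_vulnerable(caller: User, policy_id: str) -> dict:
    # Object-level authorization is missing: any caller who can guess an id
    # reads someone else's policy. No scanner signature matches this.
    return POLICIES[policy_id]


def delete_vulnerable(caller: User, policy_id: str) -> dict:
    # Role configuration issue: the check was written as "not a customer"
    # instead of "is an admin", so agents can delete.
    if caller.role == "customer":
        raise Forbidden("customers cannot delete policies")
    return {"deleted": policy_id}  # simulated; the sample data is not mutated


# --- hardened handlers: enforce ownership and an explicit role allowlist ---
def read_hardened(caller: User, policy_id: str) -> dict:
    policy = POLICIES[policy_id]
    if caller.role not in ("agent", "admin") and policy["owner"] != caller.name:
        raise Forbidden(f"{caller.name} may not read {policy_id}")
    return policy


def delete_hardened(caller: User, policy_id: str) -> dict:
    if caller.role != "admin":
        raise Forbidden(f"{caller.name} may not delete {policy_id}")
    return {"deleted": policy_id}


VULNERABLE = {"read": read_vulnerable, "delete": delete_vulnerable}
HARDENED = {"read": read_hardened, "delete": delete_hardened}


def role_matrix_test(handlers: dict, users=USERS, policies=POLICIES) -> list:
    """Call every handler as every user against every object and return the
    combinations whose outcome contradicts expected_allowed(). A CI job can
    run this on each build, independent of any vulnerability signature list."""
    findings = []
    for user in users:
        for policy_id, policy in policies.items():
            for action in ACTIONS:
                try:
                    handlers[action](user, policy_id)
                    allowed = True
                except Forbidden:
                    allowed = False
                if allowed != expected_allowed(user, policy, action):
                    findings.append((user.name, action, policy_id,
                                     "allowed" if allowed else "denied"))
    return findings


if __name__ == "__main__":
    for label, handlers in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        for finding in role_matrix_test(handlers):
            print(label, *finding)
```

Against the vulnerable handlers the matrix reports four findings (each customer reading the other's policy, and the agent deleting both policies); against the hardened handlers it reports none. The same shape of test, driven from a real OpenAPI specification and a table of test identities per role, is what turns "logic flaws are hard to find" into a repeatable CI check.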
Coordinating an API security program across development teams, business units and sub-organizations can be a challenging undertaking. However, there are ways to create general security practices and maintain consistency throughout the organization.
By putting together a central source of best practices that is fed from the bottom up, organizations gather input from the people actually writing APIs. These API producers help create the best practices and can identify security issues as they come up, keeping everything as secure as possible.
When applications and services with many users at differing privilege levels access a service, organizations need a management solution that mitigates risk and provides strong authentication and session management. Implementing API key validation alone isn't enough: an API key identifies the calling application rather than the user or the permission being exercised, and it is a long-lived static secret that can leak. There needs to be a layered approach in which key validation is complemented with OAuth or JSON Web Tokens (JWTs) to protect against internal and external issues.
Each API has a unique purpose, audience and its own security requirements. Organizations need a way to manage these APIs in a central repository. For security, manual approaches to finding vulnerabilities, such as pen testing, need to be augmented with automated tests that find leakages elsewhere.
Organizations need to incorporate into their CI/CD processes a way of publishing API documentation to a central portal. This way there is a single source of truth for which APIs are available, where they are located and who is responsible for them.
Commonly this involves setting up a governance layer at the API layer and abstracting your API infrastructure from both your back-end and your front-end systems, so that it acts as the glue between your clients and your target back-end systems. This gives you the capability to do centralized governance at the API infrastructure or API platform layer.
This lets you onboard API and application developers and internal and external partners with a standardized approach to onboarding and API documentation. Version management and revision control also let you handle change, since APIs change regularly.
For many organizations, governance only becomes a concern after APIs are published. Going back to fix things later doesn't work: if documentation is inadequate, potential customers will go elsewhere to find better-documented APIs. Governance needs to be built in from the beginning and enforced in the development pipeline. Taking a bottom-up approach to governance reduces subjectivity and avoids the limitations of a sub-committee of only a few people who don't understand every aspect of the APIs.
Many organizations without this governance have both published and unpublished APIs, which can create vulnerabilities. These APIs need to be audited to document each API's risks and how to mitigate them.
IP whitelisting on your API provides a good base for API security but should be complemented with additional measures. Smaller organizations with few APIs may consider it an option, but it should still sit within a zero-trust model: allowlisted address ranges are often shared by many tenants behind NAT or cloud egress, and a compromised host inside an allowlisted network inherits its access. Organizations should combine IP whitelisting with other controls such as layered authentication, geofencing and more, to avoid relying on one form of protection.
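The layered check described in the two passages above (API key validation complemented with a scoped token, and IP whitelisting as one layer among several) can be written as a single gateway authorization function. The block below is an added example, not code from the webinar or from any vendor platform named in the article. The shared secret, the key table and its CIDR ranges, the scope names and the sample requests are all constructed; JWT signing and verification are done with the standard library so the block runs offline.

```python
"""Layered gateway check: source-IP allowlist, API key, scoped HS256 JWT.
Added example; secret, key table, CIDRs and requests are constructed."""
import base64
import hashlib
import hmac
import ipaddress
import json

JWT_SECRET = b"example-only-secret-change-me"  # assumed issuer/gateway secret

# Constructed key table: each key is pinned to the networks it may call from.
API_KEYS = {
    "key-acme-prod": {"partner": "acme", "allowed_cidrs": ["203.0.113.0/24"]},
}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(claims: dict, secret: bytes = JWT_SECRET) -> str:
    """Issue an HS256 token (used here only to build the sample requests)."""
    header = _b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_jwt(token: str, now: int, secret: bytes = JWT_SECRET):
    """Return the claims if the algorithm is the one we issue, the signature
    verifies and the token is unexpired; otherwise None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, sig = parts
    try:
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None  # refuse "none" and algorithm-confusion attempts
        expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(payload))
    except (ValueError, TypeError):
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims


def authorize(request: dict, now: int):
    """Each layer only narrows what the previous one allowed, so a leaked
    API key replayed from an allowlisted address still needs a valid,
    unexpired token carrying the scope the route requires."""
    key = API_KEYS.get(request.get("api_key"))
    if key is None:
        return False, "unknown api key"
    try:
        source = ipaddress.ip_address(request.get("source_ip", ""))
    except ValueError:
        return False, "malformed source ip"
    if not any(source in ipaddress.ip_network(c) for c in key["allowed_cidrs"]):
        return False, "source ip not allowlisted for this key"
    claims = verify_jwt(request.get("token", ""), now)
    if claims is None:
        return False, "invalid or expired token"
    if request["required_scope"] not in claims.get("scope", "").split():
        return False, "token lacks required scope"
    return True, f"ok: {key['partner']} as {claims.get('sub')}"


# Constructed sample requests evaluated at a fixed clock.
NOW = 1_700_000_000
GOOD_TOKEN = make_jwt({"sub": "svc-claims", "scope": "claims:read", "exp": NOW + 300})
EXPIRED_TOKEN = make_jwt({"sub": "svc-claims", "scope": "claims:read", "exp": NOW - 1})
FORGED_TOKEN = make_jwt({"sub": "svc-claims", "scope": "claims:read claims:write",
                         "exp": NOW + 300}, secret=b"attacker-guess")
BASE = {"api_key": "key-acme-prod", "source_ip": "203.0.113.42",
        "token": GOOD_TOKEN, "required_scope": "claims:read"}
SAMPLES = {
    "valid": dict(BASE),
    "key used from outside allowlist": dict(BASE, source_ip="198.51.100.7"),
    "expired token": dict(BASE, token=EXPIRED_TOKEN),
    "wrong scope": dict(BASE, required_scope="claims:write"),
    "forged token": dict(BASE, token=FORGED_TOKEN),
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(f"{name:32s} -> {authorize(req, NOW)}")
```

Only the first sample passes. The order of the layers is deliberate: the cheap checks (key lookup, CIDR match) run before the HMAC, and the gateway rejects before it ever looks at a token that was signed with the wrong key, has expired, or does not carry the scope the route needs.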
Monitoring is critical: without it, you won't know whether you've been breached. Every company suffers attacks daily, but the scope of a breach may remain unknown without proper monitoring.
APIs have fundamentally changed how often code is pushed to production. Classic security testing doesn't necessarily operate at the speed of DevOps, so tools that automate testing and are baked into the development cycle help organizations stop relying on reactive methods to respond to attacks.
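Two concrete detections give substance to the monitoring points made earlier (knowing whether an attacker has your API keys) and here (knowing whether you have been breached at all). The block below is an added example, not code from the webinar or any vendor tool. The log records are constructed JSON lines with an epoch timestamp, API key, source IP, status and path; the window and thresholds are assumptions to be tuned against real traffic.

```python
"""Detections over API gateway access logs: a key used from too many
source addresses, and a caller collecting too many 401/403 responses.
Added example; the log lines and thresholds are constructed."""
import json
from collections import defaultdict

# Constructed gateway log (JSON lines). k-alpha is normal traffic, k-beta is
# one key replayed from five addresses, k-gamma is one caller probing ids.
SAMPLE_LOG = """\
{"ts": 1700000000, "api_key": "k-alpha", "src_ip": "203.0.113.10", "status": 200, "path": "/v1/policies/P-100"}
{"ts": 1700000030, "api_key": "k-alpha", "src_ip": "203.0.113.10", "status": 200, "path": "/v1/policies/P-100"}
{"ts": 1700000060, "api_key": "k-alpha", "src_ip": "203.0.113.10", "status": 200, "path": "/v1/claims"}
{"ts": 1700000090, "api_key": "k-alpha", "src_ip": "203.0.113.10", "status": 200, "path": "/v1/claims"}
{"ts": 1700000100, "api_key": "k-beta", "src_ip": "198.51.100.20", "status": 200, "path": "/v1/policies/P-200"}
{"ts": 1700000120, "api_key": "k-beta", "src_ip": "198.51.100.21", "status": 200, "path": "/v1/policies/P-200"}
{"ts": 1700000140, "api_key": "k-beta", "src_ip": "198.51.100.22", "status": 200, "path": "/v1/policies/P-200"}
{"ts": 1700000160, "api_key": "k-beta", "src_ip": "198.51.100.23", "status": 200, "path": "/v1/policies/P-200"}
{"ts": 1700000180, "api_key": "k-beta", "src_ip": "198.51.100.24", "status": 200, "path": "/v1/policies/P-200"}
{"ts": 1700000300, "api_key": "k-gamma", "src_ip": "198.51.100.9", "status": 403, "path": "/v1/policies/P-101"}
{"ts": 1700000310, "api_key": "k-gamma", "src_ip": "198.51.100.9", "status": 403, "path": "/v1/policies/P-102"}
{"ts": 1700000320, "api_key": "k-gamma", "src_ip": "198.51.100.9", "status": 403, "path": "/v1/policies/P-103"}
{"ts": 1700000330, "api_key": "k-gamma", "src_ip": "198.51.100.9", "status": 403, "path": "/v1/policies/P-104"}
{"ts": 1700000340, "api_key": "k-gamma", "src_ip": "198.51.100.9", "status": 403, "path": "/v1/policies/P-105"}
{"ts": 1700000350, "api_key": "k-gamma", "src_ip": "198.51.100.9", "status": 401, "path": "/v1/policies/P-106"}
{"ts": 1700000360, "api_key": "k-gamma", "src_ip": "198.51.100.9", "status": 403, "path": "/v1/policies/P-107"}
"""


def parse_log(text: str) -> list:
    """Parse JSON-lines gateway output, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_key_abuse(records: list, window_seconds: int = 300,
                     max_ips: int = 3, max_denials: int = 5) -> list:
    """Slide a time window over each key's requests and report keys that
    exceed the distinct-source or denial thresholds. Returns a sorted list
    of (api_key, rule, detail), one entry per key and rule."""
    by_key = defaultdict(list)
    for rec in records:
        by_key[rec["api_key"]].append(rec)
    findings = {}
    for key, recs in by_key.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end, rec in enumerate(recs):
            # drop records that fell out of the window ending at this request
            while recs[start]["ts"] < rec["ts"] - window_seconds:
                start += 1
            window = recs[start:end + 1]
            ips = {r["src_ip"] for r in window}
            denials = sum(1 for r in window if r["status"] in (401, 403))
            if len(ips) > max_ips:
                findings[(key, "shared-key")] = (
                    f"{len(ips)} distinct source IPs within {window_seconds}s")
            if denials > max_denials:
                findings[(key, "auth-probing")] = (
                    f"{denials} 401/403 responses within {window_seconds}s")
    return sorted((k, rule, detail) for (k, rule), detail in findings.items())


if __name__ == "__main__":
    for finding in detect_key_abuse(parse_log(SAMPLE_LOG)):
        print(*finding)
```

The first rule is the one that answers "does someone else have my key": a server-side integration key should come from a stable, small set of addresses, so a burst of new sources is the signature of a leaked credential. The second rule catches the enumeration that precedes exploitation of the object-level flaws discussed earlier, because an attacker guessing identifiers collects many 403s before the first 200 that matters. Both need the gateway to log the key identifier (never the key itself) and the upstream status.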
Software configuration analysis tests need to be included in the process to avoid security misconfigurations. With the help of API management solutions, organizations can achieve granular control to monitor and mitigate risks continuously.
Finally, the experts pointed out that training on API security through resources such as Cisco, API Academy and others can arm companies with what they need to stay aware of best practices and educate others within their organization.
Testing and securing APIs is an ongoing process that needs to be incorporated throughout the development lifecycle. Organizations need their API security to operate at the pace of DevOps and match how quickly new code gets pushed to production. With APIsec, you can locate API logic flaws before production with automated testing.