Just a few short years after Forbes declared the Year of the API Economy, it seems we’re there. We reside in a customer-focused world where the customer experiences in buying journeys are paramount. Also, members of the C-suite have recognized that APIs are more than technology but now form part of the company’s business models and digital strategies.
Monetizing API offerings is becoming more and more common as a digital strategy for businesses, and the potential ROI is attractive. As pointed out in the Harvard Business Review a few years ago, Salesforce earns half of its revenue through its API offerings, and Expedia generates roughly 90% of its revenue from its API offerings.
API offerings promote innovation around a company’s ecosystem, both internally and with partners and users. They help developers avoid reinventing the same wheel over and over, providing well-documented and standard interfaces to build on top of.
With a lower barrier of entry to new services, APIs also allow the creation of more personalized experiences for individual users. But the past couple of years have been trying for DevOps and infrastructure teams responsible for the security of their organization’s critical business applications.
In this article, we’ll outline the risks that APIs can pose to an organization, explain why they’re so challenging to address, and highlight how automated security testing can keep APIs and other IT infrastructure safe.
Mobile and web apps are able to communicate with each other using APIs, and technology is available to protect and scan the code of these applications for vulnerabilities. While that is sufficient for internal APIs, many of today’s APIs are exposed as public APIs.
Such APIs are externally visible and can be consumed by customers and partners. This has enabled organizations to transform their legacy applications into a microservice-based structure which provides several benefits. However, it has also made these external APIs a ripe target for hackers because of:
Website page read requests and a few endpoints to process forms data submissions like newsletter signups, offering both users and attackers a relatively small feature or attack surface. In contrast, REST APIs usually expose substantially more of the application’s internal API to users. Hackers see this flexibility as a programmatic access point directly into backend data and functionality.
APIs offer hackers direct access to backend data and systems. These undersecured vulnerabilities can be difficult to find, but hackers can take advantage of exposed APIs in a number of ways, including Broken Object Level Authorization, Broken Authentication, Excessive Data Exposure, Lack of Resources & Rate Limiting, and Broken Level Function Assignment.
APIs are implemented eventually as function calls and will return whatever functionality or data they were written to provide. REST APIs generally aren’t flexible in the data fields that they return for an item and often over-deliver.
A common pattern in frontend UI applications is to ignore the unneeded data returned in the API response’s raw information and to rely on the UI to format, filter, and present data to users. As OWASP notes, this often leads to “developers tend[ing] to expose all object properties without considering their individual sensitivity, relying on clients to perform the data filtering before displaying it to the user”.
For an attacker, the API response may be full of sensitive and valuable information. User metadata sufficient to geolocate that user’s present physical location has been a past issue, showing the severity of risk of inadvertently exposing excessive data.
Granular authorization for elements in an API application is a tough task for developers. Administrators want the flexibility to give access to functionality and data according to their own business rules and to do so without complexity.
Unfortunately, that’s difficult to provide, and application code can be quite vulnerable to privilege escalation attacks, allowing an attacker to impersonate another user’s identity.
Zero-day vulnerabilities are an exploit that’s been discovered, either by security tooling, security researchers, or hackers. Vulnerabilities due to business logic errors in your company’s applications are also zero-day vulnerabilities but are unlikely to be discovered (and reported) by security researchers.
Unfortunately, the burden falls on companies to find any vulnerabilities that are present in their API applications. For example, Corey Ball, a Cybersecurity Consulting Manager and author of the forthcoming book Hacking APIs believes that either you will find them or an attacker will, and if you don’t test it, someone will do it for you.
Because they’re often available publicly, APIs are usually well documented or easy to reverse engineer. Given that they are often the easiest attack vector for accessing sensitive customer and internal data, APIs are attractive targets for bad actors.
In response to numerous high-profile breaches of cloud-based API offerings and theft of user data, a number of governmental and industry organizations have established standards and requirements for cloud security practices: FedRAMP, GDPR, HIPAA, HHS Interoperability, and others.
These rules usually define the types of data that should be safeguarded, the accepted data exchange processes, and reporting requirements. API security is a critical layer in compliance standards, focused on protecting sensitive user data.
Standard first lines of defense for cloud deployments employ time-tested strategies that have proven their usefulness in on-premise deployments. Continuous integration pipelines are usually bolstered with static analysis and code quality tools that focus on classic security vulnerabilities.
While the output from these approaches doesn’t in itself ensure a secure deployment, they can indicate problems for further investigation like the use of insecure language methods, the inclusion of vulnerable code libraries, and code that isn’t covered by unit or functional tests. These SAST and DAST tools do not directly evaluate an application’s business logic for errors.
Live APIs are usually secured with inline, traffic-based solutions. Web Application Firewalls (WAF) and API-aware traffic inspectors can fingerprint incoming traffic, identifying and blocking or reporting suspicious traffic as it enters the network in real-time.
Traffic-based approaches can be heavy-handed, blocking entire networks and even continents from accessing resources. They are often ineffective against zero-day exploits where there’s no base of knowledge to identify malicious traffic. Also, they do little to protect against business logic errors that allow access to resources that should be forbidden to a user.
To circumvent these attacks, organizations need to incorporate completing testing coverage that involves the entire API and not just a few endpoints. This includes coverage for every endpoint, attack vector, method, and variable.
Many organizations also conduct manual penetration testing. The tester will create a suite of tests based on their experience and knowledge of a company’s API footprint. Some tests scenarios are widely applicable, like simulated distributed denial-of-service attacks, and others are tailored for specific endpoints. Pen tests are often scheduled on a periodic basis and don’t generally align with continuous deployments. They also rely heavily on the experience of the person designing the test suite.
Unfortunately, this periodic testing needs to be done on a continuous basis. Organizations need continued visibility of their APIs so that they know the current state of APIs at all times and can take preventative and corrective measures as required before waiting until it’s too late.
In addition to being expansive and complex, cloud-deployed workloads change fast. The introduction of solid continuous deployment pipelines that allow single-button rollbacks in case of problems encourages rapid rollout of new features: a great force multiplier for the business but challenging for operations and security because APIs often get updated weekly or even daily.
In contrast with the rapid evolution of an API offering, using manual pen testing to discover business logic errors often happens much less frequently.
Given the expense and scope of work, pen tests are often scheduled to occur monthly, quarterly, or even semi-annually. Since production can’t wait for the next manual pen test to complete and maintain their innovation velocity, the code ends up going live without assurance that the last sprint didn’t add any vulnerabilities.
Manual pen-testing involves creating a suite of test scenarios based on the security professional’s knowledge of the API and potential vulnerabilities. The approach generally doesn’t have complete test coverage as a goal, as even modest API offerings can quickly run into thousands of unique test scenarios.
As an example, an API with fifty endpoints and the standard HTTP methods, with test scenarios for ten attack vectors on each endpoint and standard method, requires some 2,000 unique tests.
APIs often have many more endpoints, support multiple methods, and be attacked in many ways. And attackers only need to be right once: they can look for the one missed corner that allows them to manipulate the API and gain unauthorized access.
A manual pen-tester is constrained in time and creativity to create robust testing suites for a particular API offering. Organizations with many APIs have to prioritize which ones are pen-tested on a schedule and which are left alone.
API offerings are increasingly powerful, versatile, and widely used in all industries, including financial services, healthcare, retail, and professional services like legal firms. At the same time, cybercriminals are continually working on new tactics to breach and compromise data at firms of all sizes.
While traditional security techniques like code analysis, application firewalling, and manual penetration testing are valuable, they struggle to address the most common API attack vector: the business logic that powers APIs.
APIsec is an automated security scanning and compliance reporting service that provides comprehensive security testing of your organization’s API offerings. This approach is 100% automated, configured as part of your continuous integration pipeline, and allows critical API vulnerabilities to be addressed before a company’s product reaches production.
APIsec delivers continuous API security, with complete test coverage, that operates at CI/CD speed. If you want to learn more about APIsec’s API security service, read more here: How does APIsec secure my APIs-An Explainer.