4 tips to help keep your APIs safe

Security analysts say multifactor authentication is an absolute must for any company running multiple interfaces.

API first strategy and Mulesoft help Pilot Flying J break down data silos Pilot Flying J uses MuleSoft, which enables the integration of data from locations across North America and increases the quality of service provided to its customers.

So many of the biggest breaches these days involve APIs, which help power almost all of your favorite apps and platforms. 

APIs have made all of our lives easier by giving companies an easy way to share information and data with one another. The best examples are rideshare apps like Uber and Lyft.

Dozens of APIs are required to give you the experience you demand as a customer, including tools that bring up your profile, connect the app to your bank account, identify your location, find the location of nearby drivers and determine routes.

"Any online service or mobile app where you have to put in your credit card number can be affected by API abuse. The most common things you see now are credential stuffing and abuse of the business logic of the application, like verifying email addresses, credit card numbers or gift cards," said Zane Lackey, co-founder and CSO of the cybersecurity company Signal Sciences. 

SEE: Implementing DevOps: A guide for IT pros (free PDF) (TechRepublic)

Gartner has already released worrying predictions for the future of API security, writing in a recent report that by 2022, API abuse will become the most common attack seen by security teams.

Gartner added in another study that in 2019, 40% of web-enabled applications will have more surface area for attack in the form of exposed APIs rather than the user interface. That number will reach 90% by 2021 according to its predictions. 

With all of these different APIs sending and receiving so much valuable information, there is risk. Some of the world's biggest companies now manage hundreds of APIs and rely on small third-party enterprises to provide critical functions for their online business. 

Etay Maor, chief security officer at IntSights, said that when you dig deeper into many breaches, the root cause often points back to APIs being abused or accessed by malicious actors. 

"There was a famous breach last year at the IRS, where attackers used a database and were downloading taxpayer information. One of the new systems launched in 2014 where end-users could download all their information and so that's exactly what the criminals did through the API," Maor said. 

"700,000 taxpayers information was downloaded. Some of the attacks you read about, if you go deeper, you find out that it was an abuse of the API, a combination of vulnerable APIs and somebody who obtained a database of users and then started to attack that API."

TechRepublic spoke to security experts and researchers about four steps enterprises can take to protect their APIs.

1. Manage authentications

Beyond the basic security measures every organization should have, a key to protecting APIs is making sure you know who is using what and who has access to what. 

One of the biggest problems enterprises face is credential stuffing, where crybercriminals use databases of stolen emails and passwords to bombard APIs with thousands of bogus requests. 

Lackey said as more companies move to web apps as their main mode of interaction with customers, criminals are pivoting toward attacking the APIs that power mobile apps.

"Attackers are now buying big stolen lists of credentials and retrying those against every service they can think of," Lackey said. "Once they discover the accounts, they'll then attack the business logic of the application. Their objective is 'I want to log into the account and update the mailing address for the customer account that I just stole so that all the goods get delivered to my mailing address.'"

To protect against this kind of credential stuffing, enterprises should use stringent multifactor authentication, according to Ben Waugh, chief security officer at the a healthcare data integration company Redox.

Redox helps healthcare institutions use technology, like APIs, to improve systems and share information. Waugh said for high-risk industries like healthcare, multifactor authentication was an absolute must and enterprises should go even further by forcing people to use lengthy, complicated passwords instead of ones they come up with on their own.

But due to advances in the kind of technology cybercriminals use, even using phone numbers as an extra layer of security was not enough. 

"What I see more and more of, particularly for high-risk sites, is more and more SIM swapping, which means folks really need to move away from SMS-based multifactor authentication because for high-risk targets, it's simply not effective anymore," Waugh said.

The Open Web Application Security Project recently released an API Security Top 10 report that said authentication mechanisms "are often implemented incorrectly, allowing attackers to compromise authentication tokens or to exploit implementation flaws to assume other users' identities temporarily or permanently. 

"Compromising a system's ability to identify the client/user, compromises API security overall," the Open Web Application Security Project report added. 

2. Check authorizations

Now that many companies manage hundreds of APIs, it can be difficult to keep track of who or what is authorized to use or access certain information. 

Waugh said enterprises should worry about how information is being passed around with APIs. It's generally more difficult to detect attacks on APIs because each API request is hard to differentiate from others and cybercriminals make a point of  overwhelming systems with thousands of attempted attacks.  

"API attacks tend to be much more well-targeted. They will follow the API specifications but ultimately it's still the same type of attack as anything else. It's still attempting to access some other indirect resource, so you need to ensure that you're properly checking that every request is authorized to access a particular resource that it's requesting," Waugh said.

"They might be attempting to attack some downstream microservers or some other downstream service through an injection attack," he added.

 "Most people have APIs in a microserver architecture, so they're passing requests from one service to another. You should really think about and understand what service is responsible for what when it comes to sanitizing that input and handling it securely all the way down that chain. Many folks tend to assume that some other part of the system is doing something."

Enterprises should have a clear understanding of who is in charge of what and avoid assuming that something else has authorized it upstream.

In many cases enterprises do the authentication part but fail to handle the authorization needed to protect themselves, Waugh said. 

"They'll say, 'Yup, this is a valid API key, therefore this must be a valid request' and then some downstream service will handle the resource request itself and it will not actually check who the actor that is requesting this resource and they'll assume that that first front end did the authorization," he said.

The OAS report added that "object-level authorization checks should be considered in every function that accesses a data source using input from the user."

3. Organize security team setup

Every analyst mentioned the need for security teams to set up in an organized way that involved the whole company. 

Lackey, who spent years as a CISO with the e-commerce site Etsy, said many of the API security issues companies have usually originate from the separation between development teams and security teams.

Traditionally, security teams were focused primarily on the infrastructure or network layer and generally stayed away from the applications, he said. But systemwide visibility is now a must for every security team.

"This is what we learned very painfully at Etsy. If you're going through digital transformation or DevOps or a cloud journey, the only way you scale and effectively and defend yourself is by getting visibility that not only one of those groups can use but actually all of them."

"You need to get visibility into how people are trying to abuse those applications, but it has to be done in a way where the development teams, the DevOps teams and security teams can all use it," Lackey said.

Legacy cybersecurity systems required highly trained security officials to manage them but more modern tools take advantage of AI and other technology to lighten the load for defenders. 

Shadow IT is a major problem for companies as departments embark on their own projects and allow outside services into an organization's system. Waugh noted that in the past, IT departments would handle all outside accounts and review them for security, but those days are long gone.

"There is no such thing as IT anymore. Our entire business is what we're responsible for and our entire business works closely with the IT security team on whatever we end up deploying or using," Waugh said.

4. Scrutinize third parties

Even when enterprises do all the right things and make sure everything is protected, they can still be at risk of breaches or attacks thanks to third-party services.

Waugh said a fair chunk of the breaches he sees are not direct attacks on a company system but a compromise of a third party that has access to that system to process data. 

"As an industry, we do a really poor job of understanding risk when it comes to third parties. As much as we work to keep ourselves secure, we have a very limited understanding of what third parties we have out there. How do we secure those?" he said. 

Companies should have a thorough understanding of  third-party partners accessing their data, sending them security questionnaire, requests for certifications or demanding reports. But even this, Waugh said, can still leave companies vulnerable to attacks.

Last year India's national ID database, which has identity and biometric information like fingerprints and iris scans on more than 1.1 billion registered Indian citizens, was exposed through a vulnerable API.

According to ZDNet's Zach Whittaker, a utility provider, Indane, had access to the Aadhaar database through an API, which the company relies on to check a customer's status and verify their identity. 

The company did not secure the API and as a result, anyone had access to private data on each Aadhaar holder, even those that were not customers of that particular utility. 

According to one researcher, a URL on the company's domain was the API's endpoint and it had no access controls in place. The researcher also found that the API had set up no rate limits, meaning cybercriminals were able to work through through trillions of permutations until they were successful. 

Also see

istock-854566388-1.jpg

NicoElNino, Getty Images/iStockphoto