From garage door openers to multi-million dollar tractors, API feeds open up security vulnerabilities on devices in homes, offices, manufacturing plants and job sites everywhere. The open nature of these data feeds makes the service both convenient and risky. APIs make it easy for partners to access data and information, but they also leave the door open for bad actors as well.
In May, Peloton’s leaky API exposed user data to the public, including birthdate, gender, location, even for accounts set to private.
Hundreds of third-party apps in Android devices were given access to sensitive data logged by contact-tracing apps built on Google and Apple’s API, according to reports from security researchers in April.
Also in April, security researchers found that John Deere also had API security vulnerabilities that could have allowed hackers to see a vehicle owner’s name, address and the vehicle’s VIN. There’s no evidence that this information was accessed by a bad actor.
Jason Kent, the hacker in residence at Cequence Security, said stealing API data requires very little effort.
“With the Peloton hack, the reaction was, ‘What a boring attack, who would have thought it would be so easy?'” he said.
Kent said that the problem is that companies are allowing more third-party implementations without securing access to the data, which then causes data leakage.
“If you think about web security from 2009, we are in the same place we were then with APIs,” he said.
Kent said that buying a smart garage door opener sparked his interest in the security of APIs. He identified potential security problems with the app that controlled the opener and took his findings to the company.
“When I made the report to them, the response was, ‘That seems hard to do,’ but from the point of view of someone who wants in and wants to attack, it’s not,” he said.
Sandy Carielli, a principal analyst at Forrester, said that companies have a responsibility to secure their own APIs.
“If you are making APIs available, you have to secure them,” she said. “You can’t depend on customers, external partners or other people making the API call.”
SEE: 91% of enterprise pros experienced an API security incident in 2020 (TechRepublic)
The challenge is that there’s no single tool for securing APIs, she said. Instead companies need to address current security risks and change operating procedures as well.
How to improve API security
Kent and Carielli shared this advice for improving API security in the short term and the long term.
Look at the traffic to your APIs
This will give you an idea of who is using your feeds and is a good starting point for understanding potential security problems, Kent said.
“If I read through the traffic that is coming through, it can illustrate how an attacker is going to use the information,” he said.
Set security standards for all APIs
Another good place to start is with the OWASP API standards. The list of 10 best practices for securing APIs covers a lot of ground.
“That will make you change the way you approach writing code for security,” he said.
Kent said the industry needs to set overall security standards as well, something similar to the Payment Card Industry Data Security Standard. Companies that violate that standard run the risk of losing the ability to process credit cards.
“Compliance doesn’t equate to security, but it does equate to dollars and boardroom visits,” he said.
Review authorization and authentication permissions
The first item on the OWASP list is “broken object level authentication.”
Kent said that he finds this problem on every API that he reviews and that there are simple tests that can identify problems. He suggests starting with permissions, such as determining whether a user can edit his own profile as well as another user’s.
“Anyone can touch it, anyone can see it–we need to have that kind of mentality when we think about how to secure it,” Kent said.
Carielli said that the other challenge is that security controls must be implemented throughout the lifecycle of the API from development to deployment and beyond.
“You have to be paying attention the entire time,” she said.
Bring the procurement team into the conversation
Another operational change is making security concerns part of the buying process. Kent said procurement teams should start adding security issues to contract language, such as adding a price tag to a security breach.
“If you go out and purchase something, procurement would beat them up in contract language about security stuff,” he said. “You have to take a multifaceted approach to ensure that security is built into everything.”
Do an API inventory
Carielli said she is always surprised by the volume of APIs that companies have in use and Kent said he worked with a customer with 25,000 end points.
Carielli said that governance is a big part of securing APIs and companies have to keep track of what has been deployed.
“There are always issues with insufficient discovery and many security issues are due to past authentications,” she said.
Invest in API tooling
Carielli said she is actually somewhat optimistic about the state of API security because security teams are paying attention to the problem and investing in API tooling.
“There are more deployment side tools that are analyzing API calls looking at how API calls are responded to as well as API gateways to handle authorization and authentication,” she said.
Kent said that having an API security standard makes it easier to spot potential risks.
“If you publish one, we can take that and consume it and see if you are in or out of spec,” he said.
Make security training for developers a priority
Carielli said that most developers don’t get a lot of training on how to write secure code.
“It’s on the organization to do that training and put in the controls early in the development pipeline so you can find and fix vulnerabilities,” Carielli said.
Kent said that the long-term fix is to make sure that developers at all skill levels understand how to write secure code, not just the experienced software engineers who are working in DevSecOps.
“This is our challenge for the future, but finding the flaws along the way is where we are now,” he said.