Many organisations are working to modernise their existing applications and integrate secure apps across their environments to keep pace with business demands. Modern application development relies on Application Programming Interfaces (APIs), which enable services and products to communicate with each other and leverage each other’s data and functionality to support business operations. APIs are business critical – the most popular web applications and innovative services run on APIs. While APIs help businesses accomplish many strategic and operational goals, simplify software development and improve user experience, they are not without risks. Because APIs connect services and transfer all types of data, including sensitive data, APIs are vulnerable to attacks that may result in costly data breaches.
APIs are Used for Communication and Data Transfer
An API is technology that is driven by a set of defined rules that allow software applications to communicate with each other. The API acts as a middleman between machines, applications or services that want to connect with each other for a specified task. APIs use defined protocols to enable developers to build, connect and integrate applications quickly and at scale.
How Do APIs Work?
An API works using a call request-data transfer format. In a client application-web service scenario, a client application initiates an API call (or request) to retrieve information. This request is processed from an application to the web server via the API’s Uniform Resource Identifier (URI). After receiving a valid request, the API (the intermediary or middleman) makes a call to the web server. The server sends the requested information in its response to the API, and the API transfers the data to the application that initiated the API call (or request).
An API works similarly to a waiter or waitress who acts as an intermediary between the chef in the kitchen and a customer in a restaurant. When a customer places an order with a waiter, the waiter communicates the details of the order to the chef. The chef responds to the order details by preparing the order and giving it to the waiter. In this scenario, the customer represents the initial API call, the waiter represents the API and the chef in the kitchen represents the server. When the chef (i.e., the server) provides the information to the waiter and the waiter provides the information to the customer, this act represents the transfer of data. Given the exchange of data, this process must remain secure.
API security involves protection of the APIs that an organisation owns and uses. Properly secured APIs create an additional layer between the data being transferred and the server. APIs may be leveraged to quickly authenticate users who log in to websites using their social media profiles, for example. This login approach decreases the time and energy it takes for the user to join or create a profile on every website that requires a login to view information or participate in their community. APIs also protect sensitive payment details by allowing users to pay for products online without exposing any sensitive financial data to the eCommerce shop through the use of trusted third-party payment processing.
While APIs offer great benefits, including increased efficiency for businesses and a better web and application user experience for end users, they are also a target for attacks. Bad actors realise how lucrative it can be to target APIs, since they direct traffic to an organisation’s most valuable data and services. And APIs are challenging to secure since traditional security tooling can’t protect APIs.
Organisations also have a lot of APIs for which they lack visibility, also known as shadow APIs, and older APIs they should have decommissioned, also known as zombie APIs. Organisations cannot secure or manage what’s invisible to them. Part of API security is discovering APIs that fall within this category and properly managing them to mitigate risk.
Secure APIs Against Attacks and Breaches
Securing APIs against attacks is critical for businesses as API use increases and the attack surface expands. Common attacks against web APIs include credential stuffing attacks, account takeover attacks, API call request manipulation, distributed denial-of-service (DDoS) attacks, and Man-in-the Middle attacks. Having APIs hacked or abused may have far-reaching consequences such as data breaches, data exfiltration, or slow and even fully disrupted service.
Organisations must invest in implementing API security best practices such as API testing (before production) to identify issues that may allow a bad actor to exploit a vulnerability. To mitigate the risks inherent in APIs, an organisation should take six actions to protect their existing APIs:
- Identify APIs across the organisation to avoid the risk of shadow or zombie APIs
- Use fine-grain access controls for each API to authenticate users and avoid broken user authentication
- Implement encryption methods to ensure the secure transfer of data
- Implement a rate limit for the number of API requests to mitigate PI abuse
- Ensure collaboration between developer, information technology (IT) and security teams
Organisations that inventory and manage their APIs are on the right track, but it’s not enough. Every organisation has those unknown or forgotten APIs. Implementing strong access controls is critical because APIs provide an entry point to enterprise assets, including personal and sensitive data. Without cryptographical measures to encrypt data in transit, data transferred using an API is at risk for modification and unauthorised use. Flagging when a given user is making too many API requests will help prevent brute-force attacks or service disruptions.
The reputational harm of an API breach or a leaky API can be costly, and real dollar costs, in the form of privacy violation fines, can also be very painful. Organisations looking to successfully manage and secure their APIs need that security to be a shared responsibility across many groups, especially developers and security teams.
APIs must be secured using API security best practices. API management platforms help, with support for authentication and authorisation. But they cannot discover all APIs in an organisation and they cannot detect runtime attacks. Additional API security tooling that monitors API activity in real-time – by user and by API – is essential to protecting APIs.
About the Author: Ambler Jackson is an attorney with an extensive background in corporate governance, regulatory compliance, and privacy law. She currently consults on governance, risk and compliance, enterprise data management, and data privacy and security matters in Washington, DC. She also writes with Bora about today’s most important cybersecurity and regulatory compliance issues.