This post was originally published to The New Stack.
TLDR:
- Demand for APIs has skyrocketed, and securing them can be a challenge.
- The Open Web Application Security Project (OWASP) released the “API Security Top 10,” which helps raise awareness of the most common security risks affecting APIs.
- In this post, we explain the top 10 ways to manage common API security risks, including discovery, runtime maintenance and more.
In a world where the information age is at its zenith, with hundreds of thousands of applications being launched every day, the use and demand for application programming Interfaces (APIs) has increased significantly. Powered by open web technologies, APIs have transformed interdependence and partnerships between various commercial enterprises and sectors, allowing them to extend their offerings through in-app connections. Following the growing popularity of microservices and the perpetual need to reduce time to market (TTM) for new products, more developers and entrepreneurs are designing and integrating APIs than ever before.
This increased API usage, however, comes with its complications – a major one being security. APIs are popular among hackers because they enable direct access to stored sensitive data and allow them to quickly circumvent security measures. Given the interconnectedness of modern applications and microservices, API security management is critical for all stakeholders involved. Gartner predicts that API attacks will become the most-frequent attack vector for data breaches in enterprise web applications. API misuse or malicious attacks can disrupt applications or cause a loss of service, resulting in lost revenue, customer frustration and the potential disclosure of sensitive data.
In this post, we will discuss API security risks and explain 10 key ways to manage them.
Common API Security Risks
The increase in API-related security threats in recent years has prompted the Open Web Application Security Project (OWASP) to release the “API Security Top 10,” which helps raise awareness of the most common security risks affecting APIs. The OWASP Top 10 API security challenges include broken object-level authorization, broken user authentication, excessive data exposure, lack of resources and rate limiting, broken function-level authorization, mass assignment, security misconfiguration, injection, improper asset management, and insufficient logging and monitoring.
API-based attacks continue to rise exponentially as hackers target known API security vulnerabilities. For distributed denial of service (DDoS) attacks, for example, an attacker bombards an API with multiple simultaneous requests within a short period; consequently, this affects the API’s responsiveness and renders the service unavailable to users.
The Top 10 Ways to Manage API Security Risks
Regardless of whether an API was built from scratch or integrated from a third-party source, securing it requires organized and active end-to-end visibility. APIs figure prominently into the software delivery life cycle, and their security depends on how well the CI/CD workflows follow best practices for API development.
1. API Discovery
As API changes occur and new versions are developed, it is easy to miss untracked updates and undocumented parameters that could present entry points for attackers. According to Sandy Carielli, a principal analyst with Forrester Research, “companies do not know the extent of their API inventory and whether those application interfaces are secure.” This is why API discovery is a best practice for ensuring proper API asset management. API discovery gives you an extensive view of the API attack surface with no blind spots and a continuously up-to-date inventory.
A good API discovery solution ensures a thorough understanding of the API endpoints, parameters, attributes and interpretations of the API protocols used (including gRPC, GraphQL, SOAPand REST), as well as the discovery of any third-party API configurations. It should also spot any API changes and version updates while also discovering patterns in application usage.
2. API Risk Detection and Remediation
The security posture of your API is primarily determined by how efficiently and quickly you are able to manage threats based on their severity. A good API management framework should be able to detect and remediate your API threats to prevent escalation. You must first understand the extent of the sensitive data exposure, as well as the risk level of the affected API endpoints and policy violations. Additionally, it should use this prior knowledge to identify, prioritize and address the API security and compliance risks that were found.
3. API Runtime Maintenance
At runtime, API security is at risk as attackers try to infiltrate applications at different endpoints. A good API security solution ensures API protection at runtime by detecting and preventing attacks as well as protecting sensitive data against exfiltration. It also flags any anomalies, tracks recently added or deleted APIs and monitors API drift.
4. Data Encryption of all Requests and Responses
Data encryption is the process of converting human-readable plain text into another form, such as codetext or ciphertext. The encrypted data is only accessible using an encryption key, and decrypted data is accessed using a decryption key. In APIs, the encryption of requests and responses ensures that any data being transferred between the user and the API server is protected from attacks. It guarantees that the data will be of no use to the attacker if it is intercepted at any point, since the attacker will not have the encryption key.
5. Implement API Gateways
An API gateway is a software pattern that connects a client to a set of backend services. It accepts all API requests from customers and routes them to the relevant microservice. In terms of security, API gateways operate as gatekeepers, checking your identification (authentication) and whether you have permission to get in (authorization). This way, API gateways offer an additional layer of security and control. They also validate incoming requests using an authentication method specified in their service configurations before delivering them to the API backend.
6. Use OAuth and OpenID Connect
Access control for authentication and authorization is a critical part of API security management. Open Authentication (OAuth) collaborates with OpenID Connect to standardize authentication and authorization. OAuth is an open standard authorization mechanism that uses tokens to allow third-party websites or applications to get information from another system without exposing user credentials. OpenID Connect is a simple overlay built on top of the OAuth protocol that allows clients to verify end user identities and obtain profile information.
7. Identify Vulnerabilities
A major approach to securing APIs is to understand which phases of the API lifecycle could be exploited to breach the system and expose sensitive data due to insecurities. API vulnerabilities can be identified by performing routine tests and reviews, particularly during the early development period and in the event of new code updates. Penetration testing can also ensure API security.
8. Use Quotas and Throttling
APIs are a prime target for DDoS attacks because they flood the API server with requests from multiple sources. This eventually renders the system inoperable by degrading its overall performance. Throttling and API quotas, which limit the number of API calls a user can make in a certain time period, are tools that we can employ to manage API usage. For throttling, we use a throttle counter that increases when an incoming client request meets a certain set of conditions. API quotas determine the maximum number of calls that can be made during a set time based on the throttling setup. If the API quota is reached, traffic from that specific client is disallowed.
9. Validate API Parameters
When validating API parameters, data from API requests and responses are compared to a precise schema structure. This guarantees that the system or app that is integrated with the API is secure, and that only authorized inputs and data are shared. It can indicate the success or failure of the resources that were specifically requested. It also protects against information oversharing, which can expose sensitive data that could be exploited.
10. Build Threat Models
This is the process of developing a systematic representation of potential API security vulnerabilities, including how and when they could be mitigated. The crucial steps in developing a threat model include defining safety standards, identifying likely risks, assessing threats, mitigating threats and confirming threat mitigation. Threat models aid in the depiction of API attacks, which enables more informed risk management decisions.
Take Control of your API Security
API usage will continue to steadily increase as modern app development shifts from monolithic to microservices architectures. As a result, the importance of API security cannot be overstated. As we discussed in this post, APIs can be secured through tactics like API discovery, security posture management, and utilizing a well-defined framework of API security best practices. We can avoid data breach risks that could cost firms a lot of money by incorporating these techniques when creating APIs.
Implementing a thorough security framework like Orca’s agentless security solution is the first step in addressing API security threats. The Orca Cloud Security Platform instantly builds a comprehensive web and API inventory, and it also searches for the OWASP Top 10 API security risks, thus enabling large-scale adoption. To learn more, you can register for a free cloud risk assessment or watch this 10-minute demo.
