This post was originally published on The New Stack.
The number of attackers who know how to abuse web applications and APIs to reach data has grown rapidly. Yet Gartner predicts that by 2025, fewer than 50% of enterprise APIs will be managed, which underlines the ever-increasing importance of web application and API security.
Why Are Attackers Targeting Web Applications and APIs?
With the number of web applications and APIs continuing to skyrocket, it is important to understand what web application threats are out there. A web application threat (WAT) targets an organization through its website or applications, and organizations should address these security concerns at each stage of development. WATs fall into several categories. Some of the most common include:
- External WATs
- Internal WATs
- Social media WATs
- Malicious code WATs
- Phishing/hacking WATs
Failing to address the security of a web application can lead to serious threats and long-term damage. The same goes for APIs. The rise of APIs that are open for public use has enabled nearly the entire computing world to use them to connect applications and data. While this brings real advantages, the same openness makes them a target: anyone can read the documentation, enumerate the endpoints and send requests, and that includes attackers.
Over time, attackers have developed tooling aimed specifically at abusing APIs. Just as a developer writes a client that calls an organization's API to fetch data, an attacker can write one that calls the same endpoints with stolen or forged credentials, other users' identifiers or malformed input. Attackers also use malicious apps and rogue APIs against unsuspecting users, infecting them with malware so that attacks can later be launched from those footholds against organizations or individuals.
When a web application or API is breached, attackers gain direct access to the data behind it. They may be able to read or modify private data, and they may use the foothold to spread malware across multiple devices. To protect themselves from such attacks, organizations must put tight security measures in place.
WATs and API threats will only become more sophisticated and dangerous in the future. Finding the right protective measures is therefore a must.
5 Tactics for Protecting Your Organization
The best tactics for protecting your organization from WATs and API threats depend on which threats you most need to avoid, the resources you have, and how much time and money you are willing to invest in protective measures.
Let’s discuss some of these tactics and why they are important for your organization.
1. Use a Web Application Firewall (WAF)
Attackers routinely probe exposed web applications for input-handling flaws such as SQL injection, cross-site scripting and path traversal, and they also flood them with denial-of-service traffic. In a distributed denial-of-service (DDoS) attack, traffic from many compromised machines is aimed at a single target until its bandwidth or application capacity is exhausted; the goal is to take the service down rather than to read restricted data. A web application firewall (WAF) sits in front of the application, inspects each HTTP request against a rule set, and blocks or rate-limits requests that match known attack patterns or arrive too fast from one source. It can be network-based, cloud-based or host-based. Treat it as a compensating control: signatures can be evaded with encoding tricks, and volumetric DDoS has to be absorbed upstream (by a CDN or scrubbing service) rather than by the WAF, so the underlying vulnerabilities still need to be fixed in the application itself.
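As an added illustration (not code from the original post or from Orca), the Go program below does the two things a WAF does that the paragraph describes: it matches a small signature set against the decoded parts of each request and applies a per-client rate limit. The request struct, the rule patterns, the client addresses and the sample requests are all constructed for the example.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"time"
)

// Request holds the parts of an HTTP request the filter inspects; a real WAF
// would take these from *http.Request. Constructed for this example.
type Request struct {
	ClientIP, Method, Path, Query, Body string
}

// Decision is the verdict for one request: Reason is a rule name, "rate-limit",
// or empty when the request is allowed through.
type Decision struct {
	Allowed bool
	Reason  string
}

// A deliberately tiny signature set. Real rule sets (e.g. the OWASP Core Rule
// Set) are far larger, and every pattern here can be evaded with encoding
// tricks, which is why a WAF is a compensating control rather than a fix.
var rules = []struct {
	Name string
	Re   *regexp.Regexp
}{
	{"sqli", regexp.MustCompile(`(?i)(\bunion\b.+\bselect\b|'\s*or\s+'?\d+'?\s*=\s*'?\d+|;\s*drop\b)`)},
	{"xss", regexp.MustCompile(`(?i)(<script\b|javascript:|\bon\w+\s*=)`)},
	{"traversal", regexp.MustCompile(`(?i)(\.\./|\.\.\\|%2e%2e%2f)`)},
}

// rateLimiter is a fixed-window counter per client IP: the simplest layer-7
// brake on one source hammering an endpoint.
type rateLimiter struct {
	limit  int
	window time.Duration
	counts map[string]int
	starts map[string]time.Time
}

func newRateLimiter(limit int, window time.Duration) *rateLimiter {
	return &rateLimiter{limit, window, map[string]int{}, map[string]time.Time{}}
}

func (r *rateLimiter) allow(ip string, now time.Time) bool {
	if start, ok := r.starts[ip]; !ok || now.Sub(start) >= r.window {
		r.starts[ip] = now
		r.counts[ip] = 0
	}
	r.counts[ip]++
	return r.counts[ip] <= r.limit
}

// decode reverses one layer of percent-encoding so "%27" is matched as "'".
// Double encoding and other normalisation gaps are left open on purpose.
func decode(s string) string {
	if d, err := url.PathUnescape(s); err == nil {
		return d
	}
	return s
}

// inspect applies the rate limit first, then every rule to every decoded part.
func inspect(req Request, rl *rateLimiter, now time.Time) Decision {
	if !rl.allow(req.ClientIP, now) {
		return Decision{false, "rate-limit"}
	}
	for _, part := range []string{decode(req.Path), decode(req.Query), decode(req.Body)} {
		for _, rule := range rules {
			if rule.Re.MatchString(part) {
				return Decision{false, rule.Name}
			}
		}
	}
	return Decision{true, ""}
}

// sampleRun pushes constructed traffic through the filter: three requests from
// one client, then four from another that trip a 3-per-minute limit.
func sampleRun() []Decision {
	rl := newRateLimiter(3, time.Minute)
	now := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	reqs := []Request{
		{"203.0.113.5", "GET", "/products", "id=42", ""},
		{"203.0.113.5", "GET", "/products", "id=42%27%20OR%20%271%27%3D%271", ""},
		{"203.0.113.5", "GET", "/search", "q=%3Cscript%3Ealert(1)%3C%2Fscript%3E", ""},
		{"198.51.100.7", "GET", "/files/..%2F..%2Fetc%2Fpasswd", "", ""},
		{"198.51.100.7", "POST", "/login", "", "user=alice&pass=hunter2"},
		{"198.51.100.7", "POST", "/login", "", "user=alice&pass=hunter3"},
		{"198.51.100.7", "POST", "/login", "", "user=alice&pass=hunter4"},
	}
	out := make([]Decision, 0, len(reqs))
	for _, r := range reqs {
		out = append(out, inspect(r, rl, now))
	}
	return out
}

func main() {
	for i, d := range sampleRun() {
		fmt.Printf("request %d: allowed=%v reason=%q\n", i+1, d.Allowed, d.Reason)
	}
}
```

The order of checks matters: the rate limit runs before the signatures so that a flood is rejected cheaply, and each request is decoded once before matching so that a trivially percent-encoded payload does not slip past. The last login attempt is refused purely on volume, which is the extent of what a WAF can do about denial of service at layer 7.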
2. API Discovery and Posture Management
As APIs proliferate, attackers increasingly target them, so organizations need an up-to-date inventory of their APIs and the security risks attached to each one. Discovery tooling builds that inventory from specifications and from observed traffic, surfacing undocumented ("shadow") endpoints alongside the documented ones; posture management then checks each API for vulnerabilities, misconfigurations, malware, the location of sensitive data and lateral-movement risk. Together they let you prioritize the API risks that present the most danger to the organization.
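An added example, not part of the original post and not Orca's product code: a discovery pass in Go that diffs the endpoints declared in an OpenAPI document against the endpoints actually served, as seen in access logs. The spec fragment, the log lines, and the `/api/v0/export/users`, `/internal/debug/vars` and `password-reset` paths are constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Constructed OpenAPI 3 fragment: the endpoints the team believes it exposes.
const specJSON = `{"openapi":"3.0.0","paths":{
  "/api/v1/users/{id}":        {"get":{}, "delete":{}},
  "/api/v1/orders":            {"get":{}, "post":{}},
  "/api/v1/orders/{id}/items": {"get":{}}}}`

// Constructed gateway access log (Common Log Format): what is actually called.
var accessLog = []string{
	`10.0.0.4 - - [01/Jan/2024:10:00:01 +0000] "GET /api/v1/users/1042 HTTP/1.1" 200 512`,
	`10.0.0.4 - - [01/Jan/2024:10:00:02 +0000] "GET /api/v1/orders?limit=50 HTTP/1.1" 200 8192`,
	`10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "POST /api/v1/orders HTTP/1.1" 201 64`,
	`10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /api/v0/export/users HTTP/1.1" 200 190233`,
	`10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /api/v1/users/1042/password-reset HTTP/1.1" 200 40`,
	`10.0.0.4 - - [01/Jan/2024:10:00:06 +0000] "GET /internal/debug/vars HTTP/1.1" 200 3001`,
	`10.0.0.4 - - [01/Jan/2024:10:00:07 +0000] "GET /api/v1/users/77 HTTP/1.1" 404 20`,
}

type Endpoint struct{ Method, Path string }

var logRe = regexp.MustCompile(`"([A-Z]+) (\S+) HTTP/[\d.]+" \d{3}`)
var idSeg = regexp.MustCompile(`^\d+$`)

// template drops the query string and collapses numeric segments to {id},
// so /users/1042 and /users/77 count as one endpoint.
func template(p string) string {
	segs := strings.Split(strings.SplitN(p, "?", 2)[0], "/")
	for i, s := range segs {
		if idSeg.MatchString(s) {
			segs[i] = "{id}"
		}
	}
	return strings.Join(segs, "/")
}

// documented parses the spec into the set of METHOD+path pairs it declares.
func documented(spec string) (map[Endpoint]bool, error) {
	var doc struct {
		Paths map[string]map[string]json.RawMessage `json:"paths"`
	}
	if err := json.Unmarshal([]byte(spec), &doc); err != nil {
		return nil, err
	}
	out := map[Endpoint]bool{}
	for path, ops := range doc.Paths {
		for method := range ops {
			out[Endpoint{strings.ToUpper(method), path}] = true
		}
	}
	return out, nil
}

// observed counts calls per templated endpoint seen in the log.
func observed(lines []string) map[Endpoint]int {
	out := map[Endpoint]int{}
	for _, l := range lines {
		if m := logRe.FindStringSubmatch(l); m != nil {
			out[Endpoint{m[1], template(m[2])}]++
		}
	}
	return out
}

// Inventory is the posture view: Shadow endpoints are served but undocumented
// (review these first); Zombie endpoints are documented but never called.
type Inventory struct{ Shadow, Zombie []string }

func diff(spec map[Endpoint]bool, seen map[Endpoint]int) Inventory {
	var inv Inventory
	for e, n := range seen {
		if !spec[e] {
			inv.Shadow = append(inv.Shadow, fmt.Sprintf("%s %s calls=%d", e.Method, e.Path, n))
		}
	}
	for e := range spec {
		if seen[e] == 0 {
			inv.Zombie = append(inv.Zombie, e.Method+" "+e.Path)
		}
	}
	sort.Strings(inv.Shadow)
	sort.Strings(inv.Zombie)
	return inv
}

func buildInventory() (Inventory, error) {
	spec, err := documented(specJSON)
	if err != nil {
		return Inventory{}, err
	}
	return diff(spec, observed(accessLog)), nil
}

func main() {
	inv, err := buildInventory()
	fmt.Println(inv, err)
}
```

On this sample the shadow list is exactly the set a posture review should start with: an old `v0` bulk export, a debug endpoint, and a password-reset route nobody documented. The zombie list (a documented DELETE and an items endpoint that nothing calls) is the other half of the inventory: code that is exposed but unexercised, and so unlikely to be monitored.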
3. Use OAuth and Multi-Factor Authentication
Organizations can also build protective measures into the system itself. For API access, use OAuth 2.0 so that clients obtain scoped, short-lived access tokens instead of handling user passwords directly. For critical web applications, require two-factor authentication to keep unauthorized users out. Time-based one-time passwords (TOTPs, RFC 6238) are increasingly common, especially among cloud application providers. The client and server share a secret, and each derives a short code from that secret and the current 30-second time window; the code proves possession of the secret, so the time is an input to the calculation rather than an authentication factor in its own right.
Allowlisting (whitelisting) employees' source addresses or devices when you set up new web applications ensures that remote staff reach internal systems only from trusted networks, and that connection attempts from anywhere else are rejected and logged. Those rejections are the signal to alert on: a third party probing your internal network through an externally reachable server shows up as traffic from an address that is not on the list.
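To make the TOTP mechanism concrete, here is an added Go implementation (not from the original post) of RFC 4226 HOTP and RFC 6238 TOTP together with a server-side verifier. It uses the published RFC 6238 test secret so the output can be checked against the RFC's Appendix B table; the user names, the one-step clock skew allowance and the replay cache are assumptions of the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"math"
	"time"
)

const (
	totpStep   = 30 // seconds per counter step (RFC 6238 default)
	totpDigits = 8  // the RFC 6238 reference vectors use 8; authenticator apps use 6
)

// hotp is RFC 4226: HMAC-SHA1(secret, counter), dynamic truncation, decimal digits.
func hotp(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	code %= uint32(math.Pow10(digits))
	return fmt.Sprintf("%0*d", digits, code)
}

// totp maps a Unix time to a counter (RFC 6238). The time only selects which
// counter is in force; the credential being proven is the shared secret.
func totp(secret []byte, unix int64, digits int) string {
	return hotp(secret, uint64(unix/totpStep), digits)
}

// Verifier checks a submitted code against the current step and its ±skew
// neighbours in constant time, and never accepts the same counter twice per user.
type Verifier struct {
	secret   []byte
	skew     int
	lastUsed map[string]uint64 // user -> highest counter already accepted
}

func NewVerifier(secret []byte, skew int) *Verifier {
	return &Verifier{secret: secret, skew: skew, lastUsed: map[string]uint64{}}
}

func (v *Verifier) Verify(user, code string, now int64) bool {
	if len(code) != totpDigits {
		return false
	}
	current := now / totpStep
	for d := -v.skew; d <= v.skew; d++ {
		c := uint64(current + int64(d))
		if last, seen := v.lastUsed[user]; seen && c <= last {
			continue // replay of a window that has already been consumed
		}
		expected := hotp(v.secret, c, totpDigits)
		if subtle.ConstantTimeCompare([]byte(expected), []byte(code)) == 1 {
			v.lastUsed[user] = c
			return true
		}
	}
	return false
}

// rfcSecret is the RFC 6238 Appendix B test secret (ASCII "12345678901234567890").
var rfcSecret = []byte("12345678901234567890")

func main() {
	for _, ts := range []int64{59, 1111111109, 1111111111, 1234567890, 2000000000} {
		fmt.Printf("T=%d code=%s\n", ts, totp(rfcSecret, ts, totpDigits))
	}
	fmt.Println("now:", totp(rfcSecret, time.Now().Unix(), 6))
}
```

Two details carry most of the security value: the comparison is constant-time so the server does not leak how many leading digits were right, and a counter is never accepted twice, so an attacker who captures a valid code cannot replay it inside the same 30-second window.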
4. Data Encryption
Every piece of sensitive data handled by an API must be encrypted, both in transit (TLS) and at rest. Done properly, encryption means that an attacker who obtains the stored data or intercepts the traffic gets only ciphertext, because the keys are held separately (for example in a key management service) and released only to authorized callers. Use an authenticated mode of encryption so that tampering with stored ciphertext is detected as well as prevented from being read. Where data must be attributable rather than hidden, digital signatures give each authorized party a verifiable mark on the data they produce; signatures prove origin and integrity, but they do not decrypt anything.
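As an added example, not the post's or Orca's code, the Go program below applies authenticated encryption (AES-256-GCM) to a single sensitive field and binds the ciphertext to its record and column through the associated data, so that a value lifted from one user's row cannot be decrypted in another's and a modified blob is refused outright. The key, the record identifiers and the sample value are constructed; the key-management arrangement is assumed rather than shown.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// demoKey is a constructed 32-byte key (AES-256) for this example only. In
// production the key lives in a KMS or HSM, separate from the data it protects.
var demoKey = []byte("0123456789abcdef0123456789abcdef")

// aad binds a ciphertext to the row and column it was written for, so a value
// copied into another user's record fails to decrypt there.
func aad(recordID, field string) []byte { return []byte(recordID + "\x00" + field) }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealField returns nonce || ciphertext || tag. A fresh random nonce per call is
// mandatory: reusing a nonce under one GCM key breaks confidentiality and integrity.
func sealField(key []byte, recordID, field string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad(recordID, field)), nil
}

// openField refuses anything not sealed for exactly this record and field, or
// modified after sealing, before returning a single plaintext byte.
func openField(key []byte, recordID, field string, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad(recordID, field))
}

// demoResult records which of the attacks the scheme is meant to stop were stopped.
type demoResult struct {
	RoundTrip      bool // correct record and field decrypts to the original value
	SwapRejected   bool // same blob presented under another record id is refused
	TamperRejected bool // one flipped byte in the stored blob is refused
}

func runDemo() (demoResult, error) {
	var r demoResult
	value := []byte("123-45-6789") // constructed sample value
	blob, err := sealField(demoKey, "user:1042", "ssn", value)
	if err != nil {
		return r, err
	}
	pt, err := openField(demoKey, "user:1042", "ssn", blob)
	r.RoundTrip = err == nil && string(pt) == string(value)

	_, err = openField(demoKey, "user:77", "ssn", blob)
	r.SwapRejected = err != nil

	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)/2] ^= 0x01
	_, err = openField(demoKey, "user:1042", "ssn", tampered)
	r.TamperRejected = err != nil
	return r, nil
}

func main() {
	r, err := runDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

The associated data is what turns "encrypted" into "encrypted for this purpose": without it, an attacker with write access to the database could move a ciphertext between rows and let the API decrypt it for the wrong caller. The authentication tag is what makes the tamper case fail closed instead of returning garbage.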
5. Manual Penetration Testing
Despite how it sounds, this is one of the most reliable ways to protect against WATs and API threats. If you do not already have a security expert on hand, it is highly recommended that you engage one for this purpose. A penetration tester's work ranges from scanning for vulnerabilities to performing security audits and reviewing systems for signs of malicious activity. Running automated scanning alongside the expert's manual testing helps ensure that threats are not missed, and the organization gets real feedback from an attacker's point of view, along with details about where attackers are most likely to strike.
Recommended Security Tactics for Getting Started
Based on the tactics described above, you can see that a good web application and API security strategy begins with understanding the risks. That knowledge shapes which preventative measures you choose. Although we have discussed multiple tactics that you could use, we recommend that all organizations start with the following:
- Leverage API discovery and posture management – You can accomplish this with physical hardware or by leveraging a software solution like Orca's agentless API security, which helps organizations identify, prioritize and address API misconfigurations and security risks across multi-cloud environments. Within a single solution, it provides users with a complete and continuously updated inventory of managed and unmanaged APIs, actionable data on API misconfigurations and vulnerabilities, and alerts on potentially risky API drift and changes.
- Scan for vulnerabilities – With the right tools in place, this is one of the most effective ways to ensure the security of web applications. Performing continuous scans makes it easier for organizations to identify the vulnerabilities they are exposed to. Orca's vulnerability management tool covers every layer of your cloud, including cloud workloads and configurations, and combines all this information into a unified data model to prioritize risks and recognize when seemingly unrelated issues can be combined into dangerous attack paths.
Conclusion: Integrating Web Application and API Security Best Practices
Putting strong security measures in place will not only keep outside attackers from infiltrating your systems, it will also keep you informed about current threats, help you implement appropriate safeguards, and protect your organization from WATs and API threats.
To learn more about improving web application and API security for cloud environments, get the “Addressing the Top Five API Security Challenges” ebook from Orca or sign up for a free cloud risk assessment.