The Attackers’ Perfect Instrument: How APIs are Harming Your Organization

Application Programming Interfaces (APIs) are integral to today’s tech landscape. They shuttle data from end-users to processes, while single-handedly supporting the rapid integration of pre-existing applications. Despite their critical role, APIs are suffering from a crisis of mismanagement. A just-good-enough approach to development, alongside severely neglected API security best practices, have created organizations teetering on the edge of devastating data leaks.

 The Differences Between Web Applications, the Cloud, and APIs

Web applications form the backbone of your organization’s tech stack. These applications shuttle data between the relevant parties; keep your finance, HR and sales teams going, and provide the data from which an entire company flourishes. These applications traditionally used to exist as individual components, regularly requiring on-premises implementation and upgrading. With the rise of the cloud over the last decade, however, apps have shifted in architecture and design.

Now, the burden of application infrastructure no longer rests solely on an organization’s on-premises server stacks. The cloud has freed not only app infrastructure, but also the components that make up each web application. Modern application infrastructure is highly segmented; the simplest rely on servers that may be located in remote data centers; the most complex tech stacks are made up of dozens of microservices, each working in tandem to ferry data to and from an end-user.

The benefits of cloud applications are easy to see: now that the physical infrastructure is outsourced to third-parties, companies are free to scale more rapidly than ever before. Alongside this, cloud apps are far more agile, boasting faster responses to adapting business needs. They’re updated, developed and deployed at more rapid-fire rates, providing dev teams with even faster time to markets. Managed capacity means that infrastructure maintenance is fully outsourced to cloud providers.

Thanks to this, cloud services have exploded in popularity: 94% of all enterprises rely on them, with 67% of enterprise infrastructure now resting upon the shoulders of large cloud providers. The cloud computing industry today is worth $445.3 billion.

Though web apps have revolutionized the development and implementation of apps, their success is facilitated and dependent upon one thing: the Application Programming Interface, or API.

APIs act as the interface between two or more different applications – or even between individual components of an app. The vast array in which APIs can be implemented, has combined with the development industry’s focus on the shortest time-to-market possible. The result is a mess of slightly misconfigured – but technically functional – APIs, which often do not implement the same authorization demands as their overarching applications. Thanks to their supportive role facilitating each and every service, APIs have rapidly outstripped applications in sheer quantity. The ramifications of this are critical: as organizations have prioritized application security, many have totally overlooked the danger that ballooning APIs present.

Overlooked APIs Damage Security Positioning

 Throughout the US and UK, a recent study found that over three quarters of senior cybersec professionals had recently experienced at least 1 API-related security incident. A suspiciously similar number also admitted that the organization kept no full inventory of APIs within the organization’s systems. The security gap represented by APIs is immense. The first component of zero-trust security is complete visibility, and with so few organizations tackling the API challenge, their security positioning is the first to take a hit.

Not only does the data show that many organizations are overlooking API security, but many professionals are outright overconfident in their own position. Over 70% of respondents claimed that they were confident in the API security provided by their communications provider, despite the lack of real visibility. This overconfidence has true ramifications for customers, end-users, and the organizations themselves, as a growing number of API attacks lend more ammunition to attackers.

The running trend within API security is that organizations do not notice until it’s too late. Despite the OWASP’s best attempt to spread more insight on the matter, by issuing a Top 10 list of vulnerabilities specific to APIs, it’s clear that more education is needed around the danger of API misconfiguration. Furthermore, it’s rare that researchers know for certain the true level of damage caused by each misconfigured or leaky API. One recent example is Experian’s data leak, estimated to have affected most Americans.

The credit-checking company was supporting a number of third-party sites, through which customers could check their validity for various credit cards and loans. A site would then check Experian’s own database for personally identifiable information (PII) of the customer. The API responsible for requesting this data from Experian’s systems was greatly misconfigured however, and requested very little verification before sending all of this PII to the requesting server. The information involved included the customer’s first name, last name, zip code, birth date, and contact information. Should this API be called upon by a malicious site, this data could swiftly and easily be added to an attackers’ database.

 Keep Your APIs Secure

 API security should be defined by two major factors: authentication and authorization. The first of these is focused on defining and verifying the identity of the end user. The TLS protocol offers decent authentication, and should be a requirement throughout your tech stack. Authorization, on the other hand, defines what data or resources that each user can access; in the same way an application wouldn’t grant VP-level info to a part-time employee, your APIs should be treated with the same amount of suspicion. This can be achieved through the liberal usage of access tokens. This means, once a trusted identity is established, the user is assigned a certain token that fully defines the data that they’re allowed to access.

Ultimately, the key to secure API creation is in proactive security positioning. Complacency is the greatest risk to your organization; even the process of patching up leaky APIs can be complacent. Following the discovery of Experian’s API misconfiguration – by a sophomore at the Rochester Institute of Technology, no less – the student alerted Experian of the issue, without explicitly naming the site he was using. This, he hoped, would force the company to reevaluate its entire network of APIs. However, his hopes were quickly dashed: they found and patched only the single instance of API leakage he had identified. Krebs on Security noted that unpatched API versions are still active throughout hundreds of partner sites.

 

LEAVE A REPLY

Please enter your comment!
Please enter your name here