Web application security matters to the growing number of organizations that depend on web apps to interact with and sell to customers, but there is more to your online presence than the web apps themselves. Those apps talk to one another through APIs, and the APIs pull data out of the applications behind them to perform vital functions. Keeping that data out of the wrong hands requires API security in its own right.

The Expanding Role of APIs

Whether you have been using the Internet for a day or a decade, you have almost certainly used an API. APIs are everywhere, from the weather widget on your phone to every site you have signed in to with your Google account. Most mobile apps, microservices, IoT devices, and product offerings either expose an API or depend on one.

The modern Internet is built on interconnectivity. Applications are constantly talking to one another, and the API is what allows that communication. Without APIs, developers would need to spend substantially more time working on their applications as they would need to build all of the app’s functions from scratch. With APIs, developers can use code and data from other applications.

As more developers build on APIs, the Internet becomes less able to function without them. Any web apps your organization runs almost certainly depend on APIs to interact with other applications, and your customers may pay, access data, and interact with your applications or website through an API without ever seeing it.

The Security Risks of APIs

As tends to happen with technology, APIs come with security risks. The most common ones, as catalogued in the OWASP API Security Top 10, include:

Broken Authorization

Because APIs sit between applications, every endpoint is a potential attack vector. An attacker who can reach an endpoint can craft requests by hand, changing identifiers, fields, or the function being called, and observe whether the server checks that the caller is allowed to do what the request asks.

  • Broken Object Level Authorization (BOLA) occurs when an endpoint takes an object identifier from the request (an order number, a user ID) and returns or modifies that object without checking that the caller is entitled to it. Changing the ID in the request is then enough to read or alter someone else's data.
  • Broken Object Property Level Authorization occurs when the check is made for the object as a whole but not for its individual properties: the endpoint returns fields the caller should never see, or lets the caller set fields (a price, a role, an owner) that only the server should write.

Both lead to unauthorized data access or modification through API endpoints. A third authorization issue, Broken Function Level Authorization, occurs when an entire function, typically an administrative one such as listing all users or deleting any order, is reachable by callers who lack the role it requires. This is common in overcomplicated access control systems where roles and endpoints have drifted apart and nobody is sure which check applies where.
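
The three authorization failures above, side by side in one small in-memory "orders" API, as an added example that is not part of the original article: the users, orders, field lists and handler names are all constructed for the illustration, and each handler returns an (HTTP status, body) pair the way a route in a web framework would. The first function shows the BOLA bug; the rest show object-level, property-level and function-level checks.

```python
"""Authorization checks for a small in-memory 'orders' API, one function per
OWASP category. Added illustration, not code from the page: the users,
orders, field lists and handler names are all constructed for this example.
Handlers return (http_status, body) the way a route in a web framework would."""

# Constructed sample data: two customers and one support admin.
USERS = {
    "alice": {"role": "customer"},
    "bob": {"role": "customer"},
    "carol": {"role": "admin"},
}
ORDERS = {
    1001: {"owner": "alice", "total": 42.0, "card_last4": "4242",
           "shipping_note": "", "internal_note": "VIP, waive fees"},
    1002: {"owner": "bob", "total": 9.5, "card_last4": "1111",
           "shipping_note": "", "internal_note": ""},
}
# Property-level policy: what a customer may read, and what a client may write.
# 'internal_note' is admin-only; 'owner' and 'total' are server-owned, so a
# client PATCH that names them is refused rather than silently applied.
CUSTOMER_VIEW = ("owner", "total", "card_last4", "shipping_note")
CLIENT_WRITABLE = ("shipping_note",)


def get_order_vulnerable(order_id):
    """BOLA: trusts the identifier and never asks who is calling, so any
    authenticated user can read any order just by changing the number."""
    return ORDERS[order_id]


def get_order(caller, order_id):
    """Object-level check: the caller must own the order or be an admin.
    Unauthorized and non-existent IDs get the same 404, so an attacker
    cannot use the response to enumerate which orders exist."""
    order = ORDERS.get(order_id)
    role = USERS[caller]["role"]
    if order is None or (order["owner"] != caller and role != "admin"):
        return 404, None
    # Property-level check on the way out: customers get a filtered view.
    body = dict(order) if role == "admin" else {k: order[k] for k in CUSTOMER_VIEW}
    return 200, body


def update_order(caller, order_id, patch):
    """Property-level check on the way in: reuse the object-level check,
    then refuse any field the client is not allowed to write."""
    status, _ = get_order(caller, order_id)
    if status != 200:
        return status, None
    rejected = sorted(k for k in patch if k not in CLIENT_WRITABLE)
    if rejected:
        return 400, {"error": "read-only fields: " + ", ".join(rejected)}
    ORDERS[order_id].update(patch)
    return get_order(caller, order_id)


def delete_any_order(caller, order_id):
    """Function-level check: an administrative function is gated on the
    caller's role regardless of who owns the object."""
    if USERS[caller]["role"] != "admin":
        return 403, None
    return (200, None) if ORDERS.pop(order_id, None) is not None else (404, None)
```

Called as Bob, get_order_vulnerable(1001) hands over Alice's card digits, while get_order("bob", 1001) answers 404. Note that the 404 for an order the caller does not own is deliberate: a 403 would confirm that the ID exists.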

Broken Authentication

Broken Authentication covers weaknesses in how the API itself verifies identity, not only weak or badly stored user credentials, although those make it worse, as do phishing and other social engineering. Typical API failures are endpoints that accept tokens without validating their signature or expiry, that let the token choose the signing algorithm, or that allow unlimited login or password-reset attempts. Verifying identities is fundamental to security, yet not every API has been built with an appropriate authentication mechanism, and an attacker holding a compromised or forged credential can use the gap to act as that user.

Unrestricted Access or Consumption

Generally, unauthorized use of your application and network ends badly for both you and your customers. Two entries in the OWASP list cover what happens when the API puts no limit on how much a caller can do: the attacker simply keeps going until you notice and cut them off.

  • Unrestricted Access to Sensitive Business Flows. Some API operations are harmless one at a time but damaging in bulk: buying every ticket the moment a sale opens, posting thousands of comments, or creating accounts to claim sign-up credits. Each request is authenticated and authorized, so ordinary access checks pass; the flaw is that nothing limits how often, or how automatically, the flow can be driven. If the caller is an admin the damage is correspondingly larger, and any such abuse can expose sensitive data, proprietary information, and customer identities.
  • Unrestricted Resource Consumption. This occurs when the API lets a caller consume CPU, memory, storage, bandwidth, or paid third-party services without limit, for instance by omitting rate limits, accepting oversized uploads, or honoring a page size of a million records. Attackers use it to take the application offline or to run up your bills, sometimes as a distraction from a secondary attack. A DDoS attack is the best-known example, but a single well-formed request can be enough.
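
The two controls that address both items, as an added example that is not from the original article: a per-client token-bucket rate limiter, which caps how fast any one caller can drive a business flow, and a clamped page size, which caps what a single request can cost. The limits, client keys and the handler are constructed for the illustration; the clock is injectable so the behaviour can be checked without sleeping.

```python
"""Per-client token-bucket rate limiting plus a bounded page size, the two
controls that keep one caller from consuming the API's resources. Added
illustration, not code from the page; limits, client keys and the handler
are constructed. The clock is injectable so the behaviour can be checked
without sleeping."""
import time
from collections import defaultdict


class TokenBucket:
    """Each client may burst up to `capacity` requests and then sustain
    `rate` requests per second; anything beyond that is refused."""

    def __init__(self, capacity: int, rate: float, clock=time.monotonic):
        self.capacity = capacity
        self.rate = rate
        self.clock = clock
        self._tokens = defaultdict(lambda: float(capacity))
        self._last = {}

    def allow(self, client: str) -> bool:
        now = self.clock()
        elapsed = now - self._last.get(client, now)
        self._last[client] = now
        # Refill in proportion to the time since this client's last request,
        # never above the burst capacity.
        self._tokens[client] = min(self.capacity, self._tokens[client] + elapsed * self.rate)
        if self._tokens[client] >= 1.0:
            self._tokens[client] -= 1.0
            return True
        return False


MAX_PAGE_SIZE = 100   # constructed ceiling; choose one per endpoint


def list_items(limiter: TokenBucket, client: str, requested_limit) -> tuple:
    """Constructed handler returning (http_status, page_size). The limiter
    runs first so that over-quota callers cost nothing beyond the check, and
    the page size is clamped so one request cannot ask for a million rows."""
    if not limiter.allow(client):
        return 429, 0
    try:
        limit = int(requested_limit)
    except (TypeError, ValueError):
        return 400, 0
    if limit < 1:
        return 400, 0
    return 200, min(limit, MAX_PAGE_SIZE)
```

In production the bucket state lives in a shared store so that every instance of the API sees the same counts, it is keyed by the authenticated identity or API key rather than by source IP alone, and sensitive flows such as login, checkout or password reset get their own, much tighter bucket.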

SSRF

Server-Side Request Forgery (SSRF) occurs when an API fetches a URL supplied by the client (a webhook address, an avatar image, an import file) without validating it, so an attacker can make the server send requests on their behalf to internal services, cloud metadata endpoints, or other hosts the attacker cannot reach directly. The server's network position becomes the attacker's, giving them unauthorized access to data and systems, which can affect your compliance and your relationships with customers.
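
One way to gate such a fetch, as an added example that is not from the original article: a checker that allows only http(s), only an allowlisted set of hostnames, and only names that resolve to public addresses. The allowlist, the sample hostnames and the resolver hook are constructed for the illustration; the hook exists so the checks can be exercised offline and so a deployment can plug in its own resolver.

```python
"""Validating a client-supplied URL before the server fetches it, so the
API cannot be pointed at internal services. Added illustration, not code
from the page; the allowlist, resolver hook and sample hosts are constructed."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"images.example.com", "cdn.example.net"}   # constructed allowlist


def resolve(host: str) -> set:
    """Default resolver: every address the name maps to (A and AAAA)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_public_address(addr: str) -> bool:
    """True only for globally routable unicast addresses. is_global already
    excludes private, loopback, link-local (169.254/16, where cloud metadata
    services live) and reserved ranges; multicast is excluded explicitly."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_global and not ip.is_multicast


def check_outbound_url(url: str, resolver=resolve) -> tuple:
    """Return (ok, reason). Run this immediately before the fetch, and have
    the HTTP client connect to the address that was checked rather than
    re-resolving the name, or a second lookup can answer differently."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "malformed URL"
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    if parts.username or parts.password:
        # 'http://trusted.host@10.0.0.1/' parses with 10.0.0.1 as the host.
        return False, "credentials in URL"
    host = (parts.hostname or "").lower()
    if not host:
        return False, "no host"
    if host not in ALLOWED_HOSTS:
        return False, "host not on allowlist"
    try:
        addrs = resolver(host)
    except OSError:
        return False, "resolution failed"
    for addr in addrs:
        # An allowlisted name can still point inward, by misconfiguration,
        # a compromised record or DNS rebinding, so check every address.
        if not is_public_address(addr):
            return False, f"{host} resolves to non-public {addr}"
    return True, "ok"
```

Two things the checker deliberately does not do: it does not try to block by denylisting "localhost" or "169.254.169.254" as strings, because decimal, octal and IPv6-mapped spellings of the same address are endless, and it does not follow redirects, so the HTTP client must be configured to re-run the check on every hop or to refuse redirects outright.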

Human Error

Working with APIs sometimes requires specialist knowledge and always requires attention to detail. To err is human, however, and the following mistakes recur.

  • Security Misconfiguration. Missing security headers, permissive CORS settings, verbose error messages, unnecessary HTTP methods, default credentials, or unpatched components expose the API to attack even when its own code is sound.
  • Improper Inventory Management. Inventory is rarely a priority, but an API nobody tracks is an API nobody patches: old versions left running, undocumented debug endpoints, and third-party integrations that were never reviewed. Always know which APIs you expose, which data flows through them, and who is authorized to use them. Attackers capitalize on whatever slips through the cracks.
  • Unsafe Consumption of APIs. Developers tend to trust data coming from other APIs more than is wise, applying less validation to a partner's response than to a user's form submission. Consider how many services are linked to your Google account: for an attacker to reach your account, only one of those third-party integrations needs an exploitable weakness, and the same holds for every third-party API your own application calls.

Managing API Security Risks

API security risks are everywhere. Since you can’t (practically, at least) avoid APIs, the next best thing is to ensure you are consistently applying API security best practices. Here are some best practices to get you started:

  • Control authorized access. Only known and authenticated callers should reach your data, and every request must be checked for permission to the specific object and function it names, not merely for a valid login.
  • Improve login protocols. Enforce strong passwords and authentication methods for everyone, employees included; multi-factor authentication is usually the right choice. Monitor authentication failures, since a spike is often the first sign of credential stuffing or brute forcing, and set up alerts so that nobody has to watch a dashboard.
  • Lock down data. Make sure each API can access and return only the data it needs to function. Classify sensitive data and tune API settings so that it stays protected. Integrated solutions such as dedicated API protection or a WAAP can help with both.

Although you can address some of the threats and risks by improving your API use protocols and ensuring that all employees (yourself included) follow them, authorization and authentication issues need a stronger prescription.

A WAAP, or web application and API protection platform, is similar to a web application firewall. Both protect your applications from malicious traffic and bots. A WAAP also covers APIs: it can discover endpoints, classify the sensitive data they carry, and block misuse and unauthorized access. Used alongside the application-level checks above rather than instead of them, it is one of the most effective tools for protecting your APIs and, by extension, your data.

APIs aren’t going anywhere, so protecting the ones you use as well as the applications and data that they access is essential. However, with a few best practices and tools like WAFs and WAAPs, you can keep your risk of infiltration low without sacrificing your web apps’ ease of use.
