The need for API Security:
An API serves as an intermediary between different applications. It is the code that defines the functions and procedures that enable one software application to communicate with another. APIs can be readily incorporated into application development, saving developers a lot of time and effort. Most applications we use today are built on a microservices architecture, where a typical application consists of hundreds of small applications that each deliver a microservice. In other words, an application is, in reality, a network of applications connected by APIs. Since every server is an endpoint, there are now hundreds of endpoints to secure. The use of RESTful web APIs is becoming more widespread through digital transformation initiatives and SaaS productization.
API security - market dynamics:
In 2017, it was revealed that an unauthorized API endpoint was to blame for Panera Bread leaking up to 37 million customer records. Many more API breaches and major vulnerabilities have been detected at Experian, Geico, Facebook, Peloton and other organizations. A recently disclosed attack on Accellion revealed that chained SQL injection and OS command execution attacks allowed the threat actors to manipulate APIs, extracting a significant haul of sensitive data, including Social Security numbers. It was determined that the attackers must have had extensive knowledge of Accellion’s FTA software to carry out the heist, which would have been possible through substantial reverse engineering. In the age of GDPR and other data protection law overhauls, API errors and leaky endpoints could end up being incredibly costly mistakes.
Problem Statement:
Most importantly, the API itself can be exploited by hackers for targeted attacks. One API vulnerability is enough to compromise a network of servers and databases. Given its crucial role in processing data, the API is an appealing entry point for those seeking unauthorized access to sensitive personal and financial information.
Relevance in digital transformation:
When you set up a cloud environment, you use APIs to request and transfer data and commands. If your APIs are not properly secured, attackers can also use these interfaces to interact with your data and resources. This type of exploitation of vulnerabilities can enable attackers to gain control over resources, modify or steal data, or eavesdrop on communications. Essentially, if an attacker exploits your APIs effectively, they can take advantage of the other two top threats that exist.
Metmox's Recommendations:
- API security needs to be built into the API lifecycle
- Increase visibility into your APIs through an attack surface management approach
- API endpoints should support only Transport Layer Security (TLS) versions 1.2 and 1.3
- APIs should be restricted to authenticated users, with rate limiters on your slower API paths to avoid API DoS attacks
- All API communication should be secured over HTTPS, i.e., every API URL should start with https
- Multi-layered protection for APIs is a baseline: web application firewalls, gateways and RASP solutions
- Traditional security measures, such as web application firewalls (WAF), API gateways and API keys, aren’t a sufficient response, as they don’t account for data exposure by malicious users who are authenticated
- Automated logging and monitoring to track failed login attempts, access denials and suspicious traffic in real time
- Set up alert criteria/use cases on API traffic
- Perform regular security assessments and application security testing on APIs
- Access to production APIs should be separated from access to non-production versions
- APIs can easily be made vulnerable by a rogue key left in a GitHub repository
- Ensure that no resources are enumerable in your public APIs
- Use canary checks in APIs to detect illegal or abnormal requests that indicate attacks
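As an added example (not Metmox's code), the following Python script implements the logging-and-monitoring and anti-enumeration recommendations above: it scans API access logs for bursts of failed authentication, rate-limit breaches and sequential resource-ID enumeration. The log format, sample lines and thresholds are assumptions.

```python
"""Added example, not Metmox's code: flag suspicious API traffic in access logs
(failed-auth bursts, rate-limit breaches, sequential ID enumeration)."""
import re
from collections import defaultdict
# Constructed sample log; assumed format "<epoch> <client_ip> <method> <path> <status>"
SAMPLE_LOG = """\
1700000000 203.0.113.5 POST /v1/login 401
1700000001 203.0.113.5 POST /v1/login 401
1700000002 203.0.113.5 POST /v1/login 401
1700000003 203.0.113.5 POST /v1/login 403
1700000004 203.0.113.5 POST /v1/login 401
1700000010 198.51.100.7 GET /v1/users/1001 200
1700000011 198.51.100.7 GET /v1/users/1002 200
1700000012 198.51.100.7 GET /v1/users/1003 200
1700000013 198.51.100.7 GET /v1/users/1004 200
1700000020 192.0.2.9 GET /v1/orders/7f3a 200
"""
LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+) (\d{3})$")

def parse(text):
    """Yield (ts, ip, method, path, status); malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, ip, method, path, status = m.groups()
            yield int(ts), ip, method, path, int(status)

def detect(text, window=60, max_auth_fail=5, max_req=100, seq_len=4):
    """Return {client_ip: [alert names]} via a sliding time window; thresholds are assumed defaults."""
    by_ip = defaultdict(list)
    for rec in parse(text):
        by_ip[rec[1]].append(rec)
    alerts = {}
    for ip, recs in by_ip.items():
        recs.sort()
        found = set()
        for i, rec in enumerate(recs):
            win = [r for r in recs[i:] if r[0] < rec[0] + window]
            if len(win) > max_req:  # more requests than the rate limit allows
                found.add("rate_limit")
            if sum(r[4] in (401, 403) for r in win) >= max_auth_fail:
                found.add("auth_burst")
            # trailing numeric IDs that run consecutively suggest enumeration
            ids = [int(m.group(1)) for r in win if (m := re.search(r"/(\d+)$", r[3]))]
            if any(ids[j:j + seq_len] == list(range(ids[j], ids[j] + seq_len))
                   for j in range(len(ids) - seq_len + 1)):
                found.add("enumeration")
        if found:
            alerts[ip] = sorted(found)
    return alerts
```

Calling `detect(SAMPLE_LOG)` flags the login-bruteforcing client and the client walking sequential user IDs, while the client fetching a single non-numeric order ID produces no alert.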
Metmox API security services portfolio:
Metmox’s attack surface assessment, a comprehensive security assessment of your APIs, will help you understand your API security posture. To improve API security, Metmox offers hardening/standardization, implementation of API gateways/web application firewalls/RASP, implementation of API security in the API lifecycle, and SIEM logging and monitoring to detect API attacks.
Metmox’s Cybersecurity Practitioners, Professional Services (PS) and Security Specialists are available to help determine next steps beyond the guidance for API security provided in this blog. We can provide recommendations and best practices on getting started, and tips on how to leverage our services as part of your threat detection and response. If you are interested in getting additional support or talking to us, you can write to us at info@metmox.com