• Daria Chadwick

Why It's Time To Take The API Security Threat More Seriously

Most of us understand that our iPhones can be hacked. The same is true for our email and for the websites and apps we use. But there’s an invisible common denominator to many of these attacks, and it’s becoming a much bigger problem.


By Tom Gillis. Read the original article on Forbes here.


APIs — application programming interfaces — are the pieces of code that software developers create so that their applications can interact with other applications, devices and networks. They’ve been a foundation of the digital world for decades but have become far more critical. Unlike the “shrink-wrapped” software of last century, today’s web-based cloud services ravenously share data whenever we use them. Every time you buy something on Amazon, for example, hundreds of “API calls” are invoked as the store interacts with the merchandisers’ inventory system, shipping services to schedule delivery and with your PayPal account to take payment.


The problem is that the trillions of dollars of e-commerce enabled by APIs rest on a flimsy operational foundation. Although software development groups at many companies have the tools, processes and permission to use APIs to enhance their apps, ops and security teams lack a systematic way to spot, prevent and respond to API-based attacks.

Bad guys have figured this out


The Cambridge Analytica scandal and massive breaches of Venmo and the U.S. Postal Service were all made via APIs. Leading analysts say the number of attacks is skyrocketing and that there’s no end in sight. According to the results of a new study by Salt Security, API attacks have increased by 348% in the first half of 2021.

Clearly, it’s time to take this growing threat more seriously. Although a category of API security tools has emerged in recent years, we need to do better — just as we did when apps started moving online in the 1990s. Back then, the answer was to erect firewalls to keep suspicious traffic out of corporate data centers.


A Perimeter-Less World


Apps are now agglomerations of microservices, running on data centers around the world and operated by companies that practice varying degrees of security hygiene. This means security teams need to be able to look beyond the entry point and go deep within applications to make sure every API is safe to use and is being used as intended.


But API security requires breadth as well depth to understand the broader context of today’s highly sophisticated attacks. As things stand, many API security offerings are point products that are akin to the “check engine” light in a car. They can tell you something’s wrong but not exactly what the problem is or how to fix it. Imagine a hacker has found a way to control the anti-lock braking system of a certain model through an API to the car’s entertainment system. Without understanding all the systems in the car, it would be very difficult to spot carefully obscured attacks.


Given time, these products will get there. With today’s powerful silicon, we can apply machine learning to spot even carefully hidden API attacks. With improved automation, these tools will quickly squelch these attacks before much damage is done. But emerging technologies alone won’t get the job done.


Adopting New Practices and Philosophies


  • Consider all APIs a threat. APIs that govern how users interact with an application — to return to the car metaphor, attacks that lock the steering wheel and gas pedal — are an obvious threat. But so are behind-the-scenes attacks on the massive “east-west” flow of data between microservices. Something as mundane as a load-balancing API could be used to route a company’s traffic to a single, far-off data center, potentially slowing its website to a crawl.

  • Keep an accurate, up-to-date inventory of APIs. You wouldn’t let someone you didn’t know hang around your house and invite in strangers. Don’t let unknown APIs hang around, either. Make sure your teams have processes to choose, authenticate and authorize all APIs, as well as to prevent use of any others.

  • Look inside the luggage. Cataloging and authenticating APIs is necessary, but not sufficient — kind of like requiring everyone to show their passports before getting on the plane but not checking their carry-ons for weapons. For true API security, companies need to be able to look inside the payload of internet traffic to spot suspicious behavior.

  • Get serious about DevSecOps. None of these best practices are possible without coordination and some collaboration between your app development, security and operations teams. Chances are, there are people on your team who’ve been working on this in recent years. Let the threat of API-based attacks be the thing that makes those efforts a priority.


But don’t think your DevSecOps experts will be able to deal with the rise of API-based attacks on their own. This scourge isn’t going away. As with viruses, denial-of-service and other kinds of attacks, the best defense is to raise awareness as broadly as possible in your organization so that everyone whose job relates to designing, building and deploying software understands this enemy.