Check out all the on-demand sessions from the Intelligent Security Summit here.
APIs — the application programming interfaces that efficiently connect disparate systems — have been likened to electrical sockets, bartenders, passport clerks, and magic. Though they have been around for more than two decades, in the past 10 years APIs have enjoyed exponential growth in lockstep with the explosion in mobile and web apps.
While not much to look at, these machine-readable snippets — and the data they help shuttle about — let programmers dream up and deliver amazing new combinations of existing resources at a pace previously unheard-of in software development.
Browse a real estate app and get a pin on a map to show the location of your dream home? An API did that. Check the weather on your phone before going for a run? That’s an API at work. Have your credit score accidently revealed to folks with no business looking at it? Whoops, also an API.
Security researchers revealed last week that major credit bureau Experian was serving up private credit data via a leaky API. Experian is just one of several companies to land on a growing list of API-related security blunders:
Intelligent Security Summit On-Demand
Learn the critical role of AI & ML in cybersecurity and industry specific case studies. Watch on-demand sessions today.
- A poorly protected API exposed user data on social platform Clubhouse.
- Vulnerabilities in two APIs owned by farm equipment maker John Deere exposed customer and dealer information.
- And most recently, Peloton, the stationary bike maker turned viral exercise craze, allowed unauthenticated API snoops to see private customer info like age, birthday, gender, city, weight, and workout statistics.
In a world that increasingly relies on the kinds of apps and functionality APIs enable, such data disclosures are a big problem.
API security is critical
In Google’s State of API Economy 2021 research, 58% of global enterprise IT decision-makers said APIs are speeding new app development, and 53% said APIs are vital to building better digital experiences and products.
That makes securing APIs an imperative.
“We are absolutely seeing more API security incidents of late,” Michael Isbitski, a technical evangelist at API security specialist Salt Security, told VentureBeat. “Applications today are built on APIs, and you can draw a straight line from digital transformation to APIs.”
A Salt research report on the state of API security published earlier this year found that 91% of organizations had suffered some sort of API security incident. Despite that, more than a quarter of businesses running production APIs have no API security strategy in place.
Two-thirds of respondents told Salt researchers they were holding off on new app deployments because of API security concerns, highlighting how security concerns can drain innovation.
Part of this API insecurity is rooted in how modern application development handles code. In decentralized, multi-faceted application development environments, “no single group is really building the full picture for a given app, top to bottom, anymore,” Isbitski said. “Little aspects get missed.” Combine that with the limitations of most dev-focused testing and it becomes impossible for developers to see everything an app will do when it is released to the public.
“Attack methods aren’t really changing. They rarely do. But it’s very true that hackers are targeting APIs in a much more concentrated way,” says Isbitski, whose company makes products that inventory APIs and monitor their use and behavior to thwart attacks. “APIs are the map to a company’s crown jewels, and the hackers know that. It’s very lucrative to attack APIs.”
More APIs means more risks
Security consulting, testing, and training firm Secure Ideas in Jacksonville, Florida specializes in probing web and mobile applications and the APIs and microservices that fuel them. Its CEO, Kevin Johnson, is a longtime project lead at the Open Web Application Security Project (OWASP) and author of the well-known SamuraiWTF app security training environment.
As an API security veteran, Johnson says the problem is growing because the environment itself is ballooning. Digital transformation initiatives and the ability to reach customers, employees, and partners in any place at any time depends on the API. “We are seeing more APIs deployed,” he told VentureBeat. “There’s definitely a bigger target space as more organizations are rolling out APIs either for themselves or to share with partners or customers.”
Johnson calls the Peloton incident a prime example of a decent company that had a good idea for using APIs to rapidly develop a new, valuable service “but with security as an afterthought.” He added, “In fairness, a lot of companies like this don’t even know what ‘make it secure’ really means.”
Isbitski says when auditing a client’s software environment, three things are universally true: Organizations have many more APIs than they realize, they are unwittingly exposing sensitive data via APIs, and their current API defenses are easily circumvented. Basic technology solutions are rarely the prescription for such ills.
“Every company running any amount of APIs has deployed WAFs and API gateways,” Isbitski says. “Even the simplest of API attacks get through every time. Companies are always surprised, and a bit alarmed, to see the level of exposure they’re facing.”
Johnson wholeheartedly agrees, saying when it comes to APIs, well-architected software, rare as it may be, trumps security point products every time.
“One of the most common issues [we see] is a lack of rate-limiting, particularly around the authentication routes,” Johnson said. “App developers have mostly been forced to put in anti-harvesting and anti-brute-force controls, but APIs rarely do this properly.”
One thing nearly all experts agree on is that the solution to the API security problem starts with developers. There’s a desperate need for standardized guidance to help developers target and eliminate the most common API flaws. While the Open Web Application Security Project (OWASP) published the API Security Top 10 to help developers think about ways to protect the API, it isn’t enough.
Even an OWASP evangelist like Johnson concedes the Top 10 effort has its shortcomings. “I find the Top 10s to be helpful in that they spread awareness, but harmful as often people will assume that is all they need to worry about,” Johnson said.
Gartner suggests improved API governance
Gartner recommends organizations up their API governance game in the following ways:
- Discovering, inventorying, and thoroughly documenting all published APIs before the attackers find them. This includes “shadow APIs” that developers publish without permission.
- Employing a combination of API management and web application firewalls (WAFs) to protect APIs where appropriate and using more specialized API security products where risks are especially high.
- Baking security into the API development lifecycle; ramping up API security testing; and developing strong, reusable API security policies.
- Using a distributed enforcement model to protect APIs across the entire architecture, not just at the perimeter.
For Johnson, the solution includes giving developers the tools to succeed rather than simply blaming them when things go wrong.
“We need affordable, accessible training for security professionals and regular, high-quality security training for every developer,” Johnson said. “There’s always going to be issues. There will always be some successful attacks. But mitigating the risk starts with education, which is also a tool to maturing the security program of an organization.”
“An organization with a mature security program will still have security incidents, but they’ll have measures in place to detect, respond to, and reduce the scope of the incident,” he said. Isbitski agrees with this approach and said such initiatives need to start soon.
“I would love to see companies educate their security teams, mandate better discovery around APIs, and demand runtime protection that’s capable of finding and stopping API attacks,” Isbitski said. “They present too great a risk to wait for the next six months of headlines.”
VentureBeat's mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Discover our Briefings.