Security

The Security Toolbox: 7 Tips for Securing APIs

This blog is part of a series to help organizations of any size optimize their security. Our experts provide insights and recommendations based on common security use cases, customer questions, and security software developer needs.

The surge in application programming interfaces, or APIs, to connect services and transfer data allow for the invaluable benefit of adaptability. This adaptability leads to more efficient data, application, services, and information sharing between systems, which is particularly helpful for processing speed and collaboration of different technologies within IT ecosystems.

But what happens when an API is misconfigured, forgotten, shared, or simply not fully tested? According to research from Salt Security, 94% of companies experienced security incidents in production APIs in the past year and one in five organizations suffered a breach due to API security gaps.

Recent news headlines have included API breaches of several major social networks, mobile services providers, and two out of three credit bureaus. Millions upon millions of records were exposed and captured by threat actors from largely preventable errors in API integration.

APIs are now the center of communication for most data, and the only way to reduce security vulnerabilities from APIs is for developers to proactively tighten their processes for sanitizing inputs and monitoring for vulnerabilities. The following are a few of the steps that can be implemented to help make any APIs within your ecosystem more secure.

Tip #1: Integrate an API gateway

An API gateway accepts all API calls within a system before the calls can get into a system and fulfill requests. It’s the tool that conducts the traffic between a client and all services.

API gateways provide a single point of entry for all calls and route calls to back-end services. They can be configured to enforce policies such as authentication, authorization, and traffic management.

Tip #2: Set throttling targets

Throttling, or the process of limiting the number of API requests users can make in a given period, helps prevent sudden surges in requests from overwhelming your system. Setting throttling targets can help protect a network or IT ecosystem from denial-of-service (DoS) attacks, limit slow performance, and improve the user experience. Any API calls made in excess of the rate limit will be throttled—they will fail.

Tip #3: Add authentication and authorization procedures to back-end APIs

Both authentication and authorization to access an API are crucial in securing the data within your systems and network. Authentication verifies a user’s identity, and authorization determines a user’s access privileges.

One example of the importance of addressing back-end APIs is the recent breach of a major exercise equipment retailer. Back-end APIs without authentication or authorization configurations were at fault in allowing the threat actor to call the API endpoints directly and obtain PII that included identification, location, age, and much more. The back-end APIs were used by both the retailer’s web and mobile applications, with these interfaces’ front ends interacting with the back-end APIs for enhanced data and functionality. However, the back-end APIs were left to rely on the front-end to filter data and provided an entry for reverse engineering.

Upon investigation, it was found that anyone with internet access could have queried one of these back-end APIs and obtained the PII. Even after better authentication was put in place, the lack of authorization mechanisms continued to allow anyone with membership credentials to query for any other user’s PII. While the retailer eventually remedied both authentication and authorization, the lack of back-end authentication and authorization processes left millions of records exposed for an extended period.

Tip #4: Configure APIs for appropriate input and validation in all fields

If you’ve ever tried to enter “1234” into the password field of a big box retailer’s computer displays and gotten in, you’ll quickly understand the importance of field configuration.

A very large data breach of a credit bureau occurred because an API wasn’t configured to validate key identifiers in pertinent fields. The threat actors were able to enter “00-00-0000” in the birthdate field and obtain sensitive data for hundreds of millions of people.

The quest for a sleek and minimal user interface led to the implementation of a leaky API that was configured for ease of use without the necessary security considerations.

Tip #5: Document API architecture, configuration, and visibility procedures

The limited resources of many organizations have led to many IT architectures evolving continuously with new API functionalities, but without documentation around what was changed, added, or deleted.

The lack of visibility results in a lack of control of an ecosystem, creating more attack surfaces from what’s known as API sprawl. Because you can’t protect what you don’t see, there’s inherent unknown risk in this scenario without a consistently well-managed procedure for documenting IT ecosystem and API changes.

A recent mobile carrier breach exposed tens of millions of subscriber records due to one single targeted API that wasn’t noticed for at least six weeks as it accessed and retrieved data.

Tip #6: Secure both internet-facing and internal API calls

The 2021 vulnerability called “Log4Shell” or “LogJam” worked in Java environments within the Log4j logging library. Due to the prevalence of Java in many systems and devices, this vulnerability struck both major and minor organizations worldwide.

But what may be less apparent is that this vulnerability can be used by attackers to access internal resources such as employee records or financial reports. Attempts to use the Log4j vulnerability continue to arise in many systems.

Other attack mechanisms—including unknowns and those yet to be developed—can also target internal APIs.

Tip #7: Reduce dependencies on shared and open-source API components

This is a tough one for resource-constrained teams who depend on repurposing components to be able to deliver applications, services, and functionality faster. Unless every component used in your APIs has been vetted with a time-tested procedure (see tip #5 above), latent vulnerabilities can impact your system and allow the spread of inherited bugs and security gaps. Sharing components can also lead to unexpected issues when components are placed in different scenarios than those they were originally developed to address.

Learn more about security for your unique environment

Get the basics at-a-glance in this infographic. If you’re not sure about your security posture or the level of vulnerability in your organization’s IT environment, a security assessment can help you develop a clear view of your current state and possible remediations needed. You can also rehearse real-time scenarios and threat-hunting through our Cyber Defense Simulation service. Visit the Professional Services for Security resources section for overviews on the different types of assessments available, and contact us at [email protected] to learn more.

For more support, read the other blogs in this series: