How secure are your APIs?
Application programming interfaces (APIs) have become a must-have for many organisations, with enterprise developers relying heavily on them to support the delivery of new products. APIs allow programmers to integrate functionality from externally provided services instead of having to build those functions themselves.
While the interconnections offered by APIs have existed since the first programs were written, the landscape is changing, especially with the rapid growth of mobile applications. Even legacy applications have APIs written for them in order to extend their life cycle rather than make them redundant.
With the rise of APIs comes the potential for more security holes. Developers therefore need to understand the whole API, not just the part they need to integrate, because other parts could leak data to rogue applications operated by a bad actor. It is this lack of a full code review that leads to data breaches and the bad press they bring, forcing boards to review how corporate and customer information is kept safe. Companies rely on their APIs to build applications that drive innovation and revenue, so there is no room for deployment delays.
The increasing regulatory focus on sensitive data leaks is affecting profitability, and the public is taking notice. Poor API design and security practices are often at the root of leaks of sensitive PII.
APIs are everywhere, and they constantly exchange highly sensitive data, making them a rich target for attackers. This explains the significant increase in attacks targeting APIs in recent years; attackers have moved beyond methods such as cross-site scripting (XSS) and SQL injection (SQLi) to focus on finding vulnerabilities unique to APIs.
Traditional solutions such as Web Application Firewalls (WAFs), which depend on signatures and known attack patterns, cannot detect or prevent these new attacks targeting the unique nature of APIs. Because they validate each transaction individually and cannot correlate activity over time, they cannot detect the reconnaissance behaviour of a bad actor probing a company’s APIs for a business logic flaw.
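To make the distinction concrete, the following is an added example (not code from the original article or from any WAF vendor) that runs two checks over a constructed API access log: a stateless signature match, the way a classic WAF inspects each request on its own, and a stateful per-client correlation that looks for object-ID enumeration across many requests. The log format, client addresses, endpoint paths and thresholds are all constructed for illustration.

```python
"""Per-request signature matching versus cross-request correlation.

Added example; the log lines, client addresses and thresholds are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote

# Constructed sample access log: timestamp, client, method, path, HTTP status.
# 203.0.113.5 walks sequential order IDs and is mostly denied (enumeration).
# 198.51.100.7 behaves like a normal user. 192.0.2.9 sends a textbook SQLi probe.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z 203.0.113.5 GET /api/v1/orders/1001 200
2024-05-01T10:00:01Z 203.0.113.5 GET /api/v1/orders/1002 403
2024-05-01T10:00:02Z 203.0.113.5 GET /api/v1/orders/1003 403
2024-05-01T10:00:03Z 203.0.113.5 GET /api/v1/orders/1004 404
2024-05-01T10:00:04Z 203.0.113.5 GET /api/v1/orders/1005 403
2024-05-01T10:00:05Z 203.0.113.5 GET /api/v1/orders/1006 403
2024-05-01T10:00:06Z 203.0.113.5 GET /api/v1/orders/1007 200
2024-05-01T10:00:07Z 203.0.113.5 GET /api/v1/orders/1008 403
2024-05-01T10:00:10Z 198.51.100.7 GET /api/v1/orders/2201 200
2024-05-01T10:00:11Z 198.51.100.7 GET /api/v1/orders/2201 200
2024-05-01T10:00:12Z 198.51.100.7 POST /api/v1/orders 201
2024-05-01T10:00:13Z 192.0.2.9 GET /api/v1/search?q='%20OR%201=1-- 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
OBJECT_RE = re.compile(r"^(/api/v1/\w+)/(\d+)$")  # collection + numeric object ID

# Two classic payload signatures, the kind a signature-based WAF matches
# against each request in isolation (constructed, deliberately minimal).
SIGNATURES = [
    re.compile(r"'\s*or\s+1\s*=\s*1", re.I),
    re.compile(r"<script", re.I),
]


def parse_log(text):
    """Turn the raw log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, method, path, status = m.groups()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "client": client, "method": method,
            "path": path, "status": int(status),
        })
    return events


def signature_alerts(events):
    """Stateless check: flag a request only if its own content matches a pattern."""
    alerts = []
    for e in events:
        decoded = unquote(e["path"])
        if any(sig.search(decoded) for sig in SIGNATURES):
            alerts.append((e["client"], e["path"]))
    return alerts


def enumeration_alerts(events, window=timedelta(seconds=30),
                       min_objects=5, min_denied_ratio=0.5):
    """Stateful check: for each (client, collection), count distinct object IDs
    requested inside a sliding time window and the share of those requests the
    API denied (401/403/404). Many distinct IDs plus a high denial rate is the
    footprint of someone enumerating objects they are not authorised to see."""
    per_client = defaultdict(list)
    for e in events:
        m = OBJECT_RE.match(e["path"])
        if m:
            per_client[(e["client"], m.group(1))].append(
                (e["ts"], m.group(2), e["status"]))
    alerts = []
    for (client, collection), hits in per_client.items():
        hits.sort()
        for i, (start, _, _) in enumerate(hits):
            in_window = [h for h in hits[i:] if h[0] - start <= window]
            ids = {h[1] for h in in_window}
            denied = sum(1 for h in in_window if h[2] in (401, 403, 404))
            if len(ids) >= min_objects and denied / len(in_window) >= min_denied_ratio:
                alerts.append({"client": client, "collection": collection,
                               "distinct_ids": len(ids), "denied": denied,
                               "requests": len(in_window)})
                break  # one alert per client/collection is enough
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("signature alerts:", signature_alerts(evs))
    print("enumeration alerts:", enumeration_alerts(evs))
```

Run stand-alone, the signature check reports only the SQLi probe from 192.0.2.9; every request from 203.0.113.5 is individually well-formed, so no per-request rule fires. The correlation check, which keeps state per client and collection, is the one that surfaces the enumeration. In production the same idea is applied with persistent per-client state (a cache or stream processor) rather than an in-memory list, and the thresholds are tuned against the API's normal traffic.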
APIs are incredibly powerful tools that can help an organisation advance its business goals and integrate better with customers, vendors and business partners. However, in the face of constantly changing application development methods and pressure to innovate, some organisations have not fully grasped the risks of making their APIs available to the public. Regardless of how many APIs are shared publicly, the security considerations should never be forgotten, and it is for the executives responsible for security and governance to ensure that development and network teams never lose sight of establishing strong security policies upstream and managing them proactively, over time, for each development.