Corporate use of APIs (application programming interfaces) is exploding as more and more companies embark on digital transformation and find ways to make money by exposing their data to outsiders through apps, websites and other integrations built by third parties.
The downside of all these APIs is that they pose a significant risk to IT security.
“APIs pose a mushrooming security risk because they expose multiple avenues for hackers to try to access a company’s data,” warned Terry Ray, Imperva’s chief security officer. “To close the door on security risks and protect their customers, companies need to treat APIs with the same level of protection that they provide for their business-critical web applications.”
Scott Morrison, a distinguished engineer at CA Technologies, explains the source of the risks posed by APIs in a white paper on API security.
“The problem with APIs is that they often provide a road map describing the application’s underlying implementation, details that would otherwise be buried under web app layers,” he said.
This can give hackers valuable clues that could lead them to attack vectors they might otherwise overlook. At their best, APIs tend to be extremely clear and self-documenting, providing insight into internal objects and even internal database structures, all valuable intelligence for hackers.
“As the number of potential calls increases, so does the attack surface, which means a hacker simply has more to work with,” he said. “Risk increases with opportunity.”
How API security can be breached
In practice, Morrison says, there are three main ways (though not the only ones) that malicious actors can use APIs to gain access to data or computing infrastructure. These are:
Parameter attacks
These involve submitting unexpected data to exploit weaknesses in applications and databases. The most common type of parameter attack is SQL injection, which can succeed if developers do not sanitize input. Morrison points out that, in contrast to many web apps, APIs often clearly identify the underlying use of a parameter by its name, making an attacker’s job much easier.
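The following is an added example, not code from the article or from the white paper it cites. It shows the parameter attack described above against a constructed SQLite table: an endpoint that splices its `customer_id` parameter into SQL text, beside the same query with the value bound as a parameter and validated against an assumed identifier format. The table, the `c-NNN` format and the function names are assumptions made for the illustration.

```python
import re
import sqlite3

# Assumed format for this API's customer_id parameter; anything else is rejected.
CUSTOMER_ID_RE = re.compile(r"c-\d{1,9}")


def make_db():
    """Constructed in-memory table standing in for the API's backing store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, customer_id TEXT, total REAL)")
    conn.executemany("INSERT INTO orders (customer_id, total) VALUES (?, ?)",
                     [("c-100", 19.99), ("c-100", 5.00), ("c-200", 250.00)])
    conn.commit()
    return conn


def orders_vulnerable(conn, customer_id):
    # The parameter is spliced into the SQL text. Because the API names it
    # customer_id, a caller already knows which column the value reaches.
    sql = f"SELECT id, customer_id, total FROM orders WHERE customer_id = '{customer_id}'"
    return conn.execute(sql).fetchall()


def orders_bound(conn, customer_id):
    # Binding alone defeats injection: the driver sends the value separately
    # from the statement, so it is never parsed as SQL.
    sql = "SELECT id, customer_id, total FROM orders WHERE customer_id = ?"
    return conn.execute(sql, (customer_id,)).fetchall()


def orders_hardened(conn, customer_id):
    # Validate first (reject anything not matching the documented format),
    # then bind. Rejecting early also gives threat detection a clear signal.
    if not isinstance(customer_id, str) or not CUSTOMER_ID_RE.fullmatch(customer_id):
        raise ValueError("customer_id does not match the expected format")
    return orders_bound(conn, customer_id)


def demo():
    """Run the three variants against one injected value and one normal value."""
    conn = make_db()
    injected = "c-100' OR '1'='1"
    leaked = orders_vulnerable(conn, injected)   # every row in the table
    bound = orders_bound(conn, injected)          # no row has that literal id
    try:
        orders_hardened(conn, injected)
        rejected = False
    except ValueError:
        rejected = True
    normal = orders_hardened(conn, "c-100")       # the two rows for c-100
    return len(leaked), len(bound), rejected, len(normal)


if __name__ == "__main__":
    print(demo())
```

The validation step does not replace binding; it narrows what the endpoint accepts to the format the API documents, so malformed values are rejected before they reach the database and can be counted by detection tooling.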
Identity attacks
An API key is a code used by an individual app to identify itself to an API. Keys are meant to be kept secret by developers, but in practice they are often easy to discover. This means that APIs that use API keys as authoritative credentials are at risk: anyone who has the API key can use it to write malicious code that passes itself off as a legitimate application.
Man-in-the-middle (MITM) attacks
These occur when an attacker sits between an API and an app or user, intercepts the traffic between the two and sometimes impersonates one to the other. This is possible because many APIs do not use SSL/TLS, or do not use it properly.
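As an added illustration of what “not using TLS properly” means on the client side (this is example code, not from the article), the block below builds two TLS contexts with Python’s standard `ssl` module: one with certificate verification and hostname checking switched off, which accepts whatever certificate an intermediary presents, and one with the system trust store, verification and a TLS 1.2 floor. The `context_is_acceptable` check is a constructed policy function, not a library API.

```python
import ssl


def insecure_client_context():
    """Weak setting: verification disabled.

    A client built this way accepts any certificate, so whoever sits between
    the app and the API can present their own and read or alter the traffic.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context():
    """Corrected setting: system trust store, hostname check and certificate
    verification on, and nothing older than TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_acceptable(ctx):
    """Constructed policy: what a code review or config linter would demand of a context."""
    return bool(
        ctx.check_hostname
        and ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    )


if __name__ == "__main__":
    print("insecure acceptable:", context_is_acceptable(insecure_client_context()))
    print("hardened acceptable:", context_is_acceptable(hardened_client_context()))
```

The hardened context is what an app should hand to its HTTP client, for example as the `context` argument of `urllib.request.urlopen`; the server side of the same rule is to serve the API only over TLS with a certificate the clients can verify.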
Preventing API attacks
There are a number of ways that organizations can reduce API security risk.
Threat: Parameter attacks
- Mitigation 1: validate all incoming data
- Mitigation 2: use threat detection, including virus detection
Threat: Identity attacks
- Mitigation: use effective methods of authentication and authorization. Morrison recommends using factors such as source IP, time windows for access, device identification and geolocation.
Threat: MITM attacks
- Mitigation: use TLS for all data exchanges
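The identity-attack mitigation above (and the API-key weakness described earlier) can be made concrete with a small server-side check. This is an added example, not code from the article or from any vendor named in it. The server stores only a digest of each key, compares it in constant time, and then applies the contextual factors the article lists: source IP, an access time window and a device identifier (geolocation is left out because it needs an external lookup). The client name, network range, hours, device id and scope names are all constructed values.

```python
import hashlib
import hmac
import ipaddress
import secrets
from datetime import datetime, timezone


def hash_key(api_key: str) -> str:
    """Digest stored server-side; a leaked table of digests yields no usable keys."""
    return hashlib.sha256(api_key.encode()).hexdigest()


def issue_key():
    """Generate a fresh key; the caller keeps the raw key, the server only its digest."""
    raw = secrets.token_urlsafe(32)
    return raw, hash_key(raw)


def make_registry(key_hash):
    """Constructed registry: which client a key belongs to, what it may do, and
    the context in which that client is expected to call (all values assumed)."""
    return {
        key_hash: {
            "client": "mobile-app",
            "scopes": {"orders:read"},
            "allowed_networks": [ipaddress.ip_network("203.0.113.0/24")],
            "hours_utc": (6, 22),        # access window: start inclusive, end exclusive
            "device_ids": {"dev-7f3a"},
        }
    }


def authorize(registry, api_key, scope, source_ip, device_id, now):
    """Return (allowed, reason). Possession of the key alone is never sufficient."""
    digest = hash_key(api_key)
    record = None
    for stored_hash, rec in registry.items():
        # Constant-time comparison so timing does not reveal partial matches.
        if hmac.compare_digest(stored_hash, digest):
            record = rec
    if record is None:
        return False, "unknown key"
    ip = ipaddress.ip_address(source_ip)
    if not any(ip in net for net in record["allowed_networks"]):
        return False, "source IP outside allowed networks"
    start, end = record["hours_utc"]
    if not start <= now.hour < end:
        return False, "outside access window"
    if device_id not in record["device_ids"]:
        return False, "unrecognized device"
    if scope not in record["scopes"]:
        return False, "scope not granted"
    return True, record["client"]


def demo():
    """Exercise one legitimate call and several that present a valid key in the wrong context."""
    raw, digest = issue_key()
    registry = make_registry(digest)
    noon = datetime(2024, 1, 1, 12, tzinfo=timezone.utc)
    night = datetime(2024, 1, 1, 23, tzinfo=timezone.utc)
    return [
        authorize(registry, raw, "orders:read", "203.0.113.10", "dev-7f3a", noon),
        # Same key, but replayed from a network the client never uses.
        authorize(registry, raw, "orders:read", "198.51.100.5", "dev-7f3a", noon),
        authorize(registry, raw, "orders:read", "203.0.113.10", "dev-0000", noon),
        authorize(registry, raw, "orders:read", "203.0.113.10", "dev-7f3a", night),
        authorize(registry, raw, "orders:write", "203.0.113.10", "dev-7f3a", noon),
        authorize(registry, "not-the-key", "orders:read", "203.0.113.10", "dev-7f3a", noon),
    ]


if __name__ == "__main__":
    for allowed, reason in demo():
        print(allowed, reason)
```

Each refusal returns a distinct reason, which is what a detection pipeline wants to log: a valid key arriving from an unexpected network or device is exactly the signal that the key has leaked.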
API security platforms
The top three API attack vectors are by no means the only vulnerabilities that put APIs at risk. Using a proven API security solution is recommended to minimize the other risks that APIs pose.
In general terms, API security platforms can:
- Help expose systems of record and other systems and applications safely through APIs by consistently applying policies such as authentication; and
- Manage the internal and third-party developers who create applications using those APIs.
API security market growing
The API security products market is potentially enormous.
To get an idea of the scale of API use, consider these statistics: according to an Imperva survey of 250 IT professionals, 69 percent of organizations expose APIs to their customers and partners, and each organization manages a staggering 363 different APIs.
Not surprisingly, sales of API security products are growing rapidly as companies increasingly see the need to protect their API-related activities.
According to Gartner, the market was worth $961 million in 2017 and was expected to exceed $1 billion by the end of 2018. Gartner expects the market to grow at a compound annual rate of nearly 15 percent between 2016 and 2021.
In fact, many API security products are API management products that centralize APIs and allow security and other policies to be applied systematically and uniformly.
They can also help avoid uncontrolled API sprawl, in which different developer groups in different parts of the organization create APIs without a consistent approach to security.
They can also help prevent APIs from being abandoned and forgotten instead of being safely retired. “When you have visibility into your APIs throughout your organization, you can then set up controls,” said Subra Kumaraswamy, former head of product security at Apigee, a Google-owned API security vendor.
“You could decide that only in-house developers should be exposed to a certain API, not external third-party developers. If you have no visibility, you can’t see who accesses what.”
“If you’ve got API sprawl, that’s bad too. API management ensures consistency and that you’re not duplicating things,” he added. “It isn’t consistent, for example, if you have five departments using five different authentication methods for your APIs. A management product allows you to apply two-factor authentication if you want that.”
API security platform vendors and products
The number of API security product vendors is growing. Many of the smaller participants have been acquired by larger companies: Apigee by Google, Apiary by Oracle, Akana by Rogue Wave, 3scale by Red Hat and MuleSoft by Salesforce, for example.
Although API security is still sold as an on-premises solution, it is also increasingly available from Amazon, Google and Microsoft as part of a cloud service. Vendors and products include:
- Google Apigee
- CA Technologies CA API Management
- IBM IBM API Connect
- Software AG webMethods API Management Platform
- Salesforce Mulesoft Anypoint Platform
- TIBCO Software Mashery
- Red Hat 3scale API Management
- SAP Cloud Platform API Management
- Amazon Web Services Amazon API Gateway
- Axway AMPLIFY API Management
- Microsoft Azure API Gateway