Written by Shay Levi, Co-Founder and CTO at Noname Security
APIs are unseen. They are not typically a technology that end users interact with directly and are somewhat hidden from their day-to-day activities. Therefore, user understanding of API vulnerabilities and the impact an API security incident could have, when it comes to data breaches, is often lacking.
While data breaches are big news, the way in which many of these incidents happen is rarely reported. The reality is that in a large share of data breaches the weak link is an API and the improper security around it.
API components are often seen in the second stages of an attack
For example, the recent MOVEit hack had an API component in the second stage of the attack, involving deserialisation abuse of the MOVEit API. This resulted in thousands of companies being breached, yet there was almost no mention of APIs, with SQL injection as the cause of the breach taking front and centre stage.
There are countless other equally high-profile breaches, such as Twitter, Peloton, Optus and Medibank, that are the result of an API security incident. In fact, it is fair to say that we don't really know the real extent of the API security problem based on public disclosure alone.
However, what we do know is that API security incidents are escalating. Two years on from our first study, our second annual API Security Disconnect research highlights this: the number of businesses reporting API security incidents rose from 76% in 2022 to 78% in 2023. With digital transformation accelerating and APIs acting as the glue that integrates many once-disparate systems, API security incidents are becoming so apparent that organisations can no longer afford to ignore them.
API security is a crucial pillar in an organisation’s security strategy
For those less familiar, API security is the practice of preventing and mitigating attacks that originate at the API level, and it is a crucial pillar in any organisation's overall security strategy. APIs not only enable users to interact with applications, but also facilitate communication between their underlying internal services, many of which transmit or store sensitive data. An insecure API can therefore provide an entry point for attackers and seriously compromise an application's security posture.
The most common API security vulnerabilities happen during development, which is why the “shift left” testing movement is central to API security as it pushes API testing toward the early stages of software development. By testing API vulnerabilities early and often, a project can reduce the number of bugs and increase the quality of the code. Below are a few of the common issues that occur and create API security vulnerabilities:
· Broken object-level authorisation occurs when a request can access or modify data the requestor shouldn't have access to, such as being able to access another user's account by tampering with an identifier in the request.
· Broken function-level authorisation arises when the principle of least privilege isn't implemented, often because of overly complex access control policies. It results in an attacker being able to execute sensitive commands or access endpoints intended for privileged accounts.
· Broken user authentication happens when the authentication process can be compromised, allowing an attacker to pose as another user on a one-time or even permanent basis.
· Excessive data exposure. API responses often return more data than is relevant or necessary. Even though the extra data may not be displayed to the user, it can easily be examined and may lead to exposure of sensitive information.
· Improper asset management. API development and deployment are usually fast-paced, and thorough documentation is often omitted in the rush to release new or updated APIs. This leads to exposed and ghost endpoints, as well as a poor understanding of how older APIs work and how they need to be implemented.
· Lack of resources and rate limiting. API endpoints are usually open to the internet and, if there are no restrictions on the number or size of requests, are open to DoS and brute-force attacks.
· Injection flaws. If request data isn't parsed and validated correctly, an attacker can potentially launch a command or SQL injection attack to access data or execute malicious commands without authorisation.
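As an added example (not from the article or from Noname Security), the following Python handler shows how three of the flaws above, broken object-level authorisation, excessive data exposure and missing rate limiting, are closed in a single account-lookup endpoint; the session tokens, account records and limit values are constructed for the illustration.

```python
"""Minimal account-lookup endpoint illustrating three of the API flaws listed
above (BOLA, excessive data exposure, missing rate limiting) and their fixes.
Added example, not Noname Security code; the data and tokens are constructed."""
from collections import defaultdict

# Constructed backing data: sessions map bearer tokens to user ids; accounts
# carry an owner plus fields that must never leave the service.
SESSIONS = {"tok-alice": "u1", "tok-bob": "u2"}
ACCOUNTS = {
    "acct-1001": {"owner": "u1", "name": "Alice", "balance": 120.0,
                  "ssn": "000-00-0001", "password_hash": "CONSTRUCTED-HASH-1"},
    "acct-1002": {"owner": "u2", "name": "Bob", "balance": 75.5,
                  "ssn": "000-00-0002", "password_hash": "CONSTRUCTED-HASH-2"},
}
# Excessive data exposure fix: serialise an explicit allowlist, never the record.
PUBLIC_FIELDS = ("name", "balance")
RATE_LIMIT = 3  # requests per caller per window (window expiry kept trivial)
_request_counts = defaultdict(int)

def get_account(account_id, token):
    """Return (status, body) for GET /accounts/{account_id} with a bearer token."""
    # Broken user authentication fix: reject unknown tokens before any lookup.
    user_id = SESSIONS.get(token)
    if user_id is None:
        return 401, {"error": "unauthenticated"}
    # Lack of rate limiting fix: count per authenticated caller, not per IP only.
    _request_counts[user_id] += 1
    if _request_counts[user_id] > RATE_LIMIT:
        return 429, {"error": "rate limit exceeded"}
    account = ACCOUNTS.get(account_id)
    # BOLA fix: the identifier in the URL proves nothing; the caller must own it.
    # Returning 404 for both missing and foreign ids avoids confirming existence.
    if account is None or account["owner"] != user_id:
        return 404, {"error": "not found"}
    return 200, {k: account[k] for k in PUBLIC_FIELDS}

def reset_rate_limits():
    _request_counts.clear()

if __name__ == "__main__":
    print(get_account("acct-1001", "tok-alice"))   # own account: 200, public fields only
    print(get_account("acct-1002", "tok-alice"))   # someone else's account: 404
    print(get_account("acct-1001", "bad-token"))   # no valid session: 401
    get_account("acct-1001", "tok-alice")          # third call, still allowed
    print(get_account("acct-1001", "tok-alice"))   # fourth call in window: 429
```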
Unfortunately, many businesses still don't approach API security proactively; instead there is often a series of knee-jerk activities because peers in their industry have just been exposed to an attack. Many organisations also believe that web application firewalls are enough from an API security perspective.
However, our second API Security Disconnect research highlighted that the WAF is one of the primary attack vectors. The top attack vectors cited by survey respondents were web application firewalls, network firewalls and API gateways. WAFs are good at filtering easily identifiable threats but are less reliable at detecting vulnerabilities that don't have the attributes of a typical cybersecurity threat. In essence, WAFs lack the context needed to judge whether a given request is really a threat.
A lack of visibility and API inventories
Organisations also lack visibility, and many don’t have full API inventories or know which APIs return sensitive data. Often companies don’t conduct real-time or continuous testing of their APIs, meaning that a piece of code that was found to be secure a week ago may now have a vulnerability. So, what should organisations do to better secure their APIs?
Ensuring good encryption, validation and visibility of the API inventory are all good initiatives to undertake. Regular auditing, logging and vigilance are also important, including continually monitoring APIs while proactively securing the environment against API security vulnerabilities, misconfigurations and design flaws.
The OWASP Top 10 for 2023
The OWASP (Open Web Application Security Project) Top 10 is a list of the ten most critical vulnerability categories, ranked according to their exploitability and impact. The OWASP Top 10 has just been updated for 2023, and organisations should review their API systems to ensure they have addressed every OWASP category. To do this they need a holistic platform approach with the right context to evaluate each category using both static and behavioural validation.
In our modern infrastructure, APIs are only set to become even more important. Developers know agility is critical for businesses to grow and survive and that APIs are the key to gaining the speed and flexibility necessary to make this happen. Securing APIs will therefore be paramount, otherwise the organisation may find it is the latest victim of a data breach.