98% of developers view APIs as a key contributor to getting work over the line, and 86% are planning an increase in the number of APIs they use in 2024. While APIs are critical for allowing software applications to communicate and exchange data, functionality and features, if they are not adequately secured, APIs can also open an organization up to risk. If you’re thinking about API security testing and how to secure APIs to unlock business agility without risking your security posture, consider this article your API security checklist for success.
What is API Security?
Today’s software application development couldn’t exist without APIs. They allow for seamless integration between various applications and software systems by governing how the elements of a program should communicate and interact. From web APIs which communicate with databases and servers, to operating system APIs which allow access to system-level functionality, and software library APIs for developers to integrate pre-written code into their own programs, APIs have made developing complex software applications simple, adding agility and shortening time to value for a wide range of business goals.
However, APIs can also be a source of risk, and threat actors can use APIs to obtain unauthorized access to an environment, launch malicious activity like DDoS attacks, and to gain a foothold to make lateral moves or steal data. When we talk about the meaning of API security, and API security best practices — we’re zooming in on the processes and measures businesses use to protect APIs from this kind of exploitation and misuse.
Types of API Security Threats
APIs have unique vulnerabilities and security risks, and need a targeted approach when organizations are looking to maintain a strong security posture. The latest OWASP API Security Top 10 discusses the risks of APIs that could cause the most negative business impact.
-
- Broken Object Level Authorization: By manipulating the object identifier within an API request, attackers can exploit API endpoints to gain access. IDs could vary from sequential integers and UUIDs, to generic strings, and are easy to identify.
- Broken Authentication: If your authentication mechanisms are vulnerable, this allows attackers to exploit authentication tokens, or gain access to your data by impersonating a legitimate user.
- Broken Object Property Level Authorization: These mechanisms segment access to specific parts of an object or property. Unauthorized users take advantage of a lack of authorization validation at the object property level to gain access.
- Unrestricted Resource Consumption: APIs need resources to handle requests, but when APIs have unlimited resources, attackers can launch successful DDoS attacks, causing downtime, and increasing costs.
- Broken Function-level Authorization: With many users, groups and roles in place, access control policies can get complicated fast. If user permission systems are incomplete or broken, this is an open door for attackers.
- Unrestricted Access to Sensitive Business Flows: Not caused by an implementation bug, overuse of sensitive information in the business workflow can allow attackers to find business flows, automate excessive access and cause harm.
- Server-side Request Forgery: Many businesses think a VPN or firewall is enough protection. However, if an API fetches a remote resource without validating the user-supplied URI, a crafted request can be sent to an unplanned destination.
- Security Misconfiguration: Changes to configurations and regular customizations are crucial, but every change comes with risk, especially if and when developers don’t follow API security best practices.
- Improper Inventory Management: OWASP reminds organizations that APIs expose more endpoints than traditional web apps. Documentation is therefore critical. Deprecated versions or exposed debug endpoints are attackers’ low hanging fruit.
Unsafe Consumption: Developers often trust endpoints that interact with third-party APIs, but attackers are known to go after third-party services integrated with the target API, and launch attacks from that foothold.
Shadow vs Zombie APIs
Two other API risks that are worth highlighting are shadow APIs and zombie APIs, two types of API that are unmonitored by the business, and can add a huge amount of risk.
Shadow APIs are similar to the concept of shadow IT, APIs that are created under the radar, usually for a small developer use case, or one which is unauthorized and uninventoried. These APIs will be created and deployed outside of the policies and corporate governance of the business, which means they can’t be monitored by existing API security testing tools. There’s no guarantee that shadow APIs have requisite authentication and access gates in place, and as they are unknown to the security team and the business, they may open your organization up to data leakage or privacy risks.
Zombie APIs have a similar challenge, but their existence emerges in a different way. A zombie API is one that has not been decommissioned, perhaps because development teams have updated it to a new version, and either forgot it existed, or thought it best to keep it running to make sure there are no problems with the update. You might have forgotten about an exposed API or API endpoint, but attackers are more than happy to remember them for you.
What Are The Effects Of API Attacks?
To understand the risk, let’s think about some examples of what happens once a threat actor has taken advantage of an API vulnerability.
Sensitive data exposure
APIs are responsible for a wide range of personal information, including healthcare details, financial transactions, and PII. Used by third-party developers and applications, maintaining API security should be a top priority to maintain both consumer trust and ensure regulatory compliance.
Unauthorized access
Once attackers have established a foothold via your API vulnerability, their opportunities for malicious damage are limitless. Threat actors could inject malware or ransomware, launch man-in-the-middle attacks, perform code injection, or make lateral moves to access crown jewel assets.
DDoS attacks
Especially when API resources are unrestricted, they can be a target for Distributed Denial of Service (DDoS) attacks, where the API is flooded with traffic and communication requests, causing downtime to legitimate users. These can be sent from multiple sources, increasing the impact of the attack.
How to Defend Against API Attacks with API Security Best Practices
Protecting APIs requires a multifaceted and layered approach. It starts with understanding the true extent of API risk in your environment, and then implementing controls to identify and remediate vulnerabilities as early as possible in the development cycle. If you’re looking for an API security checklist, best practices include:
- Putting strong controls into place: There are a number of core security measures that need implementing at the earliest possible stages. Multi-factor authentication can prevent attackers accessing your APIs, even if they have stolen credentials. Robust authentication like OAuth or JWT can also keep attackers out. Brute force attacks are much harder if you enforce rate limiting. And of course, always use data encryption to make data more difficult to steal.
- Ensuring visibility across all APIs: However strong your documentation is, the chances are there are APIs that you can’t see, and your API security testing tools can’t protect what they can’t see. Look for a solution that gives a single holistic view, including internal, external, third party, managed, unmanaged, shadow, and zombie, and gives details such as how they are being used, and changes made over time.
- Encouraging developers to limit the attack surface: One of the benefits of APIs is how they can be reused across different projects, but many developers are worried about modifying an existing API, and so instead, they start from scratch — unintentionally increasing the attack surface. Onboarding a tool that provides historical API visibility can empower developers to change their minds about going back to the coding board.
- Validating APIs early and continuously: For API security, shifting left is critical. When API documentation and code is scanned at the start, security is incorporated into the design stage, and teams can uncover misconfigurations, as well as risks in path definition, authentication schema, and transport encryption. Documentation can then be compared against implementation to identify any issues quickly and without disruption.
The Checkmarx Solution for API Security
At Checkmarx, we’re focused on shifting API security left and integrating right, discovering and validating every API at the code level so that problems can be identified and mitigated as early as possible in the software development lifecycle, and then integrating right with solutions like DAST so customers can protect live APIs in real-time.
Unlike many other solutions, Checkmarx API security provides complete API visibility, so that organizations can maintain an accurate and real-time view of their entire API attack surface, including shadow and zombie APIs, all from a single global API inventory.
To enable the necessary speed of development, and reduce ongoing API risk, Checkmarx includes a thorough Change Log, empowering developers to leverage and repurpose existing APIs without hesitation.
Additionally, when it comes to keeping APIs secure, Checkmarx identifies vulnerabilities in APIs, such as cross-site scripting, SQL injection, and more.
With a single solution, security and operational teams can gain a holistic view of all application security risk, alongside prioritized remediation guidance to channel focus towards alleviating their most critical concerns. Developers can feel certain that their APIs comply with industry standards and corporate governance, and that they are facilitating agility and innovation.
Want to see how it works for yourself? Learn more by requesting a demo.