API Security: Why the Gap
Developers and security professionals have different concerns and motivations. It’s easy to see why gaps emerge. The ability to quickly ship new products, features or functionality is a real source of competitive advantage in the digital economy. Business needs demand speed. Engineers constantly work to tight deadlines and are always focused on that next release. And with the rise of microservice architectures and the proliferation of cloud services in modern software, APIs are an essential part of effective and speedy development. No one in a business wants to hinder the pace of innovation. On the other hand, in an ever-evolving threat landscape, cybersecurity is a constant concern for organizations of all sizes. Novel attack vectors, particularly those related to APIs, emerge as quickly as technology evolves. It is more important than ever for application and security teams to work together. Failure to close the gap can be catastrophic.
The Dangers of Unsecured APIs
APIs, by design, serve as a gateway to your data. It makes them extremely attractive to attackers. APIs are also often the interface where business functions can be invoked. For that reason, APIs are the only construct that has both data access and transactional capabilities, so APIs are a doubly enticing target. Our research shows that API breach incidents are accelerating at a rate of 227% year-on-year and the average volume of records exposed is close to 3M per event.
Even the largest and most sophisticated organizations are at risk. Here are just a few examples:
API Vulnerability - In 2021, the exercise equipment company had to deal with fallout as researchers identified a bug in its API that allowed unauthorized access to users' private data, including user IDs, instructor IDs, group memberships, location, workout stats, gender, age, and studio status. The vulnerability arose due to the fact that the API authenticated once, but then didn’t require subsequent authorization to access additional functions. Furthermore, sequential numbering made scraping very easy. It was a major concern, especially given the fact that the smart exercise bike company’s user base included President Joe Biden. The potential risks of built-in cameras and microphones in the bikes were highlighted, with questions about the security of such features in sensitive locations like the White House.
API Flaws - In 2020, web application security researcher, Sam Curry identified a vulnerability in a popular coffee chain’s web application that would allow attackers to access over 100 million records. The data included sensitive items such as names, emails, phone numbers, and addresses. The APIs in question allowed attackers to traverse API calls to hit URLs that weren’t supposed to be accessible on the internal host. Overly verbose error responses were a major factor. The internal API also had an exposed Microsoft Graph instance which would’ve allowed an attacker to exfiltrate those 100 million records. The bug was reported, patched and a bounty was awarded.
API Attack - The Australian telco was rocked by an attack in 2022. An internal API was inadvertently made public due to a DNS or network configuration change. Once public the API had inadequate authentication. This resulted in a significant cyber-attack which exposed the data of about 10 million customers, nearly 40% of the Australian population. The breach involved personal data, including names, birthdates, addresses, and ID numbers, with passport and driving license details for approximately 2.8 million individuals. There were ransom demands for $1 million in cryptocurrency and the situation became more complex as data samples were released and then retracted.
As illustrated by these examples, any API vulnerability or misconfiguration can open the door to data breaches that could cause reputational damage, financial loss, regulatory repercussions, and more. If data is the new oil, API breaches have the potential to be the next Deepwater Horizon or Exxon Valdez. Keeping your security teams and application developers on the same page is vital. But what if examples like those above aren’t enough to keep everyone aligned? How can you ensure API security without sacrificing speed to market? How can you protect your organization’s data without stifling innovation?
Here we look at some of the components of an effective API security strategy and how they bring benefits to both security teams and developers.
- A Security First Mindset - Culture eats strategy for breakfast. The first-step in bridging the gap between application and security teams is about fostering a culture of security awareness and collaboration. It has to be a two-way street. It can’t all be about policy diktats and enforcement. Security teams need to work with developers to provide them with the knowledge, tools and support needed to protect APIs without sacrificing speed and efficiency. Finger-wagging will only go so far. CISOs need to strive for the right balance between protection and productivity. Their security teams need to push themselves to find the approaches that will minimize vulnerabilities while maximizing output. It’s not always the most obvious option. Whenever possible, focus on finding lightweight, low-overhead solutions for API security that have minimal impact on development velocity. Similarly, application teams need to appreciate that security is everyone’s responsibility. It’s not a bothersome afterthought that gets in the way of pulling down tickets and pushing new code to production. Security is existentially important to the organization. Creating a collaborative, ‘Security First’ culture is easier said than done. It takes time and requires real buy-in at every level. But it lays the foundation for the other more practical steps toward effective API security that follow.
- API Security & Effective Discovery - We all know about the pitfalls of ‘shadow IT’ and nowhere have these challenges become more pronounced than in the realm of API security. The volume of ‘shadow’, ‘rogue’ or ‘zombie’ APIs you find in even the most security-conscious organizations can be shocking. And if you can’t see it, you can’t secure it. So, effective discovery across your entire API ecosystem is vital. It also helps in aligning the efforts of security teams and application developers. For security teams, API discovery serves two essential purposes. Firstly, it helps pinpoint potential security vulnerabilities by uncovering unauthorized or poorly secured APIs that might be exposing sensitive data. This allows them to neutralize threats before breaches occur. Secondly, comprehensive discovery helps security teams to formulate better policies and specs by identifying all of the outliers and possible configurations that might give rise to threats in future. For developers, effective API discovery can even boost productivity by providing a clear inventory that allows them to quickly locate APIs that suit their application needs, reducing development time and minimizing the likelihood of creating duplicate or unnecessary APIs. Effective API discovery programs can be a real win-win. It’s important though to ensure that wherever possible discovery is automated and ongoing. This is not a ‘one and done’ exercise and the need for manual development needs to be minimized. Integration with your various cloud environments, scanning of your repositories and a defined system of API inventory management all contribute to ensuring that both application and security teams have an accurate and up-to-date view of your entire API landscape.
- Enhanced API Visibility and Monitoring - So you’ve identified all of your organization’s APIs and developed systems for ongoing discovery and inventory management. Now you need a way to see what’s happening across those APIs. Effective visibility and monitoring of API activity brings benefits for security teams and developers. On the security side, it provides a real-time window into the organization's API ecosystem. This visibility empowers security professionals to detect and respond promptly to potential threats, unauthorized access attempts, or anomalous behavior. By having a clear overview of API interactions, security teams can identify vulnerabilities and proactively address them, reducing the risk of data breaches and cyberattacks. At the same time, application developers gain valuable insights into how their applications interact with APIs, enabling them to optimize performance, enhance user experiences, and troubleshoot issues more effectively. This real-time feedback loop helps developers fine-tune their code, resulting in higher-quality applications that meet user expectations. Developers can share data-driven insights with security teams, leading to a deeper understanding of application behavior and potential security risks. This partnership enables developers to make informed decisions that align with the organization's security objectives.
- API Security Posture Management - Comprehensive API security posture management offers a dual benefit too. For security teams, it means the ability to define standards, enforce policy and ensure consistency of APIs across the organization. While developers can leverage these predefined security policies and configurations to create new APIs more quickly, eliminating the need to figure out complex security measures for each new deployment. Ultimately, it allows them to code with confidence and get more done.
- Streamlined Incident Response - An effective API strategy will minimize the risk of significant breaches and if an incident does occur, it equips your organization to respond quickly and efficiently. This brings benefits to both application and security teams. From a security perspective, the benefits are obvious. A robust API security strategy with comprehensive discovery, accurate API inventory, centralized logging and sophisticated posture management makes digital forensics and incident response much easier. And that’s good news for application teams too. It means reduced disruption to their development workflows with no need for developers to compile logs from disparate sources or to get bogged down in the investigation of an event. It also means that developers are informed promptly about security incidents that might impact their applications. This enables developers to take immediate action, address vulnerabilities, and implement necessary changes, contributing to the overall security posture.
The trade-off between productivity and protection will never be eliminated entirely. Security and application teams will always be driven by different motivations. But when it comes to API security, the ability to communicate the benefits of an effective API security strategy to both developers and security teams will go a long way towards bridging the gap. And by doing so you’ll achieve increased security while giving developers the confidence to deliver even greater innovation through APIs.