[BreachExchange] Insecure APIs a Growing Risk for Organizations

[Destry Winant]

https://www.darkreading.com/application-security/insecure-apis-a-growing-risk-for-organizations/d/d-id/1339402

Security models for application programming interfaces haven't kept
pace with requirements of a non-perimeter world, Forrester says.

Application programming interfaces (API) that connect enterprise
applications and data to the Internet are subject to the same
vulnerabilities as regular web applications and need to be addressed
with at least the same rigor.

In fact, the direct external access to transaction updates and mass
data that APIs enable subject them to additional threats that web
applications rarely encounter, according to Forrester Research.

In a report summarizing some of the major security issues surrounding
API use, the analyst firm warned about API breaches becoming
increasingly common and the next big attack vector for threat actors.

"As organizations are securing their web applications, they can't
forget about their APIs," says Forrester analyst Sandy Carielli.
"Security pros must specifically build in API security and not assume
that it's rolled into their existing web application protections."

An API basically allows applications or components of applications to
communicate with each other over the Internet or a private network.
Initially, most organizations used them within a secure private
network or accessed them through secure communications channels. But,
increasingly, organizations have begun using APIs to open up access to
internal applications and data to partners, suppliers, customers, and
others. Many see APIs as fundamental to enabling digital
transformation initiatives and powering a new generation of mobile
applications.

A survey of 1,500 developers, architects, QA professionals, and others
conducted earlier this year by SmartBear found 77% of organizations
represented in the survey both develop and consume APIs. The most
common use case for APIs continues to be interoperation between
internal tools, teams, and systems and reducing development time and
cost. Other popular use cases include partnering with external
organization, extending product or service functionality, and
absorbing data and features from external products.

According to Forrester, many of the security issues surrounding APIs
have been years in the making and have to do with the shift away from
early SOAP messaging protocol-based APIs to today's REST APIs.

Previously, SOAP APIs were typically accessed securely over VPNs or
two-way encrypted connections. REST APIs, on the other hand, are
designed for access through browsers and mobile apps. When a mobile
user makes an airline reservation on his phone, for instance, a REST
API conveys the user's instructions to the airline or travel services
vendor's back-end applications and delivers the response back to the
user.

REST APIs are open for exploitation through commonly available
client-side inspection and hacking tools, just like web applications
are unless protected. Long-held security best practices such as
least-privilege data access and server-side data validation are
therefore as critical to APIs as they are to web applications,
Forrester says.

The tools for exploiting APIs are not complicated, Carielli says.

"Basic proxies that attackers use to manipulate HTTP and HTTPS
requests would apply here, too," she says. "Sometimes it's as simple
as changing a parameter in the HTTP request."

Rogue Endpoints
Additionally, REST APIs can provide direct access to transaction
updates and other important data on back-end systems. That's because
firms can often fail to track all API endpoints buried deep within
their mobile apps or web apps or put adequate controls in place to
authenticate and verify API calls. Such rogue endpoints can put them
at heightened risk of unauthorized access and data exposure, Forrester
says.

Carielli says if a publicly accessible API doesn't go through the
organization's API authentication and authorization gateway or through
a web application firewall that might validate the request format,
then an external party might have access to any data to which the API
has access.

"Remember that APIs serve to make various application data and
functionality available to developers outside of the organization,"
Carielli says. "Because API endpoints can be accessible to anyone
externally that calls the API, a rogue endpoint that returns sensitive
information is high risk."

One common result of unauthenticated API endpoints is that customer
data gets exposed. For example, if an API to access customer
transaction data is accidentally deployed without putting in the
proper authentication and authorization checks, anyone who used the
API could see a lot of sensitive customer information, Carielli says.

The sheer diversity of technologies, designs, and contexts in which
APIs are used makes securing them a challenge, Forrester said in its
report. The analyst firm outlined several measures that organizations
can take to bolster API security.

For instance, in developing APIs, organizations need to pay attention
in the design stage to security measures like default deny and
verification of any client-supplied data. Organizations should ensure
that all API traffic, just like web application traffic, is encrypted
but in a manner so as not to impact performance. Also critical is the
need to authenticate API calls at every layer and to stop thinking of
APIs merely as an interface layer between applications, Forrester
said.

"Whether the API ultimately touches data, legacy, or modern
application architectures, or even hardware or firmware, work through
those touch points collaboratively with the security owners of the
relevant systems," the analyst firm advised.