Time to hide your API
by d2emerge
Manage the ones you write — and even those you didn’t — to keep them safe from attacks
The need for robust API security is growing rapidly in response to organizations' increasing dependence on APIs for their digital operations.
With 70% of respondents to a report expecting to use more APIs in 2023 than last year, this presents a heightened challenge for API security, which comprises only about 4% of the testing effort at organizations today.
The 4th annual State of the APIs Report collected insights from more than 850 global developers, engineers, and leaders from across the technology community spanning over 100 countries including the US, the UK, Germany, and India.
The increase in API usage is especially prominent in telecommunications, where it is projected to rise to 72%, up from 59% last year. This is followed by smaller, yet still considerable, increases in technology and professional services.
Mark O’Neill, VP analyst and chief of research for software engineering at Gartner, correctly predicted in 2021 that by this year API breaches would be the number one threat vector for web applications.
“Part of the reason for that is because with mobile and web apps, along with any other type of modern application that you’re using, it all involves the use of APIs,” O’Neill said. Gartner research has estimated that by 2025, fewer than half of enterprise APIs will be managed, as explosive growth in APIs surpasses the capabilities of API management tools and “security controls try to apply old paradigms to new problems.”
This vast number of APIs floating around the organization is further complicated by multiple teams building and managing APIs, all while using different cloud platforms and frameworks, according to O’Neill.
“When you have different platforms where your teams are building and deploying APIs, there’s no one place to put the gateway, which is a problem for traditional API management solutions,” O’Neill said.
To secure this wide API landscape, many companies have put up multiple gateways. That puts more gateways in front of APIs, but it creates a new problem: learning how to manage all of those gateways together.
“Many clients have asked us for a federated solution that would work across different API gateways and allow teams to have a single picture of their API traffic and to have a single control plane for management and security, but at the moment, that is a gap in the market,” O’Neill said.
A single federated solution would allow users to set up authentication and authorization schemes across different APIs, ensuring that only the right users have access to the right resources. It would also enable administrators to set up rate limiting and other security measures, such as IP allowlisting and blocklisting, to protect against malicious attacks.
With such a solution, teams would also gain visibility into API performance and usage, allowing teams to identify and address potential security issues quickly.
A hodgepodge of APIs in use
The other problem APIs present for API management solutions is that there are many different types of APIs in use.
The API jumble often consists of REST, webhooks, WebSockets, SOAP, GraphQL, Kafka, AsyncAPI, and gRPC, if not more.
“If you look at a typical organization that has deployed API management, they may believe that all of their APIs are being managed on one platform,” O’Neill said. “But typically, there are a lot of other APIs that they have that are part of web applications, part of mobile apps, and they’re not managed, they’re effectively under the radar for that organization. And these are the ones that get breached.”
The APIs to watch out for in particular are GraphQL APIs, according to O’Neill. Users can run very wide and deep queries on data, which is also their downside, because it is difficult to set up proper access control rules. The complexity of a query can make it hard to predict what data will be accessible.
Additionally, the use of variables in queries can make it difficult to prevent malicious users from exploiting the API. GraphQL APIs are often stateless, which means that security teams need to ensure that all requests are properly authenticated and authorized. These types of APIs are also new so many organizations are just building up their security teams’ skills around GraphQL and graph APIs in general.
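One defensive response to the wide-and-deep query problem described above is to measure the shape of a query document before any resolver runs and reject documents that exceed a depth or field budget. The following is an added example, not code from the article or from Gartner: a simplified scanner (not a full GraphQL parser; it does not expand fragments) applied to a constructed loyalty-points query, with assumed default limits of depth 6 and 100 fields.

```python
def measure_query(query: str) -> tuple[int, int]:
    """Return (max selection-set depth, selected-field count) for a GraphQL document.
    Added example, not from the article. Strings and # comments are skipped; aliases,
    argument names, variables, directives and fragment spreads are not counted as fields."""
    depth = max_depth = fields = parens = 0
    after_spread, i, n = False, 0, len(query)
    while i < n:
        ch = query[i]
        if ch == "#":                                   # comment runs to end of line
            i = (query.find("\n", i) + 1) or n
        elif ch == '"':                                 # string literal, honour escapes
            i += 1
            while i < n and query[i] != '"':
                i += 2 if query[i] == "\\" else 1
            i += 1
        elif ch in "{}":
            depth += 1 if ch == "{" else -1
            max_depth, i = max(max_depth, depth), i + 1
        elif ch in "()":
            parens, i = parens + (1 if ch == "(" else -1), i + 1
        elif ch == ".":                                 # "...Frag" or "... on Type"
            after_spread, i = True, i + 1
        elif ch.isalpha() or ch == "_":
            start = i
            while i < n and (query[i].isalnum() or query[i] == "_"):
                i += 1
            name, prev = query[start:i], query[start - 1] if start else " "
            j = i
            while j < n and query[j] in " \t\r\n,":
                j += 1
            if after_spread:
                after_spread = name == "on"             # the type name still follows "on"
            elif depth > 0 and parens == 0 and prev not in "$@" and query[j:j + 1] != ":":
                fields += 1                             # a real field, not an alias, arg or var
        else:
            i += 1
    return max_depth, fields


def check_query(query: str, max_depth: int = 6, max_fields: int = 100) -> tuple[bool, str]:
    """Reject a document before it reaches the resolvers if it is too deep or too wide."""
    depth, fields = measure_query(query)
    if depth > max_depth or fields > max_fields:
        return False, f"rejected: depth {depth}/{max_depth}, fields {fields}/{max_fields}"
    return True, "ok"


# Constructed sample: a loyalty-points query that chains deep into related accounts.
SAMPLE = """query Loyalty($id: ID!) { member(id: $id) { name points: balance
  purchases(first: 50) { edges { node { id amount  # braces { here } are ignored
    store { name owner { accounts { balance } } } } } } } }"""
```

A production server would implement this as a validation rule in its GraphQL library rather than a hand-written scanner, and would pair it with per-field authorization, since a depth limit bounds cost but says nothing about who may read each field.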
Another challenge is to consider where all of your APIs are coming from.
While internal APIs were still the most common API type developers reported working on for their organization, more developers in 2022 reported working on partner-facing or third-party APIs than the year prior. In addition, the SaaS applications that developers use often bring their own sets of APIs.
The percentage of developers who reported working on partner-facing and third-party APIs grew by almost 5% in 2022 compared to 2021, according to the 2022 State of the API report. The change was even more dramatic for partner-facing APIs in industries like technology, where it grew by nearly 10%.
One hotspot of security issues tends to be the APIs that require access to data: customer data, preferences, and all sorts of account information. Issues also surround APIs that run a function to do something, because that often requires a transaction, so payment information might be at risk, O’Neill said.
“One is the whole area of loyalty cards where you get points for making purchases, traveling, and so on. Those involve many APIs. So you have an API to look up how many points a certain person has or you have an API to spend the points. We’ve seen security breaches where attackers have been able to find people who have accrued many points and then spend those,” O’Neill said. “Often the person is not aware, because they simply were not aware that they were running up all these points in the first place, and then they’re not aware when they get spent.”
Best practices for API security
The first step in ensuring API security is to catalog all of the APIs in the organization and maintain an inventory. Often, companies only look at their existing API gateway to see which APIs are registered there, but even multiple gateways don’t paint the complete picture, O’Neill explained.
“The way that we advise people to do this is to see what APIs your business depends on,” O’Neill said. “So those of course can be your own APIs, but they can also be important APIs that you’re consuming from third parties as well. It’s