Application Programming Interface (API) use has eclipsed web app use in many sectors, with 70 percent of the 21.1 billion transactions analysed in the latter half of 2021 using this mechanism. APIs are popular because they allow the business to scale development rapidly: mobile services, migration to the cloud and faster release cycles, all of which result in a better connected ecosystem. Their use is expected to keep rising, with 57 percent of organisations expecting to switch their applications to APIs over the next two years, according to the Enterprise Strategy Group (ESG).
Recognising this shift, attackers have been quick to capitalise on it and have turned their attention to APIs. The latest Cloud Security Alliance (CSA) league table of threat vectors, released in June, ranked API attacks as the second biggest threat facing cloud computing; two years previously they came in at number seven. API attacks are real and growing, and businesses aren't doing enough to secure their API infrastructure. But where are they going wrong?
APIs are abused differently
Attackers take advantage of the way APIs work rather than any particular exploit or vulnerability. Commonly referred to as a Living off the Land (LotL) attack, this sees legitimate functionality abused: the attacker crawls the API with well-formed requests, finds its weak spots and then uses them to exfiltrate data, break deeper into systems or inject advanced malware, for instance.
Because no single request matches a signature or breaks a rule, traditional solutions find this activity difficult to detect. An IPS, a next-gen firewall or an application security tool such as a WAF or bot mitigation product cannot capture the anomalous behaviour that indicates an API is being abused, because the signal lies in a client's behaviour across many individually valid requests rather than in any one of them. Yet the ESG survey found that more than a third of respondents are unaware of this and believe these tools are adequate.
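The following is an added example of the behavioural detection the passage describes; it is not code from the article or from Cequence. It assumes a constructed access-log format of `<epoch> <client_ip> <method> <path> <status>` and a constructed resource path shape of `/api/v<n>/<collection>/<id>`. Every request in the sample is well-formed and returns 200, so nothing in it would trip a signature; the crawl only shows up when one client's accesses to a collection are viewed together over a time window.

```python
"""Behavioural detection of API enumeration (crawling) without signatures.

Added example, not code from the article or from Cequence. Log format,
path shape and thresholds are assumptions made for illustration.
"""
import re
from collections import defaultdict

# Assumed log line: "<epoch> <client_ip> <method> <path> <status>"
LOG_RE = re.compile(r"^(\d+) (\S+) (GET|POST|PUT|DELETE) (\S+) (\d{3})$")
# Assumed resource-by-id path shape: /api/v1/<collection>/<numeric id>
RESOURCE_RE = re.compile(r"^/api/v\d+/(?P<collection>[a-z_]+)/(?P<id>\d+)$")


def parse(line):
    """Return (ts, ip, method, path, status) or None for lines that do not fit."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, ip, method, path, status = m.groups()
    return int(ts), ip, method, path, int(status)


def detect_enumeration(lines, window_s=60, min_distinct=20, max_gap=1):
    """Flag (client, collection) pairs whose GETs look like a crawl.

    A crawl is: at least min_distinct different object IDs inside any
    window_s-second window, where at least 80% of consecutive accesses
    move by no more than max_gap (sequential walking of IDs).
    Returns {(ip, collection): (distinct_ids, sequential_ratio)}.
    """
    per_client = defaultdict(list)  # (ip, collection) -> [(ts, id), ...]
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, ip, method, path, _status = rec
        r = RESOURCE_RE.match(path)
        if r and method == "GET":
            per_client[(ip, r["collection"])].append((ts, int(r["id"])))

    alerts = {}
    for key, events in per_client.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most window_s seconds.
            while events[end][0] - events[start][0] > window_s:
                start += 1
            ids = [i for _, i in events[start:end + 1]]
            distinct = len(set(ids))
            if distinct < min_distinct:
                continue
            steps = [abs(b - a) for a, b in zip(ids, ids[1:])]
            seq_ratio = sum(1 for s in steps if 0 < s <= max_gap) / len(steps)
            if seq_ratio >= 0.8:
                prev = alerts.get(key)
                if prev is None or distinct > prev[0]:
                    alerts[key] = (distinct, round(seq_ratio, 2))
    return alerts


# Constructed sample: one client walks users 1000..1029 one per second (all 200),
# a second client fetches a handful of unrelated users, plus a failed login.
SAMPLE_LOG = (
    [f"{1700000000 + i} 10.0.0.5 GET /api/v1/users/{1000 + i} 200" for i in range(30)]
    + [f"{1700000000 + 5 * j} 10.0.0.9 GET /api/v1/users/{uid} 200"
       for j, uid in enumerate([4021, 77, 4021, 9, 1500])]
    + ["1700000100 10.0.0.9 POST /api/v1/login 401"]
)

if __name__ == "__main__":
    for (ip, collection), (n, ratio) in detect_enumeration(SAMPLE_LOG).items():
        print(f"{ip} enumerated {n} ids in /{collection} (sequential ratio {ratio})")
```

The thresholds are deliberately conservative so that a user opening a few records by hand does not fire; in production they would be tuned per collection and combined with other signals (authentication state, user agent churn, response sizes), but the principle is the same: the alert comes from the pattern, not from any request.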
Keeping pace with threats
The emergence of new API threat vectors is a problem, with 41 percent finding it difficult to keep up. API-based attacks are becoming more commonplace, according to the ESG report, with 28 percent reporting injection attacks and 23 percent the exploitation of misconfigured APIs. The range of web app and API attacks makes it difficult for the business to identify the defensive tools it needs, resulting in complexity and tool sprawl, with 31 percent of the tools in use not purpose-built for API security.
Many of these attacks are automated, producing large-scale assaults that overwhelm defences. Over 40 percent reported downtime as a result of a web app or API attack. Other fallout ranged from negative customer and shareholder impact, revenue losses and non-compliance to knock-on costs affecting the workforce, from retraining to termination.
Prioritisation is a problem
While securing web apps and APIs is a priority, it competes with other efforts such as the implementation of zero trust, cloud migration, threat detection and response, and securing remote or flexible working arrangements. There is an understanding that budget needs to be devoted to APIs, but the market remains confused over how to invest, given that many tools aren't API-specific or don't cover the API's lifecycle.
Inconsistent adoption of API specifications
Specifications help standardise API development and deployment, leading to more consistent APIs that are better documented and have a stronger security posture. However, the report found that inconsistent adoption of specifications was a problem for 35 percent of respondents.
Another survey, focused on uptake and carried out in 2021, found that 76 percent of businesses did not use API specifications for all their APIs, with 27 percent following no standard at all. Over a third admitted to lacking the skills, knowledge of best practice or awareness of why specifications were needed.
Even among those that did use a specification, the approach was ad hoc: 36 percent used no tool to document their API specifications. Manual rather than automated practices were also common, with 58 percent manually verifying conformance and 64 percent manually tracking and maintaining their API inventory, a practice that is not only error-prone but will prove unsustainable as API use ramps up.
Lack of visibility
As API adoption grows, so does the number of APIs being spun up. If these aren't recorded in an inventory, the result is zombie or shadow APIs sitting on the network that the business is unaware of and that attackers can sniff out. The inventory should be updated whenever an API is added, changed or retired, yet 37 percent found the inventory process challenging, according to the ESG report.
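The two preceding sections (manual conformance checking and inventory tracking, and the shadow or zombie APIs that result from a stale inventory) are both served by one automated check. The following is an added example, not code from the article or from Cequence: it assumes a constructed, cut-down OpenAPI-style `paths` table and a constructed list of observed `(method, path, status)` triples as a gateway or proxy would record them, and reports three things the manual processes miss: operations seen in traffic but not in the specification (shadow APIs), specified operations never seen (zombie candidates), and responses whose status code the specification does not declare (conformance drift).

```python
"""Run-time API inventory and conformance check against a declared spec.

Added example, not code from the article or from Cequence. The spec
subset, the path templates and the observed traffic are all constructed
for illustration.
"""
import re

# Constructed subset of an OpenAPI document:
# path template -> HTTP method (lowercase) -> declared response codes.
SPEC_PATHS = {
    "/api/v1/users": {"get": ["200"], "post": ["201", "400"]},
    "/api/v1/users/{id}": {"get": ["200", "404"], "delete": ["204", "404"]},
    "/api/v1/orders/{id}": {"get": ["200", "404"]},
    "/api/v1/reports/{id}/export": {"get": ["200"]},  # declared, but nobody calls it
}


def template_to_regex(template):
    """Turn '/api/v1/users/{id}' into a regex that matches exactly one
    concrete path segment per {parameter}."""
    literal_parts = re.split(r"\{[^/}]+\}", template)
    pattern = "[^/]+".join(re.escape(part) for part in literal_parts)
    return re.compile("^" + pattern + "$")


def find_template(path):
    """Return the first spec template whose shape matches a concrete path, or None."""
    for template in SPEC_PATHS:
        if template_to_regex(template).match(path):
            return template
    return None


def audit(observed):
    """Compare observed (method, path, status) triples with the spec.

    Returns a dict with:
      shadow  - (method, path) pairs with no matching template, or a matching
                template that does not declare that method
      drift   - (method, template, status) where a declared operation returned
                a status code the spec does not list
      zombies - (method, template) declared in the spec but never observed
    """
    shadow, drift, seen_ops = set(), set(), set()
    for method, path, status in observed:
        template = find_template(path)
        op = method.lower()
        if template is None or op not in SPEC_PATHS[template]:
            shadow.add((method, path))
            continue
        seen_ops.add((op, template))
        if str(status) not in SPEC_PATHS[template][op]:
            drift.add((method, template, status))
    declared_ops = {(op, t) for t, ops in SPEC_PATHS.items() for op in ops}
    zombies = declared_ops - seen_ops
    return {"shadow": sorted(shadow), "drift": sorted(drift), "zombies": sorted(zombies)}


# Constructed traffic sample, as a gateway or proxy would record it.
OBSERVED = [
    ("GET", "/api/v1/users", 200),
    ("POST", "/api/v1/users", 201),
    ("GET", "/api/v1/users/42", 200),
    ("DELETE", "/api/v1/users/42", 204),
    ("GET", "/api/v1/orders/7", 200),
    ("GET", "/api/v1/orders/7", 500),          # status the spec never declared
    ("PUT", "/api/v1/users/42", 200),          # method not declared for this path
    ("GET", "/api/v2/users/42/debug", 200),    # endpoint absent from the spec
    ("GET", "/internal/admin/export", 200),    # nothing under this prefix is documented
]

if __name__ == "__main__":
    for finding, items in audit(OBSERVED).items():
        print(finding)
        for item in items:
            print("  ", item)
```

Run continuously against gateway logs, the `shadow` list is the discovery feed for the inventory, `zombies` are candidates for decommissioning (or for a missing log source), and `drift` is the conformance check that 58 percent of respondents were doing by hand; an undeclared 500 on a declared operation is also a common first sign of an injection attempt or a misconfiguration worth looking at.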
Discovering and remediating misconfigured APIs
Security misconfiguration is one of the OWASP API Security Top Ten vulnerabilities and hands the attacker a window of opportunity, so closing it is a must. Run-time discovery can detect misconfigured APIs that are actually in use and should be standard practice, yet 32 percent found it problematic.
Data governance and exposure
Excessive Data Exposure, ranked number three by OWASP, can be triggered by many things, such as error messages that reveal too much, or responses that return internal or supposedly hidden fields and leave it to the client to filter them out. It makes it far too easy to access data and understand how the app works, jeopardising data governance efforts, and 39 percent identified it as the second biggest challenge of protecting APIs. Development and business teams should collaborate to ensure the minimum amount of data and metadata is transferred, lessening the possibility of an attack.
The danger is that API rollout will continue apace while the protection afforded to APIs lags or is applied sporadically, leaving gaps. To overcome this, organisations need a unified approach to API protection that encompasses threat prevention and detection as well as active defence mechanisms that use machine learning and AI to recognise anomalous behaviour. Only by condensing these defences into an API-specific toolset can the organisation hope to keep pace with threats and protect the API throughout its lifecycle.
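An added example of the exposure described above, beside the "minimum data transferred" fix; it is not code from the article or from Cequence. The record layout, field names and handler functions are constructed for illustration. The vulnerable handler serialises whatever the data layer returns and trusts the client to hide what it should not show; the hardened one serialises through an explicit response schema, so a field added to the record later never reaches the wire unless someone adds it to the schema.

```python
"""Excessive Data Exposure: whole-object responses versus an explicit response schema.

Added example, not code from the article or from Cequence. The record,
field names and handlers below are constructed for illustration.
"""
import json

# Constructed internal record, as the data layer might hand it back.
USER_RECORD = {
    "id": 42,
    "username": "alice",
    "email": "alice@example.com",
    "password_hash": "$2b$12$constructed-placeholder",  # placeholder, not a real hash
    "is_admin": False,
    "mfa_secret": "constructed-placeholder-secret",       # placeholder, not a real secret
    "internal_notes": "flagged for manual review",
    "created_at": "2021-09-01T10:00:00Z",
}


def get_user_vulnerable(record):
    """Vulnerable: dumps the full internal object and relies on the client to
    discard fields it should not display. Secrets and internal flags leave the API."""
    return json.dumps(record)


# Response schema for a public profile endpoint: the only fields it needs, with types.
PUBLIC_USER_SCHEMA = {"id": int, "username": str, "created_at": str}


def serialize(record, schema):
    """Allow-list serialisation. Emits exactly the schema's fields and fails loudly
    on a missing field or a wrong type, so a data-layer change cannot silently
    widen the response."""
    out = {}
    for field, ftype in schema.items():
        if field not in record:
            raise KeyError(f"schema field {field!r} missing from record")
        if not isinstance(record[field], ftype):
            raise TypeError(f"field {field!r}: expected {ftype.__name__}")
        out[field] = record[field]
    return out


def get_user_hardened(record):
    """Hardened: the response is built from the schema, not from the record."""
    return json.dumps(serialize(record, PUBLIC_USER_SCHEMA))


SENSITIVE_FIELDS = ("password_hash", "mfa_secret", "internal_notes", "is_admin")


def exposed_fields(response_json, sensitive=SENSITIVE_FIELDS):
    """Check helper: which sensitive field names appear in a response body."""
    body = json.loads(response_json)
    return sorted(f for f in sensitive if f in body)


def response_keys(response_json):
    """Check helper: every top-level key a response body carries."""
    return sorted(json.loads(response_json).keys())


if __name__ == "__main__":
    print("vulnerable exposes:", exposed_fields(get_user_vulnerable(USER_RECORD)))
    print("hardened exposes:  ", exposed_fields(get_user_hardened(USER_RECORD)))
    print("hardened body:     ", get_user_hardened(USER_RECORD))
```

The same allow-list discipline applies to the error path the passage mentions: an error response should be built from a fixed shape (a stable error code and a correlation reference for the server-side log) rather than from the exception object, for the same reason the profile response is built from the schema rather than from the record.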
For over 20 years, Jason Kent has been ethically peering into client behaviour, wireless networks, web applications, APIs and cloud systems, helping organisations secure their assets and intellectual property from unauthorised access. As a consultant he has taken hundreds of organisations through difficult compliance minefields, ensuring their safety. As a researcher he has found flaws in consumer IoT systems and assisted in hardening them against external attacks. At Cequence Security Jason does research and community outreach and supports efforts in identifying automated attacks against web, mobile and API-based applications to keep Cequence's customers safe.