The enterprise use of APIs (application programming interfaces) is exploding, as more and more businesses embark on digital transformation and look for ways to make money by exposing their data to outsiders through apps, websites, and other third-party integrations.
The downside to all those APIs is they can pose a major IT security risk.
“APIs represent a mushrooming security risk because they expose multiple avenues for hackers to try to access a company’s data,” warned Terry Ray, chief security officer for Imperva. “To close the door on security risks and protect their customers, companies need to treat APIs with the same level of protection that they provide for their business-critical web applications.”
The source of the risks posed by APIs is explained comprehensively by Scott Morrison, a distinguished engineer at CA Technologies, in a white paper on API security.
“The problem with APIs is that they often provide a roadmap describing the underlying implementation of an application – details that would otherwise be buried under layers of web app functionality,” he said. “This can give hackers valuable clues that could lead to attack vectors they might otherwise overlook. APIs tend to be extremely clear and self-documenting at their best, providing insight into internal objects and even internal database structure – all valuable intelligence for hackers.”
Morrison adds that increased visibility is not the only risk APIs introduce. “Increasing the number of potential calls also increases the attack surface, meaning that a hacker simply has more to exploit.
“Risk,” he said, “increases with opportunity.”
How API security can be breached
In practical terms, there are three main ways (but not the only ones) in which APIs can be exploited by malicious actors to gain access to data or computing infrastructure, according to Morrison.
- Parameter attacks. These involve submitting unexpected data to exploit weaknesses in applications and databases. The most common type of parameter attack is a SQL injection attack, which can be successful if developers do not sanitize inputs. Morrison points out that in contrast to many web apps, APIs often clearly identify a parameter’s underlying usage by its name, making an attacker’s job much easier.
- Identity attacks. An API key is a code that individual apps use to identify themselves to an API. They are meant to be secret and concealed by developers, but in practice it is often easy to uncover them. That means that APIs that use API keys as authoritative credentials are at risk – anyone with the API key can use them to write malicious code that impersonates another legitimate application.
- Man in the middle (MITM) attacks. These occur when an attacker sits between an API and an application/user, intercepting the traffic between the two and sometimes impersonating each to the other. They are possible because many APIs do not use SSL/TLS properly (or at all).
Preventing API attacks
Here are a few ways organizations can reduce API security risks.
Threat: Parameter attacks
- Mitigation 1: Validate all incoming data
- Mitigation 2: Use threat detection, including virus detection
Threat: Identity attacks
- Mitigation: Use effective authentication and authorization methods. Morrison recommends using practical factors such as source IP, access time windows, device identification (for mobile apps), and geolocation.
Threat: MITM attacks
- Mitigation: Use TLS for all data exchanges
API security platforms
The top three API attack vectors are by no means the only vulnerabilities that introduce API risk. To minimize other risks that APIs pose, it is advisable to use a proven API security solution.
In very general terms, API security platforms can:
- Help expose systems of record and other systems and applications securely through APIs by consistently applying policies such as authentication
- Onboard and manage in-house and third-party developers so they can create applications using those APIs
- Allow organizations to choose which apps, developers and partners can access which APIs
- Help secure data in accordance with compliance regulations and other requirements
Gartner’s Paolo Malinverno categorizes the functionality that API security products supply into broad areas:
Effectively then, API security solutions offer API management over the entire lifecycle of an API, from inception to retirement.
API security market growing
The market for API security products is potentially huge. To get an idea of the scale of API usage, consider these statistics: 69 per cent of organizations are exposing APIs to their customers and partners, according to an Imperva poll of 250 IT professionals, and each organization is on average managing a staggering 363 different APIs.
Not surprisingly, API security product sales are growing rapidly as organizations increasingly see the need to protect their API-related activities. In 2017 the market was worth $961 million, according to Gartner, and it is expected to exceed $1 billion by the end of 2018. From 2016 to 2021, Gartner expects the market to grow at a compound annual rate of almost 15 percent.
Many API security products are actually API management products that bring APIs under centralized control and allow security and other policies to be applied to them in a systematic and unified way.
They can also help avoid uncontrolled API sprawl, which results when APIs are created in different parts of the organization by different developer groups, without any consistent approach to security. They can also help prevent APIs from being abandoned and forgotten about rather than retired securely.
“When you have visibility into your APIs throughout your organization, you can then put controls in place,” said Subra Kumaraswamy, the former head of product security at Apigee, an API security vendor owned by Google. “You might decide that a certain API should only be exposed to in-house developers, not external, third-party ones. If you don’t have visibility, you can’t see who is accessing what.”
“If you have API sprawl, that is also bad. API management ensures that you have consistency and you don’t duplicate stuff,” he added. “For example, if you have five departments that use five different authentication methods for your APIs, that’s not consistent. A management product lets you enforce two-factor authentication if that’s what you want. You can drag and drop a policy and secure all your APIs in one shot.”
API security platform vendors and products
The market for API security products is becoming increasingly mature, and many of the smaller participants have been acquired by larger companies: Apigee was acquired by Google, Apiary by Oracly, Akana by Rogue Wave, 3scale by Red Hat, and MuleSoft by Salesforce, for example.
Although API security is still sold as an on-premises solution, it is also increasingly available as part of a cloud service, from the likes of Amazon, Google, and Microsoft.
The leading products today, according to Gartner’s 2018 Magic Quadrant for Full Life Cycle API Management, include:
- Google Apigee
- CA Technologies CA API Management
- IBM IBM API Connect
- Software AG webMethods API Management Platform
- Salesforce Mulesoft Anypoint Platform
- TIBCO Software Mashery
- Red Hat 3scale API Management
- SAP Cloud Platform API Management
- Amazon Web Services Amazon API Gateway
- Axway AMPLIFY API Management
- Microsoft Azure API Gateway