Why You Should Care About API Security
Do you remember the press buzzing about the recent Equifax high-profile data breach, when hackers stole 145 million consumer records? Or maybe you’ve heard of the Facebook data leak that affected nearly 50 million user accounts? API vulnerabilities lie at the heart of these attacks, and both corporations paid a high price for the lapses in their security.
Hundreds of API attacks happen daily. The majority are so feeble that targeted organizations don’t even notice the attempts, but this doesn’t mean you can neglect security. One day, your API might face a serious threat, and the cost of failure will be too high.
Even if such giants as Facebook and Equifax fail, isn’t it high time you checked your APIs?
APIs are everywhere. They are the communication joints between applications, exchanging the information that keeps the customer experience consistent.
An API is not a server or a database, so why is it such a frequent target for cybercriminals? Because it is a direct access point to an application that can reach a database: getting into the API means getting at the data stored behind it. Used to connect services and to transfer valuable data, APIs become a clear target for cybercrime aimed at exposing sensitive personal data like medical or financial records.
In most cases, businesses run this risk voluntarily. According to recent research by Imperva, a typical organization has around 360 APIs, and nearly 80% of its respondents use the public cloud to manage them. What a convenient entry point for hackers!
All the breaches highlighted in the media pinpoint the need for more reliable protection of API infrastructures. Recurring audits, thorough testing, periodic assessment of the traffic trail, continuous analytics and the ability to detect atypical activity on an API are the way to ensure your systems are safe and sound.
Informed means armed. A typical application or API may have up to 27 vulnerabilities, and yours is no exception. Knowing the weakest spots of APIs allows you to eliminate risks at their roots.
Code Injection Attacks
Cybercriminals can inject malicious code into back-end servers through the API. This way attackers extract sensitive data that was never meant to be exposed.
Preventive measures: Make sure each API includes threat protection against injections. You can test for SQL injection and remote code execution through APIs the same way it’s done in traditional web application testing.
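What "threat protection against injections" looks like in the handler itself, as an added example that is not code from the original article or from Skelia: an API key lookup built by string concatenation next to the same lookup with a bound parameter, plus an allowlist check on the identifier as a second layer. The table, rows, and the hostile test input are constructed for the example.

```python
import re
import sqlite3


def make_db():
    # Constructed in-memory table with sample rows; not data from the page.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE api_keys (owner TEXT, api_key TEXT, scope TEXT)")
    conn.executemany(
        "INSERT INTO api_keys VALUES (?, ?, ?)",
        [("alice", "key-alice-1", "read"), ("bob", "key-bob-1", "admin")],
    )
    return conn


def lookup_unsafe(conn, owner):
    # Vulnerable: the caller's string is spliced into the SQL text, so a quote
    # character in it changes the query instead of being treated as data.
    sql = "SELECT owner, api_key, scope FROM api_keys WHERE owner = '" + owner + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, owner):
    # Hardened: the value is bound as a parameter; the driver never parses it as SQL.
    return conn.execute(
        "SELECT owner, api_key, scope FROM api_keys WHERE owner = ?", (owner,)
    ).fetchall()


OWNER_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def validate_owner(owner):
    # Defense in depth: reject anything outside the character set the field needs,
    # before it reaches the database layer at all.
    return bool(OWNER_RE.match(owner))


def demo():
    """Return how many rows each variant returns for a benign and a hostile input."""
    conn = make_db()
    benign = "alice"
    hostile = "x' OR '1'='1"  # constructed test input that closes the quote and widens the WHERE clause
    return {
        "unsafe_benign": len(lookup_unsafe(conn, benign)),
        "unsafe_hostile": len(lookup_unsafe(conn, hostile)),      # leaks every row
        "safe_benign": len(lookup_parameterized(conn, benign)),
        "safe_hostile": len(lookup_parameterized(conn, hostile)),  # no owner has that literal name
        "validator_rejects_hostile": not validate_owner(hostile),
    }


if __name__ == "__main__":
    print(demo())
```

The parameterized query alone closes the hole; the allowlist is cheap insurance for the day a query is added that someone forgets to parameterize, and it also produces a clean 400 response instead of a database error that reveals schema details.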
Phishing Attacks
Phishing is a common problem on the web. It is harder to mitigate from the organization’s side, because hackers attack not the organization itself but its users, inducing them to download malicious content, forcing them to install malware or redirecting a legitimate application’s API to malicious sites. That’s how attackers steal credentials and obtain access to sensitive data.
Preventive measures: Do your best to make sure all client-side software is patched. Educate your partners and clients on what phishing is and how to recognize it.
Denial of Service (DoS) Attacks
These come in two types: flooding and crash attacks. Flooding occurs when cybercriminals overwhelm APIs with calls and more traffic than the server is able to handle. Such a flood causes websites to either slow down or shut down.
DoS crash attacks are not that common, but you should still be aware of them. These attacks send malformed input to APIs in order to trigger faults that result in a system crash.
Preventive measures: Ensure you block malicious IPs, enforce rate limiting and enable anti-scraping policies.
Brute-Force Attacks
A brute-force attack is an attempt to access a site or server by manipulating application APIs. Hackers repeatedly try various combinations to crack access keys, reach the target and then harvest as much user or organizational data as they can.
Preventive measures: Lock down accounts after repeated login failures, block IPs from which login attempts are made against multiple accounts, and use a CAPTCHA and two-factor authentication.
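The two preventive measures above, rate limiting against floods and account lockout plus per-IP blocking against brute force, share the same building block: a count of events inside a trailing time window. The following is an added example, not code from the original article or from Skelia, showing one sliding-window counter reused for both. The limits, window sizes, IP addresses (documentation ranges) and timestamps are all constructed for the example.

```python
from collections import defaultdict, deque


class SlidingWindowCounter:
    """Counts events per key within the trailing `window` seconds."""

    def __init__(self, window):
        self.window = window
        self.events = defaultdict(deque)

    def _prune(self, key, now):
        q = self.events[key]
        while q and q[0] <= now - self.window:
            q.popleft()
        return q

    def hit(self, key, now):
        q = self._prune(key, now)
        q.append(now)
        return len(q)

    def count(self, key, now):
        return len(self._prune(key, now))


class ApiRateLimiter:
    """Flood protection: allow at most `limit` calls per client IP per window."""

    def __init__(self, limit, window):
        self.limit = limit
        self.calls = SlidingWindowCounter(window)

    def allow(self, client_ip, now):
        return self.calls.hit(client_ip, now) <= self.limit


class LoginGuard:
    """Brute-force protection: lock an account after `max_failures` failed logins,
    and block an IP that tries `max_accounts` or more distinct accounts in one window."""

    def __init__(self, max_failures, max_accounts, window):
        self.max_failures = max_failures
        self.max_accounts = max_accounts
        self.window = window
        self.failures = SlidingWindowCounter(window)  # keyed by account name
        self.ip_attempts = defaultdict(deque)         # ip -> deque of (time, account)

    def _accounts_seen_from(self, ip, now):
        q = self.ip_attempts[ip]
        while q and q[0][0] <= now - self.window:
            q.popleft()
        return {account for _, account in q}

    def check(self, ip, account, now):
        """Decide before the credential is verified, so a locked target costs no work."""
        if self.failures.count(account, now) >= self.max_failures:
            return "account_locked"
        if len(self._accounts_seen_from(ip, now)) >= self.max_accounts:
            return "ip_blocked"
        return "allow"

    def record(self, ip, account, success, now):
        self.ip_attempts[ip].append((now, account))
        if not success:
            self.failures.hit(account, now)


def demo():
    """Run constructed scenarios; timestamps are synthetic seconds."""
    limiter = ApiRateLimiter(limit=3, window=1.0)
    flood = [limiter.allow("203.0.113.9", now=0.1 * i) for i in range(5)]

    guard = LoginGuard(max_failures=3, max_accounts=3, window=600)
    t = 1000.0
    for i in range(3):  # one account, three failures in a row
        guard.record("198.51.100.7", "alice", success=False, now=t + i)
    locked = guard.check("198.51.100.7", "alice", now=t + 5)

    for account in ("bob", "carol", "dave"):  # one IP trying many accounts
        guard.record("192.0.2.5", account, success=False, now=t)
    sprayed = guard.check("192.0.2.5", "erin", now=t + 1)
    expired = guard.check("192.0.2.5", "erin", now=t + 601)  # window has passed
    return {"flood": flood, "locked": locked, "sprayed": sprayed, "expired": expired}


if __name__ == "__main__":
    print(demo())
```

In a real deployment the counters live in a shared store (memory here is per process) and the check runs before the password hash is computed, so an attacker who is already locked out cannot burn CPU either; the "many accounts from one IP" rule is what catches password spraying, which per-account lockout alone never sees.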
Poorly Authenticated API
The lack of robust API authentication leaves lots of sensitive data open to cybercriminals.
Preventive measures: Authentication methods such as passwords or biometric checks can’t be applied in machine-to-machine environments, so you have to rely on cryptographic authentication. Use industry-standard authentication and authorization measures like TLS, OAuth/OpenID Connect, OTP or even blockchain.
Focus on REST APIs
The Representational State Transfer (REST) architectural style builds on existing protocols instead of installing additional libraries or software. Making your APIs RESTful is a proven way to cut unnecessary complexity from an application and improve its security.
By using HTTP and JSON, REST APIs become faster, more reliable and more secure.
By enforcing encryption and signatures, you cover the weakest spot in the request-response cycle. Cryptographic protocols let you encrypt the communication flow and properly protect authentication credentials like API keys, tokens and passwords. Add a signature requirement to safeguard access to data and allow only authorized users to decrypt and modify it.
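The "cryptographic authentication" for machine-to-machine callers mentioned under Poorly Authenticated API and the "signature requirement" mentioned here can be the same mechanism: the client signs each request with an HMAC over the method, path, timestamp and body hash, and the server recomputes and compares it. The following is an added example, not code from the original article or from Skelia; the header names, canonical string layout, skew window and shared secret are choices made for this example, and the request body is constructed. TLS still carries the request; the signature adds integrity and caller authentication that survive a proxy or a logged request.

```python
import hashlib
import hmac
import json

# Constructed secret for the example only; real deployments load it from a secret store.
SHARED_SECRET = b"example-client-secret-not-for-production"
MAX_SKEW = 300  # seconds: a signed request older than this is refused


def canonical_string(method, path, timestamp, body):
    # Everything the server acts on is covered by the MAC, including a hash of the body.
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), body_hash]).encode()


def sign_request(secret, method, path, body, timestamp):
    """Client side: produce the headers that accompany the request."""
    digest = hmac.new(secret, canonical_string(method, path, timestamp, body), hashlib.sha256).hexdigest()
    return {"X-Timestamp": str(timestamp), "X-Signature": digest}


def verify_request(secret, method, path, body, headers, now, seen_signatures):
    """Server side: return 'ok' or the reason the request is refused."""
    try:
        timestamp = int(headers["X-Timestamp"])
        presented = headers["X-Signature"]
    except (KeyError, ValueError):
        return "missing_headers"
    if abs(now - timestamp) > MAX_SKEW:
        return "stale"
    expected = hmac.new(secret, canonical_string(method, path, timestamp, body), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check cannot be timed byte by byte.
    if not hmac.compare_digest(expected, presented):
        return "bad_signature"
    # A valid signature is accepted only once inside the skew window.
    if presented in seen_signatures:
        return "replay"
    seen_signatures.add(presented)
    return "ok"


def demo():
    """Exercise the verifier with a constructed transfer request."""
    seen = set()
    now = 1_700_000_000
    path = "/v1/transfer"
    body = json.dumps({"to": "acct-42", "amount": 10}).encode()
    headers = sign_request(SHARED_SECRET, "POST", path, body, now)
    tampered_body = json.dumps({"to": "acct-42", "amount": 1000}).encode()
    return {
        "valid": verify_request(SHARED_SECRET, "POST", path, body, headers, now + 5, seen),
        "replay": verify_request(SHARED_SECRET, "POST", path, body, headers, now + 6, seen),
        "tampered": verify_request(SHARED_SECRET, "POST", path, tampered_body, headers, now + 7, seen),
        "stale": verify_request(SHARED_SECRET, "POST", path, body, headers, now + 3600, seen),
    }


if __name__ == "__main__":
    print(demo())
```

The `seen_signatures` set only needs to remember entries for `MAX_SKEW` seconds, since anything older is refused as stale before the replay check runs; a production server expires them on that schedule rather than letting the set grow.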
Many enterprises take it for granted that their security systems are robust, stable and safe, and either forget to check their IT infrastructure on a regular basis or assess it only once in a while. Don’t repeat these mistakes! Perform audits consistently and regularly. We advise testing your APIs against injection, brute-force and DoS attacks to see if all the proper risk mitigation tools are in place.
Where data is flowing, hackers are following. As organizations benefit from applications, APIs, databases and back-end servers, cybercriminals benefit from the variety of access points to organizations’ data. And as long as companies use tech solutions to advance their offerings, hackers will strive to find vulnerabilities and take advantage of them. Today, it’s crucial to address such issues and make sure each solution or service you implement is secure.
Investing in API security and taking a holistic approach to infrastructure protection are critical steps towards risk mitigation. And if you need help fortifying your API security, Skelia is here to help. Businesses that place a proper focus on API security throughout 2019 won’t appear in data-breach headlines anytime soon.