Much of today's digital innovation rests on the application programming interface (API). Without APIs, rapid development would be almost impossible: an API is the link between computers, software and programs. But wherever there is a link, there is a potential weakness in data security.
Indispensable for modern mobile, SaaS and web applications, APIs are almost ubiquitous in everything from front office to back office to internal applications. By their nature, however, APIs expose application logic and sensitive data such as Personally Identifiable Information (PII). This makes APIs juicy targets for attackers after the data behind them.
Meanwhile, driven by market pressure and customer demand, omnichannel e-commerce has grown significantly. API security risk has grown with it.
APIs and omnichannel are growing together
The number of Postman Collections (folders in which developers group API requests) grew from less than half a million to almost 35 million between 2016 and 2020. There is no doubt that API usage will continue to increase in the future.
Three major changes have generated this massive growth in API usage:
- Multi-device use: As people connect from many devices at once, APIs are needed to power those connections.
- Microservices: The shift from a monolithic architecture to a more flexible development based on microservices requires APIs.
- Move to the cloud: Driven by the benefit of rapid provisioning, the move from on-premises to the cloud means APIs are created and deployed faster than ever.
Meanwhile, all of this API activity has benefited (and has been driven by) the rise of omnichannel e-commerce.
Omnichannel retail is a multi-channel sales approach that creates a seamless customer experience. This means that whether the customer is buying from a mobile device, PC or physical store, the experience is unified across all channels. And omnichannel development would be impossible without APIs.
API-based connectivity overcomes a hurdle retailers face when they collect data from disparate systems and consolidate it into a monolithic data warehouse: because each individual system is updated separately, the information may already be out of date by the time it reaches the central database.
APIs allow retailers to build a network of applications that serves as a connectivity layer for data stores and assets in the cloud, on-premises, or in hybrid environments. As a result, mobile apps, websites, IoT devices, CRM and ERP systems (order management, point-of-sale, inventory management, and warehouse management) can all function as one cohesive system that connects and shares real-time data.
Increase in API security breaches
The downside to this rapid growth and development in e-commerce has been a worrying increase in API security attacks. Threat actors have carried out numerous high-profile breaches against public-facing applications. For example, developers use APIs to connect resources such as web registration forms to various back-end systems. This flexibility, however, also creates an entry point for automated attacks.
Some surveys show that an average web application or API has almost 27 serious vulnerabilities. Organizations can have hundreds or even tens of thousands of applications. It’s no wonder, then, that some of the biggest brands have been subject to API-related security breaches.
Real-world damage includes the exfiltration of personal data of high-profile figures, vulnerabilities in the food supply chain, and the theft of tens of millions of individual private records.
OWASP API Security Project
The growing risk of API and application vulnerabilities prompted OWASP to publish its API Security Top 10. Here is a high-level summary:
- API 1 – Broken Object Level Authorization: APIs tend to expose endpoints that handle object identifiers, creating a wide attack surface of access control problems.
- API 2 – Broken User Authentication: Poorly implemented authentication lets attackers compromise authentication tokens or steal user credentials.
- API 3 – Excessive Data Exposure: With generic implementations, developers may expose all properties of an object regardless of the sensitivity of each one.
- API 4 – Lack of Resources and Rate Limiting: APIs often place no restrictions on the size or number of resources a client or user can request. This can facilitate DDoS or brute-force attacks.
- API 5 – Broken Function Level Authorization: Complex access control and administrative policies can lead to authorization flaws, exposing user resources and/or administrative functions.
- API 6 – Mass Assignment: Binding client-supplied data (for example, JSON) to data models without a proper allow-list lets attackers modify object properties they should not be able to touch.
- API 7 – Security Misconfiguration: Arises from insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, unnecessary HTTP methods, permissive Cross-Origin Resource Sharing (CORS), and verbose error messages containing sensitive information.
- API 8 – Injection: Injection flaws (SQL, NoSQL, command injection, etc.) occur when untrusted data is sent to an interpreter as part of a command or query. Malicious data can cause the interpreter to execute unintended commands.
- API 9 – Improper Assets Management: APIs can expose many endpoints, which makes proper, up-to-date documentation even more critical. An accurate inventory of API hosts and deployed API versions plays an important role in mitigating threats.
- API 10 – Insufficient Logging and Monitoring: Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to attack systems further, maintain persistence, pivot to other systems, and extract or destroy data.
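To make two of these items concrete, here is an added example (not from the original article or from OWASP) showing an order lookup with Broken Object Level Authorization (API 1) and a profile update with Mass Assignment (API 6), each beside its fixed form; the users, orders and field names are constructed sample data.

```python
# Added example, not from the original article: an order lookup and a profile
# update showing two OWASP API Top 10 items, Broken Object Level Authorization
# (API 1) and Mass Assignment (API 6), each beside its fix. Data is constructed.
from dataclasses import dataclass

@dataclass
class User:
    user_id: int
    email: str
    is_admin: bool = False

# Constructed sample data: orders keyed by id, each owned by one user.
ORDERS = {1001: {"owner_id": 1, "total": 49.90}, 1002: {"owner_id": 2, "total": 15.00}}
USERS = {1: User(1, "alice@example.test"), 2: User(2, "bob@example.test")}

class Forbidden(Exception):
    pass

def get_order_vulnerable(caller: User, order_id: int) -> dict:
    # API 1: the id from the request is trusted as-is, so any logged-in caller
    # can read any order simply by changing order_id.
    return ORDERS[order_id]

def get_order(caller: User, order_id: int) -> dict:
    # Fixed: check that the caller owns the object (or is an admin), not just
    # that the caller is authenticated.
    order = ORDERS.get(order_id)
    if order is None or (order["owner_id"] != caller.user_id and not caller.is_admin):
        # One response for "missing" and "not yours" so ids cannot be enumerated.
        raise Forbidden("order not accessible")
    return order

# API 6: the only properties a client may set on its own profile.
PROFILE_WRITABLE = {"email"}

def update_profile_vulnerable(caller: User, payload: dict) -> User:
    # Binding the whole JSON body onto the model lets a client set is_admin.
    for key, value in payload.items():
        setattr(caller, key, value)
    return caller

def update_profile(caller: User, payload: dict) -> User:
    # Fixed: copy only allow-listed properties; unknown keys are ignored.
    for key in payload.keys() & PROFILE_WRITABLE:
        setattr(caller, key, payload[key])
    return caller
```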
API Vulnerability Assessment and Mitigation
Considering the risk and the high stakes, how can you strengthen your API threat management strategy? Here are some good practices:
Maintain an API inventory
It is important to know where your APIs are located, including APIs from older versions and in different environments. API security improves when you document the endpoints exposed by each API host, which endpoints are public (require no authentication), and which endpoints are reachable from the Internet.
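One way to start such an inventory, as an added example that is not part of the original article, is to read an OpenAPI document and list every operation together with whether it requires authentication and which version prefix it lives under; the spec below is a constructed sample, and the `/v1/`-style version prefix is an assumed convention.

```python
# Added example, not from the original article: build an endpoint inventory from
# an OpenAPI 3 document and flag operations reachable without authentication.
import re
from typing import Dict, List, Tuple

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "options", "head"}

# Constructed OpenAPI fragment: a global bearer-token requirement, one endpoint
# that opts out with `security: []`, and one legacy v1 endpoint that also opts out.
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "security": [{"bearerAuth": []}],
    "paths": {
        "/v2/orders/{id}": {"get": {"operationId": "getOrder"}},
        "/v2/health": {"get": {"operationId": "health", "security": []}},
        "/v1/export": {"post": {"operationId": "legacyExport", "security": []}},
    },
}

def inventory(spec: dict) -> List[Tuple[str, str, bool]]:
    """Return (METHOD, path, authenticated) for every operation in the spec."""
    global_sec = spec.get("security", [])
    rows = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue  # skip path-level keys such as "parameters" or "summary"
            # An operation-level `security` overrides the global one; an empty
            # list explicitly means "no authentication required".
            sec = op.get("security", global_sec)
            rows.append((method.upper(), path, bool(sec)))
    return sorted(rows)

def public_endpoints(spec: dict) -> List[str]:
    """Operations anyone on the Internet can call; each one deserves a deliberate review."""
    return [f"{m} {p}" for m, p, auth in inventory(spec) if not auth]

def api_versions(spec: dict) -> Dict[str, int]:
    """Count operations per version prefix (assumed /vN/ convention) to spot stale versions."""
    counts: Dict[str, int] = {}
    for _, path, _ in inventory(spec):
        m = re.match(r"^/(v\d+)/", path)
        ver = m.group(1) if m else "unversioned"
        counts[ver] = counts.get(ver, 0) + 1
    return counts
```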
Practice secure coding
Encourage your developers to follow secure coding practices, as most API vulnerabilities originate in code. Focus on secure coding in the production phase.
Access control, that is authentication and authorization, is essential for API security. OAuth is a token-based authorization framework that lets third-party services access user information without exposing the user's credentials. This is how websites let users sign in with Google or Facebook.
Rate limiting and throttling
To defend against DDoS attacks, API traffic spikes, and other performance issues, you can place rate limits on how often APIs can be called. Rate limiting smooths traffic, balancing access against availability.
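The limit described above can be implemented as a per-client token bucket; the code below is an added example, not from the original article, with an assumed burst size and refill rate, and a clock that is injected so the limiter can be exercised without waiting.

```python
# Added example, not from the original article: a per-client token-bucket
# rate limiter. Each client key gets `burst` tokens that refill at `rate`
# tokens per second; a request consumes one token or is rejected (HTTP 429).
import time
from dataclasses import dataclass

@dataclass
class _Bucket:
    tokens: float   # tokens currently available
    last: float     # clock reading at the last refill

class RateLimiter:
    def __init__(self, rate: float, burst: int, clock=time.monotonic):
        # `clock` is injectable so behaviour is deterministic in tests.
        self.rate, self.burst, self.clock = rate, burst, clock
        self._buckets = {}  # client key -> _Bucket

    def allow(self, client_key: str) -> bool:
        """Return True if the request may proceed, False if it should be throttled."""
        now = self.clock()
        b = self._buckets.get(client_key)
        if b is None:
            b = self._buckets[client_key] = _Bucket(float(self.burst), now)
        # Refill in proportion to elapsed time, never beyond the burst size.
        b.tokens = min(float(self.burst), b.tokens + (now - b.last) * self.rate)
        b.last = now
        if b.tokens >= 1.0:
            b.tokens -= 1.0
            return True
        return False

    def retry_after(self, client_key: str) -> float:
        """Seconds until `client_key` has a token again; 0.0 if it has one now."""
        b = self._buckets.get(client_key)
        if b is None or b.tokens >= 1.0:
            return 0.0
        return (1.0 - b.tokens) / self.rate

def handle(limiter: RateLimiter, client_key: str) -> tuple:
    """Gateway-style decision: (status, headers) for one incoming request."""
    if limiter.allow(client_key):
        return 200, {}
    return 429, {"Retry-After": str(max(1, round(limiter.retry_after(client_key))))}
```

The client key would normally be an API key or authenticated user id rather than a source IP, so that one tenant cannot exhaust another's budget.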
Use an API Gateway
An API gateway is a central enforcement point for API traffic. A strong API gateway lets you authenticate traffic, control API usage, and analyze API activity.
Use a service mesh
Service mesh technology enables API management and control by routing requests from one service to another. A service mesh ensures that proper authentication, access control, and other security measures work together for stronger API security.
A service mesh becomes particularly important as the use of microservices increases. As the number of services grows, the number of potential communication paths between them grows far faster. A service mesh provides a unified way to configure those paths by expressing them as a communication policy.
A service mesh instructs the services and orchestrates their traffic according to a predetermined configuration. Instead of configuring each running container or writing code to do so, an administrator can hand a configuration to the service mesh and have it do this work.
Embrace zero trust
As a broader security philosophy, zero trust treats every request as hostile until proven otherwise. Zero trust requires verification and authorization for every device, every app, and every user accessing every resource.
E-commerce needs secure APIs
For competing brands, the omnichannel experience will continue to grow in diversity and breadth, and APIs will evolve with it. Taking a proactive API security stance now is important to keeping your customers, business, and assets safe.