Experian had a high-profile API breach earlier this year, but there were many others, and that’s why today’s columnist, Lebin Cheng of Imperva, says security teams must make API security a top priority in the year ahead. Credit: Experian Images

Most of today's on-demand services that we rely on are driven by application programming interfaces (APIs) that were developed in modern application development. It’s the invisible connective tissue that development teams use to bridge applications and data sources so we have greater and more convenient access to digital services.

While APIs are the underpinning of IT innovation and transformation, it’s time we focus on the security risks. Too often, APIs are released into production faster than a security team can review and catalogue them.

Modern application development often takes place outside the purview of the CISO. This behavior sets up a dangerous precedent as APIs are expected to become the most frequently attacked enterprise web application vector by 2022.

One of our recent reports finds the vulnerability of APIs increased in 2020 at a time when other vulnerabilities decreased. Expect attackers to focus more on APIs as a vulnerable entry point in the coming months and years ahead as they’re a blind spot for most security teams.

While they are a powerful tool, APIs expose organizations to risk in complex ways because they are often connected directly to the data layer. Security teams need to worry most about the risk of data exfiltration through a compromised or vulnerable API. With application development teams under pressure to build applications more quickly, security becomes an afterthought. This won’t change any time soon.

How did we get here?

In some ways, security risks presented by APIs are self-inflicted, a derivative of the collective innovation and digital transformation the world economy has pursued the past several years. Within software development, there’s a growing trend towards the “backend to frontend” (BFF) pattern in which internal applications and services are made available to external users through an API gateway to support today’s self-service customer and partner model. This approach presents potential problems because it means external users have access to internal systems, and perhaps data, that they otherwise would not normally have access to previously.

For hackers, the BFF pattern gives them the opportunity to look for gateways that are not configured to closely monitor and filter the data access. Once the gateway passes the API calls from front-end to the back-end unfiltered, hackers can abuse the backend and exfiltrate data. Even worse, existing API management gateways rely heavily on manual configuration to perform API data validation. Further, most gateways are configured to enforce basic access control; not fine-grained data level authorization, a problem considering how quickly APIs change.

APIs are a preferred pathway for hackers because the malicious behavior remains out of sight and undetectable. In some more advanced cases, bad actors are even using APIs to automate their attacks. For example, using stolen credentials to obtain API tokens and using those to automate private data harvesting.

Organizations need to also worry about the preponderance of software supply chain attacks as many of these incidents involve compromised APIs. The SUPERNOVA vulnerability was the result of an authentication bypass that permitted hackers remote execution of malicious code by leveraging a vulnerable API as the command channel. This very public incident was particularly worrisome because the criminals weaponized the software’s APIs to communicate with their command and control server – without anyone knowing.

Extend beyond DevSecOps methodologies

Organizations are already challenged with trying to stop malicious traffic across the network, and it’s only exacerbated by the prevalence of APIs. Historically, organizations turned to network-based and log-based UEBA solutions, which have developed their own approaches to detecting lateral movement, but those solutions are not able to detect API attacks. It’s a complex form of lateral movement attacks that enterprises need to be able to detect and prevent.

Security teams may never manually create rules quickly enough to manage the volume of APIs that are published by the development team. Top security leaders don’t want to play the role of traffic cop. They want to establish a frictionless relationship where developers are able to move fast and innovate the business. However, both sides lack the tools needed to monitor what’s happening in development and production -- particularly the API calls between internal and external applications and services. A successful DevSecOps strategy should function as a fully automated process in which each autonomous organization can move at maximum speeds – not hovering over each other’s shoulders.

There are several steps that organizations can take to reinforce API security:

  • Prioritize visibility. Identify all APIs within the enterprise and have visibility into the traffic accessing those APIs.
  • Apply automation and machine learning to assess API behaviors. Do this preferably early in the development and testing stage. Evaluate against risk-based policies, and determine appropriate actions for mitigating the threats -- particularly data exchange patterns so that runtime protection can be enabled based on an always up-to-date baseline of behavior.
  • Establish a feedback loop. Develop communications between DevOps and SecOps that helps developers address vulnerabilities efficiently through enhancing API design and security testing.

APIs are the cornerstone of today’s digital economy. They let digital-forward businesses develop applications in new architectures, automate processes, and offer an easy-to-use, seamless backend for all types of applications. However, as with anything that increases the speed of business, it creates security gaps that malicious actors are keen to exploit. That’s why companies should make API security a top agenda item for any business heading into 2022.

Lebin Cheng, head of API Security, office of the CTO, Imperva