While cybercriminals have been going after credentials for several years, we now see attackers target the credentials held by application programming interfaces (APIs). In fact, research by Akamai found that almost 75% of attacks directly target such API credentials.
It’s no wonder APIs have become such popular targets. They are a critical component of most cloud-based services, which are rapidly taking over the functions of on-premises assets at most companies, organizations, and government agencies. It’s not possible to run any sort of business or task these days without the cloud, especially those that are public-facing. And that means APIs are the glue that holds quite a few services together in every network.
APIs are mostly small and unobtrusive in terms of network resource allocation. And they are completely flexible so that security teams can task them to perform almost any job. At their core, APIs are individual pieces of software tailored to control or manage a particular program. Security teams can use them to perform very specific functions, like accessing data from a host operating system, application, or service.
Unfortunately, it’s this very same flexibility, and the fact that they are often small and overlooked by security teams, that makes APIs attractive targets. Most APIs are designed by developers for total flexibility so that they can continue to function even if the core program they are managing becomes modified or changed. And there are few standards. Almost like snowflakes, many APIs are unique in that they are created to serve a particular function with a single program on a specific network. If they are coded by developers who aren’t very security-aware, or who are not concentrating specifically on security, then they can and likely will have any number of vulnerabilities that attackers can find and exploit.
Sadly, the problem has quickly gotten out of hand. According to Gartner, during 2022, vulnerabilities involving APIs will become the most frequent attack vector across all cybersecurity categories.
Attackers look to compromise APIs not so that they can take over whatever specific function the API performs, but to steal the credentials associated with it. APIs often are way over-permissioned in regard to their core functionality. For simplicity’s sake, most APIs have near administrator-level access on a network. If an attacker gains control of one, they can often use its permissions to launch deeper and more substantial incursions into a network. And because the API has permission to perform whatever tasks the attacker redirects them toward, their actions can often bypass traditional cybersecurity monitoring because the API does not break any rules thanks to its access-all-areas VIP backstage pass.
If organizations are not careful, the rise of APIs within their network and their clouds can also spell big trouble if they are targeted by attackers.
As dangerous as the situation with APIs has become, it’s far from hopeless. There’s a big effort through movements like DevSecOps to help make developers more security-aware, and to bring security and best practices into all aspects of software creation from development to testing and deployment. It’s important to include API security as part of developer training for any organization that wants to buck the trend of API exploitation through 2022 and beyond. There are a few really good best practices that organizations can use to secure APIs:
- Include tight identity controls for all APIs.
Consider APIs like human users when assigning permissions. Just because an API has been designed to do a specific function, think about what could happen if an attacker can compromise it. Consider using role-based access control. Ideally, organizations should also apply zero-trust principles to APIs and users. It’s also important to include APIs as part of the identity management program.
- Tightly control the various calls made by APIs.
By limiting those calls to very context-centered requests, then it’s much more difficult for an attacker to modify them for nefarious purposes.
- Use a layered approach.
Start by having an initial API making a highly contextual call to another API that knows exactly what to look for, and what to ignore. That’s an effective way to limit the functionality available to a threat actor even if they can exploit and compromise an API within that chain.
The threats leveled against APIs can certainly appear overwhelming. But by implementing best practices along with assisting and rewarding developers who become security champions, the situation can seem a lot less hopeless. With good training and practice, companies can erect a robust security program that gives attackers little room to maneuver even if they should somehow compromise one of the organizations, tiny, yet essential APIs.
Pieter Danhieux co-founder and CEO, Secure Code Warrior.