Every time we come up with new ways to build and deploy applications, we also come up with new ways to break them. Did SQL make it easier to access and manipulate large amounts of structured data? You bet, and it also led to SQL injection. Ready to join the cloud? Hope you didn’t put anything sensitive in that public S3 bucket. Moving to containers? Make sure you check your images for vulnerabilities.
So it’s no surprise that APIs follow the same pattern. Organizations leverage APIs to accelerate business opportunities, create engaging customer experiences, and open new revenue streams. APIs let customers, partners, and internal stakeholders build products that digitally embody the business, leveraging the organization’s functionality and data. This also means that an insufficiently protected API could let anyone access more functionality and data than they should. Examples of API-related breaches abound, from Panera Bread, the US Postal Service, and COVID-19 contact tracing apps in India and Qatar.
Where there was once a monolithic website with a reasonably understood set of input fields, APIs expand the surface exponentially. Many security pros have no idea which APIs should be publicly available — and even when they do know, they don’t know all of the functions and parameters associated with those APIs.
So what should security professionals know about the API security landscape? We’ll cover a few key points here. You can read more in our report, “API Insecurity: The Lurking Threat In Your Software.”
Discovery, Discovery, Discovery
Just like identities, keys, certificates, devices, containers, and everything else in your infrastructure, you can’t protect APIs that you don’t know about. (Stop me if you’ve heard this before!) Breaches due to “rogue APIs” are common, but remember that a “rogue” API is just an API that was made public, perhaps accidentally. API security vendors tell us that their clients often ask for help with discovery early in the journey.
New Challenges, New Risks
APIs provide new challenges that web developers are not accustomed to. Unlike traditional AJAX calls, APIs often provide direct access to powerful transactional and data access functionality. Developers accustomed to less sensitive AJAX calls are likely to have the wrong mindset for properly securing APIs, leaving room for security mistakes even for web development teams that have had a good track record for secure coding.
Not Just WAFs, Not Just Gateways
Effective API protection comes from a variety of tools, not all of which are traditional security tools. An API gateway is a key access control tool, while web application protections like WAF and bot management have expanded their functionality to detect API-based attacks. Throw in microsegmentation, pre-release testing tools, and emerging API-specific security tools, and the choices seem overwhelming. Things will shake out in time, but don’t be surprised to discover overlaps or gaps in your current tooling.
If the thought of opening your business and your data to third parties through APIs scares you, buckle up and focus on managing the risk. Fear ultimately didn’t stop us from using SQL databases, moving to the cloud, or adopting containers. Firms rely on APIs to accomplish their digital business initiatives, and security pros play a critical role in protecting the APIs and the data. Check out the full report here, and join us for a webinar on December 1.