Blog

Securing APIs: Mission impossible?

Pieter Danhieux
Published Jun 06, 2022

Cyberattacks are, without a doubt, on the rise. According to the Verizon 2021 Data Breach Investigations Report, the threat landscape is more dangerous today than ever before. Organizations of all sizes are experiencing a higher volume of attacks and a greater sophistication level from threat actors who are targeting them. And the success rates for attackers are also skyrocketing.

Analyzing the most recent attacks helps to reveal some of the most common vulnerabilities and techniques being used by hackers during this unprecedented blitz against cyber defenses. Some of the most popular attacks, such as those that made the Open Web Application Security Project’s (OWASP) Top 10 Security Risks and Vulnerabilities for 2021, involved stealing or otherwise compromising credentials. And according to security research conducted by Akamai, the overwhelming majority, almost 75%, directly targeted the credentials held by APIs. 

The rise and possible ruin of APIs

It’s no wonder that application programming interfaces, mostly just called APIs, are on the rise within almost every organization’s networks. They are a critical component of most cloud-based services, which are rapidly taking over the functions of on-prem assets at most companies, organizations, and government agencies. You almost can’t run any sort of business or task these days without the cloud, especially those that are public-facing. And that means that APIs are going to certainly be the glue that holds quite a few services together in every network.

The amazing thing about APIs is that they are mostly small and unobtrusive in terms of network resource allocation. And they are completely flexible so that they can be tasked with performing almost any job. At their core, APIs are individual pieces of software tailored to control or manage a particular program. They can be utilized to perform very specific functions, like accessing data from a host operating system, application, or service.

Unfortunately, it is this very same flexibility, and the fact that they are often small and overlooked by security teams, that makes APIs attractive targets. Most APIs are designed by developers for total flexibility so that they can, for example, continue to function even if the core program they are managing is modified or changed. And there are few standards. Almost like snowflakes, many APIs are unique in that they are created to serve a particular function with a single program on a specific network. If they are coded by developers who aren’t very security-aware, or who are not concentrating specifically on security, then they can and likely will have any number of vulnerabilities that attackers can find and exploit.

Sadly, the problem is quickly getting out of hand. According to Gartner, by 2022, vulnerabilities involving APIs will become the most frequent attack vector across all cybersecurity categories.

The key reason that attackers want to compromise APIs is not so that they can take over whatever specific function the API performs, but instead to steal the credentials associated with it. One of the biggest problems with APIs, in addition to being ripe with vulnerabilities, is that they are often way over-permissioned in regards to their core functionality. For simplicity’s sake, most APIs have near administrator-level access on a network. If an attacker gains control of one, they can often use its permissions to launch deeper and more substantial incursions into a network. And because the API has permission to perform whatever tasks the attacker is redirecting them toward, their actions can often bypass traditional cybersecurity monitoring because the API is not breaking any rules thanks to its access-all-areas VIP backstage pass.

If organizations are not careful, the rise of APIs within their network and their clouds can also spell big trouble if they are targeted by attackers.

Defending the APIs

As dangerous as the situation with APIs is becoming, it’s far from hopeless. There is a big effort through movements like DevSecOps to help make developers more security-aware, and to bring security and best practices into all aspects of software creation from development to testing and deployment. Including API security as part of that training will be critical for any organization that wants to buck the trend of API exploitation through 2022 and beyond.

That said, there are a few really good best practices that can be implemented right now in terms of API security.

The first thing is to include tight identity controls for all APIs. You should almost consider them to be like human users when assigning permissions. Just because an API is only designed to do a specific function, you have to think about what could happen if an attacker is able to compromise it. Consider using role-based access control. Ideally, you should ultimately be applying the principles of zero trust to your APIs and users, but that is often a long road. Good identity management is a good place to start. Just be sure to include APIs as part of that program.

You should also tightly control the various calls that are being made by your APIs as much as possible. If you limit those calls to very context-centered requests, then it will be much more difficult for an attacker to modify them for nefarious purposes. You can even layer your APIs, with an initial API making a highly contextual call to another API that knows exactly what to look for, and what to ignore. That can be an effective way to limit the functionality available to a threat actor even if they are able to exploit and compromise an API within that chain.

The threats leveled against APIs can certainly seem overwhelming. But by implementing best practices along with assisting and rewarding developers who become security champions, the situation can seem a lot less hopeless. With good training and practice, you can erect a robust security program that gives attackers little room to maneuver even if they should somehow compromise one of your tiny but essential API workhorses.

View Resource
View Resource

API security is tough, but with adequate training, planning and a focus on best practices, even the most insidious vulnerabilities can be mitigated.

Interested in more?

Chief Executive Officer, Chairman, and Co-Founder

Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.

Book a demo
Share on:
Author
Pieter Danhieux
Published Jun 06, 2022

Chief Executive Officer, Chairman, and Co-Founder

Pieter Danhieux is a globally recognized security expert, with over 12 years experience as a security consultant and 8 years as a Principal Instructor for SANS teaching offensive techniques on how to target and assess organizations, systems and individuals for security weaknesses. In 2016, he was recognized as one of the Coolest Tech people in Australia (Business Insider), awarded Cyber Security Professional of the Year (AISA - Australian Information Security Association) and holds GSE, CISSP, GCIH, GCFA, GSEC, GPEN, GWAPT, GCIA certifications.

Share on:

Cyberattacks are, without a doubt, on the rise. According to the Verizon 2021 Data Breach Investigations Report, the threat landscape is more dangerous today than ever before. Organizations of all sizes are experiencing a higher volume of attacks and a greater sophistication level from threat actors who are targeting them. And the success rates for attackers are also skyrocketing.

Analyzing the most recent attacks helps to reveal some of the most common vulnerabilities and techniques being used by hackers during this unprecedented blitz against cyber defenses. Some of the most popular attacks, such as those that made the Open Web Application Security Project’s (OWASP) Top 10 Security Risks and Vulnerabilities for 2021, involved stealing or otherwise compromising credentials. And according to security research conducted by Akamai, the overwhelming majority, almost 75%, directly targeted the credentials held by APIs. 

The rise and possible ruin of APIs

It’s no wonder that application programming interfaces, mostly just called APIs, are on the rise within almost every organization’s networks. They are a critical component of most cloud-based services, which are rapidly taking over the functions of on-prem assets at most companies, organizations, and government agencies. You almost can’t run any sort of business or task these days without the cloud, especially those that are public-facing. And that means that APIs are going to certainly be the glue that holds quite a few services together in every network.

The amazing thing about APIs is that they are mostly small and unobtrusive in terms of network resource allocation. And they are completely flexible so that they can be tasked with performing almost any job. At their core, APIs are individual pieces of software tailored to control or manage a particular program. They can be utilized to perform very specific functions, like accessing data from a host operating system, application, or service.

Unfortunately, it is this very same flexibility, and the fact that they are often small and overlooked by security teams, that makes APIs attractive targets. Most APIs are designed by developers for total flexibility so that they can, for example, continue to function even if the core program they are managing is modified or changed. And there are few standards. Almost like snowflakes, many APIs are unique in that they are created to serve a particular function with a single program on a specific network. If they are coded by developers who aren’t very security-aware, or who are not concentrating specifically on security, then they can and likely will have any number of vulnerabilities that attackers can find and exploit.

Sadly, the problem is quickly getting out of hand. According to Gartner, by 2022, vulnerabilities involving APIs will become the most frequent attack vector across all cybersecurity categories.

The key reason that attackers want to compromise APIs is not so that they can take over whatever specific function the API performs, but instead to steal the credentials associated with it. One of the biggest problems with APIs, in addition to being ripe with vulnerabilities, is that they are often way over-permissioned in regards to their core functionality. For simplicity’s sake, most APIs have near administrator-level access on a network. If an attacker gains control of one, they can often use its permissions to launch deeper and more substantial incursions into a network. And because the API has permission to perform whatever tasks the attacker is redirecting them toward, their actions can often bypass traditional cybersecurity monitoring because the API is not breaking any rules thanks to its access-all-areas VIP backstage pass.

If organizations are not careful, the rise of APIs within their network and their clouds can also spell big trouble if they are targeted by attackers.

Defending the APIs

As dangerous as the situation with APIs is becoming, it’s far from hopeless. There is a big effort through movements like DevSecOps to help make developers more security-aware, and to bring security and best practices into all aspects of software creation from development to testing and deployment. Including API security as part of that training will be critical for any organization that wants to buck the trend of API exploitation through 2022 and beyond.

That said, there are a few really good best practices that can be implemented right now in terms of API security.

The first thing is to include tight identity controls for all APIs. You should almost consider them to be like human users when assigning permissions. Just because an API is only designed to do a specific function, you have to think about what could happen if an attacker is able to compromise it. Consider using role-based access control. Ideally, you should ultimately be applying the principles of zero trust to your APIs and users, but that is often a long road. Good identity management is a good place to start. Just be sure to include APIs as part of that program.

You should also tightly control the various calls that are being made by your APIs as much as possible. If you limit those calls to very context-centered requests, then it will be much more difficult for an attacker to modify them for nefarious purposes. You can even layer your APIs, with an initial API making a highly contextual call to another API that knows exactly what to look for, and what to ignore. That can be an effective way to limit the functionality available to a threat actor even if they are able to exploit and compromise an API within that chain.

The threats leveled against APIs can certainly seem overwhelming. But by implementing best practices along with assisting and rewarding developers who become security champions, the situation can seem a lot less hopeless. With good training and practice, you can erect a robust security program that gives attackers little room to maneuver even if they should somehow compromise one of your tiny but essential API workhorses.

View Resource
View Resource

Fill out the form below to download the report

We would like your permission to send you information on our products and/or related secure coding topics. We’ll always treat your personal details with the utmost care and will never sell them to other companies for marketing purposes.

Submit
To submit the form, please enable 'Analytics' cookies. Feel free to disable them again once you're done.

Cyberattacks are, without a doubt, on the rise. According to the Verizon 2021 Data Breach Investigations Report, the threat landscape is more dangerous today than ever before. Organizations of all sizes are experiencing a higher volume of attacks and a greater sophistication level from threat actors who are targeting them. And the success rates for attackers are also skyrocketing.

Analyzing the most recent attacks helps to reveal some of the most common vulnerabilities and techniques being used by hackers during this unprecedented blitz against cyber defenses. Some of the most popular attacks, such as those that made the Open Web Application Security Project’s (OWASP) Top 10 Security Risks and Vulnerabilities for 2021, involved stealing or otherwise compromising credentials. And according to security research conducted by Akamai, the overwhelming majority, almost 75%, directly targeted the credentials held by APIs. 

The rise and possible ruin of APIs

It’s no wonder that application programming interfaces, mostly just called APIs, are on the rise within almost every organization’s networks. They are a critical component of most cloud-based services, which are rapidly taking over the functions of on-prem assets at most companies, organizations, and government agencies. You almost can’t run any sort of business or task these days without the cloud, especially those that are public-facing. And that means that APIs are going to certainly be the glue that holds quite a few services together in every network.

The amazing thing about APIs is that they are mostly small and unobtrusive in terms of network resource allocation. And they are completely flexible so that they can be tasked with performing almost any job. At their core, APIs are individual pieces of software tailored to control or manage a particular program. They can be utilized to perform very specific functions, like accessing data from a host operating system, application, or service.

Unfortunately, it is this very same flexibility, and the fact that they are often small and overlooked by security teams, that makes APIs attractive targets. Most APIs are designed by developers for total flexibility so that they can, for example, continue to function even if the core program they are managing is modified or changed. And there are few standards. Almost like snowflakes, many APIs are unique in that they are created to serve a particular function with a single program on a specific network. If they are coded by developers who aren’t very security-aware, or who are not concentrating specifically on security, then they can and likely will have any number of vulnerabilities that attackers can find and exploit.

Sadly, the problem is quickly getting out of hand. According to Gartner, by 2022, vulnerabilities involving APIs will become the most frequent attack vector across all cybersecurity categories.

The key reason that attackers want to compromise APIs is not so that they can take over whatever specific function the API performs, but instead to steal the credentials associated with it. One of the biggest problems with APIs, in addition to being ripe with vulnerabilities, is that they are often way over-permissioned in regards to their core functionality. For simplicity’s sake, most APIs have near administrator-level access on a network. If an attacker gains control of one, they can often use its permissions to launch deeper and more substantial incursions into a network. And because the API has permission to perform whatever tasks the attacker is redirecting them toward, their actions can often bypass traditional cybersecurity monitoring because the API is not breaking any rules thanks to its access-all-areas VIP backstage pass.

If organizations are not careful, the rise of APIs within their network and their clouds can also spell big trouble if they are targeted by attackers.

Defending the APIs

As dangerous as the situation with APIs is becoming, it’s far from hopeless. There is a big effort through movements like DevSecOps to help make developers more security-aware, and to bring security and best practices into all aspects of software creation from development to testing and deployment. Including API security as part of that training will be critical for any organization that wants to buck the trend of API exploitation through 2022 and beyond.

That said, there are a few really good best practices that can be implemented right now in terms of API security.

The first thing is to include tight identity controls for all APIs. You should almost consider them to be like human users when assigning permissions. Just because an API is only designed to do a specific function, you have to think about what could happen if an attacker is able to compromise it. Consider using role-based access control. Ideally, you should ultimately be applying the principles of zero trust to your APIs and users, but that is often a long road. Good identity management is a good place to start. Just be sure to include APIs as part of that program.

You should also tightly control the various calls that are being made by your APIs as much as possible. If you limit those calls to very context-centered requests, then it will be much more difficult for an attacker to modify them for nefarious purposes. You can even layer your APIs, with an initial API making a highly contextual call to another API that knows exactly what to look for, and what to ignore. That can be an effective way to limit the functionality available to a threat actor even if they are able to exploit and compromise an API within that chain.

The threats leveled against APIs can certainly seem overwhelming. But by implementing best practices along with assisting and rewarding developers who become security champions, the situation can seem a lot less hopeless. With good training and practice, you can erect a robust security program that gives attackers little room to maneuver even if they should somehow compromise one of your tiny but essential API workhorses.

Get Started

Click on the link below and download the PDF of this resource.

Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.

View reportBook a demo
View Resource
Share on:
Interested in more?

Share on:
Author
Pieter Danhieux
Published Jun 06, 2022

Chief Executive Officer, Chairman, and Co-Founder

Pieter Danhieux is a globally recognized security expert, with over 12 years experience as a security consultant and 8 years as a Principal Instructor for SANS teaching offensive techniques on how to target and assess organizations, systems and individuals for security weaknesses. In 2016, he was recognized as one of the Coolest Tech people in Australia (Business Insider), awarded Cyber Security Professional of the Year (AISA - Australian Information Security Association) and holds GSE, CISSP, GCIH, GCFA, GSEC, GPEN, GWAPT, GCIA certifications.

Share on:

Cyberattacks are, without a doubt, on the rise. According to the Verizon 2021 Data Breach Investigations Report, the threat landscape is more dangerous today than ever before. Organizations of all sizes are experiencing a higher volume of attacks and a greater sophistication level from threat actors who are targeting them. And the success rates for attackers are also skyrocketing.

Analyzing the most recent attacks helps to reveal some of the most common vulnerabilities and techniques being used by hackers during this unprecedented blitz against cyber defenses. Some of the most popular attacks, such as those that made the Open Web Application Security Project’s (OWASP) Top 10 Security Risks and Vulnerabilities for 2021, involved stealing or otherwise compromising credentials. And according to security research conducted by Akamai, the overwhelming majority, almost 75%, directly targeted the credentials held by APIs. 

The rise and possible ruin of APIs

It’s no wonder that application programming interfaces, mostly just called APIs, are on the rise within almost every organization’s networks. They are a critical component of most cloud-based services, which are rapidly taking over the functions of on-prem assets at most companies, organizations, and government agencies. You almost can’t run any sort of business or task these days without the cloud, especially those that are public-facing. And that means that APIs are going to certainly be the glue that holds quite a few services together in every network.

The amazing thing about APIs is that they are mostly small and unobtrusive in terms of network resource allocation. And they are completely flexible so that they can be tasked with performing almost any job. At their core, APIs are individual pieces of software tailored to control or manage a particular program. They can be utilized to perform very specific functions, like accessing data from a host operating system, application, or service.

Unfortunately, it is this very same flexibility, and the fact that they are often small and overlooked by security teams, that makes APIs attractive targets. Most APIs are designed by developers for total flexibility so that they can, for example, continue to function even if the core program they are managing is modified or changed. And there are few standards. Almost like snowflakes, many APIs are unique in that they are created to serve a particular function with a single program on a specific network. If they are coded by developers who aren’t very security-aware, or who are not concentrating specifically on security, then they can and likely will have any number of vulnerabilities that attackers can find and exploit.

Sadly, the problem is quickly getting out of hand. According to Gartner, by 2022, vulnerabilities involving APIs will become the most frequent attack vector across all cybersecurity categories.

The key reason that attackers want to compromise APIs is not so that they can take over whatever specific function the API performs, but instead to steal the credentials associated with it. One of the biggest problems with APIs, in addition to being ripe with vulnerabilities, is that they are often way over-permissioned in regards to their core functionality. For simplicity’s sake, most APIs have near administrator-level access on a network. If an attacker gains control of one, they can often use its permissions to launch deeper and more substantial incursions into a network. And because the API has permission to perform whatever tasks the attacker is redirecting them toward, their actions can often bypass traditional cybersecurity monitoring because the API is not breaking any rules thanks to its access-all-areas VIP backstage pass.

If organizations are not careful, the rise of APIs within their network and their clouds can also spell big trouble if they are targeted by attackers.

Defending the APIs

As dangerous as the situation with APIs is becoming, it’s far from hopeless. There is a big effort through movements like DevSecOps to help make developers more security-aware, and to bring security and best practices into all aspects of software creation from development to testing and deployment. Including API security as part of that training will be critical for any organization that wants to buck the trend of API exploitation through 2022 and beyond.

That said, there are a few really good best practices that can be implemented right now in terms of API security.

The first thing is to include tight identity controls for all APIs. You should almost consider them to be like human users when assigning permissions. Just because an API is only designed to do a specific function, you have to think about what could happen if an attacker is able to compromise it. Consider using role-based access control. Ideally, you should ultimately be applying the principles of zero trust to your APIs and users, but that is often a long road. Good identity management is a good place to start. Just be sure to include APIs as part of that program.

You should also tightly control the various calls that are being made by your APIs as much as possible. If you limit those calls to very context-centered requests, then it will be much more difficult for an attacker to modify them for nefarious purposes. You can even layer your APIs, with an initial API making a highly contextual call to another API that knows exactly what to look for, and what to ignore. That can be an effective way to limit the functionality available to a threat actor even if they are able to exploit and compromise an API within that chain.

The threats leveled against APIs can certainly seem overwhelming. But by implementing best practices along with assisting and rewarding developers who become security champions, the situation can seem a lot less hopeless. With good training and practice, you can erect a robust security program that gives attackers little room to maneuver even if they should somehow compromise one of your tiny but essential API workhorses.

Table of contents

Download PDF
View Resource
Interested in more?

Chief Executive Officer, Chairman, and Co-Founder

Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.

Book a demoDownload
Share on:
Resource hub

Resources to get you started

More posts
Resource hub

Resources to get you started

More posts