Securing APIs: Mission impossible?
Cyberattacks are, without a doubt, on the rise. According to the Verizon 2021 Data Breach Investigations Report, the threat landscape is more dangerous today than ever before. Organizations of all sizes are experiencing a higher volume of attacks and a greater sophistication level from threat actors who are targeting them. And the success rates for attackers are also skyrocketing.
Analyzing the most recent attacks helps to reveal some of the most common vulnerabilities and techniques being used by hackers during this unprecedented blitz against cyber defenses. Some of the most popular attacks, such as those that made the Open Web Application Security Project’s (OWASP) Top 10 Security Risks and Vulnerabilities for 2021, involved stealing or otherwise compromising credentials. And according to security research conducted by Akamai, the overwhelming majority, almost 75%, directly targeted the credentials held by APIs.
The rise and possible ruin of APIs
It’s no wonder that application programming interfaces, mostly just called APIs, are on the rise within almost every organization’s networks. They are a critical component of most cloud-based services, which are rapidly taking over the functions of on-prem assets at most companies, organizations, and government agencies. You almost can’t run any sort of business or task these days without the cloud, especially those that are public-facing. And that means that APIs will certainly be the glue that holds quite a few services together in every network.
The amazing thing about APIs is that they are mostly small and unobtrusive in terms of network resource allocation. And they are completely flexible so that they can be tasked with performing almost any job. At their core, APIs are individual pieces of software tailored to control or manage a particular program. They can be utilized to perform very specific functions, like accessing data from a host operating system, application, or service.
Unfortunately, it is this very same flexibility, and the fact that they are often small and overlooked by security teams, that makes APIs attractive targets. Most APIs are designed by developers for total flexibility so that they can, for example, continue to function even if the core program they are managing is modified or changed. And there are few standards. Almost like snowflakes, many APIs are unique in that they are created to serve a particular function with a single program on a specific network. If they are coded by developers who aren’t very security-aware, or who are not concentrating specifically on security, then they can and likely will have any number of vulnerabilities that attackers can find and exploit.
Sadly, the problem is quickly getting out of hand. According to Gartner, by 2022, vulnerabilities involving APIs will become the most frequent attack vector across all cybersecurity categories.
The key reason that attackers want to compromise APIs is not so that they can take over whatever specific function the API performs, but instead to steal the credentials associated with it. One of the biggest problems with APIs, in addition to being rife with vulnerabilities, is that they are often heavily over-permissioned relative to their core functionality. For simplicity’s sake, most APIs have near administrator-level access on a network. If an attacker gains control of one, they can often use its permissions to launch deeper and more substantial incursions into a network. And because the API has permission to perform whatever tasks the attacker redirects it toward, those actions can often bypass traditional cybersecurity monitoring: the API is not breaking any rules, thanks to its access-all-areas VIP backstage pass.
If organizations are not careful, the rise of APIs within their network and their clouds can also spell big trouble if they are targeted by attackers.
Defending the APIs
As dangerous as the situation with APIs is becoming, it’s far from hopeless. There is a big effort through movements like DevSecOps to help make developers more security-aware, and to bring security and best practices into all aspects of software creation from development to testing and deployment. Including API security as part of that training will be critical for any organization that wants to buck the trend of API exploitation through 2022 and beyond.
That said, there are a few really good best practices that can be implemented right now in terms of API security.
The first thing is to include tight identity controls for all APIs. You should almost consider them to be like human users when assigning permissions. Even though an API is designed to perform only a specific function, you have to think about what could happen if an attacker is able to compromise it. Consider using role-based access control. Ideally, you should ultimately be applying the principles of zero trust to your APIs and users, but that is often a long road. Good identity management is a good place to start. Just be sure to include APIs as part of that program.
You should also tightly control the various calls that are being made by your APIs as much as possible. If you limit those calls to very context-centered requests, then it will be much more difficult for an attacker to modify them for nefarious purposes. You can even layer your APIs, with an initial API making a highly contextual call to another API that knows exactly what to look for, and what to ignore. That can be an effective way to limit the functionality available to a threat actor even if they are able to exploit and compromise an API within that chain.
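The two practices above (a role per API identity, and calls limited to a narrow context that a downstream API checks) can be combined in one deny-by-default authorization step. The following Python example is added here for illustration and is not from the original article; the identities, roles, routes and parameter rules are all hypothetical.

```python
import re
from dataclasses import dataclass

# Hypothetical roles: each role lists only the operations its function needs.
ROLE_PERMISSIONS = {
    "invoice-reader": {("GET", "/invoices/{id}")},
    "invoice-writer": {("GET", "/invoices/{id}"), ("POST", "/invoices")},
}

# Hypothetical API identities, managed like user accounts: one narrow role each,
# and no shared administrator role.
API_IDENTITIES = {
    "billing-frontend": "invoice-reader",
    "billing-batch": "invoice-writer",
}

# Context rules enforced by the downstream API: the exact parameters an
# operation may carry and the format each one must match.
CALL_CONTEXT = {
    ("GET", "/invoices/{id}"): {
        "id": re.compile(r"[0-9]{1,10}"),
        "tenant": re.compile(r"[a-z0-9-]{1,32}"),
    },
    ("POST", "/invoices"): {
        "tenant": re.compile(r"[a-z0-9-]{1,32}"),
        "amount_cents": re.compile(r"[0-9]{1,9}"),
    },
}


@dataclass(frozen=True)
class Call:
    caller: str          # authenticated identity of the calling API
    method: str
    route: str           # route template the request was matched to
    params: dict
    caller_tenant: str   # tenant bound to the caller's credential


def authorize(call):
    """Return (allowed, reason). Anything not explicitly permitted is denied."""
    role = API_IDENTITIES.get(call.caller)
    if role is None:
        return False, "unknown identity"
    operation = (call.method, call.route)
    if operation not in ROLE_PERMISSIONS.get(role, set()):
        return False, "operation not in role"
    rules = CALL_CONTEXT.get(operation)
    if rules is None:
        return False, "no context rule for operation"
    # The downstream API accepts exactly the expected parameters, nothing more.
    if set(call.params) != set(rules):
        return False, "unexpected or missing parameter"
    for name, pattern in rules.items():
        value = call.params[name]
        if not isinstance(value, str) or not pattern.fullmatch(value):
            return False, "parameter %s fails format" % name
    # Bind the request to the caller's own context, not to whatever it asks for.
    if call.params["tenant"] != call.caller_tenant:
        return False, "tenant mismatch"
    return True, "ok"


# Constructed sample calls: one legitimate, the rest showing what a misused
# or compromised API identity would be refused.
GET = ("GET", "/invoices/{id}")
SAMPLE_CALLS = [
    Call("billing-frontend", *GET, {"id": "1042", "tenant": "acme"}, "acme"),
    Call("billing-frontend", "POST", "/invoices",
         {"tenant": "acme", "amount_cents": "500"}, "acme"),
    Call("billing-frontend", *GET,
         {"id": "1042", "tenant": "acme", "export": "all"}, "acme"),
    Call("billing-frontend", *GET, {"id": "1042;all", "tenant": "acme"}, "acme"),
    Call("billing-frontend", *GET, {"id": "1042", "tenant": "other-co"}, "acme"),
    Call("legacy-admin", *GET, {"id": "1042", "tenant": "acme"}, "acme"),
]


def evaluate(calls):
    """Run each call through authorize() and collect (caller, allowed, reason)."""
    return [(c.caller,) + authorize(c) for c in calls]


if __name__ == "__main__":
    for caller, allowed, reason in evaluate(SAMPLE_CALLS):
        print("%-17s %-6s %s" % (caller, "ALLOW" if allowed else "DENY", reason))
```

Logging every denial with its reason gives monitoring a signal that an API identity is being pushed outside its normal function, which purely permission-based checks on an over-permissioned API would not produce.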
The threats leveled against APIs can certainly seem overwhelming. But by implementing best practices along with assisting and rewarding developers who become security champions, the situation can seem a lot less hopeless. With good training and practice, you can erect a robust security program that gives attackers little room to maneuver even if they should somehow compromise one of your tiny but essential API workhorses.
API security is tough, but with adequate training, planning and a focus on best practices, even the most insidious vulnerabilities can be mitigated.
Chief Executive Officer, Chairman, and Co-Founder
Pieter Danhieux is a globally recognized security expert, with over 12 years experience as a security consultant and 8 years as a Principal Instructor for SANS teaching offensive techniques on how to target and assess organizations, systems and individuals for security weaknesses. In 2016, he was recognized as one of the Coolest Tech people in Australia (Business Insider), awarded Cyber Security Professional of the Year (AISA - Australian Information Security Association) and holds GSE, CISSP, GCIH, GCFA, GSEC, GPEN, GWAPT, GCIA certifications.