top of page
©

Bad Guys Loves APIs!

Today’s global digital economy requires application programming interfaces (APIs) to connect application-based services to customers, consumers, partners, and employees. Legacy, modernised, and new applications are evolving towards API-based architectures to accelerate application development and reduce time-to-market. Moving application functionality closer to the customer to reduce friction is the beginning of decentralised and API-driven architectures.


Unfortunately, the efficiencies gained through APIs in Application Development are becoming overshadowed by the risk they introduce to an IT enterprise. Attackers have learned that compromising APIs is easy when they are lightly protected or not at all. No one would argue that APIs require secure practices, but there is no industry consensus on the best way to secure them.


The following are some of the top reasons APIs require more protection than they usually may receive:

 

API Vulnerabilities are Largely Unaddressed

A growing number of significant security breaches owing to poor API visibility and security occur and will continue for the foreseeable future. 

The race toward digitising organisations will put more inadequately protected APIs into production. Many organisations will attempt to solve API vulnerabilities through better design and coding, only to realize the same security failings as applications in general, partly because security is not a core competency for a typical application developer, and security teams may not be aware of all the third-party interconnections within their environment.

 

API Sprawl is Everywhere

The core of API sprawl is the lack of a holistic strategy that includes governance and best practices. Agile application development has led to multiple versions of the same API without the benefit of API version control. The move to microservices results in an app-comprising many dozens of APIs.

Unmanaged APIs create rogue, shadow, and zombie APIs. APIs will approach 2 billion by 2030, further exacerbating the problem…


API Gateways are Insufficient to Secure APIs in Complex Ecosystems

Operating in a distributed cloud environment is the norm today. However, using a dedicated API gateway as a single-entry point to control security has limitations, including single points of failure and performance degradation. Since API gateways today are a critical component of API infrastructure, it became evident that the proliferation of APIs increases the deployment of API gateways, leading to API gateway sprawl.

 

Web Application Firewalls (WAFs) Only Partially Protect APIs

Modern WAFs provide robust protection and security for API protocols, including GraphQL and gRPC, and provide a stop-gap for critical software vulnerabilities, but often they do not offer the necessary observability of APIs to detect advanced threats across hybrid and multi-cloud architectures. Many WAFs lack dynamic API discovery, automated detection and threat mitigation, testing, and OpenAPI document specification automation and enforcement capabilities.


So you may ask what should we do to protect them? Couple suggestions:

 

Leverage Regulations and Standards to Get Support for API Protection Projects:

Regulators have taken notice of the risk introduced by APIs and encouraged companies to mitigate their risk throughout their IT enterprises, including third parties. Governmental bodies are continuously issuing strong guidance to complying entities needing to protect APIs. From a Standards perspective, PCI DSS v4 requirement 6.3.2 requires API security, and NIST 800-95 Guide to Secure Web Services recommendation since 2007 – 800-24 Security Strategies for Microservices-based Application Systems specifies secure API management.

 

Focus on the Architecture

An API Security Architecture must consider integrating with a distributed IT enterprise, including multi-cloud, regional edges, and service tiers. The solution should be deployable to any hardware, virtualised environment, Docker, Kubernetes, etc. The solution must allow Security Policies to follow the API through its ecosystem. The

 

 

Final Thoughts

Attackers have long realised that APIs suffer the same security weaknesses as web applications, including weak authentication and authorisation controls. They have become adept at exploiting API vulnerabilities, abusing business logic, and creating zero-day exploits to access IT enterprises with little resistance.

Personal data is the property of the individual, not an application or service provider. The digital economy fuels open data sharing. APIs enable private, public, partner, and third-party data and services. APIs need to have privacy-preserving technologies applied to comply with data privacy regulations.

Deploying an API security solution requires infrastructure integration and connectors, some custom to deploy in an IT estate properly. Understanding the intricacies of deployment requires architectural planning. Selecting a solution that operates out of the box within an existing IT enterprise architecture reduces deployment time.




**Sources:

- Cloud Security Alliance (CSA) Reference Architecture (Version 2.0)

- (ISC)² CCSP certification exam materials

- 'AWS Certified Security Speciality' certification exam materials  

- 'Azure Security Technologies certification exam materials

- NCSC (National Cyber Security Centre); Cloud Security Principles

- Broad projects experience

- Online information

 

Comments


Commenting has been turned off.
©
bottom of page