Defending Against API Security Risks: A CISO's Guide
Web application security is nothing new. Since the dawn of the World Wide Web back in the 1990s, we’ve seen what can happen in terms of web vulnerabilities and their impact on businesses. Today’s web application environments are complex. From the underlying Web servers to the applications and database servers involved, there are many moving parts. These parts not only have to be properly configured and deployed from the get-go; they also must be well-maintained and managed so that security attacks can be detected and, ideally, prevented in the first place. All this complexity can serve as a distraction for internal technical staff as well as outsourced vendors and end up facilitating security exploits against your most critical business applications. Something that you don’t want to happen on your watch as the CISO. And this is just the traditional web side of things.
API Security Vulnerabilities You Don’t Want to Miss
Web API endpoints have a relatively small footprint compared to the overall web application environment. Still, they provide an entry point into critical parts of the application that can let attackers interact and manipulate things for ill-gotten gains. Some API exploits can facilitate attacks against users. Others can lead to full compromise of the web environment.
What’s often overlooked is the reality that APIs are often vulnerable to the same web flaws that have plagued web applications for the past three decades such as:
- Authentication manipulation – including attacks that allow for the bypassing of credentials
- User session manipulation – including the capture and reconnection of sessions outside of the intended channel
- Unauthorized access – including privilege escalation attacks permitting someone to do more than what’s intended
- SQL injection – including being able to interact with the database and even obtain a remote command prompt
- Security misconfiguration – including exploits against default web server configurations and TLS
- Denial-of-service (DoS) attacks – including taking the application or entire server offline
Many of the above vulnerabilities can be exploited by external hackers or malicious internal users and would likely fly under the radar of any security alerts. Evidence of malfeasance may not show up until it’s time to invoke the organization’s incident response plan, if ever.
Key API Security Tools to Help Minimize Risks
There’s a silver lining among the dark clouds of API security exploits. It’s the fact that enterprises are not helpless. As with standard web applications, a lot can be done in terms of prevention or at least minimization of the impact when attackers do attempt to exploit these vulnerabilities. As the CISO, others both inside and outside your organization are looking to you to take the appropriate steps for ensuring things stay in check.
Solutions to help uncover the vulnerabilities and minimize the API attack surface across the enterprise include:
- Traditional penetration testing tools – web proxies and various browser plug-ins are a great tool for uncovering vulnerabilities associated with authentication, session manipulation, and unauthorized access.
- API security testing tools – static application security testing (SAST), dynamic application security testing (DAST), and interactive application security testing (IAST), tools such as web vulnerability scanners especially those that have dedicated API testing capabilities can often find more and better API related vulnerabilities than manual testing alone.
- API security gateways – mediators between client endpoints and backend API services that can also monitor and log API transactions and alert on potential threats.
- Web application firewalls (WAFs) – controls that work at the application layer (layer 7 of the OSI model) looking for and blocking specific application and API exploits.
- Developer training and shifting testing further left within the software development lifecycle – getting those responsible for building secure code better educated and involved earlier on in the process.
The important thing is to perform proper and ongoing web security assessments so that these challenges can be acknowledged and, therefore, at least partially mitigated if not resolved completely. You cannot secure the things that you don’t acknowledge so fully understanding the level of risk of your application and API environment is key.
Moving Forward with API Security
APIs are often overlooked in terms of security testing and oversight. This oversight sometimes happens in the scoping phase of vulnerability and penetration testing. Either the party doing the testing, or the system owner doesn’t think about whether a published API even exists. Some development and security teams fail to bring web APIs under the same umbrella of their security standards. Another scenario is when web API security testing is performed but it wasn’t properly tested from all appropriate angles using the right tools. Still, other times, the assumption is that web APIs can be skipped altogether because they’re not highly visible or don’t offer up much in terms of attack surface or value. The worst situation is when APIs are not adequately monitored as part of the organization’s overall security initiatives. When exploits occur, no one ever knows about it. These are all dangerous approaches that can, obviously, lead to unwanted events.
All these oversights can create a false sense that the web environment is secure. The work was performed. Money was spent. The box was checked. Yet, still, not every part of the system was evaluated and monitored for security weaknesses then or on an ongoing basis. It’s like how a doctor might not order the proper blood work or radiology tests for an ailing patient. Certain work was done, and the patient gets a clean bill of health, but unidentified disorder or disease is still lurking because of a simple oversight. The suffering continues.
As APIs become more pervasive throughout the enterprise, it’s important to bring them into ongoing security discussions. There are too many things that can happen and there’s simply too much to lose. Proactive threat modeling and security standards should apply to APIs as much as they do to other web application components. Standards such as the OWASP API Security Project should be integrated into your development lifecycle. Ditto for proactive security testing and system monitoring and alerting – across the entire lifecycle of the application. If an API exists, it needs to be in scope for oversight and scrutiny. Anything else is likely not enough and may just facilitate that exploit that you’ve invested so much time, money, and effort in preventing to this point. As your organization’s security leader, take action now on your terms before you’re forced to on someone else’s.
Kevin Beaver, CISSP is an independent information security consultant, writer, and professional speaker with Atlanta, GA-based Principle Logic, LLC. With over 34 years in IT and 28 years in security, Kevin specializes in vulnerability and penetration testing, security program reviews, and virtual CISO consulting work to help businesses uncheck the boxes that are creating a false sense of security. He has written 12 books on security including the best-selling Hacking For Dummies (currently in its 7th edition) and The Practical Guide to HIPAA Privacy and Security Compliance (currently in its 2nd edition). Kevin has written over 1,300 articles on security and regularly contributes to various TechTarget sites including SearchSecurity.com. He has a bachelor’s in Computer Engineering Technology from Southern College of Technology and a master’s in Management of Technology from Georgia Tech.