Evolution of API Security

Aashish Pathak
Google Cloud - Community
7 min read · Sep 29, 2022

Application Programming Interfaces, or APIs, came into existence a couple of decades ago, born from the need for two different software systems to interact. APIs started gaining attention when web applications became popular. Today, a growing number of an organization’s business models and channels are based on secure access to functionality and the exchange of their data. Turning an organization or business into a platform in this way is what is referred to today as the API economy. The likes of Google, Microsoft, Facebook, Twitter, etc. built an interconnected world that created an explosion of data. In this age of the Internet, data is everything. Whoever owns the data can generate millions of dollars out of it. How? By exposing this data to consumers via APIs and charging for its usage. As a result, there is a need to protect APIs from unauthorized and unsolicited access.

The security of APIs is important to protect the organization’s data that is exposed to consumers. As APIs have evolved, their security has evolved as well. This article traces the evolution of API security by covering the history of API security, its current state, modern API security threats, and the use of Machine Learning techniques for API security.

History of API Security

From RPC in the 1960s through CORBA and Java RMI to today’s APIs, the need for APIs has been evident. SOAP Web Services soon took control, and XML became the obvious choice in the Service Oriented era of 2000–2010. The modern APIs, aka REST APIs, came into existence with Roy Fielding’s dissertation and became the backbone of the world wide web in the 2010s, widely called web APIs. In 2020, yet another API style came into existence called GraphQL, an open-source API standard project. It became very popular among Web App Developers as it gives them control over the data they fetch.

As these API styles changed over time, API security saw major changes too. In SOAP Web Services, security was enforced within the message itself, keeping the transport layer completely decoupled: SOAP messages carried digital signatures and encrypted data. This approach soon fell out of favor, as it remained tied to legacy systems without evolving.

With the advent of REST, access control rules started governing API security. In REST, access to a resource is governed by its URI and the HTTP verb (GET/POST/PUT/DELETE), so middleware software can express access control rules in those terms. This worked well until GraphQL came into existence. In GraphQL, there is a single fixed URI (/resource), and the Web App Developer writes the query that selects the data to fetch. Therefore, typical URI- and verb-based access control rules are no longer relevant at GraphQL API endpoints.
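To make the difference concrete, here is an added example (mine, not from the article or from any Apigee or GraphQL project) contrasting a REST-style rule table keyed on verb and URI with the field-level authorization a GraphQL resolver layer has to perform instead, because every GraphQL query arrives at the same URI. The roles, the /employees resources, the employee schema with name and salary fields, the sample data and the tiny query parser are all assumptions for illustration.

```python
# Added example: REST path/verb access control vs. GraphQL field-level authorization.
# Assumptions (not from the article): roles "reader"/"admin", /employees resources,
# an "employee" schema with "name" and "salary" fields, in-memory sample data.
import re

# --- REST: middleware decides on (HTTP verb, URI pattern) ---------------------
REST_RULES = [
    # (verb, URI regex, roles allowed)
    ("GET",    r"^/employees(/\d+)?$", {"reader", "admin"}),
    ("POST",   r"^/employees$",        {"admin"}),
    ("PUT",    r"^/employees/\d+$",    {"admin"}),
    ("DELETE", r"^/employees/\d+$",    {"admin"}),
]

def rest_allowed(verb, uri, role):
    """Default deny: allow only if some rule matches the verb+URI and lists the role."""
    for rule_verb, pattern, roles in REST_RULES:
        if rule_verb == verb and re.match(pattern, uri):
            return role in roles
    return False

# --- GraphQL: one URI for everything, so the verb/URI carries no signal -------
# Every query below is POST /graphql; the sensitive part is *which fields* it
# selects, so authorization moves into the resolver layer, per field.
FIELD_ROLES = {
    "employee.name":   {"reader", "admin"},
    "employee.salary": {"admin"},
}

EMPLOYEES = {1: {"name": "Alice", "salary": 100000}}  # constructed sample data

def parse_fields(query):
    """Minimal parser for '{ employee(id: N) { field field ... } }'.
    Returns (id, [fields]). A real server uses a full GraphQL parser."""
    m = re.search(r"employee\s*\(\s*id:\s*(\d+)\s*\)\s*\{([^}]*)\}", query)
    if not m:
        raise ValueError("unsupported query shape")
    return int(m.group(1)), m.group(2).split()

def graphql_resolve(query, role):
    """Resolve only the fields the role may read; report the rest as errors,
    following GraphQL's partial-data-plus-errors convention."""
    emp_id, selected = parse_fields(query)
    emp = EMPLOYEES.get(emp_id)
    data, errors = {}, []
    for f in selected:
        if role not in FIELD_ROLES.get(f"employee.{f}", set()):
            errors.append(f"not authorized for field {f}")  # unknown fields are denied too
        elif emp is not None:
            data[f] = emp[f]
    return {"data": data, "errors": errors}

if __name__ == "__main__":
    print(rest_allowed("DELETE", "/employees/1", "reader"))  # False
    print(graphql_resolve("{ employee(id: 1) { name salary } }", "reader"))
```

The REST table is something a gateway or middleware can evaluate without understanding the payload; the GraphQL case cannot be decided from the URI at all, so the rule has to live next to the data being resolved.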

However, REST and GraphQL are going to co-exist, as using both is an increasingly obvious choice.

Current State of API Security

The API economy has grown enormously in the last few years. One of the catalysts for this growth was mobile application development, i.e. apps. The growth of mobile applications started with B2C, and now we are seeing massive growth in the B2B space as well. With this growth comes the need to provide comprehensive security for APIs. Given the diversified portfolio of APIs, security practices also need to evolve and consider the unique needs of API usage across mobile, voice and other emerging applications. API management is playing a crucial role in bringing these diversified APIs onto a single platform.

The traditional security measures for APIs focus on API access: authorization, authentication, rate limiting and network security. Soon, all of them became core security features of API management platforms. API management platforms started integrating with identity federation tools and enforcing proper transport layer security, with TLS/SSL certificate verification by default. Today, API management platforms support advanced security measures like JWT/JWE verification and OAuth 2.0, alongside older ones including OAuth 1.0, Basic Authentication and IP whitelisting. API management tools also bring standardization to API security through API products: you can bundle APIs into an API product and apply the security policy to the product as a whole.
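As an added example (not from the article or from Apigee), the following shows what a gateway’s JWT verification policy has to check before a request is allowed through to the backend: token structure, the pinned algorithm, the HMAC signature, expiry, issuer and audience. The HS256 shared secret, the issuer https://idp.example.com and the audience orders-api are constructed values; a production deployment would normally verify asymmetric signatures with keys fetched from the identity provider, but the order of checks is the same.

```python
# Added example: what a gateway's "verify JWT" policy checks (HS256 variant).
# Assumptions (not from the article): a shared HMAC secret, expected issuer
# and audience; all values are constructed for the demonstration.
import base64, hashlib, hmac, json, time
from typing import Optional, Tuple

SECRET = b"constructed-demo-secret-do-not-reuse"
EXPECTED_ISS = "https://idp.example.com"
EXPECTED_AUD = "orders-api"

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def mint_token(claims, secret=SECRET, alg="HS256"):
    """Issue a token the way a test identity provider would (used to build inputs)."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def verify_token(token, now: Optional[float] = None):
    """Return the claims if acceptable, else raise ValueError.
    Order: structure -> pinned alg -> signature -> exp/nbf -> iss -> aud."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm server-side; never let the token's own 'alg' pick the check.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(SECRET, signing_input, hashlib.sha256).digest()
    # Constant-time comparison so the check does not leak through timing.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))  # trusted only after the signature check
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("expired")
    if now < claims.get("nbf", 0):
        raise ValueError("not yet valid")
    if claims.get("iss") != EXPECTED_ISS:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if not (aud == EXPECTED_AUD or (isinstance(aud, list) and EXPECTED_AUD in aud)):
        raise ValueError("wrong audience")
    return claims

def gateway_decision(token, now: Optional[float] = None) -> Tuple[int, str]:
    """Map the verification outcome to the HTTP status a gateway would return."""
    try:
        claims = verify_token(token, now)
        return 200, f"ok sub={claims.get('sub')}"
    except ValueError as e:
        return 401, str(e)

if __name__ == "__main__":
    tok = mint_token({"sub": "app-42", "iss": EXPECTED_ISS, "aud": EXPECTED_AUD,
                      "exp": int(time.time()) + 300})
    print(gateway_decision(tok))
```

Two details matter most for a policy like this: the algorithm is fixed by the gateway rather than read from the token, and the payload is only parsed and trusted after the signature has been verified, so an altered or re-signed payload is rejected before any claim is looked at.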

Another approach the industry has seen is a WAF (Web Application Firewall) sitting in front of the API gateway. A WAF can filter API traffic before it even reaches the API gateway, based on configured rules covering IP intelligence, the OWASP Top 10 and malicious bot detection.

Currently, at Blue Altair, with a strong 6+ year partnership with Google (Apigee), we are using Apigee’s robust security policies, and we have built multiple accelerators which are reusable and extensible as per requirements. For our banking clients, we have prebuilt encryption and decryption logic which can be readily integrated into the API flow. At the same time, a number of other security frameworks have been created using the shared flows feature of Apigee.

Modern Threats to APIs

Traditional security mechanisms, including authorization, authentication, rate limiting and network security, are powerful tools but not comprehensive solutions for addressing API-specific denial of service (DoS), application, data and login attacks. APIs face a myriad of threats today. API-driven digital transformation is an attractive target for black hat hackers seeking access to corporate data, sensitive information and business applications.

Broken authentication is a type of attack in which hackers probe an environment and then execute attacks to bypass authentication or defeat login systems. APIs are typically created using off-the-shelf proxy software and published as-is on GitHub for anyone to take. This is a starting point for hackers, as they can then predict the different API endpoints and explore the environment. Hackers can even steal tokens and credentials using man-in-the-middle attacks.

API DDoS attacks are unlike volume-based DDoS attacks. They are often executed by multiple clients each sending traffic to overload an API service. Since each client sends normal traffic volumes, these attacks are difficult to detect without analyzing the aggregate traffic rate on each unique API service. Sophisticated hackers can even learn the allowed rates and keep their traffic within limits. The main aim of DDoS attacks is typically to make applications unserviceable or to generate high computation costs, especially if the servers are in the cloud on a consumption-based model.
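The detection gap described above can be shown with a few lines of Python over constructed gateway log lines (an added example, not from the article): fifty clients each stay under an assumed per-client quota, so a per-client rate limiter sees nothing wrong, while the aggregate count per API service per window is far above its baseline. The log format, the quota, the baseline and the sample traffic are all assumptions made for the demonstration.

```python
# Added example: detecting a distributed "low and slow" API DDoS from gateway logs.
# Assumptions (not from the article): log line format
# "<epoch> <client_id> <api_service> <status>", a 60 s window, a per-client quota
# of 30/window, a per-service baseline of 200/window, and constructed sample traffic.
from collections import defaultdict

WINDOW = 60               # seconds per bucket
PER_CLIENT_LIMIT = 30     # assumed per-client quota per window
SERVICE_BASELINE = 200    # assumed normal aggregate per service per window

def make_sample_log(n_clients=50, per_client=25, start=1_700_000_040):
    """Constructed sample: n_clients clients each send per_client requests to
    'orders-api' within one window (each under the quota), plus light normal
    traffic to 'catalog-api' from three partners. 'start' is window-aligned."""
    lines = []
    for c in range(n_clients):
        for i in range(per_client):
            ts = start + (i * WINDOW) // per_client        # spread over the window
            lines.append(f"{ts} client-{c:03d} orders-api 200")
    for c in range(3):
        for i in range(10):
            lines.append(f"{start + i * 6} partner-{c} catalog-api 200")
    return lines

def parse(line):
    ts, client, service, status = line.split()
    return int(ts), client, service, int(status)

def analyse(lines, window=WINDOW):
    """Bucket requests into fixed windows: counts per (window, service, client)
    and per (window, service)."""
    per_client = defaultdict(int)
    per_service = defaultdict(int)
    for line in lines:
        ts, client, service, _ = parse(line)
        w = ts // window
        per_client[(w, service, client)] += 1
        per_service[(w, service)] += 1
    return per_client, per_service

def clients_over_quota(per_client, limit=PER_CLIENT_LIMIT):
    """What a per-client rate limiter sees: clients exceeding their quota."""
    return sorted({c for (w, s, c), n in per_client.items() if n > limit})

def services_flooded(per_service, baseline=SERVICE_BASELINE, factor=2.0):
    """The aggregate view: services whose window total exceeds factor x baseline."""
    return sorted({s for (w, s), n in per_service.items() if n > baseline * factor})

def distinct_clients(per_client, service):
    """How many distinct clients contributed to a service (all windows)."""
    return len({c for (w, s, c) in per_client if s == service})

if __name__ == "__main__":
    pc, ps = analyse(make_sample_log())
    print("over quota:", clients_over_quota(pc))      # []
    print("flooded:", services_flooded(ps))           # ['orders-api']
```

The per-service baseline is the piece a plain rate limiter lacks; in practice it would be learned from historical traffic per API product rather than set as a constant, which is exactly where the behavioural approaches discussed later come in.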

Application and data attacks include the use of compromised credentials. Today, with open APIs and digital transformation initiatives, this often means giving partners access to applications and data through APIs using their own corporate credentials. Little to no immediate knowledge of when employees leave one of these partner organizations poses a great threat to data and applications. Since attackers with compromised credentials look like valid clients, API management tools have no way to filter legitimate requests from rogue ones.

Machine Learning and API Security

As discussed earlier, to tackle these intelligent cyber-attacks, there must be a comprehensive security solution that requires not only security capabilities but also anomaly detection ability. Artificial Intelligence and Machine Learning are excellent tools for developing such comprehensive and intelligent capabilities and can be used to manage challenging and emerging security threats. With the self-learning cognitive capabilities of AI and ML, security models can be developed to identify and flag anomalous behavior and malicious data trends, leading to the blocking of API attacks and abnormal behavioral patterns under various environments and circumstances. Thus, it adds a continuous learning capability to APIs, and anomalous behavior is flagged without prior knowledge of the attack or a written policy.

With API management tools in place, an API consumer’s behavior and resource utilization data are readily available. Organizations must understand real-time consumer behavior from existing information such as platform logging. Machine learning capabilities help us classify positive against negative patterns. Various Machine Learning models such as Naïve Bayes, Decision Tree, Random Forest, Support Vector Machine, Deep Learning and Neural Networks are recommended and are being used in API security. We must have proper tools and services in place to host these machine learning models, and the models need to be trained on multiple APIs across different service providers.
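To show how such classification works on the data an API management platform already logs, here is an added example (not from the article, Apigee or Cloud Armor) of a Gaussian Naive Bayes classifier, one of the models named above, trained on per-consumer feature vectors (requests per minute, error ratio, distinct endpoints) labelled normal or abusive, then applied to features extracted from constructed log lines. The features, the training rows, the labels and the log format are assumptions; a real deployment would train on the platform’s own history across many APIs, as the paragraph says.

```python
# Added example: a Gaussian Naive Bayes classifier (one of the models named above)
# that separates normal from abusive API-consumer behaviour using features an
# API management platform's logs already provide.
# Assumptions (not from the article): the three features, the constructed training
# rows and labels, and the constructed log format "<client> <endpoint> <status>".
import math
from collections import defaultdict
from statistics import mean, pvariance

# Feature vector per consumer per one-minute window:
# (requests per minute, error ratio [status >= 400], distinct endpoints)
NORMAL = [(18, 0.01, 4), (22, 0.03, 5), (20, 0.02, 6), (25, 0.00, 5), (15, 0.04, 3), (21, 0.02, 4)]
ABUSIVE = [(180, 0.55, 35), (220, 0.70, 45), (200, 0.60, 40), (250, 0.65, 50), (170, 0.50, 30), (210, 0.62, 42)]

class GaussianNB:
    """Per-class Gaussian per feature; predicts the class with the highest log posterior."""
    def __init__(self, var_floor=1e-6):
        self.var_floor = var_floor          # keeps a constant feature from giving var = 0
        self.params = {}                    # label -> (log prior, [(mean, var), ...])

    def fit(self, rows_by_label):
        total = sum(len(rows) for rows in rows_by_label.values())
        for label, rows in rows_by_label.items():
            columns = list(zip(*rows))
            stats = [(mean(col), pvariance(col) + self.var_floor) for col in columns]
            self.params[label] = (math.log(len(rows) / total), stats)
        return self

    def log_posterior(self, x):
        """Unnormalised log P(label | x) for every label, computed in log space."""
        out = {}
        for label, (log_prior, stats) in self.params.items():
            ll = log_prior
            for xi, (mu, var) in zip(x, stats):
                ll += -0.5 * math.log(2 * math.pi * var) - (xi - mu) ** 2 / (2 * var)
            out[label] = ll
        return out

    def predict(self, x):
        lp = self.log_posterior(x)
        return max(lp, key=lp.get)

def features_from_log(lines, window_minutes=1):
    """One feature vector per client from the log lines of a single window."""
    by_client = defaultdict(list)
    for line in lines:
        client, endpoint, status = line.split()
        by_client[client].append((endpoint, int(status)))
    feats = {}
    for client, reqs in by_client.items():
        n = len(reqs)
        errors = sum(1 for _, s in reqs if s >= 400)
        feats[client] = (n / window_minutes, errors / n, len({e for e, _ in reqs}))
    return feats

def sample_log():
    """Constructed one-minute window: a well-behaved app, and a client hitting
    hundreds of distinct endpoints with mostly failed requests."""
    lines = [f"app-7 /v1/orders/{i % 4} 200" for i in range(20)]
    lines += [f"bot-1 /v1/users/{i} {401 if i % 3 else 200}" for i in range(210)]
    return lines

def train_model():
    return GaussianNB().fit({"normal": NORMAL, "abusive": ABUSIVE})

if __name__ == "__main__":
    model = train_model()
    for client, x in features_from_log(sample_log()).items():
        print(client, x, "->", model.predict(x))
```

The point of working in log space is that the Gaussian densities for a far-off feature value underflow to zero as plain probabilities; summing log densities keeps the comparison between classes meaningful even when one feature is wildly outside anything seen in training, which is precisely the case for the abusive consumer.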

Cloud Armor is a solution provided as a service by Google which works seamlessly with Apigee to protect APIs from these modern threats using ML-based mechanisms.

Summary

With all these tools and technologies, enterprises are leveraging smart learning and cognitive capabilities to transform their business models. Along with the traditional ways of securing APIs, API behavioral security is the need of today’s rapidly changing technology world. We can conclude that API security is the most important need of today, and ML/AI are being used as effective and intelligent tools for achieving API security at various layers. However, more research and development effort is required to tackle some of the compliance and standardization issues.

In the next post, I will walk you through the implementation of Apigee’s security policies and complement it with Cloud Armor, GCP’s ML-based service.

References

How to Automate API Security? A white paper published on September 13, 2019, by Data Theorem.

The Evolving API Security Landscape. A white paper by Kin Lane, published on October 03, 2019, by Ping Identity Corporation.

API Security in the Enterprise. A white paper published in September 2017 by 42Crunch together with APIdays and Platformable.

Roy Fielding, Architectural Styles and the Design of Network-based Software Architectures. Doctoral dissertation, 2000.

Sr Manager API management & integration at Blue Altair. Apigee Engineer certified; Backend development-Java, Python, Ruby; Frontend development-Angular JS