So you have an API vulnerability. What does that mean and what can be done?

Sophie McKay
Traceable and True
Jul 18, 2023

Let’s begin with a little introduction to APIs, their use within the current climate, and the dangers of an insecure API.

At the turn of the century, the modern API was born. Salesforce, a software company providing customer relationship management software, created its first API in February 2000 to share data across their different business applications to reduce friction within the business. This API was shortly followed by eBay and Amazon with their own APIs which allowed customers of e-commerce websites to view products and services all on one website by interfacing with partners and third-party sellers’ inventories.

Because APIs are so useful, their userbase has grown immensely, even just in the last five years. According to the API platform Postman, in January 2017, 3.1 million API collections were published on their site. This number jumped to 38 million in 2022, over a 1,000% increase in API collection publications. To further emphasise the grip that APIs have on the current market, the internet security company Akamai stated that over 83% of all internet traffic comes from API-based services.

With the scope of API usage being almost the entire internet, it's no surprise that APIs have quickly become a target of cyber attacks. According to Noname in their 2022 report, 41% of organisations had an incident involving insecure APIs in the last year. These attacks can cause massive financial losses, with annual losses of $41 to $73 billion reported in 2022 due to poor API security. Of these insecure API attacks, 63% involved a data breach or data loss, which can have further consequences such as loss of customer trust and thus a further loss of revenue.

No one is immune to these attacks, with companies such as Experian, Peloton, and LinkedIn being affected by API-focused attacks in 2021 alone. Even within the past few months Optus, the second-largest telecommunications company in Australia, was hit with a massive API attack. This was due to an API endpoint accepting unauthenticated traffic, allowing the attacker to directly access the entire customer database and obtain 11.2 million customer records and 3.6 million driver's licence numbers, detailing names, dates of birth, email addresses, phone numbers, home addresses, and passport numbers.

So you understand the prevalence of APIs and the dangers of an insecure API. What can be done to secure these critical components?

API security can be an overwhelming topic, with terms like REST API security and SOAP API security thrown around a lot. The best way to break down the vast expanse of API security is to look at OWASP. The Open Web Application Security Project, or OWASP, is a non-profit organisation that aims to improve web application security. In 2019, OWASP released a Top 10 for the risks surrounding API security, which is a great place to start learning about the topic. We have even written some blog posts concerning different risks on the Top 10. This Top 10 can narrow down the scope of what is most critical to fix.

But what do you specifically need to fix? Although the API Top 10 from OWASP can give a good baseline and good understanding of the subject, how do you know what applies to you or not? A good place to start is API data detection, such as Darkspark, or API security testing. With detection, you can see what data you are passing and can minimise the amount of sensitive data being passed, thus condensing the attack vector. Testing will allow you to mimic potential attacks against your APIs, giving a comprehensive look at what is vulnerable.
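To make the detection step concrete, here is an added example (not code from the original post, and not Darkspark's or any other product's code) that walks a JSON API response, flags fields that look like personal data by key name or by value pattern, and then produces the minimised view that the post recommends. The sample response, the key list and the allowed-field set are all constructed for this demo.

```python
import json
import re

# Constructed sample: a JSON body returned by a hypothetical customer lookup
# endpoint, representing the kind of over-exposed record the post describes.
SAMPLE_RESPONSE = json.dumps({
    "id": 1042,
    "name": "Jane Example",
    "contact": "jane@example.com",        # innocuous key, sensitive value
    "phone": "+61 400 000 000",
    "date_of_birth": "1990-01-01",
    "drivers_licence": "12345678",
    "address": {"street": "1 Example St", "city": "Sydney"},
    "loyalty_points": 120,
})

# Key names that indicate personal data (assumption: a small demo list; a real
# deployment would tune this to its own schema).
SENSITIVE_KEYS = {
    "email", "phone", "date_of_birth", "dob", "drivers_licence",
    "driver_license", "passport", "address", "ssn",
}

# Value patterns that catch personal data even when the key name is innocuous.
VALUE_PATTERNS = {
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$"),
    "phone": re.compile(r"^\+?[\d\s()-]{8,}$"),
    "date": re.compile(r"^\d{4}-\d{2}-\d{2}$"),
}


def find_sensitive(obj, path=""):
    """Walk a decoded JSON object and return (path, reason) pairs for every
    field that looks like personal data, by key name or by value pattern."""
    findings = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            child = f"{path}.{key}" if path else key
            if key.lower() in SENSITIVE_KEYS:
                # Whole subtree is sensitive; no need to descend further.
                findings.append((child, f"key '{key}'"))
                continue
            findings.extend(find_sensitive(value, child))
    elif isinstance(obj, list):
        for i, item in enumerate(obj):
            findings.extend(find_sensitive(item, f"{path}[{i}]"))
    elif isinstance(obj, str):
        for label, pattern in VALUE_PATTERNS.items():
            if pattern.match(obj):
                findings.append((path, f"value matches {label}"))
                break
    return findings


def minimise(obj, allowed):
    """Return a copy of the response keeping only the top-level keys in
    `allowed`: the data-minimisation step that shrinks what an API exposes."""
    return {k: v for k, v in obj.items() if k in allowed}


def scan_response(body, allowed=("id", "name", "loyalty_points")):
    """Decode a response body and return (findings, minimised_response)."""
    data = json.loads(body)
    return find_sensitive(data), minimise(data, set(allowed))


if __name__ == "__main__":
    findings, reduced = scan_response(SAMPLE_RESPONSE)
    for field_path, reason in findings:
        print(f"sensitive field at {field_path}: {reason}")
    print("minimised response:", json.dumps(reduced))
```

Running this against the constructed sample reports five sensitive fields (four by key name and one, `contact`, by its email-shaped value) and returns a response containing only `id`, `name` and `loyalty_points`. The same walk can be run over captured responses from a staging environment to build an inventory of which endpoints leak which data classes before deciding what to strip.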

Either detection or testing is a great start to fortifying your APIs against possible attackers and is less intimidating than going at it alone. APIs and API security are vast and growing topics, so feel free to reach out to learn more about any API security best practices.

Originally published at https://bycontxt.com on November 28, 2023.

Sources:

https://www.cpomagazine.com/cyber-security/cybersecurity-incidents-from-poor-api-security-cost-businesses-75-billion-annually/
