Over the last decade, software architecture has made a major shift. Developers are taking a more modular approach, breaking tasks down into individual microservices rather than building monolithic applications. On the one hand, this can help speed software to market at lower cost and with better functionality. Because developers can lean on third-party APIs to provide standard functionality, they can focus on the new content of their own app instead of starting from scratch. On the other hand, this comes with new security risks.
As always, attackers are following the trajectory of software development. As the applications between them and the sensitive data they are trying to access shift to an API model, attackers are adapting: they are incorporating attacks aimed specifically at API models. This can lead to widespread issues. The Equifax breach in 2017, traced back to a Struts vulnerability, brought API security to the forefront. Since then, organizations as prominent as the RSA conference, the United States Postal Service, Facebook, and Venmo have been the targets of data breaches thanks to vulnerable APIs. Companies that develop or use software based on APIs need to know the major categories of API vulnerabilities and learn what they can do to keep the data behind those APIs secure.
API Security Issues to Consider
API security concerns are important enough that OWASP has released a list of its Top Ten security issues in APIs. It provides a good general overview of flaws that are common in APIs, and what the ramifications of those issues can be. To look in more detail at flaws that are causing real security problems, consider these common vulnerabilities in the design and implementation of modern APIs:
Insufficient Security Configuration
Much of the advantage of the API model comes from being able to build on existing code components. But third-party code is probably not secure out of the box. Implementing a framework may be the right choice in many cases, but it requires thoughtful consideration of its security as well as knowledge of what security measures have to be configured and added to ensure sufficient data protection. Security configuration should also take into account how the API will be used; often, security controls on an API can be customized to better fit how it will be used in real life.
Authentication and Authorization
Many APIs accept and release information when a properly formed request comes in, without checking whether it is properly authenticated or has the correct authorization. By intercepting traffic, analyzing application code or packages, or possibly from public documentation, an attacker can figure out the syntax of the API. Without authentication and authorization controls, this lets an attacker expose sensitive information, access privileged functionality, or sometimes run unauthorized code on the system.
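The two missing checks described above, as an added example that is not part of the original article: a minimal in-memory account-lookup handler, first with no identity check at all and then with authentication of the caller followed by authorization for the specific object requested. The session store, accounts and tokens are constructed sample data, not from any real system.

```python
# Added example (not from the original article): authenticate the caller,
# then authorize them for the particular object they asked for.
# All tokens, users and accounts below are constructed sample data.
from dataclasses import dataclass
from typing import Optional

# Constructed session store: bearer token -> authenticated user id
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}

# Constructed data store: account id -> (owner, balance)
ACCOUNTS = {
    "acct-1001": ("alice", 250.0),
    "acct-2002": ("bob", 90.0),
}

@dataclass
class Response:
    status: int
    body: dict

def get_account_insecure(account_id: str) -> Response:
    """Vulnerable: answers any well-formed request; no identity check at all."""
    if account_id not in ACCOUNTS:
        return Response(404, {"error": "not found"})
    owner, balance = ACCOUNTS[account_id]
    return Response(200, {"account": account_id, "owner": owner, "balance": balance})

def get_account_secure(account_id: str, auth_header: Optional[str]) -> Response:
    """Hardened: authenticate the token, then authorize it for this object."""
    # Step 1: authentication - who is calling?
    if not auth_header or not auth_header.startswith("Bearer "):
        return Response(401, {"error": "authentication required"})
    user = SESSIONS.get(auth_header[len("Bearer "):])
    if user is None:
        return Response(401, {"error": "invalid token"})
    # Step 2: authorization - may this caller see this particular account?
    # Answer 404 rather than 403 so valid account ids cannot be enumerated.
    record = ACCOUNTS.get(account_id)
    if record is None or record[0] != user:
        return Response(404, {"error": "not found"})
    owner, balance = record
    return Response(200, {"account": account_id, "owner": owner, "balance": balance})

if __name__ == "__main__":
    # bob asks for alice's account: the insecure handler leaks it, the secure one does not
    print(get_account_insecure("acct-1001"))
    print(get_account_secure("acct-1001", "Bearer tok-bob"))
    print(get_account_secure("acct-2002", "Bearer tok-bob"))
```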
Like other types of code, APIs suffer from several kinds of input validation errors that can lead to remote code execution, data exposure, privilege escalation, or denial of service.
Classically, input validation is associated with SQL injection. That is still an issue; vulnerable APIs can allow attackers to access or tamper with data by executing arbitrary SQL or NoSQL database commands through API calls. However, that is not the only input validation issue to consider. XML injection is still an issue among some APIs, allowing attackers to craft malicious XML that leads to data compromise or code execution. Furthermore, APIs that handle serialized data can be vulnerable to deserialization attacks. Programming languages often contain powerful serialization and deserialization capabilities, but those features can also lead to critical security flaws if they are used without regard for secure coding practices.
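The SQL injection case from the paragraph above, as an added example that is not part of the original article: an API lookup that splices a caller-supplied username into the query text, beside the parameterized form that binds it as a value. It uses an in-memory SQLite database with constructed sample rows; the table, rows and test input are assumptions made for the illustration.

```python
# Added example (not from the original article): the SQL injection path in an
# API that looks a record up by a caller-supplied identifier, with the
# vulnerable query beside its parameterized replacement.
import sqlite3

def build_db() -> sqlite3.Connection:
    """Constructed sample data: a small users table with a private column."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT, api_key TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "alice@example.test", "key-alice-1"),
         ("bob", "bob@example.test", "key-bob-2")],
    )
    return conn

def lookup_insecure(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable: the API parameter is spliced into the SQL text, so the
    database cannot tell data from command."""
    sql = "SELECT username, email FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()

def lookup_secure(conn: sqlite3.Connection, username: str) -> list:
    """Hardened: the parameter travels separately as a bound value; whatever
    it contains is compared as a string, never parsed as SQL."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

# Constructed test input: a value that closes the quoted literal and
# appends an always-true condition, so the WHERE filter no longer filters.
TAUTOLOGY = "nobody' OR '1'='1"

if __name__ == "__main__":
    conn = build_db()
    print(lookup_insecure(conn, "alice"))      # one row, as intended
    print(lookup_insecure(conn, TAUTOLOGY))    # every row: the filter was bypassed
    print(lookup_secure(conn, TAUTOLOGY))      # no rows: no user has that literal name
```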
Insufficient logging of API activity is also a common security issue. If an API is being explored by a potential attacker, useful logging on the back end helps the security team monitor the API and identify that anomalous activity more quickly. They can then secure the API and thwart the attacker before more damage is done, which is not possible if insufficient forensic information is being saved and analyzed.
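The kind of signal that back-end logging gives a security team, as an added example that is not part of the original article: a small detection pass over constructed API access-log lines that flags a client collecting authentication and authorization failures across many distinct endpoints. The log format, the sample lines and the thresholds are assumptions for the illustration, not any product's own rules.

```python
# Added example (not from the original article): spot one client mapping an
# API by counting denied responses and distinct paths per client.
from collections import defaultdict
from typing import Dict, List

# Constructed sample log, one request per line: "client_ip method path status"
SAMPLE_LOG = """\
203.0.113.10 GET /api/v1/users/1 200
203.0.113.10 GET /api/v1/users/2 403
203.0.113.10 GET /api/v1/users/3 403
203.0.113.10 GET /api/v1/admin 401
203.0.113.10 GET /api/v1/export 404
203.0.113.10 GET /api/v1/internal 404
198.51.100.7 GET /api/v1/users/7 200
198.51.100.7 POST /api/v1/orders 201
"""

# Status codes that mean "the caller asked for something it could not have"
DENIED = {401, 403, 404}

def summarize(log_text: str) -> Dict[str, dict]:
    """Per client: total requests, denied responses, distinct paths touched."""
    stats = defaultdict(lambda: {"requests": 0, "denied": 0, "paths": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ip, _method, path, status = line.split()
        entry = stats[ip]
        entry["requests"] += 1
        entry["paths"].add(path)
        if int(status) in DENIED:
            entry["denied"] += 1
    return stats

def flag_probing(log_text: str, min_denied: int = 3, min_paths: int = 4) -> List[str]:
    """Clients with many denials across many distinct endpoints look like
    someone mapping the API rather than a user following one stale link.
    Thresholds are assumed values; tune them to the API's real traffic."""
    return sorted(
        ip for ip, s in summarize(log_text).items()
        if s["denied"] >= min_denied and len(s["paths"]) >= min_paths
    )

if __name__ == "__main__":
    print(flag_probing(SAMPLE_LOG))   # ['203.0.113.10']
```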
Best Practices for Securing APIs
The best strategy for API security is a defense-in-depth approach that breaks down the silos between development and security. A multilayered approach rooted in both processes and attitudes can lay the foundation throughout the entire development lifecycle.
Ongoing developer training builds the foundation for secure development. As attackers think about the full range of security problems an API may have, and consider both classic and cutting-edge ways of exploiting them, developers must also receive consistent training on secure development practices and the current state of software security.
When API design begins, include threat modeling in the process. That way, the insights from the threat model can become part of the API from the very beginning, instead of requiring changes or additions later.
While building the API, ensure that consistent and well-defined secure coding requirements exist for developers in the company to follow. Internal documentation should also include documentation of secure coding problems and vetted examples of how developers have prevented security issues in the past. Documentation helps developers get from problem to secure solution faster, since they will not have to start from scratch when addressing common API security concerns.
Security testing is also crucial. During the development process, both source code review tools and dynamic analysis tools can help developers identify and correct security issues as early as possible. Once the APIs are fully developed, it is time for penetration testing. A penetration test before an API goes into production helps ensure it has been viewed from an attacker’s perspective and gives developers a chance to correct the issues found. Once it is in production, it should be penetration-tested yearly, or at whatever regular interval the sensitivity of the data behind the API warrants, so that its security is tested against newer attack techniques.
When Thinking API Security, Think Security Compass
Security Compass has the right expertise and the right culture to be your partner in API penetration testing. Our deep bench of security experts brings a broad base of expertise across industries and technologies, and those experts are consistently engaging in training and research to stay on top of the threat landscape.
Security Compass’s collaborative approach stands out. Inside the company, our broad pool of experts ensures that security questions will be looked at from multiple angles, with the full range of security expertise available to solve your problems. This collaborative approach also applies to client interactions, and leads to real security wins beyond the API being tested. For example, a collaborative partner can help you be proactive about API security by identifying issues in an application, bringing them to the team, and helping your business make sure that those issues aren’t compromising other APIs and code your team has developed as well.