Safeguarding Your Digital Gateways and APIs


Application Programming Interfaces, or APIs, are the mechanisms by which different software components and applications communicate with one another. APIs are a core component of the web-based applications that power our world today; they can be found in everything from weather apps to healthcare technologies to every smart device on the market. For all the capabilities and benefits APIs introduce, they also bring additional risk, and securing them should be a priority for any organization.

Security Challenges

Securing APIs is particularly crucial because so many web-based applications rely on them to function. Furthermore, many companies today offer open APIs, either for free or at a premium; in either case these are public-facing and reachable by anyone on the internet. Such open APIs will inevitably receive requests the developers never intended, and those requests may leak sensitive data, create a denial-of-service condition, or be granted without proper authorization.

As with any technology, APIs are exposed to many threats. The Open Web Application Security Project (OWASP) API Security Top 10 lists broken authorization and broken authentication as the number one and number two API security risks, respectively. Broken authorization occurs when an API does not properly check that the caller is permitted to access the specific object or perform the specific action requested. Broken authentication usually stems from a poorly implemented authentication mechanism, which lets an attacker assume another user's identity, for example with a stolen password. Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) attacks also make the list in the form of unrestricted resource consumption, which, at the very least, drives up business costs when exploited.
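The broken-authorization case above is easiest to see in code. The following is an added illustration, not code from the original post: an invoice lookup written first the broken way (the ID from the request is looked up directly, so any authenticated caller can read any invoice by changing the number) and then with an object-level authorization check. The invoice data, user IDs and role table are constructed for the example.

```python
"""Object-level authorization: the missing check and the fix.

Added example; the data below is constructed and there is no web
framework so the code runs offline.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int
    amount_cents: int


# Constructed sample data: two users, each owning one invoice.
INVOICES = {
    101: Invoice(invoice_id=101, owner_id=1, amount_cents=5000),
    102: Invoice(invoice_id=102, owner_id=2, amount_cents=12000),
}

# Constructed role table; user 9 is a back-office administrator.
ROLES = {1: "customer", 2: "customer", 9: "admin"}


class NotFound(Exception):
    """Raised when the object does not exist, or must look as if it does not."""


def get_invoice_vulnerable(caller_id: int, invoice_id: int) -> Invoice:
    """The broken pattern: the caller's identity is never consulted.

    Authentication happened upstream, so the code 'knows' who is calling,
    but it returns whatever invoice ID the caller asks for.
    """
    try:
        return INVOICES[invoice_id]
    except KeyError:
        raise NotFound(invoice_id) from None


def can_read_invoice(caller_id: int, invoice: Invoice) -> bool:
    """Single authorization policy: owners and admins may read an invoice.

    Keeping the rule in one function means every endpoint applies the
    same check instead of each one re-deriving it.
    """
    return invoice.owner_id == caller_id or ROLES.get(caller_id) == "admin"


def get_invoice_secure(caller_id: int, invoice_id: int) -> Invoice:
    """The fix: look the object up, then check the caller against it.

    An invoice the caller may not read is reported exactly like a missing
    one, so the response does not confirm that the ID exists.
    """
    invoice = INVOICES.get(invoice_id)
    if invoice is None or not can_read_invoice(caller_id, invoice):
        raise NotFound(invoice_id)
    return invoice


if __name__ == "__main__":
    # User 1 asks for user 2's invoice: the broken version hands it over.
    print("vulnerable:", get_invoice_vulnerable(1, 102))
    try:
        get_invoice_secure(1, 102)
    except NotFound as exc:
        print("secure: not found", exc)
    print("secure (owner):", get_invoice_secure(2, 102))
    print("secure (admin):", get_invoice_secure(9, 102))
```

The policy function is the part worth copying: the check compares the authenticated caller against the object actually fetched, not against a parameter the caller controls, and a failed check is indistinguishable from a missing record.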

Another aspect of APIs that presents interesting security challenges is third-party integration. Data received from third-party APIs is generally trusted more than user-supplied input, so developers tend to relax validation and other security standards for it. As a result, attackers often go after the integrated third-party services rather than compromising the target API directly.
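A practical counter to the relaxed-trust habit described above is to parse a partner's response as strictly as a user's. The following is an added example, not code from the original post: a validator for a constructed partner "price quote" payload that enforces a size cap, a closed set of fields, types and ranges before the values reach business logic. The field names, limits and the `UntrustedResponse` exception are assumptions for the illustration.

```python
"""Strict validation of a third-party API response.

Added example with a constructed payload shape: {"sku", "price_cents",
"currency"}. Anything outside that shape is rejected rather than passed
through, so a compromised or buggy partner cannot smuggle unexpected data
into the caller.
"""
import json
import re

MAX_BODY_BYTES = 64 * 1024          # assumed upper bound for this endpoint
ALLOWED_FIELDS = {"sku", "price_cents", "currency"}
ALLOWED_CURRENCIES = {"USD", "EUR", "GBP"}
SKU_PATTERN = re.compile(r"^[A-Z0-9-]{1,64}$")
MAX_PRICE_CENTS = 10**9


class UntrustedResponse(ValueError):
    """Raised when the partner response does not match the expected shape."""


def parse_partner_quote(raw: bytes) -> dict:
    """Return a sanitized quote dict, or raise UntrustedResponse."""
    if len(raw) > MAX_BODY_BYTES:
        raise UntrustedResponse("body exceeds size limit")
    try:
        obj = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise UntrustedResponse(f"malformed body: {exc}") from None
    if not isinstance(obj, dict):
        raise UntrustedResponse("top-level value is not an object")

    # Closed schema: unknown or missing fields are errors, not ignored.
    unknown = set(obj) - ALLOWED_FIELDS
    if unknown:
        raise UntrustedResponse(f"unexpected fields: {sorted(unknown)}")
    missing = ALLOWED_FIELDS - set(obj)
    if missing:
        raise UntrustedResponse(f"missing fields: {sorted(missing)}")

    sku = obj["sku"]
    if not isinstance(sku, str) or not SKU_PATTERN.match(sku):
        raise UntrustedResponse("sku has wrong type or format")

    price = obj["price_cents"]
    # bool is a subclass of int in Python, so exclude it explicitly.
    if isinstance(price, bool) or not isinstance(price, int):
        raise UntrustedResponse("price_cents is not an integer")
    if not 0 <= price <= MAX_PRICE_CENTS:
        raise UntrustedResponse("price_cents out of range")

    currency = obj["currency"]
    if not isinstance(currency, str) or currency not in ALLOWED_CURRENCIES:
        raise UntrustedResponse("currency not allowed")

    # Return a fresh dict built only from validated values.
    return {"sku": sku, "price_cents": price, "currency": currency}


if __name__ == "__main__":
    # Constructed sample responses: one good, three that must be rejected.
    good = b'{"sku": "AB-123", "price_cents": 1999, "currency": "USD"}'
    print(parse_partner_quote(good))
    for bad in (
        b'{"sku": "AB-123", "price_cents": 1999, "currency": "USD", "debug": 1}',
        b'{"sku": "<script>", "price_cents": 1999, "currency": "USD"}',
        b'{"sku": "AB-123", "price_cents": true, "currency": "USD"}',
    ):
        try:
            parse_partner_quote(bad)
        except UntrustedResponse as exc:
            print("rejected:", exc)
```

Returning a newly built dict, rather than the parsed object itself, is deliberate: it guarantees that only the fields the validator examined can reach the rest of the application.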

Weaponizing APIs

In recent years, multiple groups, particularly nation-state-backed threat actors such as APT28, have been observed abusing the Microsoft Graph API to conduct stealthy attacks. The Graph API has been leveraged to communicate with command-and-control (C2) servers hosted in Microsoft's cloud, for example to download files from an attacker-controlled OneDrive or to exfiltrate sensitive data. Attackers favor this technique because traffic to a trusted, well-known cloud service looks inconspicuous next to a typical C2 connection, which often raises red flags. Beyond evading detection, the channel is encrypted and inexpensive, since basic accounts for services like OneDrive are usually free.

Mitigating API Security Risks

The importance of authentication and authorization in any API implementation cannot be stressed enough. Many APIs authenticate with an API key: a unique string assigned to a client that identifies it and validates its requests. This method stays secure only with strong key management and encryption in transit, such as Transport Layer Security (TLS). DDoS mitigations such as throttling and rate limiting counter attacks that try to overwhelm an API with large volumes of requests or data. Adopting a zero-trust model, which treats all traffic as untrusted regardless of its origin, will also go a long way toward securing APIs.
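The API-key and rate-limiting controls above fit together in a small request handler. The following is an added example, not code from the original post: keys take the assumed form `<key_id>.<secret>`, only a SHA-256 digest of the secret is stored so a leaked key table yields nothing usable, the comparison is constant-time, and each authenticated client is throttled by a token bucket. TLS is assumed to terminate in front of this handler; the header name `X-API-Key`, the bucket sizes and the client names are choices made for the illustration.

```python
"""API key authentication plus per-client rate limiting (added example).

Assumptions: keys look like "<key_id>.<secret>", TLS terminates upstream,
and the handler returns (status, body) the way a framework view would.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field


def _digest(secret: str) -> str:
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


class KeyStore:
    """Maps a public key id to (client_id, sha256(secret))."""

    def __init__(self) -> None:
        self._keys: dict[str, tuple[str, str]] = {}

    def issue(self, client_id: str) -> str:
        """Create a key, store only its digest, and return it once."""
        key_id = secrets.token_hex(8)
        secret = secrets.token_urlsafe(32)
        self._keys[key_id] = (client_id, _digest(secret))
        return f"{key_id}.{secret}"

    def authenticate(self, presented: str):
        """Return the client id for a valid key, otherwise None."""
        key_id, sep, secret = presented.partition(".")
        if not sep:
            return None
        entry = self._keys.get(key_id)
        if entry is None:
            # Do the same amount of work for an unknown id as for a known
            # one, so response time does not reveal which ids exist.
            hmac.compare_digest(_digest(secret), _digest(""))
            return None
        client_id, stored_digest = entry
        # Constant-time comparison of fixed-length digests.
        if hmac.compare_digest(_digest(secret), stored_digest):
            return client_id
        return None


@dataclass
class TokenBucket:
    """Per-client token bucket: `capacity` burst, `refill_per_sec` sustained."""
    capacity: float
    refill_per_sec: float
    _state: dict = field(default_factory=dict)  # client_id -> (tokens, last_ts)

    def allow(self, client_id: str, now: float) -> bool:
        tokens, last = self._state.get(client_id, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.refill_per_sec)
        if tokens >= 1:
            self._state[client_id] = (tokens - 1, now)
            return True
        self._state[client_id] = (tokens, now)
        return False


def handle_request(headers: dict, store: KeyStore, bucket: TokenBucket, now=None):
    """Authenticate, then throttle; `now` is injectable for deterministic tests."""
    now = time.monotonic() if now is None else now
    client_id = store.authenticate(headers.get("X-API-Key", ""))
    if client_id is None:
        return 401, {"error": "invalid or missing API key"}
    if not bucket.allow(client_id, now):
        return 429, {"error": "rate limit exceeded"}
    return 200, {"client": client_id, "data": "ok"}


if __name__ == "__main__":
    store = KeyStore()
    key = store.issue("acme")           # constructed client name
    bucket = TokenBucket(capacity=2, refill_per_sec=1.0)
    for t in (0.0, 0.0, 0.0, 1.0):
        print(t, handle_request({"X-API-Key": key}, store, bucket, now=t)[0])
    print("bad key", handle_request({"X-API-Key": "bad.key"}, store, bucket)[0])
```

Rate limiting is keyed on the authenticated client rather than the source address, so a client cannot reset its budget by rotating IPs, and unauthenticated requests are rejected before they consume any bucket at all.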

One response to “Safeguarding Your Digital Gateways and APIs”

  1. Gary Brock

    Somebody essentially lent a hand to make significant posts, I might state. That is the very first time I frequented your web page, and up to now? I was surprised with the research you made to create this particular post amazing. Excellent job!