We visit websites backed by API software every day. We see the log-in box. We type in our username and password. The process to secure a digital offering or service takes place right in front of our eyes. But the software behind the scenes is a little less tactile.
Unless you are a developer, you may never see the code making up an API behind the front-end. APIs are a technology purposefully built for one machine to communicate with another machine. And when something is out of sight, it’s too often out of mind.
APIs are a lucrative target
With the rise of modern software architecture, APIs have become a de facto standard for mobile applications, micro-services, cloud computing, and IoT (e.g. API-first companies). A common pattern is to deploy a static “front-end” like a website or mobile app and a backend API, which contains most of the interesting (including security) parts. A large organization may employ dozens of APIs which communicate with front ends, mobile apps, or just other APIs.
Does your bank use a mobile app so you can view your account balance, track spending, and set up direct payments? The API system powering that mobile app manages all the business logic, executes the transactions, and keeps your account secure.
Because APIs operate at machine speed, they are a popular target for threat actors. In 2021, someone used a publicly exposed LinkedIn API to collect 700 million user records. In 2022, Uber suffered an insider threat attack against some of its APIs, Dropbox had its source code exposed due to an API attack, and attackers exploited a 0-day in a Twitter API, exposing 5.5 million users’ data.
Given the prevalence of attacks, we aren’t the only ones who think API security is important. The Gartner API Hype Cycle reports from the previous three years (2019-2022) show API security as a rising, trending topic in each edition. Its movement along the hype cycle indicates that existing “technology” solutions are slow to address the challenge, and that tackling API security is an ongoing battle for organizations.
APIs require a rethought security strategy
Application security is not a new concept for many organizations, but API security is not exactly the same. Many of the tenets of AppSec also apply to API security, but some do not, and APIs introduce new requirements and considerations of their own.
The increased vulnerability and business value of API software requires rethinking some of the ways we consider and apply security to applications.
In simple terms, APIs are often the most efficient, friendly choice for a software product stack. They provide a way for machines to interface with one another at machine speed, allow loosely coupled components to be scaled on demand, and can often be deployed so that third (external) parties can use, access, and interface with them.
At its core, an API exposes business logic via the web: a powerful software capability, but not without risks.
Consider an e-commerce company with a mobile app. A common practice is to create a mobile app which interfaces with a backend API. The mobile app has buttons and screens to log in, buy a product, and set shipping information. When a user clicks in a mobile app, the API completes the actions.
But what if an attacker chose to access the API directly, bypassing the mobile app? Because the API is built to operate at machine speed, the attacker can write code that attempts 1,000 logins a second, automatically changes shipping information, or exfiltrates payment information for tens of thousands of users, without ever using the mobile app.
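As an added illustration (not code from the original post), the following Python detects the two machine-speed patterns just described, rapid login attempts and bulk reads of other users’ records, over a few constructed API access-log lines; the log format, IP addresses and thresholds are assumptions for the example.

```python
from collections import defaultdict
# Constructed sample log lines: "<epoch_seconds> <client_ip> <method> <path> <status>"
SAMPLE_LOG = """\
1700000000 203.0.113.5 POST /api/login 401
1700000000 203.0.113.5 POST /api/login 401
1700000000 203.0.113.5 POST /api/login 401
1700000000 203.0.113.5 POST /api/login 401
1700000000 203.0.113.5 POST /api/login 401
1700000001 198.51.100.7 POST /api/login 200
1700000002 198.51.100.7 GET /api/users/1001/payment 200
1700000003 192.0.2.9 GET /api/users/2001/payment 200
1700000003 192.0.2.9 GET /api/users/2002/payment 200
1700000003 192.0.2.9 GET /api/users/2003/payment 200
1700000004 192.0.2.9 GET /api/users/2004/payment 200
"""

# Assumed thresholds; a real deployment would tune these per endpoint.
MAX_LOGINS_PER_SECOND = 4    # more than this from one IP looks like credential stuffing
MAX_ACCOUNTS_PER_CLIENT = 3  # one client reading more accounts than this looks like scraping


def parse_log(text):
    """Parse constructed log lines into (ts, ip, method, path, status) tuples."""
    records = []
    for line in filter(None, text.splitlines()):
        ts, ip, method, path, status = line.split()
        records.append((int(ts), ip, method, path, int(status)))
    return records


def find_abusive_clients(records):
    """Return {ip: reason} for clients whose request pattern exceeds the thresholds."""
    login_counts = defaultdict(int)   # (ip, second) -> login attempts in that second
    accounts_seen = defaultdict(set)  # ip -> distinct account ids it has read
    for ts, ip, method, path, status in records:
        if method == "POST" and path == "/api/login":
            login_counts[(ip, ts)] += 1
        parts = path.split("/")  # "/api/users/<id>/..." -> ["", "api", "users", "<id>", ...]
        if len(parts) > 3 and parts[2] == "users":
            accounts_seen[ip].add(parts[3])
    flagged = {}
    for (ip, _), n in login_counts.items():
        if n > MAX_LOGINS_PER_SECOND:
            flagged[ip] = "login rate exceeded"
    for ip, ids in accounts_seen.items():
        if len(ids) > MAX_ACCOUNTS_PER_CLIENT:
            flagged.setdefault(ip, "account enumeration")
    return flagged
```

Running `find_abusive_clients(parse_log(SAMPLE_LOG))` flags the burst-login client and the account-scraping client while leaving the ordinary user alone; the same per-client counters are what a rate limit or API gateway rule would enforce.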
So how should we start to tackle API security?
Thinking about API security requires multiple perspectives to successfully protect these business-critical assets, from application security practices to securing resources in the cloud. There are best practices, frameworks, and tools available to support protection of APIs, which can fit well into an organization’s overall security strategy.
Microsoft recognizes APIs are business-critical resources which require special consideration. They recently released a platform which offers prevention, detection, and response, specifically designed for APIs in Azure. As a Microsoft partner and winner of the 2023 Security Trailblazer award, we love to see releases like this.
We believe people over process over technology is crucial to tackling any security problem. That’s true for API security too. Watch for advice on how to address API management and security with your leadership in and out of IT. If you’re interested in determining threats most likely to target your business, reach out to us at email@example.com for more information.