Fatih is an experienced software developer specialising the design and development of core back end systems with a strong focus on agile development practices. He is passionate about working closely together with businesses and techical teams to drive innovation and deliver high quality software.
APIs have seen widespread adoption for a number of reasons. Not only do they provide a standardized way for services and data to be accessed, but they allow existing functionality to be leveraged by newer systems. This can save a lot of development effort as systems don't always need to be built from scratch.
While APIs enable businesses to innovate rapidly, they also pose a risk and have become a prime target for cyber-attacks.
Why API security should be a top priority for everyone.
As the gateways to valuable data and functionality, the impact of compromised API security can have far-reaching ramifications, not only in terms of financial loss and damage to a company's reputation but also to the wider community as a whole. Some such implications include:
Service disruption: Businesses may face directrevenue loss due to the disruption of services and be forced to spend money and resources to investigate and remediate issues.
Compliance breaches and risk of litigation: Failure to protect customer data may result in compliance breaches leading to significant fines, legal fees and additional penalties. In severe cases, this could even lead to litigation cases against the business which can be very costly to settle - in 2017, Equifax paid $700 million in penalties and restitution as a result of numerous class action lawsuits that were filed against them after a massive customer data breach.
Loss of reputation & competitive advantage: A security breach can damage a company's reputation and destroy customer trust which can be very difficult to win back. Optus’s late 2022 customer data leak exposed the details of 10 million customers due to an API vulnerability and is the most recent example of this. A survey performed by Ping Identity in 2019 revealed that 81% of customers would stop engaging with a brand online after a data breach.
Customer & Community Impact - an API breach that exposes sensitive data immediately puts customers at risk of financial fraud and identity theft. Moreover, leaked personal data makes customers feel violated and vulnerable which can lead to stress and anxiety.
Common reasons for API Vulnerability.
Securing APIs is crucial for safeguarding sensitive customer information and preserving business operations. The Open Worldwide Application Security Project (OWASP), a trusted source in the technology industry, has just released its candidate categories for API Security Top 10 2023 for community review. Some of the key reasons for API Vulnerability are:
Broken authentication and authorization mechanisms - Attackers can exploit API endpoints that are vulnerable to broken authentication and authorization mechanisms leading to unauthorized access to sensitive data or restricted functionality. A common example of this is broken object-level authorization when the API request is intercepted and manipulated.
Unrestricted Consumption of API resources - When configuring APIs it is a standard practice to limit the rate of client interactions. Systems without this limit can allow malicious attackers to overwhelm APIs by flooding them with requests exhausting their processing resources. This denies legitimate users access to the services and can hence disrupt business.
Sharing too much information - APIs should limit what is shared to only what is required. Superfluous data can be exploited by an attacker to gain access to more sensitive data. Details of internal errors should never be exposed through the API as this can reveal the inner workings of the system and technology stack which can help perpetrators build further on their attacks.
Poor API design or implementation makes it vulnerable to security risks:
APIs that accept generic inputs without any validation are at risk of running malicious code or allowing the injection of harmful data into the system, which can compromise the system's data or functionality.
Attackers can exploit gaps in business processes by probing and exploring APIs to understand how different processes are linked, allowing them to take advantage of business logic gaps at their own pace.
Proactive steps you can take for API security.
Prevent injection of malicious code through input validation - When developing an application that interacts with user input or third-party systems through APIs, ensure that all inputs are validated and bound to data types in code wherever possible. This would prevent the injection of malicious content by attackers.
Monitor and log all activity - Monitoring and logging all API activity is important to identify and respond to security threats or breaches in a prompt manner. By tracking all events and errors, organizations can quickly detect any suspicious activity and take appropriate action to prevent potential security breaches.
Regular security audits - Performing regular vulnerability assessments and penetration testing is essential for ensuring the security of an API. Vulnerability assessments involve examining an API to identify any weaknesses in its security posture, such as configuration issues, coding errors, or system misconfigurations. On the other hand, penetration testing involves actively trying to exploit identified vulnerabilities in a controlled environment to understand the level of risk they pose to the API and the organization as a whole.
Keep APIs up to date - APIs must always be kept up to date with the latest security patches and updates to minimize risk. A chain is only as strong as its weakest link, APIs are often integrated with old/legacy services or infrastructure that might have outdated security, this is often overlooked and could prove detrimental to API security.
Educate developers and users - The most important element in ensuring a robust API security posture is ensuring ongoing coaching of developers and users about API security risks and best practices can help to prevent common mistakes. This can include providing training on secure coding practices for developers and regular security awareness training for users.
Key takeaways
API security is a constantly evolving landscape with new threats and attack methods showing up regularly. APIs must be designed and used with security in mind from the outset. This not only means following industry best practices but also keeping up with the trends.
A new threat entering the OWASP API Security Top 10 in the 2023 RC is “Lack of Protection from Automated Threats” whereby an attacker exploits a business model by leveraging automated processes to their advantage. The Nike Sneaker Bot is a good example of using brute force methods to achieve this – attackers deploy an automated process distributed across a variety of IP addresses to automatically purchase large quantities of Nike Sneakers at retail prices as soon as they are launched to later sell them on other platforms.
Smart devices these days are often wearable or are present in our vehicles, which means they come with us wherever we go and often connect with APIs. As these devices grow ever more common, issues with API security open new privacy concerns such as the potential for attackers to gain access to your location or device functionality at a given time - Web application security researcher, Sam Curry, was able to do in-depth research on critical vulnerabilities in the way the auto industry leverages APIs.
The Australian Government API Design Standard is a useful resource being introduced to help businesses ensure that they are building APIs to a good standard. This reference documentation also provides helpful guidelines for API security.
APIs have become central to modern-day software architectures, allowing businesses to innovate rapidly and build new functionality. However, compromised API security can have significant consequences for businesses, leading to financial losses, operational disruption, damage to reputation, and negative impacts on customers and the wider community.
The best way to protect against the most common API security threats is to follow API design and development best practices. Resources such as the OWASP Top 10 risks and the recent Australian government reference can help in this regard. Organizations must take proactive steps to protect their APIs, including regular security audits, good logging, and keeping APIs up to date. Technology and security are continually evolving, so staying up to date and addressing new challenges is essential.
