Of all the different vectors that bad actors can use for a cyberattack, one of the most popular is through application programming interfaces (APIs). APIs are uniquely important and useful tools, but they also come with unique security risks, vulnerabilities, and hurdles making them harder to protect. Fortunately, professionals such as those behind the Open Web Application Security Project (OWASP) work to keep organizations informed as to the biggest threats and help to overcome those difficulties. Armed with the most recent information about API security threats and trends, an organization can build an effective security strategy to protect against attacks.
API Security Trends
APIs are “the building blocks of modern applications,” and API security is absolutely essential for organizations to understand and address. According to one survey, the vast majority (94%) of companies have experienced API security issues within the past year, but many organizations (30%) remain unprotected against API attacks. As bad actors grow in number, attacks become more frequent, and tactics advance over time, businesses and their APIs are increasingly at risk. Where once API attacks were primarily “one-and-done” techniques like SQLi and XSS, attackers are more and more favoring “low-and-slow” methods that are more difficult for traditional security tools to detect.
Part of the appeal of the OWASP Top 10 API Security Risks list is the ability to keep track of the most pressing threats to API security as they shift and adapt over time. While many of the risks are longstanding and unlikely to disappear from the list anytime soon, trends in API attacks and vulnerabilities are reflected in the list. It is important to take this into consideration when attempting to protect APIs against cyberattacks, accidental data breaches, and other security incidents. Changes in the OWASP Top Ten—such as the combination of “Excessive Data Exposure” and “Mass Assignment” into the single category of “Broken Object Property Level Authorization”—are a good indicator of where to focus API security efforts.
Challenges to Securing APIs
There are a number of unique hurdles to overcome when attempting to secure APIs that make it more difficult to prevent attacks. Attackers take advantage of API traffic to hide their attacks using methods like encoding their attacks or embedding attack traffic within protocols. APIs handle traffic and data in many formats, and decoding inputs is crucial to detecting attacks. Additionally, APIs make it easier for bad actors to gain visibility into the backend of processes; this access can be extremely helpful in launching an attack. Visibility is also an issue from the other side of things, as organizations often lack transparency and proper documentation of their APIs.
Due to the nature of APIs, it can be difficult to understand or decide what acceptable use looks like. Combined with the lack of visibility into who is using APIs, this makes it nearly impossible for users to be accountable for API security. API attacks are also often complex and take place in multiple stages, making it harder to detect and identify suspicious behavior that could mean trouble. Furthermore, many bad actors are increasingly relying on bots to carry out these complex attacks.
API Security Best Practices
The most significant vulnerabilities in API security are laid out in the OWASP Top Ten, including broken object level authorization, broken authentication, unrestricted resource consumption, server-side request forgery, and security misconfiguration. While each of these vulnerabilities comes with its own difficulties and poses its own dangers, many of them can be mitigated by the implementation of relatively basic security measures. There is no one size fits all solution for API security, but an effective API security strategy should account for each of the numerous threats and challenges that accompany API use.
It is vital to ensure that all API technology has proper authorization and authentication and uses the principle of least privilege to make it more difficult for unauthorized parties to access sensitive data. Organizations are also suggested to use a zero-trust approach to security and implement access control via firewalls, gateways, rate limits, or geo-velocity checks. API requests and responses should be encrypted, along with all other network traffic. Data cleansing and validation routines are crucial and should never be treated as a given—organizations should ensure their own routines are implemented to protect against injection flaws and forgery requests. Regular API risk assessments, documentation, and security testing are a must as well.
APIs provide much-needed services to internet users everywhere, from account linking to streamlined online payments. For this reason, much of the data that goes through an API is sensitive, such as login credentials and financial information. The way that APIs are designed makes them uniquely vulnerable to attacks for a number of reasons, as well as uniquely difficult to protect, but using the OWASP guide to API security risks and the recommended API security measures and practices, it is possible to defend your organization against API attacks.