The API vulnerabilities lurking in your architecture
Securing an organisation's systems, data and business-critical processes is harder than ever in this era of hyper-connectivity. Major trends such as the cloud, BYOD and IoT have resulted in more people and entities connecting to corporate IT assets than ever before. At the heart of these connections are APIs: they underpin almost every interaction or process within this hyper-connected world and have quickly become a prime target for attackers.

As APIs have become more prevalent, so too have API vulnerabilities. They are not always easy to spot, however, because they are often only one component of a broader threat. In fact, according to the latest OWASP Top 10 list of vulnerabilities, nine of the top 10 now include API components of some kind. While API risks are not always called out by name, this shows clearly that they are prevalent.

Taking into account the latest OWASP Top 10, plus our own experience in processing over 10 billion transactions per day in mission-critical environments, two specific types of vulnerability stand out as particularly prevalent today, yet they continue to be overlooked by most.

The first common vulnerability, and one that has only recently begun to be exploited at scale, is weakness in Identity and Access Management (IAM) products. IAM is fundamental to any cloud computing architecture because it allows the organisation to control who accesses its APIs and cloud services. Since most organisations are adopting the cloud as part of their digitisation efforts, IAM solutions have become a standard component of most corporate IT architectures.

The risks posed by IAM are exacerbated further by the growing trend of deploying cloud-based, centralised IAM solutions. Because they are centralised, these solutions offer an attacker a single point from which to compromise the whole architecture: the IAM enforcement points. The fundamental issue is that IAM products are platforms, not security systems; they were never designed to be hardened against attack. In 2017, a vulnerability in the Oracle Access Manager platform was given the highest severity classification, rated 10 out of 10 on the CVSS scale by NIST, because it allowed an attacker to take control of the entire system. A compromised IAM can compromise any identity and impersonate any user. An IAM trust model can only be built by first establishing trust in the IAM enforcement points themselves; without that, your IAM is just another weak point into your architecture.

The next common API vulnerability, one that you won't find in any "top 10 list", is the API architecture itself. The API gateway in particular must not become the target of compromise, yet this is often the case. Preventing it requires fundamental product architecture principles: a locked-down, secure operating system; self-integrity health checks that detect compromise; and independent security certifications that prove claims beyond those stated by the vendor. Consider the recent Spectre and Meltdown vulnerabilities, which affected any system running potentially vulnerable third-party applications. A locked-down OS does not run third-party applications and is therefore not susceptible to this type of vulnerability, or to others of its kind. This is where the architecture adopted by the API gateway can quickly become its biggest vulnerability.

As a security topic in its own right, API security and API vulnerabilities are still relatively unknown to most organisations and even to many security professionals. Unfortunately, as we have found over the past decade, most attacks and vulnerabilities are only discovered once they are widely publicised. But just because you haven't heard about a vulnerability doesn't mean it isn't out there; it may simply mean that attackers don't know about it yet (or, worse still, they do know but you haven't detected the breach in your system yet).

API vulnerabilities are everywhere, and they will only become more prominent as our dependence on APIs continues to grow. Given the threats highlighted in this article and the recent examples of Spectre and Meltdown, it is important to pay close attention to your API architecture and ensure it is designed to withstand such vulnerabilities.

Jason Macy, CTO, Forum Systems

Contributed by Jason Macy, CTO, Forum Systems.

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.