Time to wake up to API security, the overlooked vulnerability
Cyber-security threats come in many guises, from trojans to viruses, malware or good old-fashioned malicious hacking. Yet while most of these threats hit the headlines with relative consistency, one type of threat has largely remained under the radar – API vulnerabilities.

API vulnerabilities are the sleeping giant of our technology-led world. The threats posed by an exposed API are significant, yet they remain the most overlooked threat to information security today.

The fundamental challenge with APIs is that they are everywhere. You use them all day, every day, and most of the time you are not even aware of it. They underpin almost everything we do, from banking to shopping to controlling our heating. Almost every interaction with our smartphone relies on an API to communicate with a server or database somewhere.

The sheer scale at which APIs are used means the potential impact of an API-related attack is significant. But as with other cyber-threats, the impact of a breach depends on the specific scenario and the data being shared through the API. Take these two recent, contrasting examples: Instagram's unchecked API vulnerability led to the embarrassing leak of Justin Bieber photos, while a data breach at Equifax reportedly affected 143 million Americans and cost the jobs of its CEO, CIO and CSO. Imagine the consequences of a similar breach to your mobile banking app or home security system.

Gently awakening the giant
The industry is starting to wake up to this threat. Having been on the front line of API security management for over 15 years, this is something we have been lobbying for for some time. API security awareness has indeed moved to the next level: the Open Web Application Security Project (OWASP), which publishes its annual “Top Ten”, now references APIs in nine out of the 10 listed vulnerabilities. Furthermore, OWASP has indicated that API security gateways should be considered for protecting against API exploits such as Risk 4, XML External Entities (XXE).

Victims of their own success
APIs have become the primary channel for business transactions in most modern enterprises due to the increasingly complex nature of their IT infrastructures, which often consist of a myriad of external partners, public cloud providers, mobile devices, and virtualised data centres. In a well-planned architecture, APIs can dramatically accelerate application development, create new revenue opportunities, and reduce costs in the modern IT environment.

But APIs can only deliver these benefits without compromise when this same IT infrastructure employs centralised identity control, security enforcement, and proactive business transaction monitoring. Without these checks in place, APIs risk exposing sensitive information or providing unscrupulous actors with unrestricted access to applications and systems. An IT infrastructure built on APIs is extremely vulnerable if security is not embedded throughout the network.

The API security gateway
API security gateways are one method that has emerged to allow organisations to embrace the benefits of APIs without exposing them to the risks of API vulnerabilities. API security gateways provide three layers of protection:
Centralised identity management to validate the identity of users interacting with the API, including multi-context and multi-factor authentication for added peace of mind.

Real-time monitoring and security enforcement to proactively monitor traffic through the network and issue alerts if threats are found. Proactive monitoring includes deep content inspection, bi-directional information assurance, and embedded antivirus and PKI cryptography.

Cloud integration: the gateway is useless if it cannot integrate seamlessly with as broad a spectrum of client and server technologies as possible, so integration with common API standards such as SOAP, XML, REST and JSON is essential.

API gateways protect the data, application and user because they protect traffic at the point at which it enters and leaves the organisation's IT infrastructure (i.e. at the API gateway itself). They also enable application and API developers to focus their time on improving the functionality of their applications, since they know their APIs are inherently secure.
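To make the first two layers concrete, and to show how a gateway blocks the XXE risk (OWASP Risk 4) mentioned earlier, here is an added example in Python. It is illustrative code written for this article, not code from Forum Systems or any gateway product. The `Request` and `Decision` types, the `subject.expiry.hmac` token format, the demo signing key and the body-size limit are all assumptions made for the demonstration; the content check uses Python's standard expat parser with handlers that abort on any DOCTYPE or entity declaration, which is the gateway-side behaviour that keeps an external-entity payload from ever reaching a backend XML parser.

```python
import hashlib
import hmac
import json
import time
from dataclasses import dataclass
from typing import Optional
from xml.parsers import expat

# Constructed demo secret for this example only; a real gateway loads its
# signing key from an HSM or secrets store, never from source.
GATEWAY_HMAC_KEY = b"demo-only-gateway-key"
MAX_BODY_BYTES = 64 * 1024  # constructed limit for the demo


@dataclass
class Request:          # hypothetical: a minimal inbound API request
    headers: dict
    body: bytes


@dataclass
class Decision:         # hypothetical: the gateway's allow/deny verdict
    allowed: bool
    reason: str


def mint_token(subject: str, ttl: int = 300, now: Optional[int] = None) -> str:
    """Constructed token format 'subject.expiry.hmac' used only by this demo."""
    expiry = int(now if now is not None else time.time()) + ttl
    payload = f"{subject}.{expiry}"
    tag = hmac.new(GATEWAY_HMAC_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def verify_token(token: str, now: Optional[int] = None) -> Optional[str]:
    """Layer 1, identity: return the subject only if tag and expiry check out."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    subject, expiry, tag = parts
    payload = f"{subject}.{expiry}"
    expected = hmac.new(GATEWAY_HMAC_KEY, payload.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so a forged tag cannot be guessed byte by byte.
    if not hmac.compare_digest(expected, tag):
        return None
    current = int(now if now is not None else time.time())
    if not expiry.isdigit() or int(expiry) <= current:
        return None
    return subject


class EntityDeclarationFound(Exception):
    """Raised from an expat handler to abort parsing of a suspicious document."""


def inspect_xml(body: bytes) -> Decision:
    """Layer 2, deep content inspection for XML: refuse any DOCTYPE or entity
    declaration, so an external-entity (XXE) document is stopped at the edge."""
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise EntityDeclarationFound("DOCTYPE declaration not permitted")

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        raise EntityDeclarationFound("entity declaration not permitted")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    try:
        parser.Parse(body, True)
    except EntityDeclarationFound as exc:
        return Decision(False, f"XML rejected: {exc}")
    except expat.ExpatError as exc:
        return Decision(False, f"malformed XML: {exc}")
    return Decision(True, "XML body accepted")


def inspect_json(body: bytes) -> Decision:
    """Layer 2 for JSON: a body the gateway cannot parse is not forwarded."""
    try:
        json.loads(body)
    except ValueError as exc:
        return Decision(False, f"malformed JSON: {exc}")
    return Decision(True, "JSON body accepted")


def gateway_decide(req: Request, now: Optional[int] = None) -> Decision:
    """Run identity and content checks at the entry point; forward only traffic
    that passes every check."""
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return Decision(False, "missing bearer token")
    subject = verify_token(auth[len("Bearer "):], now)
    if subject is None:
        return Decision(False, "invalid or expired token")
    if len(req.body) > MAX_BODY_BYTES:
        return Decision(False, "body exceeds size limit")
    ctype = req.headers.get("Content-Type", "")
    if ctype.startswith(("application/xml", "text/xml")):
        verdict = inspect_xml(req.body)
    elif ctype.startswith("application/json"):
        verdict = inspect_json(req.body)
    else:
        return Decision(False, f"unsupported content type: {ctype!r}")
    if not verdict.allowed:
        return verdict
    return Decision(True, f"forwarded for subject {subject}: {verdict.reason}")
```

The point of the ordering is that identity is established before any body is inspected, and the body is inspected before any backend sees it: a document carrying a DOCTYPE never reaches an application parser, so whether that parser resolves external entities becomes irrelevant. Rejecting every DOCTYPE is deliberately stricter than trying to classify entity declarations as safe or unsafe, which is the kind of policy a gateway can enforce uniformly across many backends.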

API vulnerabilities are the under-reported dark side of modern innovation, but with greater attention on this issue and the right security approach, we can all rest easy that this giant will remain undisturbed.

Contributed by Jason Macy, CTO, Forum Systems 

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.