Security models for Application Programming Interfaces haven't kept pace with requirements of a non-perimeter world.
Today's adversaries are focusing on APIs in particular, which are quickly becoming the new attack frontier. Recent reports suggest that by 2022, API abuses will be the vector most responsible for data breaches within enterprise web applications. This is primarily due to the extensive growth of API implementations worldwide, providing a new target that hasn't been widely exploited yet. As a result, protecting APIs is becoming more important.
Every modern architecture concept, like mobile, IoT, microservices, cloud environments, and single-page applications, relies deeply on APIs. APIs allow applications and application components to communicate with each other on internal networks and, increasingly, over the Internet. Initially, APIs were typically used on secure private networks and communications channels. These days they have become integral to enterprise efforts to make internal applications and legacy systems and services accessible over the Internet to business customers, partners, suppliers, and other third parties. Many see APIs as fundamental to enabling digital transformation initiatives and powering a new generation of business systems.
Although the concepts of API security are somewhat new, the attacks that can be performed through them are not. Most organizations have been experiencing similar threats targeting their networks and Internet-facing applications for years. Now, they must focus their efforts on mobile apps, APIs, and back-end servers being targeted by similar methods as seen in the past.
The most common use case for APIs continues to be interoperation between internal tools, teams, and systems, reducing development time and cost. Other popular use cases include partnering with external organizations, extending product or service functionality, and absorbing data and features from external products.
Previously, SOAP APIs were typically accessed securely over VPNs or two-way encrypted connections. REST APIs, on the other hand, are designed for access through browsers and mobile apps. When a mobile user makes an airline reservation on their phone, for instance, a REST API conveys the user's instructions to the airline or travel services vendor's back-end applications and delivers the response back to the user.
Unless protected, REST APIs are exposed to the same commonly available client-side inspection and attack tools as web applications. Long-held security best practices such as least-privilege data access and server-side data validation are therefore as critical to APIs as they are to web applications.
The OWASP API Security Project aims to develop, release, and track an ongoing top 10 list of the risks that organizations face concerning their use of APIs, similar to the OWASP Top 10 Most Critical Web Application Security Risks. From broken object-level authorization to insufficient logging and monitoring, this list rounds up the most critical API risks facing businesses while also providing example attack scenarios and recommendations for mitigating these threats. IT teams, security professionals, and developers alike would be well-advised to carefully read through this list to better understand the benefits of APIs, as well as the potential risks presented through their implementation as adversaries set their sights on this emerging target.
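To make the two preceding points concrete, here is an added example (not code from the original article or from the OWASP API Security Project) of the broken object-level authorization risk the list opens with, shown as a vulnerable REST-style handler beside a hardened one that applies the server-side validation and least-privilege data access mentioned above. The reservation records, user names, `Request` type and handler names are all constructed for this illustration; the authenticated principal is assumed to be set by an upstream authentication layer.

```python
"""Added example (not from the original article): a minimal REST-style
record lookup showing a broken object-level authorization (BOLA) defect
beside its hardened form, with server-side input validation and a
least-privilege response. All records, users and helper names are
constructed for this example; the caller identity is assumed to come
from an upstream authentication layer."""
from dataclasses import dataclass

# Constructed sample data: airline reservations owned by different users.
RESERVATIONS = {
    101: {"owner": "alice", "flight": "XY123", "payment_card_last4": "4242"},
    102: {"owner": "bob",   "flight": "XY456", "payment_card_last4": "1111"},
}


@dataclass
class Request:
    """The subset of an HTTP request the handlers need: the authenticated
    principal (assumed set by the auth layer) and the raw path parameter."""
    user: str
    reservation_id: str  # arrives as a string from the URL path


def get_reservation_vulnerable(req: Request):
    """BOLA: the handler trusts the client-supplied id and never checks
    that the caller owns the object, so any authenticated user can read
    any record by changing the id in the URL. It also does no input
    validation and returns the whole stored record."""
    rec = RESERVATIONS.get(int(req.reservation_id))
    if rec is None:
        return 404, {"error": "not found"}
    return 200, rec


def get_reservation_hardened(req: Request):
    """Hardened handler:
    1. validate the path parameter server-side (never rely on the client);
    2. enforce object-level authorization: the record must belong to the
       caller;
    3. least privilege: return only the fields this endpoint needs, so a
       legitimate call still does not expose the payment data."""
    # 1. Server-side validation of the identifier.
    if not req.reservation_id.isdigit():
        return 400, {"error": "invalid reservation id"}
    rid = int(req.reservation_id)
    rec = RESERVATIONS.get(rid)
    # 2. Object-level authorization. Answering 404 for both "missing" and
    #    "not yours" avoids confirming that another user's id exists.
    if rec is None or rec["owner"] != req.user:
        return 404, {"error": "not found"}
    # 3. Minimal response: only the fields the caller needs.
    return 200, {"id": rid, "flight": rec["flight"]}


if __name__ == "__main__":
    # Bob requests Alice's reservation through each handler.
    print(get_reservation_vulnerable(Request("bob", "101")))  # leaks Alice's record
    print(get_reservation_hardened(Request("bob", "101")))    # (404, ...)
    print(get_reservation_hardened(Request("alice", "101")))  # (200, minimal view)
```

The ownership check belongs in the server-side handler (or a shared authorization layer it calls on every object access), not in the client: the client's request is exactly the input the inspection tools mentioned above let an attacker rewrite. Returning the same 404 for missing and foreign records, and trimming the response to the fields the endpoint actually serves, are the least-privilege and validation practices the article carries over from web applications.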
If your team has concerns around API security, please feel free to Reach Out To Us. We would be glad to help you understand what it would take to resolve them.