API security should be high on CISOs radar - here’s why
In recent years, use of Application Programming Interfaces (APIs) for businesses has soared. As reported by online API journal ProgrammableWeb, an average of 2000 new APIs were added to its API directory per year between January 2015 and June 2019, with an average of 220 new APIs being added every month in the first half of 2019 - an increase of over 30% compared to the previous four years.
As with many technological developments, they present significant benefits - in our case, interoperation, speed and efficiency. But with these come risks that must be mitigated. Today, we are hearing more and more about how APIs are vulnerable to security issues, which hackers exploit. The question is, how should CISOs best handle this emerging threat?
This article seeks to tackle the issue head on through an overview of the benefits of APIs, inherent security weaknesses, reasons CISOs must prioritize API security, and ways in which they can mitigate the threat.
Over 75% of organizations use APIs, with 59% beginning to develop APIs themselves in the last five years. The benefits driving this trend include, but aren’t limited to:
Interoperation of systems, tools and teams;
Reduced development time and costs;
Extended product or service functionality;
Reduced infrastructure overheads;
Mobile application powering;
Increased partnership opportunities.
Businesses wishing to fully leverage all that APIs have to offer recognize the need for a mix of internal (private) and external (public) APIs; hence, between 2016 and today, there has been a 15% increase in the number or organizations that develop both.
A risky business
While the benefits of APIs are strong and many, using them is not without its risk as far as organizations are concerned. When you consider that the average API has approximately 27 major vulnerabilities, and organizations can have hundreds, even tens of thousands, of APIs, the numbers certainly lead to the conclusion the CISOs must prioritize security for their APIs, if they haven’t done so already.
With all the (absolutely necessary) focus on high-impact attack vectors such as ransomware, distributed denial of service (DDoS) and malware, many security and IT professionals overlook the inherent lack of security in APIs. But hackers don’t!
Several factors make APIs vulnerable to cyberattacks:
Exposure of assets - Since their value lies in the creation of assets to be shared and reused in the building of new products and offerings, APIs inherently provide visibility of the underlying design and implementation of an application, which is normally buried deep beneath layers of functionality. This is a valuable roadmap for hackers to follow all the way to new attack vectors.
Transparency - Best practices in API development require them to be transparent and even self-documenting, meaning that clear visibility of internal objects, databases and more is built right in, providing hackers with valuable intelligence.
Increased attack surface - API calls, in which information is transferred, processed and fed back, create access points that an unauthorized user can exploit to enter or extract data.
The issue of API security has become so critical that a new category of ‘under-protected APIs’ was added to the list of top 10 application vulnerabilities compiled by the Open Web Application Security Project (OWASP) two years ago. Furthermore, in October 2019 OWASP published a dedicated top 10 list for API security.
It’s always preferable to learn from others’ mistakes rather than making your own - especially when it comes to business and security. A quick review of some recent API attacks will illustrate the points in this article.
MyCar - not YourCar!
Attack type: API abuse.
Background: Comprising a telematics unit and mobile app, MyCar Controls offersdrivers features such as geolocation, remote start/stop and lock/unlock capabilities at the tap of a smartphone screen. It has been installed in tens of thousands of vehicles either under the MyCar brand or other brand names including Carlink, Linkr, Visions MyCar, and MyCar Kia.
Vulnerability: The app uses hard-coded admin credentials to communicate with the server endpoint, enabling access to users’ accounts without requiring authorization by username and password.
Attack: Certain versions of the MyCar Control app were found to be accessible by unauthenticated attackers who could then send commands, retrieve geolocation data and gain access to vehicles.
Attack type: API abuse.
Background: The Domino’s Pizza app enables customers to place – and pay for - their order from their smartphones.
Vulnerability: A bug in the app’s API meant that payments were being processed via a payment gateway client side, rather than server side.
Attack: Thanks to the exposed payment approval process, tech-savvy ‘customers’ were able to fix the system so that it accepted invalid payments, providing them with free pizza.
Pass the Pepper
Attack type: Theft
Background: Pepper Pay, Bank Leumi’s online offering, provides mobile banking and a range of fee-free banking activities.
Vulnerability: When a transaction is performed via the app, no indication is given when a stolen card is being used. A full day (or up to 48 hours on weekends) can pass between the time the app transaction is made and the time the funds are deposited in the recipient’s account.
Attack: Thieves offering to buy bitcoin from sellers arranged for payment through a Pepper account that they managed to link to a stolen credit card. By the time the transaction has been identified as fraudulent and the transfer of funds has been cancelled, the bitcoin transfer to the thief had already gone through.
These three examples just scratch the surface of the potential risks that unsecured APIs can expose businesses to, but they do go some way to illustrate the importance of taking the necessary precautionary steps to prevent, mitigate and avert attacks by hackers.
A full security solution
General purpose application security solutions alone are not sufficient to effectively protect web APIs. ImVision Technologies’ unique NLP-based API Anomaly Management Platform (AMP) offers full security at scale, helping CISOs control their APIs, removing blind spots in codes, and identifying, analyzing and mitigating breaches and potential threats.
The bottom line
In short, APIs are a fantastic tool that can create great value for enterprises in terms of interoperation, speed and efficiency. However, to ensure that the benefits outweigh the risks, CISOs must prioritize API security and make sure they are well equipped to effectively disarm this threat.