We interviewed Colin Tankard, managing director of cyber security and data encryption company Digital Pathways, pictured, in our July print edition. Here he writes about APIs as the new threat.
Application programming interfaces (APIs) have become a must-have option for many organizations, with enterprise developers relying heavily on them to support the delivery of new products and services. This is no surprise, as APIs allow developers to integrate functionality from externally provided services, rather than having to build these functions themselves.
While the interconnections offered by APIs have existed since the first programs were written, the landscape is changing, especially with the rapid growth of mobile applications. Even old applications now have APIs written for them to extend their lifecycles; without them they would become redundant, because rewriting an old application to work with new processes would be too expensive.
However, with the growth of APIs comes the potential for more security holes, meaning developers must understand the risk to keep corporate and customer information safe. The challenges start with developers’ priority lists, which are usually driven by functionality and style rather than by areas like security, which is seen as a speed bump in the design. Companies rely on their APIs to build applications that drive innovation and revenue, so there’s no room for delay in deployment. Yet many reports indicate that projects have had to delay new application deployments because of API security concerns.
In addition, the increasing regulatory focus on the leakage of sensitive data is hurting profitability, and the public is taking notice. Poor API design and security practices are often at the root of leaks of sensitive personal data. Consider the Experian breach, where a flaw was exploited in an API designed to assess a person’s creditworthiness. The API was found to leak data because of the information it relied on to identify the caller and the private data it returned in the response. Credit information returned by Experian’s API included Fair Isaac Corporation (FICO) scores and risk factors that affect an individual’s credit history, such as balance-to-credit ratio, number of accounts, and length of time accounts have been open. This information was not meant to be shared outside Experian, and the incident is an example of how an API can be used to extract more information than it should return.
Gartner covers API security in “Forecast 2022: APIs Require Improved Security and Management,” which outlines the risks and predicts that APIs will be the most popular target for exploitation in 2022.
This report contains the latest key trends and insights on what security and engineering leaders can do to proactively secure APIs. Gartner recommends that software engineering leaders responsible for API technologies:
“Discover and manage all APIs by investing in discovery, cataloging and automatic validation, and by using an adaptive management approach to manage a wide range of use cases and API types.”
“Improve your API security posture by developing a security strategy for threat protection, API security testing, and API access control that leverages newer approaches and vendor solutions.”
“Improve architecture resiliency by proactively managing API consumption, that is, the use of internal and third-party APIs.”
Whether you realize it or not, APIs are everywhere and constantly exchange highly sensitive data, making them a rich target for attackers. This explains the significant increase in attacks targeting APIs in recent years.
Attackers have moved beyond well-known methods such as cross-site scripting (XSS) and SQL injection (SQLi) to focus on finding vulnerabilities unique to each API. Traditional solutions such as web application firewalls (WAFs), which depend on signatures and known attack patterns, cannot detect or prevent these new attacks targeting the unique nature of APIs. Because they validate transactions one at a time and cannot correlate activity over time, they cannot detect the patient, intelligent behaviour of a bad actor probing for a flaw in the business logic of a company’s API.
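To show what a one-transaction-at-a-time filter misses, here is an added example (not from the article or from Digital Pathways) that correlates requests per client over a constructed access log: each line is a well-formed request on its own, but together they reveal a client enumerating account IDs and collecting mostly 403/404 responses. The log format, thresholds and IP addresses are assumptions made for the example.

```python
from collections import defaultdict

# Constructed access-log lines (timestamp client method path status). Every line is a
# well-formed request, so a signature-based, per-transaction filter passes all of them.
SAMPLE_LOG = """\
2024-05-01T10:00:00 203.0.113.7 GET /api/accounts/1001 200
2024-05-01T10:00:01 203.0.113.7 GET /api/accounts/1002 403
2024-05-01T10:00:01 203.0.113.7 GET /api/accounts/1003 403
2024-05-01T10:00:02 203.0.113.7 GET /api/accounts/1004 404
2024-05-01T10:00:02 203.0.113.7 GET /api/accounts/1005 403
2024-05-01T10:00:03 203.0.113.7 GET /api/accounts/1006 403
2024-05-01T10:00:03 203.0.113.7 GET /api/accounts/1007 404
2024-05-01T10:00:04 203.0.113.7 GET /api/accounts/1008 403
2024-05-01T10:00:05 198.51.100.5 GET /api/accounts/2001 200
2024-05-01T10:00:09 198.51.100.5 POST /api/orders 201
2024-05-01T10:00:15 198.51.100.5 GET /api/orders/55 200
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, client, method, path, status)."""
    ts, client, method, path, status = line.split()
    return ts, client, method, path, int(status)


def correlate(log, min_ids=5, max_err_ratio=0.5, min_requests=4):
    """Per-client correlation across requests: flags a client that walks through many distinct
    object IDs under one collection (enumeration) or whose error ratio shows it is probing."""
    per_client = defaultdict(list)
    for line in log.splitlines():
        if line.strip():
            event = parse_line(line)
            per_client[event[1]].append(event)
    alerts = {}
    for client, events in per_client.items():
        ids = defaultdict(set)  # collection prefix -> distinct numeric object IDs requested
        for _, _, _, path, _ in events:
            collection, _, obj = path.rpartition("/")
            if obj.isdigit():
                ids[collection].add(obj)
        reasons = [f"enumerated {len(s)} ids under {c}" for c, s in ids.items() if len(s) >= min_ids]
        errors = sum(1 for e in events if e[4] >= 400)
        if len(events) >= min_requests and errors / len(events) > max_err_ratio:
            reasons.append(f"error ratio {errors}/{len(events)}")
        if reasons:
            alerts[client] = reasons
    return alerts
```

Thresholds are deliberately simple; a production detector would use a sliding time window and per-endpoint baselines.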
There are many tools and solutions for API testing, but the starting points are:
Parameter tampering test
Parameter tampering is often done through hidden form fields. You can test for hidden fields using the browser’s element inspector. If you find a hidden field, experiment with different values and see how your API reacts.
Command injection test
To test whether your API is vulnerable to command injection attacks, try injecting operating system commands into API inputs. Use operating system commands appropriate for the operating system running your API server.
API input fuzzing test
Fuzzing means feeding random data to the API until a functional or security problem shows up. Look for signs that the API has returned an error, mishandled the input, or crashed.
HTTP method test
Web applications that communicate via APIs can use different HTTP methods. It’s easy to check which HTTP methods the server honours by making a HEAD request to an API endpoint that requires authentication. Try all the common HTTP methods: POST, GET, PUT, PATCH, DELETE, and so on. If the server responds to an HTTP method the API was not designed to support, that is a security weakness in the API.
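The four checks above, applied to a deliberately hardened handler, as an added example that is not from the article or from Digital Pathways: the handler allowlists HTTP methods per route, authenticates HEAD exactly like GET, takes prices from a server-side table rather than a client-supplied (hidden) field, and builds a ping command as an argv list from a strictly validated hostname. `probe()` runs the article’s tests against it and reports a finding only when a weakness is present. Routes, token, catalogue and thresholds are constructed for the example.

```python
import random
import re

CATALOGUE = {"sku-100": 1999, "sku-200": 4999}  # constructed; the only price source is server-side
VALID_TOKEN = "Bearer example-token"  # constructed; a real API would validate a signed token
# Per-route method allowlist: any other verb gets 405 before auth or route logic runs.
ROUTES = {"/orders": {"POST"}, "/ping": {"GET", "HEAD"}}
# Host must start alphanumeric so it can never be parsed as a ping option such as "-c".
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")

def build_ping_argv(host):
    """Return an argv list for ping; the host is validated and never goes through a shell."""
    if not isinstance(host, str) or not HOSTNAME_RE.fullmatch(host):
        raise ValueError("invalid host")
    return ["ping", "-c", "1", host]

def handle_request(method, path, params, headers):
    allowed = ROUTES.get(path)
    if allowed is None:
        return 404, {"error": "not found"}
    if method not in allowed:
        return 405, {"error": "method not allowed", "allow": sorted(allowed)}
    if headers.get("Authorization") != VALID_TOKEN:  # identical check for HEAD, GET and POST
        return 401, {"error": "unauthorized"}
    if path == "/orders":
        sku = params.get("sku")
        if sku not in CATALOGUE:
            return 400, {"error": "unknown sku"}
        return 201, {"sku": sku, "price": CATALOGUE[sku]}  # a client-sent "price" is ignored
    try:
        return 200, {"argv": build_ping_argv(params.get("host"))}
    except ValueError:
        return 400, {"error": "invalid host"}

def probe(handler, seed=1):
    """Run the article's four checks against a handler; True means a weakness was found."""
    ok = {"Authorization": VALID_TOKEN}
    findings = {
        "verb_tampering": handler("HEAD", "/ping", {}, {})[0] == 200,
        "param_tampering": handler("POST", "/orders", {"sku": "sku-100", "price": 1}, ok)[1].get("price") == 1,
        "command_injection": handler("GET", "/ping", {"host": "example.com; id"}, ok)[0] == 200,
    }
    rnd, crashed = random.Random(seed), False
    for _ in range(200):  # input fuzzing: every junk input must get an answer, never an exception
        junk = "".join(chr(rnd.randrange(128)) for _ in range(rnd.randrange(41)))
        try:
            handler(rnd.choice(["GET", "POST", "PUT"]), "/ping", {"host": junk}, ok)
        except Exception:
            crashed = True
    return {**findings, "fuzz_crash": crashed}
```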
APIs are incredibly powerful tools that can help an organization achieve its business goals and integrate better with customers, suppliers, and business partners. However, faced with ever-changing application development methods and the pressure to innovate, some organizations have not fully understood the risks of exposing their APIs to the public. Regardless of how many APIs are shared publicly, security must never be forgotten, and it is the job of security and governance leaders to ensure that development and network teams establish strong security policies upstream and manage them proactively over time, for every development.