Almost all applications use an application programming interface (API). From a security perspective, however, APIs also present common issues. Gartner has predicted that API abuse will be the most common type of attack seen in 2022. So what exactly are the issues facing APIs, and what can data security advocates do about them?
Common API risks
In 2019, OWASP named 10 web application data security risks to watch out for. These include:
- Data exposure: This type of threat arises when developers expose all the properties of their objects without considering how sensitive each of those elements may be, leaving it to the client to filter the data before showing anything to a user.
- Bad security configurations: These data security weaknesses take various forms, including misconfigured HTTP headers, error messages containing sensitive information, and exposed cloud storage. Often, they are the product of insecure default configurations.
- Injection: In this case, untrusted data is sent to an interpreter as part of a command or query. Attackers can use these types of vulnerabilities to trick an interpreter into executing malicious code or commands that involve sensitive data.
- Insufficient logging and monitoring: Both of these data security risks give attackers opportunities to hide in a victim's network without being noticed. From there, threat actors can expand their foothold, move to business-critical assets, and exfiltrate data.
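The data exposure risk above is easiest to see in code. The following is an added example, not code from the article or from OWASP: a profile endpoint that serializes a whole stored user record (and trusts the client to hide the sensitive parts) next to a hardened version that applies a server-side allowlist, plus a check that a test suite can run against the response. The user record, field names and placeholder values are constructed for the example.

```python
import json

# Constructed sample record, shaped like a row a user-profile endpoint might load.
# The hash and SSN are placeholders, not real values.
USER_RECORD = {
    "id": 42,
    "username": "alice",
    "email": "alice@example.com",
    "password_hash": "$2b$12$placeholder-not-a-real-hash",
    "ssn": "000-00-0000",
    "is_admin": False,
}

# Properties a public profile endpoint is allowed to return (assumed policy).
PUBLIC_PROFILE_FIELDS = ("id", "username")

# Properties that must never appear in a public response (assumed policy).
SENSITIVE_FIELDS = ("password_hash", "ssn", "is_admin")


def get_profile_vulnerable(record):
    """Excessive data exposure: the entire object is serialized and the
    client is expected to filter it before showing anything to a user."""
    return json.dumps(record)


def get_profile_hardened(record, allowed=PUBLIC_PROFILE_FIELDS):
    """Server-side response shaping: only allowlisted properties leave the
    server, so correctness no longer depends on the client filtering."""
    return json.dumps({k: record[k] for k in allowed if k in record})


def leaked_fields(response_json, sensitive=SENSITIVE_FIELDS):
    """Return the sensitive properties present in an endpoint's JSON body.
    An API test can assert this is empty for every public endpoint."""
    body = json.loads(response_json)
    return sorted(k for k in sensitive if k in body)


if __name__ == "__main__":
    print(leaked_fields(get_profile_vulnerable(USER_RECORD)))  # ['is_admin', 'password_hash', 'ssn']
    print(leaked_fields(get_profile_hardened(USER_RECORD)))    # []
```

The same `leaked_fields` check can be pointed at recorded responses from a staging environment to catch an endpoint that starts returning a newly added sensitive column.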
The Effects of Data Security Risks on Businesses
API issues don't just hold back companies' plans to roll out new applications. They also cost time and resources when an attack occurs.
A lot of that happened in 2020. As Salt Security noted, 91% of respondents' employers experienced at least one API issue during the year. Of these respondents, more than half (56%) had more than 55 API data security incidents per month during this period, and 22% handled up to 200 attacks per month.
The start of a new year didn’t end these API problems either. Here are several API incidents that made headlines in the first six months of 2021:
- In February, researchers found that all 30 healthcare apps they studied were exposed to API attacks. They also learned that the apps exposed 23 million users to potential threats.
- An API tool used by one of the major credit bureaus exposed the credit scores of almost all Americans. The tool allowed someone to perform a credit check through the credit bureau using only public information.
- Another API issue involved a popular stationary bike maker. A researcher found that they could send unauthenticated requests to the company’s API for user account data. This weakness allowed the researcher to access information from other bicycle owners.
How to improve API data security
The cases discussed above highlight the need for businesses and agencies to secure their APIs going forward. One way to do this is to always use SSL and TLS certificates. Using valid certificates with APIs protects data exchanges with encryption, which helps defenders protect applications from man-in-the-middle attacks aimed at exposing user information.
Next, optimize the firewalls. These are essential for controlling the flow of information that APIs enable. Revoke any data security rules that are more permissive than the application needs. This will likely require first examining firewall rules and network objects to learn how the API is actually used by the specific company or agency.
Finally, businesses and agencies should implement proper authentication and authorization of their customers. They may consider using protocols that limit the access third-party applications can get to an API. This helps keep too many parties from accessing and sharing too much data.
Don’t forget your APIs
Security models for APIs have not kept up with modern networks that are increasingly borderless. These frameworks have failed to discover vulnerabilities involving their APIs. As a result, API breaches like the ones described above are becoming more and more common.
By keeping an eye on APIs, businesses and agencies can begin to formalize their API data security efforts. By doing so, they can stay abreast of a threat landscape that is evolving into more and more API attacks.