Application programming interfaces (APIs) have proven to be a great way for businesses to increase the value of their offerings for customers. By making digital assets and services available to broader audiences, APIs have developed into a core business focus, giving rise to the “API economy” that has increasingly become entrenched in the business vernacular.
“A security strategy that manages access and protects systems from attack while still engaging digital ecosystems is essential to any API program. Application leaders must design, execute and govern an effective API security strategy, including the use of API gateways,” write Gartner analysts Jeremy D’Hoinne (VP Analyst) and Dioniso Zumerle and Mark O’Neill (Sr Director Analysts) in the December 2017 report How to Build an Effective API Security Strategy. As this space grows and the number of players increases, so does the number of dangers posed by the adoption of insecure APIs in the enterprise. In fact, the report continues: “By 2022, API abuses will be the most-frequent attack vector resulting in data breaches for enterprise web applications.”
To share an example, in October 2018, Facebook revealed that it was hit with a major breach, affecting over 50 million accounts. The attackers used Facebook developer APIs to gather profile information of impacted individuals, including name, gender and hometown—showing even the biggest players are still vulnerable.
APIs are doors into your data and applications, so taking the time to secure them is just as important as securing web applications.
To secure APIs completely, addressing the needs of security in architecture, DevOps, and production is critical. The inflection points for security assessment in the software development life cycle (SDLC) may vary depending on whether the development team is enabling APIs for legacy applications or building new API-first applications. While the assessment and remediation requirements will mostly remain the same, it’s important for the team to:
- Perform dynamic application security testing (DAST) against the running APIs, and create a plan for remediating or mitigating the vulnerabilities it discovers
- Perform software composition analysis (SCA) and static application security testing (SAST) on the API implementation code within the DevOps process
- Use secure design patterns within the enterprise application architecture. A few examples of secure design patterns include:
  - Auto-encoding templates, which apply output encoding to every interpolated value, to prevent cross-site scripting (XSS)
  - Contextual input validation (allow-listing what each field may contain) to prevent input attacks
  - A synchronizer token, issued per session and checked on every state-changing request, to prevent cross-site request forgery (XSRF)
  - Variable binding (parameterized queries), typically via an object-relational mapper (ORM), to prevent SQL injection (SQLi)
  - A crypto facade, a single wrapper that pins algorithm and parameter choices, to reduce cryptographic vulnerabilities
- Implement a robust feedback loop within the SDLC to act on the findings of the various scans
These steps ensure that APIs have full security coverage, and teams can find and fix vulnerabilities before problems arise.
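To make the secure design patterns above concrete, here is an added example (not code from the original post or from any vendor it mentions) that puts four of them side by side with the unsafe form each one replaces: variable binding versus string-built SQL, contextual input validation, output encoding as an auto-escaping template would do it, and a synchronizer token check, plus a small crypto facade that pins the password-hashing parameters. The function names, the in-memory SQLite table and the sample inputs are all constructed for illustration.

```python
"""Added example: secure design patterns beside the unsafe forms they replace.
Everything here (names, the in-memory table, the inputs) is constructed."""
import hashlib
import hmac
import html
import re
import secrets
import sqlite3


# --- Variable binding: parameterized query vs. string concatenation ----------
def make_db():
    # Constructed in-memory table standing in for an API's backing store.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def lookup_role_unsafe(conn, name):
    # The 'before' form: the caller's string becomes part of the SQL text,
    # so quote characters in it change the statement's meaning.
    rows = conn.execute(f"SELECT role FROM users WHERE name = '{name}'").fetchall()
    return [r[0] for r in rows]


def lookup_role_bound(conn, name):
    # Bound parameter: the value travels separately from the statement and
    # can only ever be compared as data, whatever characters it contains.
    rows = conn.execute("SELECT role FROM users WHERE name = ?", (name,)).fetchall()
    return [r[0] for r in rows]


# --- Contextual input validation (allow-list for this specific field) --------
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")


def validate_username(value):
    # Reject anything outside the allowed shape instead of trying to strip
    # "bad" characters; the rule is specific to what a username may look like.
    if not isinstance(value, str) or not USERNAME_RE.fullmatch(value):
        raise ValueError("invalid username")
    return value


# --- Output encoding, as an auto-escaping template does for every value -----
def render_profile(display_name):
    # html.escape encodes <, >, &, " and ' so the value renders as text,
    # never as markup, in an HTML body or attribute context.
    return f"<p>Hello, {html.escape(display_name, quote=True)}</p>"


# --- Synchronizer token for XSRF protection ---------------------------------
def issue_csrf_token(session):
    # One unpredictable token per session, stored server-side and embedded in
    # forms / sent as a header by the legitimate client.
    token = secrets.token_urlsafe(32)
    session["csrf"] = token
    return token


def check_csrf_token(session, submitted):
    # Constant-time comparison against the stored token; missing or mismatched
    # tokens fail closed.
    expected = session.get("csrf")
    if not expected or not isinstance(submitted, str):
        return False
    return hmac.compare_digest(expected, submitted)


# --- Crypto facade: one entry point that pins algorithm choices --------------
class CryptoFacade:
    """Callers get hash/verify only; they cannot choose a weaker digest or
    iteration count. Parameters are the constructed example's own choice."""
    _ALGO = "sha256"
    _ITERATIONS = 600_000

    @classmethod
    def hash_password(cls, password, salt=None):
        salt = salt or secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac(cls._ALGO, password.encode("utf-8"),
                                     salt, cls._ITERATIONS)
        return salt, digest

    @classmethod
    def verify_password(cls, password, salt, digest):
        _, candidate = cls.hash_password(password, salt)
        return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    conn = make_db()
    probe = "x' OR '1'='1"          # constructed input with a quote in it
    print("unsafe:", lookup_role_unsafe(conn, probe))   # every row comes back
    print("bound: ", lookup_role_bound(conn, probe))    # no such user: []
    print(render_profile("<b>Ann</b>"))
```

The contrast to notice is in the first pair: the same input reaches both lookups, but only the string-built query lets it alter the statement. A DAST scan of the running API would flag the first endpoint; SAST on the source would flag the f-string building SQL before the code ever ships, which is exactly the kind of finding the feedback loop in the last step is meant to route back to the developer.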
You may think that you have a management tool that solves the API security problem, but having one is merely a first step toward achieving API security. API management tools provide security policies that work at the perimeter, but they play no role in securing the business logic that serves up the APIs. The goal is to embed application security (DAST, SAST and SCA) within the software development life cycle as part of the overarching API security strategy, to help you write APIs that are secure from the inside out.
The bottom line? The results of the security assessments become mission critical to development and security stakeholders within the sprint cycle, and these techniques can increase the integrity and adoption of a company’s APIs.