API Security, Part 1: The Challenge

As the world becomes more connected, robust network security is vital. API protection is an increasingly important requirement — especially for RESTful APIs.

What are RESTful APIs?

An Application Programming Interface (API) is a set of clearly defined methods of communication between various software components. A good API makes it easier to develop a computer program by providing many of its building blocks. The end goal is to provide value by making services available by using the API.

Representational State Transfer (REST) is an architectural style that defines a set of constraints to be used for creating web services. Web services that conform to the REST architectural style, called RESTful web services (RWS), provide interoperability between computer systems on the Internet.

Why API Security Matters

Businesses use APIs to connect services and transfer data. APIs that are broken, exposed, or hacked can expose sensitive medical, financial, and/or personal data. Thus, security is a paramount consideration when designing and developing RESTful and other APIs.

Despite this, we still see frequent news stories about major data breaches. Many of these are the result of APIs that were compromised. Apparently, API security is still not widely practiced. But why?

Why Security is (Often) a Problem

There are multiple reasons why API security is often not what it should be.

Development processes within the organization: When developers work with APIs, they focus on one small set of services. Their goal is to make that feature set as robust as possible. They tend to think inside the box, but hackers think outside the box; they look for ways to use gateways for nefarious purposes.

Rising complexity: In today’s world, network connections are more numerous, and system design has become more complex. APIs often support thousands of possible connections. Meanwhile, programmers are under pressure to deliver new releases ASAP, so mistakes can be made, or important steps in the development and/or testing processes can be missed.

Rapid change: In a DevOps environment, APIs can evolve constantly. Again, security holes can be created.

Top Threats to API Security

Injection Attacks

In an injection attack, malicious code is embedded into unsecured software to stage an attack. The most notable forms are SQL injection and cross-site scripting, but there are others. These can be carried out through an API.

DoS/DDoS Attacks

In a Denial of Service (DoS) or Distributed Denial of Service (DDoS) attack, the attacker creates large volumes of incoming or outgoing connections, or exhausts server or network resources in other ways. A successful attack is capable of making an API non-functional.

Broken Authentication

Attackers can bypass or take control of the authentication methods that a web application is using.

Data Exposure

This can occur when an application is unable to properly secure data: private health information, credit card information, session tokens, passwords, or other sensitive information. If any data is left unencrypted, whether in transit or at rest, then it has the potential of being exposed and compromised.

This is especially a concern for RESTful APIs, for two reasons. First, they are an extremely common form of API. Second, they typically use HTTP as the underlying protocol, which brings its own set of security concerns, because an HTTP exchange can be attacked at several points:

  • A potential attacker has full control over every single bit of an HTTP request or HTTP response.
  • The attacker could be at the client side, or at the server side, where malicious content is created.
  • When the HTTP message is mapped into the application's data.
  • When the data in the backend systems is accessed or modified.

Parameter Tampering

This attack is based on the manipulation of parameters exchanged between client and server. The attacker’s goal is to modify application data, such as user credentials and permissions, price and quantity of products, etc.
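As an added example (not code from the original post), the following Python shows a checkout handler that trusts the client-supplied price and quantity, beside a hardened version that takes the price from a server-side catalogue and validates the request; the catalogue, field names and limits are constructed assumptions.

```python
# Added example, not from the original post. CATALOGUE holds constructed
# sample prices; in a real service they would come from the product database.
CATALOGUE = {"sku-100": 49.99, "sku-200": 9.50}

ALLOWED_FIELDS = {"sku", "quantity"}  # everything else is rejected
MAX_QUANTITY = 100                     # hypothetical business limit


class InvalidRequest(ValueError):
    """Raised when a request fails validation."""


def checkout_vulnerable(body: dict) -> dict:
    """Vulnerable: the total is computed from whatever price the client sent."""
    total = float(body["price"]) * int(body["quantity"])
    return {"sku": body["sku"], "total": round(total, 2)}


def checkout_hardened(body: dict) -> dict:
    """Hardened: price comes from the server, quantity is type- and range-checked."""
    unknown = set(body) - ALLOWED_FIELDS
    if unknown:
        raise InvalidRequest(f"unexpected fields: {sorted(unknown)}")
    sku = body.get("sku")
    if sku not in CATALOGUE:
        raise InvalidRequest("unknown sku")
    quantity = body.get("quantity")
    # type() rather than isinstance() so that a JSON boolean is not accepted as an int
    if type(quantity) is not int or not 1 <= quantity <= MAX_QUANTITY:
        raise InvalidRequest(f"quantity must be an integer between 1 and {MAX_QUANTITY}")
    total = CATALOGUE[sku] * quantity
    return {"sku": sku, "total": round(total, 2)}


if __name__ == "__main__":
    # Constructed tampered request: the client adds its own "price" field.
    tampered = {"sku": "sku-100", "quantity": 2, "price": 0.01}
    print("vulnerable:", checkout_vulnerable(tampered))
    try:
        checkout_hardened(tampered)
    except InvalidRequest as exc:
        print("hardened rejected request:", exc)
    print("hardened:", checkout_hardened({"sku": "sku-100", "quantity": 2}))
```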

Man In The Middle (MITM)

A MITM attack occurs when an attacker secretly alters, intercepts, or relays communications between two interacting systems, capturing the private and confidential data that is passed between them.

Lack of TLS

The absence of Transport Layer Security (TLS) in an API is practically equivalent to handing out open invitations to hackers. Transport layer encryption is one of the most elementary “must-haves” in a secure API, yet we still see organizations using APIs without it.

Why Most Security Solutions Are Inadequate

Ideally, a security solution would compensate for any API vulnerabilities by putting a guardrail around all the APIs, scrubbing incoming network traffic and preventing any vulnerabilities from being exploited.

In practice, this rarely happens.

Most security solutions do not offer complete API protection. Some claim to offer protection, but it is incomplete; it lacks necessary features, such as API schema ingestion, or a client-side SDK for mobile/native apps.

Furthermore, few security solutions are adaptive. (This is especially a problem in fast-moving environments such as DevOps.) Each time an API changes, a typical security solution requires manual tuning and reconfiguring—which not only consumes time and resources, it can be an error-prone process. Thus, security can be compromised.

Addressing These Challenges

In Part 2, we’ll discuss how Reblaze tackles the problems described above.

image credit: Arget
