Why APIs are Critical to Agile Development, The Security Gaps and Vulnerabilities That They Can
Offer Bad Actors, and What Should Be Done.
APIs can introduce security problems that make it much easier for bad actors to attack enterprises by exploiting common mistakes routinely made during app development. That’s why APIs – which simplify data sharing, system connectivity, delivery of new features, etc. – are increasingly a preferred conduit for cyber-attacks. Matt Keil, Director of Product Marketing with Cequence Security, looks at API security and the launch of API Sentinel.
By Matt Keil
APIs are used more heavily than ever before – mobile and IoT devices, the adoption of containers, and the move to decentralized or agile development are the driving forces behind the explosion in API usage. The challenge organizations have is they do not know how many APIs they have, so visibility into their API footprint in the form of inventory, usage, risk, and specification conformance is the problem we are solving.
- How does a company typically find out if & when its APIs are under attack?
API attacks come in many forms – automated attacks like Account Takeover, Fake account creation, and scraping are executed regularly against APIs today. They are discovered when users find their loyalty points stolen, or they are notified of suspicious activity. These attacks are prevented today by Bot Defense. APIs can also expose too much information when a request is made, or they can inadvertently grant users with elevated privileges (like an Admin), or they expose API keys that grant access. Organizations will often discover these types of attacks the hard way – when they are breached. By analyzing the APIs as they are published to discover these errors, API Sentinel can help eliminate the risks.
- What are developers in hyperconnected enterprises now doing typically to deliver secure APIs? Where does this approach fall short?
This is history repeating itself. We see vulnerabilities exposing data in commonly used apps still today. And we are seeing similar patterns of data exposure in APIs. All developers want to deliver secure code. They always have. But they are human. Errors are made in interpreting the application design; QA tests are missed; specifications not followed, or the API is published outside of the normal process.
- What if anything is being done to proactively eliminate vulnerabilities before publication and production of hyperconnected apps APIs? Is the gap between DevOps and security mainly a communications problem? A timing problem? A process problem? A budget or leadership problem?
Organizations that are actively adopting modern applications are moving to dispel the notion that is an us (security) vs. them (dev) – oftentimes by reorganizing teams that combine the two disciplines. All developers want to deliver secure code. They always have. But they are human. Errors are made in interpreting the application design; QA tests are missed; specifications not followed, or the API is published outside of the normal process. We see API Sentinel is also going to help customers eliminate the security risks associated with these types of errors.
- Many organizations were forced to rapidly adapt to online business due to COVID-19. Is this an example of the new pace of business & how does API Sentinel play into that?
The Covid-19 response by organizations is an extreme case but yes, it is an example of what we are seeing in organizations today. Containers, decentralized, agile development methodologies are all designed to help orgs move more quickly. API Sentinel will help these organizations protect their existing APIs from data loss, fraud, or abuse by identifying errors that can then be addressed by development. In pre-production, API Sentinel can act as a final security validation outside of the QA cycle discovering potential areas of risk that can be addressed before “go live”.
- When you discuss API conformance with the OpenAPI initiative, what specifically does that entail?
OpenAPI is a specification framework that defines how an API should be used. Organizations will write their APIs to adhere to the OpenAPI framework with the goal being to deliver consistent and secure code.
- How do current solutions compare?
The API Security market is very fragmented – ask 10 people what it is, you will get 10 answers. In our initial release, what we do differently is we combine inventory, usage, conformance, and risk into a single offering.
When deployed in conjunction with the other pillars of our platform, Bot Defense and App Firewall, we are delivering the first API security product on the market that unifies visibility, spec conformance, bot, and vulnerability exploit prevention into a single platform. On its own, API Sentinel provides security teams with unmatched visibility into the API footprint and the associated risks.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.