Why API Security Is Important
The internet has become a staple in the way we live and work. We rely on web-based applications to do everything from checking the weather to filing our taxes.
Many companies do not manage web API security themselves: they consume REST APIs from third-party API providers rather than develop their own software and the API-security-specific infrastructure around it.
Many managers are unsure what API security entails. Protecting a company from common API security risks requires specific skills, and many business owners have no reporting overview of their API security posture.
Businesses depend on specific API resources, accessed with an API key, that are built and operated by third parties who do the API development.
There should be continuous API monitoring and reporting to ensure that API security requirements are met and that no deprecated API versions remain in use in company software.
API Security Risks
Some common security vulnerabilities in web APIs include:
- Sensitive data leakage: This occurs when sensitive data, such as passwords or credit card numbers, is inadvertently exposed in API responses, error messages, or logs.
- Insecure API endpoints: API endpoints that are not properly authenticated and authorized can be used by attackers to read or modify data, or to launch denial of service attacks.
- Insufficient rate limiting: Rate limiting controls how many requests a client may make to an API in a given period. If an API does not enforce it, a single client can overwhelm the service with requests, leading to denial of service.
- Lack of input validation: Input that reaches a database query or a rendered page unchecked can lead to injection vulnerabilities such as SQL injection and cross-site scripting.
API Security checklist & Practices
By following a few simple security best practices, web API developers can help to keep their APIs safe from attack. Some of these best practices include:
- Using HTTPS: HTTPS encrypts the communication between a client (a browser or an API consumer) and the server. By serving the API only over HTTPS, developers prevent API keys, tokens, and data from being intercepted in transit.
- Authenticating and authorizing users: Every request should be authenticated, and the caller's permission to access the specific resource should be checked, before any API resource is served.
- Validating input: All input should be validated (type, length, format) before it is processed, and database queries should bind it as parameters rather than concatenate it. This prevents injection vulnerabilities such as SQL injection and cross-site scripting.
- Rate-limiting requests: Rate limiting caps how many requests a client can make in a given period. Enforcing it per client (for example per API key) protects against denial of service and against brute-force attempts against authentication endpoints.
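The checklist above, applied in one request path as an added example (this is illustrative code written for this page, not code from the article, from Wib, or from any framework). It assumes a tiny framework-free handler, an in-memory SQLite table, and constructed sample API keys; the HTTPS step is a deployment concern (terminate TLS at the server or reverse proxy) and is not shown. The block also keeps a deliberately unsafe lookup next to the hardened one so the SQL injection the text mentions can be seen failing against the safe version.

```python
"""Added example: authenticate, rate-limit, validate, and query safely.
Names, keys, and the users table are assumptions made for this illustration."""
import hashlib
import hmac
import re
import sqlite3
import time

# Constructed sample data: store only hashes of API keys, never the keys themselves.
_API_KEY_HASHES = {
    hashlib.sha256(b"demo-key-alice").hexdigest(): "alice",
}

RATE_LIMIT = 5          # requests per window, per client
WINDOW_SECONDS = 60.0
_buckets = {}           # client -> (tokens remaining, last refill time)

# Shape of an acceptable username; anything else is rejected before it is used.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def authenticate(api_key):
    """Return the client id for a valid key, or None. Constant-time comparison."""
    digest = hashlib.sha256(api_key.encode()).hexdigest()
    for stored, client in _API_KEY_HASHES.items():
        if hmac.compare_digest(stored, digest):
            return client
    return None


def allow_request(client, now=None):
    """Token bucket: RATE_LIMIT tokens refill evenly over WINDOW_SECONDS."""
    now = time.monotonic() if now is None else now
    tokens, last = _buckets.get(client, (RATE_LIMIT, now))
    tokens = min(RATE_LIMIT, tokens + max(0.0, now - last) * RATE_LIMIT / WINDOW_SECONDS)
    allowed = tokens >= 1
    _buckets[client] = (tokens - 1 if allowed else tokens, now)
    return allowed


def _make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn


DB = _make_db()


def lookup_vulnerable(name):
    """Deliberately unsafe: the caller's input is spliced into the SQL text."""
    rows = DB.execute(f"SELECT name FROM users WHERE name = '{name}'").fetchall()
    return [r[0] for r in rows]


def lookup_safe(name):
    """Validate the input's shape first, then bind it as a query parameter."""
    if not USERNAME_RE.fullmatch(name):
        raise ValueError("invalid username")
    rows = DB.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()
    return [r[0] for r in rows]


def handle_request(headers, params, now=None):
    """Order matters: authenticate, then rate-limit per client, then validate input."""
    client = authenticate(headers.get("X-API-Key", ""))
    if client is None:
        return 401, {"error": "unauthenticated"}
    if not allow_request(client, now):
        return 429, {"error": "rate limited"}
    try:
        users = lookup_safe(params.get("name", ""))
    except ValueError as exc:
        # Return a generic message; never echo database errors to the caller.
        return 400, {"error": str(exc)}
    # Return only the fields the caller needs (no emails, hashes, or keys).
    return 200, {"users": users}


if __name__ == "__main__":
    print(lookup_vulnerable("' OR '1'='1"))                   # injection succeeds
    print(handle_request({"X-API-Key": "demo-key-alice"},
                         {"name": "' OR '1'='1"}))           # rejected with 400
```

The rate limiter is keyed on the authenticated client rather than on the source IP, so a caller cannot reset their budget by changing addresses, and the unauthenticated path returns before any token is consumed.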
Consistently applying these API security practices across a web services estate is difficult. A company should have an overview of its REST API security, its API management layer, and its API traffic.
The good news is that an Israeli cybersecurity start-up called Wib is launching a platform that aims to deliver visibility and control across the entire API ecosystem, including API security testing.
APIs are the most vulnerable point in cybersecurity
According to Gil Don, CEO, and co-founder of Wib, APIs have rapidly risen to the status of the most vulnerable point in cyber security and the most common entry point for cyberattacks.
Don says that APIs account for 91% of all internet traffic today and that enterprise IT and security teams know about only 50% of that traffic.
Undiscovered, unmanaged, and insecure APIs generate significant blind spots for chief information officers (CIOs), exposing crucial business logic vulnerabilities and raising the risk level.
Web application firewalls (WAFs) and API gateways were never designed to protect against business-logic vulnerabilities like those seen in APIs today.
The Wib platform has been designed from the ground up to operate in an API-driven environment, establishing a new subcategory of API-native security.
Wib’s goal is to address the information-gathering requirements of CIOs, CISOs, and other IT leaders by providing them with an all-encompassing view of their API landscape.
Wib is creating a solution that will provide real-time inspection, management, and control throughout the entire API lifecycle.
The solution provided by Wib will automate API inventory and change management, detect rogue, zombie, and shadow APIs, and analyse business risk and impact.
The Dangers of Rogue APIs
Rogue APIs can wreak havoc on an organization. By definition, a rogue API is an API that is not authorized by the company that owns the data or the resources the API exposes. While some rogue APIs may be created with good intentions, others may be created with malicious intent. Either way, they can pose a serious security risk.
For example, in 2017 Strava, a fitness tracking app, released a global heatmap built from the location data of every user who had opted to share it.
The heatmap revealed the locations and movement patterns of military personnel, among other sensitive information. After the heatmap was released, Strava was forced to change how its data was exposed to prevent further leaks.
What are Rogue APIs and Why are they a Threat to Organizations?
Rogue APIs can pose a serious security risk to organizations. They can leak data, expose vulnerabilities, and allow attackers to gain access to resources they should not have access to. Organizations should carefully monitor their APIs to ensure that only authorized APIs are being used.
What are Zombie APIs?
Zombie APIs are APIs that were created without the approval of the organization that owns the data and that are no longer maintained, yet remain reachable.
What are Shadow APIs?
Shadow APIs are APIs created without the approval of the organization that owns the data and used by unauthorized third-party developers.
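One concrete way to do the monitoring the section above calls for (and the check for deprecated versions still in use mentioned earlier) is to build an observed inventory from access logs and diff it against the documented one. The block below is an added example written for this page, not code from the article or from Wib. It assumes constructed access-log lines in the common "combined" format, a hand-written documented inventory (in practice taken from the OpenAPI spec or the API gateway), and the operational reading of "zombie" as a retired route that still receives traffic; any route seen in traffic but absent from both lists is reported as shadow.

```python
"""Added example: detect shadow and zombie API routes from access logs.
Log lines, routes, and the inventory below are constructed for illustration."""
import re
from collections import Counter

# Constructed sample access log (combined format). Note the undocumented
# export route, the retired v1 route, and an internal debug endpoint.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Mar/2023:10:00:01 +0000] "GET /api/v2/users/1042 HTTP/1.1" 200 512 "-" "mobile-app/4.1"
10.0.0.5 - - [03/Mar/2023:10:00:02 +0000] "POST /api/v2/orders HTTP/1.1" 201 88 "-" "mobile-app/4.1"
10.0.0.9 - - [03/Mar/2023:10:00:03 +0000] "GET /api/v1/users/77 HTTP/1.1" 200 490 "-" "legacy-partner/1.0"
10.0.0.9 - - [03/Mar/2023:10:00:04 +0000] "GET /api/v1/users/78/export?all=1 HTTP/1.1" 200 20480 "-" "legacy-partner/1.0"
172.16.4.2 - - [03/Mar/2023:10:00:05 +0000] "GET /internal/debug/dump HTTP/1.1" 200 9981 "-" "curl/7.88"
10.0.0.5 - - [03/Mar/2023:10:00:06 +0000] "GET /api/v2/users/1043 HTTP/1.1" 200 512 "-" "mobile-app/4.1"
"""

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')
ID_SEGMENT = re.compile(r"^\d+$")

# Constructed inventory: what the spec says exists, and what was retired.
DOCUMENTED = {("GET", "/api/v2/users/{id}"), ("POST", "/api/v2/orders")}
DEPRECATED = {("GET", "/api/v1/users/{id}")}


def normalize(path):
    """Drop the query string and collapse numeric path segments to {id}."""
    path = path.split("?", 1)[0]
    return "/".join("{id}" if ID_SEGMENT.match(p) else p for p in path.split("/"))


def observed_routes(log_text):
    """Count requests per (method, normalized route) seen in the log."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            counts[(m.group("method"), normalize(m.group("path")))] += 1
    return counts


def classify(observed, documented=DOCUMENTED, deprecated=DEPRECATED):
    """Label each observed route as documented, zombie, or shadow."""
    labels = {}
    for route in observed:
        if route in documented:
            labels[route] = "documented"
        elif route in deprecated:
            labels[route] = "zombie"
        else:
            labels[route] = "shadow"
    return labels


def report(log_text=SAMPLE_LOG):
    """Return {label: [(method, route, hits), ...]} sorted for stable review."""
    observed = observed_routes(log_text)
    labels = classify(observed)
    out = {"shadow": [], "zombie": [], "documented": []}
    for (method, route), label in labels.items():
        out[label].append((method, route, observed[(method, route)]))
    for entries in out.values():
        entries.sort()
    return out


if __name__ == "__main__":
    for label, entries in report().items():
        for method, route, hits in entries:
            print(f"{label:10} {method} {route} ({hits} hits)")
```

Run against a day of gateway logs, the shadow list is the first thing to walk through with the owning teams, and the zombie list shows which deprecated versions still have callers that must be migrated before the old version can be shut off.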
These are the types of issues and security threats that Wib hopes to address in the ecosystem of the API landscape.
Why You Should Choose Your APIs Carefully
Wib’s findings highlight the need for increased prudence when selecting APIs. The internet is rife with free, open-source APIs, but it’s crucial to consider the security dangers involved and only utilize reliable providers of curated APIs like APILayer unless you take extra precautions.