Modern tech stacks are varied and complex. Never before have so many pieces of software had to work together smoothly, and most of these operations are conducted via APIs. As the unsung heroes of the tech world, Application Programming Interfaces (APIs) allow multiple applications to ‘communicate’ with one another, making the end user’s experience more fluid and intuitive. With the growing numbers of APIs swirling throughout each organization, many are overlooking the vital importance of a sound API security strategy.
Why APIs Are Everywhere
APIs connect apps with external services. The last word of the acronym – ‘interface’ – refers to the connected surfaces of two different pieces of software. Highly adaptable, APIs act like building blocks within application development, allowing developers to drastically reduce the time to market of their new software.
To lend some context to the sheer ubiquity of APIs, consider a ride-share app. As an end user, you would first need to create an account and log in. Then, all within the app, you would want to see a map of your route, find a suitable driver, and pay for the ride.
It is highly likely that the app uses APIs for every one of these steps. For example, one API may be in charge of verifying the phone number you provided at sign-up. Once you have chosen a route and a driver, the distance of the route is calculated by another API, perhaps using Google Maps data. Once the driver arrives at the pickup location, an SMS API alerts you to the driver's location. Finally, when it is time to pay, your payment is likely processed through a payment API such as Stripe.
Overall, APIs offer a wealth of ways in which companies can solve problems and empower both users and employees.
API Security Is a Growing Problem
Around half of all businesses make use of between 50 and 100 APIs, although larger organizations may rely on thousands, scattered throughout internal and public applications alike. As digital transformation projects grow in scope and number, APIs are only becoming more prevalent.
Unfortunately, security has already begun to lag behind. Traditional cybersecurity has focused largely on the application itself, with AppSec neatly dividing attack vectors along the boundaries of each app. However, as APIs have enabled a tech stack that is more interconnected than ever, it is becoming increasingly urgent to distinguish an app's own vulnerabilities from those of the APIs it depends on.
Vulnerable APIs currently account directly for over 7% of cyberattacks. Within the IT sector, APIs are even more dangerous, making up to 23% of all attack vectors. APIs have already featured in multiple high-profile attacks; the 2021 LinkedIn breach is one such example.
The LinkedIn Breach
LinkedIn is the largest professional social media site on the planet, with just over 800 million users. The precise API and its particular flaws have not been made public, but in 2021 an attacker, dubbed Tom Liner, discovered an API vulnerability that allowed him to make an unlimited number of data requests. Nothing flagged or throttled this activity, so Liner was able to scrape the personal information of 700 million users. The breached information included email addresses, phone numbers, inferred salaries, and locations. He then carried out the same API attack against Facebook, building another database of 533 million Facebook users.
This was a massive data scraping campaign conducted over several months. It is understood that, as a consequence of this attack, the contact databases of scammers and phishers will be swollen by the details of 90% of LinkedIn's user base. Liner has stated that each set of credentials is selling for roughly $5000.
Neither LinkedIn nor Facebook is willing to recognize these large-scale scraping campaigns as data breaches. This is despite the fact that Tom Liner explicitly stated that he was selling this personally identifiable information to malicious actors.
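The failure described above is that nothing flagged or throttled an unbounded stream of profile requests. The following added example, which is not part of the original article, shows the kind of detection a defender can run over API gateway logs: it flags an API key that reads more profiles within a sliding window than an assumed cap, or that walks profile ids sequentially. The log format, paths, thresholds and sample lines are all constructed assumptions.

```python
# Added example, not from the original article: flag API keys whose profile reads
# look like bulk scraping. Log format, thresholds and sample lines are constructed.
from collections import defaultdict
import re

SAMPLE_LOG = """\
1000 key-A GET /v1/profiles/101 200
1001 key-A GET /v1/profiles/102 200
1002 key-A GET /v1/profiles/103 200
1003 key-A GET /v1/profiles/104 200
1004 key-A GET /v1/profiles/105 200
1000 key-B GET /v1/profiles/777 200
1030 key-B GET /v1/search?q=alice 200
1090 key-B GET /v1/profiles/42 200
"""
LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+) (\d{3})$")
PROFILE_RE = re.compile(r"^/v1/profiles/(\d+)$")
WINDOW_SECONDS = 60   # assumed sliding window
MAX_PER_WINDOW = 4    # assumed cap on successful profile reads per window
MIN_SEQUENTIAL = 4    # assumed: this many consecutive ids => enumeration

def parse(log_text):
    """Parse '<ts> <api-key> <method> <path> <status>' lines; skip malformed ones."""
    rows = [LINE_RE.match(line) for line in log_text.splitlines()]
    return [(int(m[1]), m[2], m[3], m[4], int(m[5])) for m in rows if m]

def find_scrapers(events):
    """Return {api_key: [reasons]} for keys whose profile reads look scripted."""
    per_key = defaultdict(list)
    for ts, key, _method, path, status in events:
        m = PROFILE_RE.match(path)
        if m and status == 200:          # only successful profile reads count
            per_key[key].append((ts, int(m.group(1))))
    flagged = {}
    for key, hits in per_key.items():
        hits.sort()
        reasons, start, run, best = [], 0, 1, 1
        for i, (ts, _pid) in enumerate(hits):
            while hits[start][0] <= ts - WINDOW_SECONDS:   # drop reads outside window
                start += 1
            if i - start + 1 > MAX_PER_WINDOW and "rate" not in reasons:
                reasons.append("rate")
        for (_, a), (_, b) in zip(hits, hits[1:]):       # longest run of id+1 steps
            run = run + 1 if b == a + 1 else 1
            best = max(best, run)
        if best >= MIN_SEQUENTIAL:
            reasons.append("enumeration")
        if reasons:
            flagged[key] = reasons
    return flagged
```

In production the same two signals would feed a rate limiter at the gateway and an alert on the key, rather than only a report.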
How to Prevent API Blindness
The fact is that many companies are completely blind to the vulnerability risks inherent to APIs. Recent research found that 92% of interviewed organizations believe that they had completely adequate API protection in place. Whilst this statistic appears promising on the surface, the vast majority (over 60%) also admitted to leaving one-third or more of their APIs undocumented.
Undocumented interfaces are an especially risky form of API. Not only is the developer reliant on an external package of software, but it is almost impossible to fully understand the interface and its parameters, whether by reverse engineering or by guessing. Guessing, sometimes called black box testing, can work just well enough from a developer's standpoint: the undocumented interface returns a correct result for the case that was tried, and everything appears fine. However, if the developer has missed even a small detail, the API may still be incompatible with certain machines or specific inputs, leaving a gaping hole in the end user's security. Even worse, undocumented APIs can change without notice. This means that, if the API developer's account is compromised, backdoors or other vulnerabilities can be stealthily implanted into every single application that relies on that one API.
The most dangerous component of APIs is the false sense of security that many companies are trapped within.
Protecting your attack surface from APIs demands a security solution that detects vulnerabilities and shields them from exploitation. Tracing and managing an organization's API footprint is a painstaking yet vital task; this is where automated security solutions can help identify and classify data, building a more transparent view of your API surface. Not only does an API security solution protect user data and proactively mitigate attacks, but there is a growing expectation for these solutions to reduce the complexity around API management, compensating for the all-too-common lack of API knowledge within the dev team itself.
Securing APIs is possible with an adaptive, market-leading API protection solution. Longer-term API protection requires closer collaboration between app development teams and security. Most of all, companies need to wake up to the growing threat that APIs pose.
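A practical first step against the API blindness described in the last two sections (the undocumented third of an organization's APIs, and the need for a transparent view of the API surface) is an inventory diff: compare what the documented spec says exists with what traffic actually hits. This added example, which is not from the original article or any product it refers to, matches an assumed OpenAPI-style list of documented endpoints against endpoints observed in constructed gateway log lines and reports the undocumented ones.

```python
# Added example, not from the original article or any product it mentions:
# diff documented endpoints against what gateway traffic actually hits.
# The spec entries, log lines and {param} template rule are constructed.
import re

# Constructed: (method, path template) pairs from the team's OpenAPI-style spec.
DOCUMENTED = {
    ("GET", "/v1/profiles/{id}"),
    ("POST", "/v1/rides"),
    ("GET", "/v1/rides/{id}"),
}

# Constructed gateway log, one "<method> <path> <status>" per line.
SAMPLE_LOG = """\
GET /v1/profiles/101 200
GET /v1/rides/77 200
POST /v1/rides 201
GET /v1/profiles/101/export 200
GET /internal/debug/users 200
DELETE /v1/rides/77 204
"""

def template_to_regex(template):
    """'/v1/rides/{id}' -> regex where each {param} matches exactly one segment."""
    parts = []
    for seg in template.strip("/").split("/"):
        is_param = seg.startswith("{") and seg.endswith("}")
        parts.append("[^/]+" if is_param else re.escape(seg))
    return re.compile("^/" + "/".join(parts) + "$")

def observed_endpoints(log_text):
    """Distinct (method, path) pairs seen in the log, query strings stripped."""
    seen = set()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) == 3:
            seen.add((fields[0], fields[1].split("?", 1)[0]))
    return seen

def shadow_endpoints(documented, observed):
    """Observed (method, path) pairs that match no documented method + template."""
    compiled = [(m, template_to_regex(t)) for m, t in documented]
    return sorted(
        (m, p) for m, p in observed
        if not any(m == dm and rx.match(p) for dm, rx in compiled)
    )
```

On the constructed log this reports an undocumented DELETE on a documented path, a sub-resource export nobody wrote down, and an internal debug route, which is exactly the kind of shadow surface that never gets a security review.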