Application programming interfaces (APIs) are the modern currency of today’s advanced enterprise IT systems. They drive countless innovations and streamline services across banking, healthcare and many other sectors. However, this explosion in API use comes with side effects in the form of security gaps — many of which remain hidden as APIs work largely out of view in most application environments.
Look no further than the recent case at T-Mobile, where hackers exploited a single API to steal the data of 37 million customers. This followed an incident at Twitter where an unsecured API exposed the data of over 5 million customers. Let’s examine the root causes of this API security challenge, and how the right approach to security scanning can clarify and mitigate these risks in both development and production environments.
APIs are ubiquitous and vulnerable
The API is the behind-the-scenes workhorse that powers content delivery networks, data back-ends and other core elements of modern web application environments. Unfortunately, along with the benefits can come major vulnerabilities that are largely hidden. Because many APIs only exist as an endpoint on a server, they can create security gaps that are not obvious to testers yet easy for malicious actors to exploit.
For a modern digital enterprise, this combined ubiquity, vulnerability and obscurity of APIs creates a perfect storm when it comes to application security. Even though APIs are embedded in the web application ecosystem via common tools, languages and technologies, they remain difficult to document and maintain, often evading basic security scans.
Basic security blunders such as storing API access keys directly in the code of web and mobile applications can contribute to an even greater security risk. Combined, all these factors paint a sobering picture of API security in need of a more thorough and proactive approach to security scanning.
Four priorities for effective API scanning
Security professionals must up their game on vulnerability scanning to manage modern API risks. And while each organization will need to tailor its own scanning approach to the nature of the API security threat in the operation, the most successful efforts draw from a common playbook built on these four priorities:
Obtain API definitions to know what to test
Vulnerability scanners crawl websites and applications to follow links to build up a list of URLs for testing, but security leaders can’t crawl an API in the same way. They can import API definition files in industry-standard formats like Postman, OpenAPI/Swagger, WADL and WSDL. Maintaining the definition files and keeping them updated allows security teams to configure and automate testing for inclusion of APIs as part of the scanning operation.
Integrate API testing into the development lifecycle
Integrating vulnerability testing into the development pipeline makes it far easier to include APIs in security testing workflows. When this happens, developers can ensure that every vulnerability scan covers the entire existing attack surface at every stage where security testing is integrated, including once an application is in production.
Ensure consistent accuracy across the entire application
Conduct the same security checks for API-based testing and conventional testing by running the same high-quality tests both on interactive pages and on API endpoints. This eliminates weak spots in security posture. The caveat here is to strike the right balance between being thorough and bringing on alert fatigue; this balance can be struck with the help of automatic and accurate vulnerability confirmation functionality to weed out false positives.
Enforce authenticated scanning
Since all APIs require some kind of authentication, support for authenticated scanning is an absolute necessity to allow the scanner to access API endpoints for testing. Authenticated vulnerability scanning provides maximum test coverage and the most realistic picture of the organization’s real-life security posture across all web-facing assets, including websites, applications, web services and APIs.
API security gaps are often missed by traditional vulnerability scans and remain hidden even from API developers who might not understand the risks involved and where to look for them. API security’s moment in the spotlight may be just beginning, and organizations must continue to take a more advanced approach to security scanning — one that can clarify API security risks, and do so proactively to identify and mitigate them in both development and production cycles.
This article originally ran in Today’s Cybersecurity Leader, a monthly cybersecurity-focused eNewsletter for security end users, brought to you by Security magazine. Subscribe here.