APIs are an integral part of the increasingly popular headless content management systems, which I’ve written about recently. More broadly, there are many indicators that APIs are becoming increasingly popular. The API management market, according to Deloitte, is set to grow at a 34.42% CAGR. Perhaps more revealing is the fact that 56% of enterprise leaders say that APIs help them build better experiences and products.
If you are not using APIs already, you will probably start at some point, perhaps as you begin experimenting with headless CMSs to simplify content management across different channels. This post covers the basics of API security and why it matters.
What is an API?
An API is a set of rules, protocols, and tools we can use as an intermediary between software applications. It facilitates communication between these applications by defining how they can interact with each other. APIs specify the methods and data formats that applications can use to communicate.
APIs can deliver several important benefits to organisations, depending on how they are used:
Integration and Interoperability: Perhaps the most notable benefit of APIs is that they enable different software applications and systems to work together seamlessly, often using prebuilt functions. This makes it easy to create complex systems that leverage multiple services while at the same time reducing development time and effort.
Scalability: APIs make it easy to scale applications, adding more capacity or functions without overhauling the entire application. An eCommerce site offering basic payment options can, for example, use APIs to offer more advanced payment options.
Cost and Innovation: APIs let developers build on existing technologies, which reduces the resources needed for development, testing, and maintenance and ultimately lowers development costs. This can also lead to more innovation and the development of products and services that may not have been possible before.
But as APIs gain popularity among businesses, threat actors take note too. Salt Labs recorded a 400% increase in API attackers over a period of six months. Worryingly, almost 80% of these attacks occurred over authenticated endpoints. According to the State of API Security Q1 Report 2023, 94% of 400 respondents experienced a security-related issue with an API in the past year.
Common API Security Pitfalls (and Solutions)
These statistics emphasise that it’s up to businesses to ensure proper security by adopting tools and practices capable of providing effective security at every stage of the API lifecycle. Luckily, according to Graylog CEO Andy Grolnick, 2024 will see enterprising cybersecurity vendors turning their attention to the API space.
“Agile cybersecurity vendors will focus in 2024 on building solutions that offer visibility into the API attack surface. We will likely see multiple newcomers who offer purpose-built solutions as well as traditional vendors expanding their product portfolio.”
Even so, being aware of the most common API security threats and how to fix associated vulnerabilities will help ward off some of the most common attacks. Such threats/fixes include:
Insufficient authentication / authorisation
APIs without sufficient authentication can simplify entry for intruders and expose systems to data breaches. A common real-world example is one where users on a system can access and view the eCommerce order details of other users because of weak authorisation. To address this, implement robust authentication and authorisation checks using standards like OAuth 2.0, OpenID Connect, and JWT (JSON Web Tokens).
Insecure Direct Object References (IDOR)
With IDOR, the API exposes a reference to an internal object that can be manipulated to access information or objects without the proper authorisation. A file-sharing API may, for example, allow access to another user’s files simply by modifying the file ID or name in the URL. This can be remedied by avoiding exposure of object identifiers in URLs, using surrogate IDs, and forcing authorisation checks before returning data to users.
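The two pitfalls above (weak authorisation and IDOR) share one fix: hand clients an opaque surrogate handle and check ownership on every request. The following is an added example, not code from the original post; the file-sharing service, the users and the file contents are constructed for illustration.

```python
# Added example, not code from the original post: a minimal file-sharing
# service that avoids IDOR by handing clients only random surrogate IDs and
# by checking ownership before any file content is returned.
# The users, file names and contents below are constructed for illustration.
import secrets
from dataclasses import dataclass


@dataclass
class StoredFile:
    owner: str
    name: str
    content: bytes


class FileService:
    def __init__(self) -> None:
        # Internal store keyed by the surrogate handle given to clients.
        self._files: dict[str, StoredFile] = {}

    def upload(self, owner: str, name: str, content: bytes) -> str:
        # The client-facing handle is an unguessable random token rather than
        # a sequential row id or the file name, so handles cannot be enumerated.
        handle = secrets.token_urlsafe(16)
        self._files[handle] = StoredFile(owner, name, content)
        return handle

    def download(self, caller: str, handle: str) -> bytes:
        # Authorisation is enforced here, on every request, even though the
        # handle is hard to guess: a leaked handle must still not be enough.
        stored = self._files.get(handle)
        # Same outcome for "no such file" and "not your file", so the response
        # does not confirm whether a handle exists.
        if stored is None or stored.owner != caller:
            raise PermissionError("not found")
        return stored.content


def demo() -> dict:
    """Constructed scenario: Bob tries to read Alice's file using her handle."""
    svc = FileService()
    alice_handle = svc.upload("alice", "report.pdf", b"quarterly figures")
    svc.upload("bob", "notes.txt", b"shopping list")
    out = {"alice_reads_own": svc.download("alice", alice_handle)}
    try:
        svc.download("bob", alice_handle)
        out["bob_reads_alice"] = "allowed"
    except PermissionError:
        out["bob_reads_alice"] = "denied"
    return out


if __name__ == "__main__":
    print(demo())
```

The random handle only makes enumeration impractical; the ownership check in `download` is what actually prevents cross-user access, and it runs regardless of how the caller obtained the handle.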
Not using rate limiting
Rate limiting caps the number of API requests a user, system, or service can make within a given time period. Without rate limiting, APIs are vulnerable to various types of attacks, such as brute force and DDoS attacks. The remedy, therefore, is to implement rate limiting that offers adequate protection without impacting normal usage.
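As an added example (not code from the original post), here is a sliding-window limiter keyed by client identity. The clock is passed in rather than read from the system so the behaviour is deterministic; the limit of 5 requests per 60 seconds and the client addresses are constructed for illustration.

```python
# Added example, not code from the original post: a sliding-window rate
# limiter. Limit, window and client ids are illustrative assumptions.
from collections import defaultdict, deque


class RateLimiter:
    def __init__(self, max_requests: int, window_seconds: float) -> None:
        self.max_requests = max_requests
        self.window = window_seconds
        # One deque of request timestamps per client key.
        self._hits: dict[str, deque] = defaultdict(deque)

    def allow(self, client_id: str, now: float) -> bool:
        """True if the request is within the limit; False means reject (HTTP 429)."""
        hits = self._hits[client_id]
        # Forget timestamps that have fallen out of the window.
        while hits and now - hits[0] >= self.window:
            hits.popleft()
        if len(hits) >= self.max_requests:
            return False
        hits.append(now)
        return True


def simulate_login_burst() -> dict:
    """Constructed scenario: 5 attempts per 60 s on a login endpoint.

    One client fires 8 attempts in 8 seconds while a normal user makes a
    single request; the burst client is checked again after the window.
    """
    limiter = RateLimiter(max_requests=5, window_seconds=60)
    burst = [limiter.allow("10.0.0.9", float(t)) for t in range(8)]
    normal_user = limiter.allow("10.0.0.2", 3.0)
    after_window = limiter.allow("10.0.0.9", 70.0)
    return {"burst": burst, "normal_user": normal_user, "after_window": after_window}


if __name__ == "__main__":
    print(simulate_login_burst())
```

Keying by client identity keeps one noisy client from affecting others, which is what "without impacting normal usage" requires; in production the key would usually combine the authenticated principal with the source address, and the state would live in a shared store rather than process memory.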
Unintended data exposure
Inadequate API input and output sanitisation may lead to unintentional exposure of data. Where a third-party service is allowed to fetch user data, inadequate sanitisation may expose additional user data, such as email addresses. The solution is to limit the data returned by an API to only what’s necessary, implementing proper data filtering and sanitising responses before they are returned to the user.
Injection attacks
An injection attack occurs when an attacker sends malicious data as part of a command or query. For example, where a field isn’t properly sanitised, an attacker could include a malicious SQL statement in a field, which results in database changes or data loss. It is therefore imperative that inputs are validated and sanitised and that parameterised queries or prepared statements are used.
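The following added example (not code from the original post) shows the same lookup written with string concatenation, which is the vulnerable form, and with a parameterised query, together with a validation step in front of it. The in-memory SQLite table, its rows and the email pattern are constructed for illustration.

```python
# Added example, not code from the original post: vulnerable lookup beside
# its parameterised form, plus input validation. The SQLite table, rows and
# email regex are constructed assumptions.
import re
import sqlite3

# Coarse shape check used as a first layer; it is not a substitute for binding.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (email, role) VALUES (?, ?)",
        [("alice@example.com", "admin"), ("bob@example.com", "user")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    # The caller-supplied value becomes part of the SQL text, so a quote in
    # the input changes the structure of the query instead of being data.
    sql = f"SELECT email, role FROM users WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, email: str) -> list:
    # Parameter binding: the value travels separately from the SQL text and
    # is compared as a literal string, never interpreted as SQL.
    return conn.execute(
        "SELECT email, role FROM users WHERE email = ?", (email,)
    ).fetchall()


def lookup_handler(conn: sqlite3.Connection, email: str) -> tuple:
    """Handler shape: validate first, then query with binding. Returns (status, rows)."""
    if not EMAIL_RE.match(email):
        return 400, []
    return 200, find_user_safe(conn, email)


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"  # constructed malformed input
    print("vulnerable:", find_user_vulnerable(db, probe))
    print("bound:     ", find_user_safe(db, probe))
    print("handler:   ", lookup_handler(db, probe))
```

Validation rejects the malformed input before it reaches the database, and binding ensures that even an input which passes validation can only ever be compared as a value; both layers are needed because validation rules are easy to get wrong.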
Use SSL / TLS
Unencrypted communication between the client and the API server can lead to Man-In-The-Middle (MITM) attacks. Ensuring all data transmitted to and from the API is encrypted using protocols like HTTPS (HTTP over SSL/TLS) is crucial to prevent such attacks.
Improper error handling
Incorrectly configured error handling may result in sensitive data such as information about the database structure or server configuration being leaked through error messages. Proper error handling is crucial. API responses should contain only the necessary information, with error messages designed to avoid revealing sensitive data.
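Output filtering (the "unintended data exposure" pitfall above) and error handling both come down to shaping the response before it leaves the service. The following is an added example, not code from the original post: a handler that returns an allowlisted view of a user record and converts unexpected exceptions into a generic message with an incident id, keeping the detail in the server log. The records, field names and the failing backend are constructed for illustration.

```python
# Added example, not code from the original post: allowlisted output and
# generic error responses. Records, fields and FailingStore are constructed.
import logging
import uuid
from typing import Tuple

log = logging.getLogger("api")

# Fields a third-party caller is allowed to see. Anything else in the record
# (email, password hash, internal flags) is never serialised.
PUBLIC_USER_FIELDS = frozenset({"id", "display_name", "avatar_url"})


def public_user_view(record: dict) -> dict:
    """Allowlist projection of a user record: unknown fields are dropped."""
    return {key: record[key] for key in PUBLIC_USER_FIELDS if key in record}


class NotFound(Exception):
    pass


def handle_get_user(store, user_id: str) -> Tuple[int, dict]:
    """Return (HTTP status, JSON body) the way a framework handler would."""
    try:
        record = store.get(user_id)
        if record is None:
            raise NotFound(user_id)
        return 200, public_user_view(record)
    except NotFound:
        # Expected condition: a specific but harmless message.
        return 404, {"error": "user not found"}
    except Exception:
        # Unexpected failure: the traceback goes to the log, the client gets
        # only a generic message plus an id that support can correlate.
        incident_id = uuid.uuid4().hex
        log.exception("request failed, incident %s", incident_id)
        return 500, {"error": "internal error", "incident_id": incident_id}


class FailingStore:
    """Constructed stand-in for a backend whose errors contain internal detail."""

    def get(self, user_id: str):
        raise RuntimeError("connection to db-primary.internal:5432 refused")


SAMPLE_USERS = {  # constructed records
    "u1": {
        "id": "u1",
        "display_name": "Alice",
        "avatar_url": "/a/1.png",
        "email": "alice@example.com",
        "password_hash": "$2b$12$constructed-placeholder",
    },
}


if __name__ == "__main__":
    print(handle_get_user(SAMPLE_USERS, "u1"))
    print(handle_get_user(SAMPLE_USERS, "missing"))
    print(handle_get_user(FailingStore(), "u1"))
```

An allowlist is preferable to a denylist of sensitive fields because a column added to the record later stays hidden by default; the incident id gives support staff a handle into the logs without the client ever seeing hostnames, ports or stack traces.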
Missing security headers
Without appropriate security headers, APIs are vulnerable to cross-site scripting (XSS) or clickjacking attacks. An example is an XSS attack that steals users’ session cookies. Using security headers like Content-Security-Policy (CSP), X-Content-Type-Options, and X-Frame-Options can protect against such attacks.
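As an added example (not code from the original post), here is a helper that applies a baseline set of security headers to an API response, and a checker that reports which ones a response lacks. The header values are assumptions chosen as a strict baseline for a JSON-only API, not the post's own recommendations, and the set goes beyond the three headers named above by including Strict-Transport-Security (which relates to the TLS section) and Cache-Control.

```python
# Added example, not code from the original post: baseline security headers
# for a JSON API plus a missing-header check. Values are assumptions.
from typing import List, Optional

SECURITY_HEADERS = {
    # A JSON API serves no scripts or frames, so deny everything.
    "Content-Security-Policy": "default-src 'none'; frame-ancestors 'none'",
    # Stop browsers from sniffing a JSON body as HTML and running script in it.
    "X-Content-Type-Options": "nosniff",
    # Legacy clickjacking protection for browsers that ignore frame-ancestors.
    "X-Frame-Options": "DENY",
    # Only meaningful over HTTPS: keep the browser on TLS for a year.
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    # Responses carrying user data must not land in shared caches.
    "Cache-Control": "no-store",
}


def add_security_headers(headers: dict) -> dict:
    """Return a copy of the response headers with the baseline applied.

    Existing values win (header names compared case-insensitively) so a
    specific route may deliberately set a different value.
    """
    present = {name.lower() for name in headers}
    merged = dict(headers)
    for name, value in SECURITY_HEADERS.items():
        if name.lower() not in present:
            merged[name] = value
    return merged


def missing_security_headers(headers: dict) -> List[str]:
    """Baseline header names absent from the given response headers."""
    present = {name.lower() for name in headers}
    return [name for name in SECURITY_HEADERS if name.lower() not in present]


def json_response(body: str, extra_headers: Optional[dict] = None) -> dict:
    """Constructed response object (status, headers, body) for a JSON API."""
    headers = {"Content-Type": "application/json; charset=utf-8"}
    headers.update(extra_headers or {})
    return {"status": 200, "headers": add_security_headers(headers), "body": body}


if __name__ == "__main__":
    resp = json_response('{"ok": true}')
    print(resp["headers"])
    print("missing:", missing_security_headers({"Content-Type": "application/json"}))
```

Applying the headers in one middleware-style function keeps every route consistent, and the checker is the kind of assertion worth running in an integration test against real responses so that a regression is caught before deployment.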
As we navigate the rapidly evolving digital landscape, APIs emerge as both a cornerstone of technological innovation and a target for increasing security threats. As the API landscape continues to expand and evolve, it becomes imperative for organisations to prioritise security at every stage of the API lifecycle, ensuring that the immense potential of APIs is harnessed safely and effectively for a more interconnected and innovative future.