Why Overlooking API Security can Provide a Free Pass for Hackers

Have you wondered how MakeMyTrip or Cleartrip seem to have all the information under the sun? How do they procure information about hotel rooms, check the availability of trains and flights, and find the best prices? The answer is APIs (Application Programming Interfaces). APIs are enabling connected services and driving digital transformation across the globe. However, API security is often ignored, and that neglect can lead to data breaches.


What are APIs?

An API, or ‘Application Programming Interface’, is a gateway through which two applications communicate with one another according to a set of rules. An application exposes a set of services to other applications, together with the rules for accessing them, most commonly over HTTP (Hypertext Transfer Protocol). For example, a blogger can embed a Facebook widget in their blog’s sidebar using Facebook’s APIs. Those APIs let developers and apps access the functionality of the network, such as user information, photos and videos, messages and more.

APIs come in several types: open or public APIs, internal or private APIs, and web service APIs exposed over the web. They use different protocols and message formats for client-to-server communication: REST and SOAP are the common styles for web service APIs, and JSON and XML are the usual data formats they carry. The popular method for connecting components in microservices architectures is the Representational State Transfer (REST) API. Also known as RESTful APIs, they provide a flexible, lightweight approach to integrating applications over plain HTTP. They can be developed in virtually any programming language and support a variety of data formats, JSON being the most common, and are then deployed for specific use cases.

The Role of APIs in Digital Transformation

Digital transformation is the future, and every enterprise is looking to provide connected experiences for consumers and employees. To provide this connected customer experience, businesses are exploring the IoT (Internet of Things), enabled by edge devices such as voice assistants like Alexa, sensors or smart meters. They are also using advanced technologies like artificial intelligence and machine learning. APIs are the language by which all these devices share data to create a connected consumer experience. Similarly, in industry, APIs enable end-to-end workflow automation, smart manufacturing and digitalisation.

Businesses are adopting APIs for the world of possibilities they offer. Whether it is to create new digital experiences, offer new services or pursue efficiency, 83% of tech giants consider API integration critical to their business.

Compromising on API security opens doors to hackers

While APIs are enabling the digital transformation of enterprises from start-ups to technology giants, API security is often brushed off. There is widespread awareness of cyber security at the user-access level, but behind the user interface, APIs access and share data with other applications, leaving open a route for attackers. Any application built on web APIs is exposed to this risk, irrespective of industry.

The focus of cyber criminals has shifted from traditional targets to APIs, especially web APIs. A report by Edgescan found that 81% of the vulnerabilities it discovered in 2018 were network-layer vulnerabilities and 19% were in web applications. Gartner predicted that by 2022 API abuse would be the most frequent attack vector resulting in data breaches for enterprise web applications.

A recent example of API failure was Clubhouse, the audio chat app. According to reports, an unknown user managed to relay audio from several chat rooms to a third-party platform, and the data of more than 1.3 million users was reportedly leaked. The attacker, posing as an ordinary user, connected to Clubhouse’s APIs to pull the content.

There are several ways attackers can exploit web APIs and gain access to sensitive data. Some of the most common API weaknesses, in the terms used by the OWASP API Security Top 10, are broken user authentication, broken object-level authorization, lack of resources and rate limiting, security misconfiguration such as weak TLS/SSL settings, and excessive data exposure.

When developing an API, developers consider authentication of the end user at the login screen but then neglect authentication and authorization of the API calls themselves. A missing check at the API lets an attacker read data directly or pivot into a third-party system. In one such data breach, a gas utility provider had access to the Aadhaar database through an API, which it relied on to check a customer’s status and verify their identity. Because the company had not secured the API, anyone who found the endpoint could retrieve private data on any Aadhaar holder, regardless of whether they were a customer of the utility provider.

Prevention of API Attacks

As the Internet of Things (IoT) takes shape, whether through Enterprise IoT or Industrial IoT, APIs are the future of connected systems, services and workflows. It is important for companies and developers to be aware of the risks and adopt best practices to build cyber security at the API level.

The OWASP Foundation is a non-profit that runs open-source projects to improve the security of software. API developers should ensure their apps follow the OWASP API Security Top 10 to understand and mitigate the vulnerabilities and risks associated with APIs.

API security also includes concrete practices: strong authentication and authorization on every call, visibility into which APIs exist and who calls them, treating security as part of the API development life cycle, validating parameters, applying quotas and rate limiting, and limiting the data each response exposes.
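To make the Aadhaar-style failure above and the practices listed here concrete, the following is an added Python example, not code from the original article, from Entersoft, or from any real utility provider. It models a partner-facing “customer lookup” endpoint twice: a vulnerable handler that is reachable without authentication and returns any record by ID, and a hardened handler that authenticates the caller, authorizes each object access, validates the parameter, rate-limits each client and returns only the fields the identity check needs. The customer records, partner names and API keys are constructed for this example.

```python
"""Vulnerable vs. hardened handler for a partner 'customer lookup' API.

Added example, not the article's or any real provider's code. It shows the
failure modes discussed above (no caller authentication, no object-level
authorization, the full record returned) beside a hardened version that
applies the listed practices. All data, partner names and keys are
constructed for the example.
"""
import hmac
import time
from collections import defaultdict, deque

# Constructed back-end table keyed by a national-ID number.
CUSTOMERS = {
    "1111-2222-3333": {"name": "A. Sharma", "dob": "1980-01-01",
                       "address": "12 Example Rd", "phone": "+91-00000",
                       "partner_ids": {"gas-co"}},
    "4444-5555-6666": {"name": "B. Rao", "dob": "1975-06-30",
                       "address": "7 Sample St", "phone": "+91-11111",
                       "partner_ids": {"telco"}},
}

# Constructed API keys for hypothetical partner services. A real service
# would store these hashed and look them up, not iterate over plaintext.
API_KEYS = {"key-gas-co-secret": "gas-co", "key-telco-secret": "telco"}

# The identity check only needs a display name, not the whole record.
PUBLIC_FIELDS = ("name",)


def vulnerable_lookup(national_id):
    """The 'before' handler: no caller authentication, no ownership check,
    and the full back-end record is returned verbatim to anyone."""
    return CUSTOMERS.get(national_id)


class RateLimiter:
    """Sliding window: at most `limit` calls per `window` seconds per client."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.calls = defaultdict(deque)

    def allow(self, client, now=None):
        now = time.monotonic() if now is None else now
        q = self.calls[client]
        while q and now - q[0] >= self.window:   # drop calls outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def authenticate(headers):
    """Return the partner name for a valid bearer key, else None.
    compare_digest keeps the comparison constant-time per key."""
    presented = headers.get("Authorization", "")
    if not presented.startswith("Bearer "):
        return None
    token = presented[len("Bearer "):]
    for key, partner in API_KEYS.items():
        if hmac.compare_digest(key, token):
            return partner
    return None


LIMITER = RateLimiter(limit=3, window=60)


def hardened_lookup(headers, national_id, now=None):
    """The 'after' handler. Returns (HTTP status, response body)."""
    partner = authenticate(headers)                 # 1. authenticate the caller
    if partner is None:
        return 401, {"error": "unauthenticated"}
    if not LIMITER.allow(partner, now):             # 2. quota / rate limit
        return 429, {"error": "rate limited"}
    if not (isinstance(national_id, str) and len(national_id) == 14):
        return 400, {"error": "bad id"}             # 3. validate the parameter
    record = CUSTOMERS.get(national_id)
    # 4. object-level authorization: a partner sees only its own customers.
    # Unknown IDs and other partners' customers get the same 404, so the
    # endpoint cannot be used as an oracle for which IDs exist.
    if record is None or partner not in record["partner_ids"]:
        return 404, {"error": "not found"}
    return 200, {k: record[k] for k in PUBLIC_FIELDS}   # 5. limit data exposure


if __name__ == "__main__":
    auth = {"Authorization": "Bearer key-gas-co-secret"}
    print("vulnerable:", vulnerable_lookup("4444-5555-6666"))
    print("hardened, own customer:", hardened_lookup(auth, "1111-2222-3333"))
    print("hardened, other partner's customer:", hardened_lookup(auth, "4444-5555-6666"))
```

The rate limiter keys on the authenticated partner, so unauthenticated requests are rejected before they consume quota; in a deployed service you would also limit by source address so that an attacker cannot hammer the authentication step itself.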

Apart from this, businesses should write their own security test cases, educate themselves on APIs and evaluate their exposure across platforms. Enterprises can reduce the risks pertaining to APIs and web APIs by adopting SaaS-based solutions such as Entersoft’s API Critique, an API penetration-testing solution. API Critique performs a comprehensive API assessment at an affordable price and generates reports in XML and JSON formats that can be integrated into a DevSecOps pipeline. It mirrors real-world attack scenarios and assesses security risks, helping enterprises safeguard applications against API attacks and adhere to the OWASP API Security Top 10.