Finding Flaws in Business Logic: How Attackers Are Abusing Your Applications and APIs

essidsolutions

Application programming interfaces (APIs) are no longer a niche technology. Today, they are an essential element of digital transformation that help create better user experiences and work to connect applications constantly and seamlessly across the business infrastructure. Yaniv Balmas, VP of Research at Salt Security, sheds light on the need to protect your APIs from targeted attacks.

API-centric designs present an irresistible opportunity to cyber-criminals. Attackers use passive reconnaissance alongside low-and-slow approaches to uncover abusable business logic. Because APIs often front an organization's most critical assets and data, they are obvious targets.

Such weaknesses often go unnoticed, and purpose-built API security tooling has historically been in short supply. Finding the unknowns, the endpoints, behaviors and data flows that nobody has inventoried, is essential for mitigating business logic threats and defending against "zero-days."

The Business Logic Time-bomb

Business logic is the sequence of operations that makes an application meet the functional needs of the business, together with the workflow rules, fixed in the design phase, that determine business outcomes. But business logic can be a security time-bomb waiting to go off.

An API may work when measured by its ability to deliver application functionality. It may even be free of well-known exploitable conditions such as injection flaws. But that same interface may still be abusable. Organizations often don't consider misuse or abuse when designing systems and the processes that power them, and the result is a business logic minefield.

The Open Web Application Security Project (OWASP) defines business logic vulnerabilities as "ways of using the legitimate processing flow of an application in a way that results in a negative consequence to the organization." An API can function exactly as specified while still letting a threat actor reach data or functionality it was never meant to expose to that caller. Scraping and credential stuffing (leading to account takeover) are examples of attack techniques that work against otherwise well-secured interfaces: every individual request is a legitimate call, and the harm comes from who is calling, what they ask for, and how often.


Recurring API-driven Exploits 

Throughout 2021, many organizations found out how easily their APIs can be exploited or abused. Leaky APIs with weak access controls, returning far more data than the caller needed, were a common theme over the past year. By abusing such leaks, attackers can access large troves of data.
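The two preceding sections describe an endpoint that "works" yet is abusable: a legitimate call flow that leaks another customer's data because the access check and the response shape were never tied to the caller. The following is an added example, not code from the article or from Salt Security. It contrasts a minimal order-lookup handler with its hardened form; the in-memory data, user names, order ids and field names are constructed for illustration.

```python
"""Added example (not from the article): an order-lookup handler that is
functionally correct yet abusable, beside a hardened version.

All data, identifiers and field names below are constructed for illustration.
"""
from dataclasses import dataclass

# Constructed sample store: two customers, each owning one order.
ORDERS = {
    1001: {"owner": "alice", "total": 42.50, "card_last4": "4242",
           "ship_to": "1 Main St"},
    1002: {"owner": "bob", "total": 9.99, "card_last4": "1881",
           "ship_to": "9 Elm Rd"},
}


@dataclass(frozen=True)
class Request:
    user: str       # authenticated principal (assumed verified upstream)
    order_id: int   # object id taken straight from the URL


class Forbidden(Exception):
    """Raised by the hardened handler when the caller may not see the object."""


def get_order_vulnerable(req: Request) -> dict:
    """Passes every functional test: the caller is authenticated, the order
    exists, the response is correct. But nothing ties the order to the caller,
    so any authenticated user can walk ids 1000, 1001, 1002, ... and read
    everyone's card digits and addresses. No CVE, no scanner finding; the flow
    is the one the business designed."""
    return ORDERS[req.order_id]


# Fields the client actually needs; everything else stays server-side.
PUBLIC_FIELDS = ("total", "ship_to")


def get_order_hardened(req: Request) -> dict:
    """Same functionality, with two additions: the caller must own the object,
    and the response is allow-listed to the fields the client needs."""
    order = ORDERS.get(req.order_id)
    # One error for both 'missing' and 'not yours' so that enumeration cannot
    # use the status code to learn which ids exist.
    if order is None or order["owner"] != req.user:
        raise Forbidden("order not found")
    return {k: order[k] for k in PUBLIC_FIELDS}


def attempt(handler, req: Request):
    """Demonstration helper: the handler's response, or None when denied."""
    try:
        return handler(req)
    except Forbidden:
        return None


if __name__ == "__main__":
    # bob asks for alice's order: the vulnerable handler leaks it, the
    # hardened one denies it, and alice still gets her own (trimmed) order.
    print(attempt(get_order_vulnerable, Request("bob", 1001)))
    print(attempt(get_order_hardened, Request("bob", 1001)))
    print(attempt(get_order_hardened, Request("alice", 1001)))
```

The point of the hardened version is that both changes are properties of the business logic, not of the framework: a scanner that sees only a valid 200 response cannot tell the two handlers apart, so the ownership rule and the response allow-list have to be written down as requirements and tested as such.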

Exposed interfaces are often the initial attack vector or the most critical link in a complex attack chain; they played a part in the SolarWinds, Microsoft Exchange, and Log4j incidents. The OWASP API Security Top 10, first published in 2019, is still relevant, and most of the risks it highlights still play their part today. Unfortunately, that list only scratches the surface of potential security issues.

Shifting Left and Shielding Right

APIs are, by necessity, dynamic. With continuous change it is hard to know which code or configuration changes need to be re-tested, and which parts of the supporting infrastructure they affect.

Even fully automated security scanning is time-consuming and delays application delivery, a red flag for businesses trying to stay competitive. To make matters worse, traditional application security testing cannot identify many types of flaws. Security strategies must walk the line between pre-production testing (shift-left security) and runtime protection (shield-right security) to secure APIs throughout their life cycle.

Staying ahead of changes requires an automated, proactive approach that covers the entire life cycle. Organizations must realize there is no vendor patch for a flaw in their own custom interfaces or integrations; they have to analyze their code and security posture continually themselves. CVE-IDs, the language of traditional vulnerabilities, are often irrelevant or non-existent here. These issues are, in effect, API zero-days.
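On the shield-right side, the low-and-slow reconnaissance mentioned at the start of the article is what runtime monitoring has to catch: an attacker walking object ids one request every few minutes never trips a rate limit. The following is an added example, not code from the article or from any vendor. It runs a simple enumeration detector over constructed access-log lines; the log format, token names, window and thresholds are assumptions chosen for illustration.

```python
"""Added example (not from the article): detecting low-and-slow object
enumeration against an API from access logs.

The log format "<epoch> <token> <method> <path> <status>", the tokens and the
thresholds are constructed assumptions; real gateways differ.
"""
import re
from collections import defaultdict

# Constructed log: 'tok_attacker' walks order ids one request every ~10 min
# and is denied each time; 'tok_alice' re-reads her own order.
SAMPLE_LOG = """\
1000 tok_alice GET /v1/orders/1001 200
1010 tok_attacker GET /v1/orders/1000 404
1600 tok_attacker GET /v1/orders/1001 403
2200 tok_alice GET /v1/orders/1001 200
2300 tok_attacker GET /v1/orders/1002 403
2900 tok_attacker GET /v1/orders/1003 403
3500 tok_attacker GET /v1/orders/1004 404
4100 tok_attacker GET /v1/orders/1005 404
4700 tok_attacker GET /v1/orders/1006 403
"""

LINE = re.compile(r"^(\d+) (\S+) (\S+) /v1/orders/(\d+) (\d{3})$")


def parse(log: str):
    """Yield (timestamp, token, method, object_id, status) per matching line."""
    for raw in log.splitlines():
        m = LINE.match(raw)
        if m:
            ts, token, method, oid, status = m.groups()
            yield int(ts), token, method, int(oid), int(status)


def enumeration_suspects(log: str, window_s: int = 3600,
                         min_distinct: int = 5, min_deny_ratio: float = 0.5):
    """Return {token: stats} for tokens that, within any window_s-second
    sliding window, touched at least min_distinct different object ids and
    were denied (403/404) on at least min_deny_ratio of those requests.

    Request rate alone would miss this traffic: the attacker sends one request
    every ten minutes. Breadth across object ids is the signal."""
    events = defaultdict(list)
    for ts, token, _method, oid, status in parse(log):
        events[token].append((ts, oid, status))

    suspects = {}
    for token, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Advance the window's left edge until it spans at most window_s.
            while evs[end][0] - evs[start][0] > window_s:
                start += 1
            win = evs[start:end + 1]
            distinct = {oid for _t, oid, _s in win}
            denied = sum(1 for _t, _o, s in win if s in (403, 404))
            if len(distinct) >= min_distinct and denied / len(win) >= min_deny_ratio:
                suspects[token] = {"distinct_ids": len(distinct),
                                   "denied": denied, "requests": len(win)}
                break   # one verdict per token is enough
    return suspects


if __name__ == "__main__":
    print(enumeration_suspects(SAMPLE_LOG))
```

The detector keys on a behavioral property of the business object, the number of distinct ids one caller reaches for, rather than on a signature. That is why it needs context the gateway does not have by default: which path segment is an object id, and which caller should be able to see how many of them. A rule like this is also only as good as the denial it observes, so it pairs naturally with the earlier point that the endpoint itself must enforce ownership.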

Mapping Your API Footprint Requires Context

So, how can organizations mitigate vulnerability risk without any negative impacts? And how can they best map their inventory to manage a shifting attack surface? 

It's necessary to employ purpose-built tooling to analyze and protect APIs and to provide the right context around them. Critical capabilities include discovery, testing, attack detection, prevention, and response. Every risk-based security program depends on understanding business context and relative risk. Relying solely on identifying infrastructure misconfigurations, known vulnerabilities, or network access control missteps isn't sufficient.

Application security testing tools suffer from similar issues. They can't detect business logic flaws, miss most API-relevant infrastructure misconfigurations, and fail to provide adequate context. They cannot parse business logic by design and do not understand the complex call sequences that make up most modern applications and systems. Every organization's implementation is unique, especially where business logic is built or integrated in-house, so generic detection rules can't be written to fit it, or at least not fast enough to keep up.


Closing the Gaps in API Security Strategies

Effective security strategies should incorporate a range of best practices, including secure design and development, documentation, discovery, security testing, front-end security, monitoring, mediation, network security, data security, authentication, authorization, runtime protection, and API-centric incident response.

Best practices help flesh out security requirements for teams building or integrating interfaces. It's not just a matter of code-level security but also of infrastructure security. Treating API security as its own discipline and incorporating these practices can help the organization avoid the mistakes that often result in brand damage, data exposure, privacy impacts, or a data breach. Purpose-built security tooling must complement the practices and aid practitioners, but all of these elements are essential within a mature security strategy.
