An API, or application programming interface, is a way for two computer programs to talk to one another. A website, for example, may use an API to request information from a database or pass information to a third-party service. Mobile apps often use APIs to send data back and forth to central servers. And traditional websites are rapidly being replaced by highly interactive API-powered sites. APIs are also key for business-to-business applications, replacing older mechanisms of information exchange.
API calls now represent 83 percent of all web traffic, according to a report released by Akamai earlier this year. That means more feature-rich applications, but it also means more security risk. According to Gartner, by 2021, 90 percent of web-enabled applications will have more attack surface in the form of exposed APIs than in their user interfaces, up from 40 percent in 2019. By 2022, API abuses will become the most frequent attack vector, the analysts predict.
It’s already started.
McDonald’s, for example, had an API that exposed personal data of its mobile-delivery app users. Other companies that ended up in the news thanks to API breaches include Facebook, Twitter, Panera Bread, T-Mobile, Instagram, Salesforce, and Snapchat. Even the US Internal Revenue Service has seen the danger of an API breach first hand.
"APIs have become a bigger and bigger problem over the past five or six years," said Israel Barak, chief information security officer at Cybereason, a Boston-based security firm. "The increase in interconnectivity between businesses, systems, and applications has accelerated the adoption of public-facing APIs. Then there's the use of microservices, containers, et cetera."
Take for example a web app for flight booking. If it was a traditional monolithic application, the user would select a flight, get a price quote, pay the money, and book. They would go through all these steps in order. "The transactional process makes sure that step one happened before step two," said Barak.
Now, the same application on the web might be a collection of independent functions, each one calling a separate API. One might send a request to a payment system. Another might send a request to the airline to book a flight. Because nothing on the server ties the steps together, an attacker who can call the exposed booking API directly could skip payment and go straight to the booking step. Another could call the API that returns a customer's confirmation details with other customers' identifiers and harvest their names, addresses, and payment details.
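The two abuses in the booking example, as an added illustration that is not code from the article or from Cybereason: a toy back end written twice, once with independent functions that share no state, and once where the server keeps the order's state and ownership. Class names, the receipt token, and the user and flight values are assumptions.

```python
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Order:
    owner: str                    # user who requested the quote
    flight: str
    price: int
    paid: bool = False
    booked: bool = False
    receipt: Optional[str] = None  # opaque token minted by the payment step


class VulnerableBookingAPI:
    """Each endpoint is an independent function: nothing links pay() to
    book(), and confirmation() never asks who is calling."""

    def __init__(self):
        self.orders = {}

    def quote(self, user, flight, price):
        order_id = secrets.token_hex(4)
        self.orders[order_id] = Order(owner=user, flight=flight, price=price)
        return order_id

    def pay(self, order_id):
        self.orders[order_id].paid = True

    def book(self, order_id):
        self.orders[order_id].booked = True   # no check that pay() ever ran
        return "booked"

    def confirmation(self, order_id):
        o = self.orders[order_id]             # any order id, any caller
        return {"owner": o.owner, "flight": o.flight}


class HardenedBookingAPI:
    """Same endpoints, but the server owns the state machine: every call
    names the authenticated user, booking requires the receipt minted by
    payment, and reads are limited to the order's owner."""

    def __init__(self):
        self.orders = {}

    def _owned(self, user, order_id):
        o = self.orders.get(order_id)
        if o is None or o.owner != user:
            raise PermissionError("order not found for this user")
        return o

    def quote(self, user, flight, price):
        order_id = secrets.token_hex(4)
        self.orders[order_id] = Order(owner=user, flight=flight, price=price)
        return order_id

    def pay(self, user, order_id):
        o = self._owned(user, order_id)
        o.paid = True
        o.receipt = secrets.token_urlsafe(16)
        return o.receipt

    def book(self, user, order_id, receipt):
        o = self._owned(user, order_id)
        if not o.paid or not secrets.compare_digest(receipt, o.receipt or ""):
            raise PermissionError("payment step not completed")
        o.booked = True
        return "booked"

    def confirmation(self, user, order_id):
        o = self._owned(user, order_id)
        return {"owner": o.owner, "flight": o.flight}


def run_scenarios():
    """Replays both abuses against both back ends (constructed users/flights).
    Returns ((vuln_booked_unpaid, vuln_leaked_owner),
             (hard_blocked_book, hard_blocked_read, hard_legit_book))."""
    v = VulnerableBookingAPI()
    alice_order = v.quote("alice", "BOS-SFO", 420)
    v.pay(alice_order)
    mallory_order = v.quote("mallory", "BOS-SFO", 420)
    vuln_booked_unpaid = v.book(mallory_order)                 # payment skipped
    vuln_leaked_owner = v.confirmation(alice_order)["owner"]   # other user's data

    h = HardenedBookingAPI()
    alice_order = h.quote("alice", "BOS-SFO", 420)
    receipt = h.pay("alice", alice_order)
    mallory_order = h.quote("mallory", "BOS-SFO", 420)
    try:
        h.book("mallory", mallory_order, "forged-receipt")
        hard_blocked_book = False
    except PermissionError:
        hard_blocked_book = True
    try:
        h.confirmation("mallory", alice_order)
        hard_blocked_read = False
    except PermissionError:
        hard_blocked_read = True
    hard_legit_book = h.book("alice", alice_order, receipt)
    return ((vuln_booked_unpaid, vuln_leaked_owner),
            (hard_blocked_book, hard_blocked_read, hard_legit_book))


if __name__ == "__main__":
    print(run_scenarios())
```

The point is not the receipt token itself but where the state lives: in the hardened version the server, not the sequence of client calls, decides whether step one happened before step two, and every lookup is scoped to the caller.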
Sometimes, even a completely innocuous API can do damage, Barak said. For example, it’s common for a web form to offer a list of cities after a user selects the country where they're located. If the city list is provided via an API, an attacker can send a bunch of bogus requests, enough to shut down that particular service – and bring the entire web form to a halt. "And you can't use a Captcha, because there's no human on the other side."
Another common API abuse happens when merchants use APIs to validate credit cards, and their access isn't properly locked down, said Ido Safruti, co-founder and CTO at PerimeterX, a San Mateo-based cybersecurity company. "I can contact the API directly and try to validate stolen credit cards," he said. "Or gift cards, which is even easier, because I don't need your name or zip code."
This kind of third-party API use is extremely hard to lock down, he added. "As a data center, if my application is calling APIs outside my data center, I'm completely blind to that."
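Both abuses above, the flood against a public lookup endpoint and card testing against a validation endpoint, come down to an API answering more requests from one caller than any legitimate use needs. The following is an added example, not code from the article or from Cybereason or PerimeterX: a per-key token bucket applied to both endpoints, with the public one keyed on source IP (there is no account to key on) and the authenticated one keyed on the merchant's API key with a much tighter budget. Endpoint names, limits, the city data, and the card number are constructed.

```python
import time


class TokenBucket:
    """Per-key token bucket: each key earns `rate` tokens per second up to
    `burst`; a request spends one token or is refused."""

    def __init__(self, rate, burst, clock=time.monotonic):
        self.rate, self.burst, self.clock = rate, burst, clock
        self.state = {}        # key -> (tokens, last_refill)

    def allow(self, key):
        now = self.clock()
        tokens, last = self.state.get(key, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens < 1:
            self.state[key] = (tokens, now)
            return False
        self.state[key] = (tokens - 1, now)
        return True


class FakeClock:
    """Deterministic clock so the demo is repeatable offline."""
    def __init__(self):
        self.t = 0.0
    def __call__(self):
        return self.t
    def advance(self, seconds):
        self.t += seconds


CITIES = {"US": ["Boston", "San Jose"], "DE": ["Berlin"]}   # constructed data


def luhn_ok(pan):
    """Luhn checksum, the only 'validation' this toy performs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class LookupService:
    def __init__(self, clock):
        # Public, unauthenticated: the only handle on the caller is the IP.
        # A modest per-IP budget plus a cached answer keeps one flood from
        # taking the whole form down for everyone else.
        self.city_limiter = TokenBucket(rate=2, burst=5, clock=clock)
        self.city_cache = {}
        # Authenticated per merchant; tight, because every extra call
        # tests one more stolen card or gift-card number.
        self.card_limiter = TokenBucket(rate=0.1, burst=3, clock=clock)
        self.card_denials = {}

    def cities(self, src_ip, country):
        if not self.city_limiter.allow(src_ip):
            return 429, None
        if country not in self.city_cache:
            self.city_cache[country] = CITIES.get(country, [])  # the "expensive" lookup
        return 200, self.city_cache[country]

    def validate_card(self, merchant_key, pan):
        if not self.card_limiter.allow(merchant_key):
            self.card_denials[merchant_key] = self.card_denials.get(merchant_key, 0) + 1
            return 429, None
        return 200, luhn_ok(pan)


def simulate():
    """Returns (cities served to the flooding IP, status for another IP,
    card checks served, card checks denied, status after a 10 s wait)."""
    clock = FakeClock()
    svc = LookupService(clock)
    # 50 city requests from one IP in the same instant: only the burst passes
    city_served = sum(svc.cities("203.0.113.7", "US")[0] == 200 for _ in range(50))
    other_client = svc.cities("198.51.100.9", "US")[0]
    # card-testing run of 20 attempts under one merchant key
    card_served = sum(svc.validate_card("merchant-1", "4111111111111111")[0] == 200
                      for _ in range(20))
    clock.advance(10)          # at 0.1 token/s this refills exactly one call
    card_after_wait = svc.validate_card("merchant-1", "4111111111111111")[0]
    return city_served, other_client, card_served, svc.card_denials["merchant-1"], card_after_wait


if __name__ == "__main__":
    print(simulate())
```

The denial counter is the detection hook: a merchant key that is refused seventeen times in one second is either a broken integration or a card-testing bot, and either way deserves an alert rather than silent 429s.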
From the Back Office to the Front of the Store
In the olden days, when we were all young and so, so naive, our applications communicated with one another within the bounds of our networks, safely hidden away behind firewalls. That meant questions of access and authentication were, shall we say, not as pressing for developers as they could have been. Implementing a lot of security checks would have been cumbersome, slowed development, and interfered with functionality. Today, with hybrid data centers and cloud everything, APIs are out from behind the firewall – but developers often forget this fact and accidentally expose them to the public.
"It's not difficult to secure an API," said Humberto Gauna, consultant at BTB Security. "But it requires resources, and that increases costs to the company." When building a new API, he suggested, a company should get security professionals involved in the early stages.
More often than not, data center security managers have little influence over how developers write their APIs. But they can work to ensure that on-premises databases and servers are properly secured and that cloud-based services are properly configured. They can also set up API gateways, both for on-prem environments and cloud deployments.
The Pros and Cons of API Gateways
Not all experts think API gateways are a good idea.
When companies funnel all their API traffic through one or more API gateways, they can ensure basic security policies, such as encryption, authentication, and access control, are fully enforced. The gateways can also do other things like load balancing and DDoS protection.
API gateways can be set up for on-prem data centers, and most major cloud providers offer them as services for systems hosted on their infrastructure. The process starts with creating a directory of all the APIs exposed by the data center, said Cybereason's Barak. "This is a core building block of a good security platform, and a lot of people don't have it." Keeping the directory up to date is hard, especially when new microservices are developed and rolled out in days, or sometimes hours.
Next, each API call has to be tied to a credential, such as an API key or an OpenID identifier, and access to data and services has to be controlled on the basis of those credentials. "Your developers should not be able to expose a new API without authorization tokens and have to register the API," said Barak.
Finally, a data center can set up a gateway for API traffic. By enforcing a secure channel, one that includes encryption and signatures, data centers can have a dramatic impact on API security, he said.
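The three steps Barak describes (a directory of exposed APIs, a credential behind every call, and a gateway that enforces a signed, encrypted channel) fit in one small check function. What follows is an added example, not code from the article or from Cybereason or any gateway product: an in-process stand-in for the gateway's decision logic. The registry entries, client ids, secrets, and request shape are all constructed; a real deployment would keep the secrets out of source and terminate TLS in front of this logic.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Step 1: the directory. Every exposed API is listed with the scope a caller
# needs. A route that is not here is refused, so deploying an endpoint
# means registering it.
REGISTRY = {
    ("GET", "/v1/cities"):    {"scope": None},              # public
    ("POST", "/v1/payments"): {"scope": "payments:write"},
    ("GET", "/v1/orders"):    {"scope": "orders:read"},
}

# Step 2: credentials. Each client has a key id, a shared secret used to
# sign requests, and the scopes it was granted. Constructed values.
CLIENTS = {
    "booking-frontend": {"secret": b"frontend-secret-0001",
                         "scopes": {"orders:read", "payments:write"}},
    "analytics-batch":  {"secret": b"analytics-secret-0002",
                         "scopes": {"orders:read"}},
}


@dataclass
class Request:
    method: str
    path: str
    scheme: str            # "https" or "http", as seen by the gateway
    body: bytes = b""
    key_id: str = ""
    signature: str = ""    # hex HMAC-SHA256 over method, path and body


def sign(secret, method, path, body=b""):
    """Client side: the signature binds the credential to this exact call,
    so a captured request cannot be replayed against a different path or
    with a modified body."""
    msg = method.encode() + b"\n" + path.encode() + b"\n" + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def gateway(req):
    """Step 3: the choke point. Returns (status, reason); fails closed."""
    if req.scheme != "https":
        return 426, "TLS required"
    entry = REGISTRY.get((req.method, req.path))
    if entry is None:
        # Worth alerting on: traffic to an unregistered route is how a
        # shadow API first shows up.
        return 404, "unregistered API"
    if entry["scope"] is None:
        return 200, "ok"
    client = CLIENTS.get(req.key_id)
    if client is None:
        return 401, "unknown key id"
    expected = sign(client["secret"], req.method, req.path, req.body)
    if not hmac.compare_digest(expected, req.signature):
        return 401, "bad signature"
    if entry["scope"] not in client["scopes"]:
        return 403, "scope not granted"
    return 200, "ok"


def demo():
    """Six constructed requests; returns their status codes in order."""
    fe = CLIENTS["booking-frontend"]["secret"]
    an = CLIENTS["analytics-batch"]["secret"]
    body = b'{"order":"a1b2","amount":420}'
    return [
        gateway(Request("GET", "/v1/cities", "https"))[0],                  # public route
        gateway(Request("GET", "/v1/cities", "http"))[0],                   # plaintext
        gateway(Request("POST", "/v1/payments", "https", body, "booking-frontend",
                        sign(fe, "POST", "/v1/payments", body)))[0],        # authorised
        gateway(Request("POST", "/v1/payments", "https", body, "analytics-batch",
                        sign(an, "POST", "/v1/payments", body)))[0],        # wrong scope
        gateway(Request("POST", "/v1/payments", "https", body + b" ", "booking-frontend",
                        sign(fe, "POST", "/v1/payments", body)))[0],        # tampered body
        gateway(Request("GET", "/v1/debug", "https", b"", "booking-frontend",
                        sign(fe, "GET", "/v1/debug")))[0],                  # unregistered
    ]


if __name__ == "__main__":
    print(demo())
```

Two design points: the registry lookup happens before any credential check, so an unregistered route is refused even to a fully authorised client, and `hmac.compare_digest` rather than `==` is used for the signature so the comparison does not leak how many leading bytes matched.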
But some experts say it can be difficult if not impossible to get all of a company's developers on board.
"It would be ideal," said Adam Kujawa, director of Malwarebytes Labs, a San Jose-based security vendor. "But a data center can't force their customers to do this." What it can do, however, is offer an API gateway as a service to its customers or enterprise users. "Then, if they don't use the service, make sure they're isolated, so they can't infect the rest of the data center."
Another challenge is that API gateways can't always be deployed to all platforms and are different from provider to provider, which creates management challenges.
Additionally, an API gateway can be a single point of failure and add complexity and management overhead. "Our customers are building microservices where one application has incredible scale and is deployed all over the planet in dozens of data centers," said Doug Dooley, COO at Data Theorem, a Palo Alto-based application security vendor. "There are discrete forms of code all communicating horizontally through APIs, with hundreds of thousands of APIs in one enterprise."
Trying to force everything through API gateways makes no sense in such cases, he said. It’s not scalable or cost effective, "and it's trivial to bypass this arbitrary choke point," he added.
Tim Woods, VP for technology alliances at FireMon, suggests a distributed approach to API security. That approach could be more dynamic and flexible. It’s also faster for edge computing applications. "Any time you have to go to a central clearing warehouse or central gateway, you have to worry about latency," he said.
Nitzan Miron, VP of product management for application security at Barracuda Networks, said companies also have problems finding all the active APIs in their infrastructure. That's especially true when infrastructure includes public clouds. "A traditional network inventory (scanning an IP range) is worthless when IPs are all dynamically allocated by a public cloud provider or even multiple providers," he said.
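When IP addresses come and go, the inventory has to be built from what actually answers requests rather than from what a scanner finds. The following is an added example, not code from the article or from Barracuda: it parses a handful of constructed load-balancer access lines, collapses numeric path segments into templates so that `/v1/orders/1042` and `/v1/orders/1043` count as one API, and diffs the live routes against the registered list. The log format, the paths, and the registry are all assumptions.

```python
import re
from collections import Counter

# Constructed access-log lines: vhost, method, path, status.
LOG_LINES = """\
api.example.com GET /v1/cities?country=US 200
api.example.com POST /v1/payments 201
api.example.com GET /v1/orders/1042 200
api.example.com GET /v1/orders/1043 200
api.example.com GET /v1/orders/1044 403
api.example.com GET /v1/nope 404
10.3.7.21 GET /internal/debug/users 200
10.3.7.21 GET /internal/debug/users/77 200
api.example.com GET /v1/old-export 200
garbage line that does not parse
""".splitlines()

# What the directory says is exposed. Path parameters are written as {id}.
REGISTERED = {
    ("GET", "/v1/cities"),
    ("POST", "/v1/payments"),
    ("GET", "/v1/orders/{id}"),
}

LINE = re.compile(r"^(?P<host>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")
NUMERIC_SEGMENT = re.compile(r"/\d+(?=/|$)")


def normalize(path):
    """Drop the query string and collapse numeric path segments so that
    per-record URLs fold into one route template."""
    return NUMERIC_SEGMENT.sub("/{id}", path.split("?", 1)[0])


def observed_apis(lines):
    """Counter of (method, template) for routes that actually answered.
    404s are skipped: they prove nothing is listening there. Lines that
    do not match the expected format are ignored."""
    seen = Counter()
    for line in lines:
        m = LINE.match(line)
        if m is None or m.group("status") == "404":
            continue
        seen[(m.group("method"), normalize(m.group("path")))] += 1
    return seen


def shadow_apis(lines, registered):
    """Live routes missing from the directory: each one is either a
    forgotten endpoint to remove or a real API that must be registered."""
    return {api: n for api, n in observed_apis(lines).items() if api not in registered}


if __name__ == "__main__":
    for api, hits in sorted(shadow_apis(LOG_LINES, REGISTERED).items()):
        print(f"{hits:4d}  {api[0]} {api[1]}")
```

Note that the 403 on `/v1/orders/1044` still counts as a live route: a refusal from the application proves the endpoint exists, which is exactly the kind of evidence an IP-range scan cannot give once the addresses behind a load balancer keep changing.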
But API gateway tools are maturing, he added, and have recently begun adding capabilities to properly audit and control API access. "As these tools mature and become easier to use, it will be less of a challenge to find the right tool and install on all company APIs and applications without causing business disruption," he said.