The growing importance of establishing effective API security
Cybercriminals have tended to focus on acquiring user credentials to maximise their ability to traverse targeted IT infrastructures. They use them to gain access to mount their planned attack and cause as much disruption as possible.
However, this focus is changing as increasing numbers of criminals turn their attention to the credentials held by application programming interfaces (APIs). Indeed, according to research by content delivery network Akamai, almost 75% of attacks directly target such API credentials.
When you consider the role played by APIs within a security infrastructure, it's unsurprising that they have become such popular targets. They are a critical element in most cloud-based services, which are rapidly taking over the functions of on-premises assets at most organisations.
It's now effectively impossible to run any business or process these days without the cloud. This means that APIs have become the glue that binds many different services together.
For a business, API usage delivers some significant benefits. They are primarily small and unobtrusive in terms of network resource allocation. They are also very flexible, which means security teams can task them to perform almost any job.
Essentially, APIs are individual pieces of software tailored to control or manage a particular program or process. As a result, security teams can use them to perform very specific functions, such as accessing data from a host operating system, application, or service.
The risk of being overlooked
Unfortunately, APIs' flexibility and the fact that they are often small and overlooked by security teams make them attractive targets for cybercriminals. Most APIs have also tended to be designed with flexibility rather than security in mind.
There are also very few standards that are followed during API development. If they are coded by developers who aren't very security-aware, the APIs likely will have any number of vulnerabilities that attackers can find and exploit.
This is a problem that is quickly getting out of hand. According to research firm Gartner, in 2022, vulnerabilities involving APIs will become the most frequent attack vector across all cybersecurity categories.
Attackers have a specific goal when it comes to targeting APIs. They don't particularly want to take over whatever specific function the API performs but rather want to steal the credentials associated with it.
In many cases, APIs are often way over permissioned for their core functionality. Indeed, many have near administrator-level access on a network. For this reason, if an attacker gains control of one, they can often use its permissions to launch deeper and more substantial incursions into the wider infrastructure.
Also, because APIs have permission to perform whatever tasks an attacker redirects it toward, their actions can often bypass traditional cybersecurity monitoring because the API does not break any rules and trigger an alert.
Improving API protection
While the security situation around APIs has become very concerning, it's far from a lost cause. On the contrary, big efforts are being made to ensure developers are more aware of the risks and encourage them to adopt security best practices in all aspects of software creation, testing, and deployment.
The range of best practices that organisations can introduce to improve their level of API security include:
- Improve API identity controls: It's important to treat APIs similarly to users when assigning permissions. If an API has been designed to do a specific function, consider what could happen if an attacker compromised it. Think about using role-based access control and apply zero-trust principles. It can also be worthwhile to include APIs as part of the organisation's wider identity management program.
- Put limits on API calls: Limiting those calls to very context-centred requests makes it much more difficult for an attacker to modify them for nefarious purposes.
- Make use of a layered operational approach: A powerful way to improve security is to begin by having an initial API make a highly contextual call to another API that knows exactly what to look for and what to ignore. This approach effectively limits the functionality available to a cybercriminal who may have gained control of the API and is attempting to use it as part of an attack.
The security weaknesses within APIs can seem daunting and appear to be a significant threat to infrastructure security. However, by ensuring developers are aware of the importance of including effective measures in their code designs and by limiting API permissions, the sought-after business benefits can be achieved without increasing levels of risk.