An API (application programming interface) is the software intermediary that lets two applications talk to one another. For instance, if you have ever seen a website displaying a Google Maps object, the website will be using the Google Maps API for embedding that map object. If an API such as this didn’t exist, any developer wanting a map on their website would have to build their own interactive maps using their own mapping data. The same is true of mobile apps that, for example, use the camera of your smartphone for taking images or videos. If the right APIs were not made available to developers, this process would be significantly more complex and far less user-friendly.
Because APIs are used for transferring data and connecting services, they are also crucial from a security perspective. An API that is hacked or otherwise exploited can result in massive critical data breaches of personal, financial, and other information. Securing an API is therefore absolutely critical. Unfortunately, proper cyber security is not always something that’s taken as seriously as it should be when it comes to APIs.
As with many of the features targeted by cyber attackers, everything that makes APIs useful also makes them good targets for hackers. They are publicly available, standardized and ubiquitous, efficient, easy to use, flexible, and very well documented.
From web applications to web APIs
In the past, web apps were a common target for cybercriminals. In its simplest terms, a web app (or web application) is a website you see in the browser, while a web API is a service that you use in a web application. The web application is the graphical, end-to-end solution for users to interact with on their browser screen. A web API, on the other hand, returns non-graphical data instead of views. It’s a system intended for interacting with another system.
Web apps are the most visible part of an organization’s web presence. For that reason, most organizations have historically focused heavily on web application security. But as organizations have invested in tools like the latest firewall protection to safeguard against intrusion, cybercriminals are increasingly shifting their focus to web APIs as a new avenue they can exploit.
There have been multiple examples of this in recent years. For example, in 2018 an unsecured API endpoint allowed anyone to view plain text customer information including usernames, emails, phone numbers, credit card information, and more on the website of bakery-cafe chain Panera Bread. In all, up to 37 million customers had data leaked over the span of many months. Another example of poorly secured APIs exposing private information involved the mobile payments app Venmo, which accidentally placed at risk details concerning millions of transactions using the service.
Types of API attack
The design of APIs makes them easily usable for bulk data transfer and automated attacks. One such attack could be a Man-in-the-Middle cyberattack, in which hackers eavesdrop on unencrypted connections between API client and server in order to access potentially sensitive data. This data could be used for credential stuffing attacks, whereby credentials gained from a data breach are used to try and illicitly access other services with which the lawful owner of those credentials might have an account.
Hackers could additionally carry out malicious content manipulation, for example by injecting tampered JSON Web Tokens that an API accepts and acts on, without the user's knowledge, while it is running. API-based automated attacks could also lead to Distributed Denial of Service (DDoS) attacks, whereby badly written code is used to overload computer resources and interfere with API-augmented web applications.
Protecting yourself against API attacks
There are multiple steps that organizations can take to crack down on potential cyberattacks targeting APIs. The most fundamental is to ensure that public-facing APIs are properly secured during the development process of any system. Ensuring that proper authentication and authorization principles are followed helps prevent misuse of APIs. Related to this is making sure that developers, administrators, and any other decision-makers are up to date with the latest and most common vulnerabilities that can affect APIs, from authentication issues to SQL and script injection. It’s also essential to monitor API gateways to try and mitigate risks such as DDoS attacks.
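Monitoring an API gateway, as recommended above, means turning its access log into signals. This added example (not code from the original article or any product it mentions) runs two detections over constructed gateway log lines in an assumed space-separated format: the credential-stuffing pattern described earlier (many failed logins from one client across many distinct usernames in a short window) and a plain request flood of the kind a DDoS produces. The log format, paths, thresholds and addresses are all assumptions for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone
from typing import Dict, List, NamedTuple

# Constructed access-log lines in an assumed format:
# <timestamp> <client ip> <method> <path> <status> [user=<name>]
SAMPLE_LOG = """\
2024-05-01T10:00:00Z 203.0.113.5 POST /v1/login 401 user=alice
2024-05-01T10:00:02Z 203.0.113.5 POST /v1/login 401 user=bob
2024-05-01T10:00:03Z 203.0.113.5 POST /v1/login 401 user=carol
2024-05-01T10:00:05Z 203.0.113.5 POST /v1/login 401 user=dave
2024-05-01T10:00:06Z 203.0.113.5 POST /v1/login 401 user=erin
2024-05-01T10:00:08Z 203.0.113.5 POST /v1/login 200 user=frank
2024-05-01T10:00:09Z 203.0.113.5 POST /v1/login 401 user=grace
2024-05-01T10:00:11Z 203.0.113.5 POST /v1/login 401 user=heidi
2024-05-01T10:00:01Z 198.51.100.7 POST /v1/login 401 user=ivan
2024-05-01T10:00:20Z 198.51.100.7 POST /v1/login 401 user=ivan
2024-05-01T10:00:40Z 198.51.100.7 POST /v1/login 200 user=ivan
"""
# A constructed flood: 120 requests from one client inside one minute.
SAMPLE_LOG += "".join(
    f"2024-05-01T10:01:{i % 60:02d}Z 192.0.2.9 GET /v1/items 200\n" for i in range(120)
)

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})(?: user=(\S+))?$")


class Event(NamedTuple):
    ts: float
    ip: str
    method: str
    path: str
    status: int
    user: str  # empty string when the line carries no user field


def parse_log(text: str) -> List[Event]:
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of crashing the detector
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()
        events.append(Event(ts, m.group(2), m.group(3), m.group(4), int(m.group(5)), m.group(6) or ""))
    return events


def _stuffing_window(fails: List[Event], window_s: float, min_failures: int, min_users: int) -> bool:
    """Sliding window over one client's failed logins: true if any window of window_s
    seconds holds at least min_failures attempts spread over at least min_users usernames."""
    fails = sorted(fails, key=lambda e: e.ts)
    in_window: Counter = Counter()
    left = 0
    for right, e in enumerate(fails):
        in_window[e.user] += 1
        while e.ts - fails[left].ts > window_s:
            in_window[fails[left].user] -= 1
            if in_window[fails[left].user] == 0:
                del in_window[fails[left].user]
            left += 1
        if right - left + 1 >= min_failures and len(in_window) >= min_users:
            return True
    return False


def detect_credential_stuffing(events: List[Event], login_path: str = "/v1/login", window_s: float = 60,
                               min_failures: int = 5, min_distinct_users: int = 4) -> Dict[str, dict]:
    """Per client IP, flag bursts of failed logins across many accounts. A single user
    mistyping a password a few times (one username) does not trip this rule."""
    per_ip: Dict[str, List[Event]] = defaultdict(list)
    for e in events:
        if e.path == login_path and e.status == 401:
            per_ip[e.ip].append(e)
    findings = {}
    for ip, fails in per_ip.items():
        if _stuffing_window(fails, window_s, min_failures, min_distinct_users):
            findings[ip] = {"failed_logins": len(fails), "distinct_users": len({e.user for e in fails})}
    return findings


def _count_exceeds(times: List[float], window_s: float, threshold: int) -> bool:
    times = sorted(times)
    left = 0
    for right, t in enumerate(times):
        while t - times[left] > window_s:
            left += 1
        if right - left + 1 >= threshold:
            return True
    return False


def detect_rate_abuse(events: List[Event], window_s: float = 60, max_requests: int = 100) -> Dict[str, int]:
    """Per client IP, flag more than max_requests calls within any window_s seconds."""
    per_ip: Dict[str, List[float]] = defaultdict(list)
    for e in events:
        per_ip[e.ip].append(e.ts)
    return {ip: len(ts) for ip, ts in per_ip.items() if _count_exceeds(ts, window_s, max_requests + 1)}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("credential stuffing:", detect_credential_stuffing(evs))
    print("rate abuse:", detect_rate_abuse(evs))
```

Both rules are deliberately per-client and windowed so that a legitimate user who fails twice and then succeeds (198.51.100.7 in the sample) is not flagged, while the client cycling through many usernames and the client flooding one endpoint are; a real gateway would feed these findings to rate limiting or blocking rather than only reporting them.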
Fortunately, as smart as cyberattacks may be getting, security tools are even smarter. Picking the right security professionals will give you access to tools such as bespoke security models that enforce that only the traffic you want reaches your API, and that each and every API endpoint is protected the moment it is published.
Calling on capabilities such as Cloud CDN, WAF, Layer 3/4 DDoS protection, and Attack Analytics, full-stack application security solutions will protect your APIs in the best way possible. And all without having to compromise the benefits APIs provide when it comes to agile development and the expanded functionality of online services.