
Our Digital Lives Are Only Secure if Our APIs Are Secure

Image Credit: Skorzewiak/BigStockPhoto.com

Application Programming Interfaces (APIs) have been around for a while, but their popularity has skyrocketed in recent years. When I started in the industry way back in the 1990s, businesses built monolithic applications that did everything; developers were responsible for maintaining and updating these applications, while security teams were responsible for providing secure networks on which to launch and run them. This approach was safe, but very cumbersome, and it made it difficult to scale or innovate quickly.

With the advent of the cloud, businesses started breaking their applications into smaller, more manageable pieces - modular services or microservices - allowing them to innovate faster, eliminate bottlenecks, scale more efficiently, and provide better customer experiences. APIs play a critical role in these new architectures by facilitating communication and data exchange between different microservices.

APIs are also designed to expose data, sometimes whole datasets, which means that a single API call can provide access to an enormous amount of sensitive data. As APIs become more prevalent, they represent an increasingly attractive target and 2023 is set to be a record year with API breaches accelerating at a rate of 227% [1].

APIs are the unsung heroes of modern technology, enabling seamless communication and data exchange between different applications and systems. APIs provide engineers and enterprises alike with an easy way to achieve ecosystem effects and to enable external value creation. Take a simple online food order:

  • The user sends an order, including home address and other personally identifiable information (PII), payment information and potentially additional data shared from a social media profile and/or social login.
  • An ordering app in the cloud transmits the payment information to a payment processor before submitting the order to the restaurant. This is a multi-step process, involving transmission, confirmation, and call-back to the ordering app, with each step being at least one API call. A record is stored in the app upon completion of the payment, together with the transaction ID.
  • The ordering app then transmits the order to the restaurant and awaits confirmation. Once confirmed, the order is recorded in the app, and the customer may be notified of order confirmation.
  • A delivery notice is sent out to a fleet of potential logistics partners. Time, location, transportation mode, availability, other jobs in the queue and other factors may be consulted. This delivery request is also an API connection, and it includes the customer’s PII. Delivery is eventually confirmed, and the customer is notified.

With this single, everyday transaction, it’s likely that 10 to 20 different API calls are triggered. It’s no surprise that 83% of all online traffic now comes from API calls according to a report [2] by Akamai. And that figure looks set to rise and rise alongside the proliferation of cloud-native and microservice-driven architectures. APIs are also quickly becoming a leading threat vector and an attractive attack surface for bad actors. At the 2023 RSA Conference in San Francisco, there was a lot of talk about API security, particularly from network security vendors.

On the one hand, as a major advocate for breach prevention, I love to see more people bringing awareness to the problem. The more people are talking about the importance of effective API security, the better. Right? On the other hand, it makes decision-making and understanding much harder for those customers trying to secure their APIs. What are all the network security controls around APIs? Is a network security solution sufficient?

Spoiler alert: It's not.

API security is fundamentally an application security, or AppSec, problem. Yes, there are benefits to network-layer controls, but most API breaches consist of well-formed, often authenticated requests that exploit authorization or business-logic flaws, and at the network layer they are indistinguishable from legitimate traffic. Rate limiting, pagination (capping how many records a single call can return), discovery and visibility are excellent things to do, and can limit the scale of a breach. Your cloud provider can help you put them in place easily today. But to really begin solving the problem, you need to look at the layer above the network.

Effective API security requires protections at the application layer. Traditional cybersecurity approaches focus on securing the perimeter and detecting external threats, but APIs are designed to be exposed, making it challenging to detect malicious activity. To secure APIs properly, a purpose-built approach is required that focuses on securing the data itself and the business logic that processes it. A comprehensive approach to API security combines cloud, application, and code to address authentication, authorization, and data handling flaws at the business logic and application layers.

To secure APIs, it's essential to have a solution that includes all of the following considerations:

  1. Authentication: Ensure that only authenticated users and applications can reach the API, and reject any call that does not carry a valid credential. Use industry-standard protocols such as OAuth 2.0 (with OpenID Connect for user identity) rather than home-grown token schemes.
  2. Authorization: Ensure that every API call is authorized server-side, never on the client. The decision should take into account the user making the request, the specific record being requested, and the action the user is invoking. If any of these three elements lacks a clear path to authorization, the request is denied.
  3. Encryption: Protect sensitive data in transit with TLS (SSL and early TLS versions are deprecated and should be disabled) and at rest with platform- or application-level encryption.
  4. Rate limiting: Prevent attackers from overloading APIs, or from harvesting data in bulk, by setting per-client rate limits. As I said, there are benefits to network security controls.
  5. Input validation: Validate all input to the API (path and query parameters, headers and request bodies) against a strict schema to prevent injection and other input-driven attacks.
  6. Monitoring and analytics: Monitor APIs for suspicious activity and use analytics to detect anomalies and potential attacks, keying on access patterns rather than only on error responses.
  7. Inventory and audit: Get full visibility across all of your APIs, including forgotten and undocumented ones, and create a centralized audit trail.
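Items 2 and 5 above are the ones most often got wrong in practice, so here is an added example (not code from the original article or from any product it mentions) showing the difference for the order-lookup call in the food-order flow. The order records, the principals and the field-visibility policy are constructed for illustration. The insecure handler authenticates the caller but never asks whether the requested order belongs to them; the hardened one validates the order ID, decides over all three elements (requester, record, action), denies by default, and filters the returned fields by role.

```python
"""
Server-side authorization for an order-lookup API: a handler that only
authenticates (vulnerable to object-level authorization bypass) beside a
hardened one that checks requester, record and action, validates input and
filters fields per role. Added example; all names and data are constructed.
"""
import re
from dataclasses import dataclass

# Constructed sample store: two customers' orders at one restaurant.
ORDERS = {
    "ord_1001": {"customer": "alice", "restaurant": "rest_7", "courier": "bob",
                 "address": "1 Example St", "card_last4": "4242", "status": "paid"},
    "ord_1002": {"customer": "carol", "restaurant": "rest_7", "courier": None,
                 "address": "2 Example Ave", "card_last4": "1111", "status": "confirmed"},
}

# Which fields each role may see; anything not listed is never returned.
VISIBLE_FIELDS = {
    "customer":   {"status", "restaurant", "address", "card_last4"},
    "restaurant": {"status"},
    "courier":    {"status", "address"},
}

# Input validation: an order id is exactly "ord_" plus 1-12 digits, nothing else.
ORDER_ID_RE = re.compile(r"ord_[0-9]{1,12}")


@dataclass(frozen=True)
class Principal:
    """Identity established by authentication (e.g. claims from an OAuth 2.0 access token)."""
    subject: str
    role: str                 # "customer" | "restaurant" | "courier"
    scopes: frozenset


class AuthzError(PermissionError):
    pass


class ValidationError(ValueError):
    pass


def validate_order_id(order_id):
    """Reject anything that is not a well-formed order id before it touches storage."""
    if not isinstance(order_id, str) or ORDER_ID_RE.fullmatch(order_id) is None:
        raise ValidationError("malformed order id")
    return order_id


def get_order_insecure(principal, order_id):
    """VULNERABLE: the caller is authenticated, but nothing checks the order is theirs."""
    order = ORDERS.get(order_id)
    if order is None:
        raise KeyError(order_id)
    return dict(order)


def is_authorized(principal, order, action):
    """Policy over the three elements: who, which record, which action. Deny by default."""
    required_scope = {"read": "orders:read", "cancel": "orders:write"}.get(action)
    if required_scope is None or required_scope not in principal.scopes:
        return False
    # The record itself must name this principal in the field that matches its role.
    owner_field = {"customer": "customer", "restaurant": "restaurant",
                   "courier": "courier"}.get(principal.role)
    if owner_field is None or order[owner_field] != principal.subject:
        return False
    if action == "cancel":
        return principal.role == "customer" and order["status"] != "delivered"
    return action == "read"


def get_order(principal, order_id, action="read"):
    """HARDENED: validate, then authorize against the specific record before acting."""
    order_id = validate_order_id(order_id)
    order = ORDERS.get(order_id)
    # One response for "no such order" and "not yours", so ids cannot be enumerated.
    if order is None or not is_authorized(principal, order, action):
        raise AuthzError("order not found or not accessible")
    if action == "cancel":
        order["status"] = "cancelled"
        return {"status": order["status"]}
    return {k: v for k, v in order.items() if k in VISIBLE_FIELDS[principal.role]}


if __name__ == "__main__":
    carol = Principal("carol", "customer", frozenset({"orders:read", "orders:write"}))
    print(get_order_insecure(carol, "ord_1001"))   # leaks alice's address and card digits
    try:
        get_order(carol, "ord_1001")
    except AuthzError as e:
        print("hardened:", e)
```

Note that the insecure call from carol for alice's order is a syntactically perfect, authenticated request over TLS; no network control sees anything wrong with it. Only the check against the record, in the application, stops it.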

APIs are everywhere, and they are quickly becoming a leading threat vector. As APIs become more prevalent, the threat will increase, and the need for comprehensive API security will become even more pronounced. Traditional cybersecurity approaches are ineffective in securing APIs, and a purpose-built approach is required that focuses on securing the data itself and the business logic that processes it. Securing APIs at the application layer with inline protections that provide context is the most effective way to protect your APIs and to bridge the gap between application developers and security teams.
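The monitoring point above (item 6 of the list) and the earlier observation that breach traffic looks like normal API calls come together in detection. The following added example (not code from the original article) scans constructed access-log lines for object-ID enumeration: one authenticated subject walking through many distinct order IDs in a short window. The log format and thresholds are assumptions. The key design choice is that the detector keys on the access pattern rather than on response codes, so it fires both while the backend is still vulnerable (every call answered 200) and after the fix (every call answered 403).

```python
"""
Detecting object-ID enumeration in API access logs. Added example; the log
format (ts subject method path status) and the sample lines are constructed.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(r"^(?P<ts>\d+) (?P<subject>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")
OBJECT_RE = re.compile(r"^/orders/(?P<id>ord_\d+)$")


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    d = m.groupdict()
    obj = OBJECT_RE.match(d["path"])
    return {"ts": int(d["ts"]), "subject": d["subject"], "method": d["method"],
            "object_id": obj.group("id") if obj else None, "status": int(d["status"])}


def detect_enumeration(lines, window_s=60, min_requests=8, min_distinct_ratio=0.8):
    """
    Flag (subject, time window) pairs where a subject touched many distinct
    object ids: at least min_requests object reads with distinct ids making up
    at least min_distinct_ratio of them. Status codes are reported, not required.
    """
    buckets = defaultdict(list)          # (subject, window_start) -> records
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["object_id"] is None:
            continue                      # malformed line or not an object lookup
        window_start = rec["ts"] - rec["ts"] % window_s
        buckets[(rec["subject"], window_start)].append(rec)

    alerts = []
    for (subject, start), recs in sorted(buckets.items()):
        if len(recs) < min_requests:
            continue
        distinct = len({r["object_id"] for r in recs})
        if distinct / len(recs) >= min_distinct_ratio:
            denied = sum(1 for r in recs if r["status"] in (401, 403, 404))
            alerts.append({"subject": subject, "window_start": start,
                           "requests": len(recs), "distinct_ids": distinct,
                           "denied": denied})
    return alerts


def build_sample_log():
    """Constructed sample: a normal customer and an attacker walking sequential ids."""
    lines = []
    # alice re-reads her own two orders a few times: few requests, few distinct ids
    for i, oid in enumerate(["ord_1001", "ord_1001", "ord_1003", "ord_1001"]):
        lines.append(f"{1700000000 + i} alice GET /orders/{oid} 200")
    # mallory walks 12 sequential ids in one minute; a vulnerable backend answers 200
    for i in range(12):
        lines.append(f"{1700000010 + i} mallory GET /orders/ord_{1001 + i} 200")
    # same pattern after the authorization fix: answered 403, still flagged
    for i in range(12):
        lines.append(f"{1700000100 + i} mallory GET /orders/ord_{2001 + i} 403")
    lines.append("1700000050 carol POST /orders 201")    # not an object lookup, ignored
    lines.append("this is not a log line")               # malformed, ignored
    return lines


if __name__ == "__main__":
    for alert in detect_enumeration(build_sample_log()):
        print(alert)
```

In production the window and thresholds would be tuned per endpoint, and the subject would come from the verified token rather than a client-supplied header; the principle stands regardless, which is that the signal is in the relationship between caller and resources, context that only exists above the network layer.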

Our digital lives are only secure if our APIs are secure, and breaches from the past 10 years show us a clear problem set that needs to be addressed.

Sources:

[1] https://www.firetail.io/api-security-report-2023

[2] https://www.akamai.com/newsroom/press-release/state-of-the-internet-security-retail-attacks-and-api-traffic

Author

Jeremy Snyder, CEO and Co-Founder, served as an IT and cybersecurity practitioner for 10 years before transitioning into cloud and cybersecurity for new markets. He is fluent in five languages, which gives him unique and valuable skills for analyzing data and building technology solutions.
