Despite tight economic situations worldwide, the API economy continues to grow. For most industries, APIs facilitate instantaneous transactions across almost any application or service, expediting the flow of goods and services. A recent report from F5 described the proliferation of APIs in this way: “If data is the new oil, then APIs will become the new plastic.”
Open APIs (or public APIs) provide many opportunities and competitive advantages. Companies can leverage open APIs to reshape their supply and delivery chains. Businesses can tap into a wide pool of developer talent and an ever-growing repository of software resources. Furthermore, companies can release their commercially developed APIs as open APIs later. By doing so, they can attract new customers, increase brand loyalty, and enhance their marketplace profile.
However, open APIs also come with inherent risks and challenges, and enterprises need to address these concerns before embarking on this journey.
This article will provide a snapshot of 10 threats to the open API ecosystem for IT engineers, leadership team members, and cybersecurity professionals. We’ll also introduce Gravitee, a modern API management platform that comes with the necessary tools and technologies to address the challenges of API development, deployment, and maintenance.
Open APIs present many opportunities, among which are improved connectivity and collaboration with suppliers, service providers, and customers. Ultimately, this contributes to better customer experiences. Microservices connected via API endpoints add to productivity by enabling businesses to take advantage of fit-for-purpose technologies, freeing them from using cumbersome, monolithic systems. All this leads to dramatically reduced costs in application development, deployment, and maintenance.
However, by nature, open APIs also attract attention from both individual and organized cybercriminals. Since APIs are transactional, they are also vulnerable to accidental or malicious disclosure of personal, financial, and other sensitive information. Unprotected endpoints or unvalidated client requests can expose an API to attacks like DDoS, SQL injection, or ransomware. These can seriously impact both developers and consumers of open APIs.
Participation in the open API ecosystem needs careful preparation, and that preparation begins with threat identification.
The cybersecurity industry has invested substantial resources to identify, classify, and grade API attack vectors. Based on that research, we’ve compiled a list of the 10 noteworthy threats to open APIs.
APIs rely on endpoints that often deal with object IDs. Such objects can be any resource, such as a file, a database table, or a port. Poor application design can exploit an object’s ID sent with a client request.
To prevent this, an API’s code must perform object-level authorization checks every time it fetches the object’s data or conducts any operation on it. Such checks ensure that the user or application making the request has the bare minimum permissions to perform such functions. The conventional implementation with best practices uses the principle of least privilege and role-based access controls for these checks.
Malicious actors exploit APIs with broken user authentication to spoof valid users, gain unauthorized access to different parts of the system, and launch further attacks.
Securing API endpoints with a robust authentication mechanism is vital for guarding against this threat. User authentication secures an API by requiring the client to provide valid credentials like a username/password combination or API access keys.
Bad coding practices often expose object properties, data, or other sensitive information in the code. Client applications have to filter out this information before returning results to the user. However, such data (for example, keys to other APIs, credentials, or personal information) might remain in the code and inadvertently become widely available when the API code is hosted on public repositories.
Without a restriction on request access rate, an API endpoint is vulnerable to Distributed Denial of Service (DDoS) attacks. Such attacks involve malicious players launching numerous requests against the API endpoint from multiple sources (often compromised systems), overwhelming the endpoint, and taking it offline. Popular open APIs can be common targets of such attacks.
Rate limiting caps the number of client requests to a specific maximum value within a given time. Any additional client requests received within that period will be rejected. Typically, API gateways perform this rate-limiting task.
Complex object and function access control policies can sometimes have multiple hierarchies, groups, roles, and privileges. Such complex security mechanisms are unwieldy and difficult to maintain. Developers or administrators may sometimes assign higher privileges to users or applications to circumvent the issue. This can often lead to intruders taking advantage of the higher privileges by targeting individual accounts or bypassing a flaw in the access control altogether.
This threat is also known as auto binding or object injection vulnerability. Modern application frameworks encourage developers to employ functions that automatically link client request input values to code variables and other internal objects to simplify and speed up development. Taking advantage of this framework side effect, attackers can alter or overwrite attributes of critical objects that developers are never meant to expose.
Examples of security misconfigurations include insecure default settings, inadequate or untracked configuration changes, insecure storage, misconfigured HTTP headers, permissive Cross-Origin Resource Sharing (CORS), and verbose error messages containing sensitive information. Deploying and configuring the infrastructure resources that support the running of open APIs requires careful attention to security.
Code injection involves malicious players taking advantage of poor input validation to embed SQL or other commands in an API request. When run by API code that doesn’t guard well against such attacks, these commands can expose sensitive data, perform data modification or deletion, or facilitate further infiltration.
As APIs expose more endpoints than traditional web applications, poorly maintained documentation, interface descriptions, versioning, or asset lists can lead to overlooking important attack surfaces and remaining insecure.
Inadequate logging and monitoring results in critical security events not being reported and proactive warnings not being sent. Additionally, missing or defective incident response processes allow attackers to gain traction in their efforts, continuing their activities without getting noticed. Many breach studies show that poor monitoring can lead to breaches going unnoticed for over 200 days.
To address the threats and vulnerabilities discussed above, it’s necessary to adopt security best practices during the design and development phase of APIs. Here are some essential security controls to consider:
- Monitoring the software supply chain and analyzing software composition can identify vulnerable components such as insecure third-party libraries.
- Static application security testing (SAST) reviews application code and can identify vulnerabilities.
- Dynamic application security testing (DAST) simulates attacks against the application code when it’s running and thus finds possible weaknesses.
- Security Incidents and Events Management (SIEM) solutions can scan application logs to find possible breaches, suspicious activities, trends, or anomalies.
- Security Orchestration, Automation, and Response (SOAR) solutions go further by performing remediation steps from runbooks when security anomalies or threats are detected.
- A robust authentication mechanism allows for validating API users. Similarly, a strong authorization mechanism enables users to perform only specific actions that are allowed to perform.
- Encrypting data with symmetric keys and securing API endpoints with SSL/TLS certificates ensure data is protected at rest and in transit.
- A robust disaster recovery plan that has been tested ensures the API is repaired and back online quickly, even if it has been compromised.
In addition, an API gateway can also greatly enhance API security and stability by providing service discovery, routing, load balancing, high availability, and observability services to the APIs hosted behind it. It allows you to easily secure all communication channels with SSL/TLS, implement rate-limiting to prevent DDoS attacks, and limit client request payloads and API response sizes. API gateways can also be used with a web application firewall (WAF) for an additional layer of security.
As we’ve seen, companies can participate in the API economy by building powerful applications with open APIs. However, open APIs are not without threats. We’ve briefly covered the 10 security threats along with the measures to address them. API gateways can facilitate some of these measures and offer advanced management functionalities.
The Gravitee platform offers a set of powerful applications for full API lifecycle management—including API design, deployment, access management, gateway service, observability, and publishing. Tools from Gravitee can generate documented APIs with policies and access plans, create automated alert methods, handle access management requirements, and provide dynamic modeling for authentication flows. Best of all, the Gravitee Cockpit can centrally manage all API environments, from sandbox to production.
To learn more about Gravitee, book a demo.