APIs: Securing the connective tissue for secure digital experiences
There is a well-known quote attributed to Anonymous, the hacking collective, that goes something like this: “If I were to advise a rogue nation state on how to take down the United States, I’d tell them to start with the APIs first.”
Noname Security’s CISO Karl Mattson echoes this idea, citing Akamai findings that 83% of all Internet traffic is initiated with an API call. “APIs are that connective tissue that allow two systems to talk to each other, regardless of how those systems were originally developed.”
This focus on APIs is not new; their use goes back well over a decade. Today it is prevalent, and that is not surprising.
Karl pointed out, “I think what has happened, especially over the last couple of years, is that APIs aren’t used as a utility that is internal to networks.
Rather than using it exclusively for internal communications, we started to point that API out to the world so that we could offer connectivity to our systems and our data, via that API.”
Open Banking offers good examples, one of which is the European Union initiative to boost fintech growth. In essence, open banking is a system, usually supported by regulators as part of a digital agenda, that opens up services, provides choice, and fosters competition and innovation in the market.
To level the playing field, incumbent banks open up their APIs to third parties, usually fintechs, so that those parties can access financial information and develop new apps and services.
Market trends
A report by security researcher Alissa Valentina Knight, “Hacking bank and cryptocurrency APIs”, shared trends in the API security market and highlighted how CISOs rely on web application firewalls to secure their APIs. But WAFs are not designed to detect and protect against logic-based attacks such as Broken Object Level Authorisation and Broken Authentication.
And so Alissa raised the possibility that solutions like WAFs are not relevant in a world that has shifted to being microservices-driven and API-first.
Another trend she pointed out is that the number of API endpoints has increased significantly; organisations may now run an average of 1600 APIs without necessarily having the API threat management solutions required to secure them.
With a growing API attack surface, Gartner predicts that next year API breaches will be the number one attack vector, and that API threat management solutions can no longer be just an option.
With activities like banking, shopping, and more moving towards online channels, this attack surface shows no signs of reducing.
Vulnerable APIs
This research, which was sponsored by Noname Security, sought to demonstrate what would happen when vulnerabilities exist in the APIs of the financial system. Over the course of one year, Alissa tested 55 financial services and fintech mobile apps created by 19 banks, 11 cryptocurrency exchanges, and 21 neobanks.
She discovered two kinds of vulnerabilities. The first is Broken Object Level Authorisation, whereby attackers are able to change the PIN code for an ATM debit card and transfer money between customer accounts of the same bank.
The second flaw, Broken Authentication, means the absence of OAuth 2 tokens, which allows requests to be made without any authentication at all.
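The two flaws above, shown side by side in an added illustration that is not code from the report or from any of the tested apps: a PIN-change handler modelled in plain Python (no web framework) with constructed cards and tokens, first without any authentication or ownership check, then with both.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Card = Dict[str, str]

def sample_cards() -> Dict[str, Card]:
    """Constructed sample data: two customers, one debit card each."""
    return {"card-1001": {"owner": "alice", "pin": "1234"},
            "card-1002": {"owner": "bob", "pin": "5678"}}

# Constructed bearer tokens -> authenticated subject. In a real service this
# would be OAuth 2 token validation or introspection, not a dict lookup.
TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}

@dataclass
class Request:
    card_id: str                  # object id from the URL or body: untrusted
    new_pin: str
    token: Optional[str] = None   # None models a call with no credential

def change_pin_vulnerable(req: Request, cards: Dict[str, Card]) -> Tuple[int, str]:
    """Both flaws from the report: the token is never checked (Broken
    Authentication) and any caller can set any card's PIN (BOLA)."""
    card = cards.get(req.card_id)
    if card is None:
        return 404, "card not found"
    card["pin"] = req.new_pin
    return 200, "pin updated"

def authenticate(token: Optional[str]) -> Optional[str]:
    """Return the subject bound to the token, or None if missing/invalid."""
    return TOKENS.get(token) if token else None

def change_pin_secure(req: Request, cards: Dict[str, Card]) -> Tuple[int, str]:
    subject = authenticate(req.token)
    if subject is None:
        return 401, "authentication required"
    card = cards.get(req.card_id)
    # The BOLA fix: the authenticated subject must own the object it names.
    # "not found" and "not yours" share one response so the endpoint does
    # not reveal which card ids exist.
    if card is None or card["owner"] != subject:
        return 404, "card not found"
    if not (len(req.new_pin) == 4 and req.new_pin.isdigit()):
        return 400, "pin must be four digits"
    card["pin"] = req.new_pin
    return 200, "pin updated"
```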
Static code analysis of the 55 financial services apps uncovered hardcoded API secrets such as keys and tokens in 54 of them. Most were also prone to WITM vulnerabilities and lacked code obfuscation.
In summary, team collaboration is critical to securing APIs: developers need to write code with security in mind, while cloud and platform teams need to ensure APIs are configured properly. Security teams need to detect, investigate and respond to incidents. All of this is especially crucial when APIs are deployed to production faster than they can be secured.
Third-party developers add another element of uncertainty to the equation, and Alissa opined that API security needs to be operationalised across more enterprises to ensure remediation as well as mitigation, business continuity, and resiliency in the event of a vulnerability being exploited.
Best practice
- API Security Posture: organisations need a complete API inventory (including the associated data and metadata). This has to be followed up by identifying exposed vulnerabilities and, where possible, mitigating them.
- API Runtime Security: organisations need better visibility into the traffic and behaviour of their APIs.
- API Security Testing: organisations need to identify security gaps as part of the software development lifecycle. This means basic security checks before critical APIs are deployed into production.
Conclusion
Karl shared that it is not just financial services: other industries would also be very sensitive to the consequences of an API security problem.
“Financial services are very sensitive to the potential compromise of customer financial data. So, financial services have a focus on API security because they need their APIs to be secured and have integrity.
“Another industry we are seeing very quickly (being sensitive to consequences of API security) is healthcare, especially in the last two years with remote medicine and telemedicine becoming very common,” he said.
New, technology-based ways to deliver healthcare services have exposed customers and patients to brand new channels of communication over which sensitive data traverses.
Other examples include retail and e-commerce, where digital payments are an important component.
“The more they move towards digital online experience, what they are doing is also moving their critical business operations to that digital experience. And when they do so, they recognise that API security is becoming more and more relevant,” Karl concluded.