The Threat of Insecure Interfaces and APIs
Application programming interfaces (API) that connect enterprise applications and data to the cloud are subject to the same vulnerabilities as regular cloud-based applications and need to be addressed with the same rigor.
What is an API?
An API is a set of programming code that enables data transmission between one software product and another. It also contains the terms of this data exchange.
APIs serve numerous purposes. Generally, they can simplify and speed up software development. Developers can add functionality from other providers to existing solutions or build new applications using services by third-party providers. In all these cases, app developers don’t have to deal with source code, trying to understand how the third-party solution works. They simply connect their software to another one. In other words, APIs serve as an abstraction layer between two systems, hiding the complexity and working details.
APIs are everywhere
An API basically allows applications or components of applications to communicate with each other over the Internet or a private network. Initially, most organizations used them within a secure private network or accessed them through secure communications channels like VPNs. However, organizations have realized the potentials of APIs to enable their digital transformation initiatives and begun using APIs to open up access to their apps and data to partners, suppliers, and customers.
The prevalence of APIs in the enterprise environment is stunning. A recent survey by Forrester found that 77% of organizations both develop and consume APIs. The most common use case for APIs continues to be interoperation between internal tools, teams, and systems to reduce development time and cost. Other popular use cases include partnering with external organization, extending product or service functionality, and absorbing data and features from external products.
Insecure APIs are a growing threat
Despite their increased applicability to streamline cloud computing processes, APIs are often the source of security concerns, especially if left unprotected. Adversaries can exploit insecure APIs to compromise or steal sensitive and private data. By 2022, Gartner estimates that APIs will be the vector used most frequently in attacks involving enterprise application data. The Forrester survey identified some of the major security issues surrounding API use and warned about API breaches becoming increasingly common and the next big attack vector for threat actors.
"As organizations are securing their web applications, they can't forget about their APIs," says Forrester analyst Sandy Carielli. "Security pros must specifically build in API security and not assume that it's rolled into their existing web application protections."
Another survey by security firm Salt Security indicates that that 91% of organizations in the survey suffered an API-related problem in 2020. More than half (54%) reported finding vulnerabilities in their APIs, 46% pointed to authentication issues, and 20% described problems caused by bots and data scraping tools.
Key sources of insecure APIs
Many of the security issues surrounding APIs have to do with the shift away from early SOAP messaging protocol-based APIs to today's REST APIs.
SOAP APIs were typically accessed securely over VPNs or two-way encrypted connections. REST APIs, on the other hand, are designed for access through browsers and mobile apps. For example, when a mobile user makes an airline reservation on his phone, a REST API conveys the user's instructions to the airline’s back-end applications and delivers the response back to the user.
Cyber criminals use the same tools for disrupting web apps to exploit REST APIs. Well-established security best practices such as least-privilege data access and server-side data validation are therefore as critical to APIs as they are to web applications.
Additionally, insecure REST APIs can provide direct access to transaction updates and other important data on back-end systems. The key factor for this threat is that businesses often fail to identify and track all API endpoints within their mobile or web apps or implement adequate controls to authenticate and verify API calls. Such untracked endpoints can expose businesses to increased risk of unauthorized access and data disclosure.
"Remember that APIs serve to make various application data and functionality available to developers outside of the organization," Carielli says. "Because API endpoints can be accessible to anyone externally that calls the API, a rogue endpoint that returns sensitive information is high risk."
Vulnerabilities in production APIs is another common security concern. According to the Salt Security survey, although organizations are applying "shift left" principles and integrating security controls earlier into the application development lifecycle, they are not complementing their security tactics with runtime security.
Despite these threats, Salt Security's survey also shows that many organizations are failing to approach the problem in a robust way: More than one-quarter (27%) admitted to having no strategy at all for dealing with API security, and 54% described their strategy as being basic at best. 83% admitted to being unsure about their API inventory, and 82% lacked confidence in their knowledge about APIs that exposed PII, cardholder data, and other sensitive information.
In addition, more than one in five admitted to having no way to know which of their APIs exposed personally identifiable information, and many said their biggest concern was the prevalence of outdated and zombie APIs on the network.
How certified cloud security professionals can protect APIs
The sheer diversity of technologies, designs, and contexts in which APIs are used makes securing them a challenge. However, a certified cloud security specialist has many security measures and policies in his knowledge arsenal to make use of and bolster API security.
A cloud security professional can encourage developers to practice good "API hygiene." APIs should be designed with authentication, access control, encryption and activity monitoring in mind, and API keys must be protected and not reused.
Organizations need to pay attention in the API design stage to security measures like default deny and verification of any client-supplied data. They should also ensure that all API traffic, just like web application traffic, is encrypted but in a manner so as not to impact performance. Also critical is the need to authenticate API calls at every layer and to stop thinking of APIs merely as an interface layer between applications.
To achieve a greater level of security, software developers should rely on standard API frameworks that are designed with security in mind, like the Open Cloud Computing Interface (OCCI) and the Cloud Infrastructure Management Interface (CIMI).
Finally, the cloud security professionals should deploy solutions that provide complete visibility—like network detection and response—to quickly identify and address API security risks. Having visibility into your APIs is required to complement your security policies for API design to ensure that all risks and blind spots are identified and addressed before criminals exploit them.
How the CCSP Certification Can Help You to Succeed
The (ISC)² Certified Cloud Security Professional (CCSP) is the answer to all your concerns about securing your valuable APIs and protecting your apps and data from exposure. CCSP is the benchmark of cloud security certifications and is repeatedly recognized as the most valued and well-rounded cloud security certification.
CCSP is a vendor-agnostic certification that ensures that certified practitioners have the security knowledge to successfully secure and protect data in any cloud environment. It is CCSP’s unique criteria that has elevated it to a standard that has allowed it to be identified as the premier cloud security certification, providing an advantage in an increasingly competitive corporate landscape.
Attaining CCSP certification shows you have the advanced technical skills and knowledge to design, manage and secure data, applications, and infrastructure in the cloud using best practices, policies, and procedures established by the cybersecurity experts at (ISC)².
To learn more about how the CCSP credential can help you gain expertise and advance your career, download our white paper Cloud Security Skills Can Take Your Career to Infinity (And Beyond).
Insider attacks are a growing risk to cloud security and are hard to detect and respond to, and can act as a gateway to externals threats. Find out more in our latest blog.