Today, a lot of the digital innovation we see is largely thanks to the application programming interface (API). Without APIs, rapid development would be nearly impossible. After all, the API is the link between computers, software and computer programs. But wherever there’s a link, a potential data security weakness exists.

Essential for modern mobile, SaaS and web applications, APIs are nearly ubiquitous across front-office, back-office and internal applications. By nature, however, APIs expose application logic and sensitive data such as Personally Identifiable Information (PII). This makes APIs attractive targets for attackers.

Meanwhile, due to market pressures and customer demand, omnichannel e-commerce has ramped up considerably. And so has API security risk along with it.

APIs and Omnichannel Grow Together

The number of Postman Collections (API folders for developers to group API requests together) skyrocketed from less than half a million to nearly 35 million between 2016 and 2020. There’s no doubt that API use will continue to increase in the future.

Three major shifts generated this massive growth in API use:

  • Multi-device use: As people connect from many devices at once, APIs are needed to power these connections.
  • Microservices: The move away from a monolithic architecture to more flexible microservice-based development requires APIs.
  • Move to the cloud: Driven by the advantage of rapid provisioning, the shift from on-premise to the cloud means APIs are built and deployed faster than ever.

Meanwhile, all of this API activity benefited (and was driven by) the rise of omnichannel e-commerce.

Omnichannel retail is a multichannel approach to sales that creates a seamless customer experience. This means whether the customer shops from a mobile device, PC or brick-and-mortar store, the experience is unified across all channels. And omnichannel development would be impossible without APIs.

API-led connectivity overcomes obstacles that retailers face gathering data from disparate systems to then consolidate the data into monolithic data warehouses. Since each individual system updates separately, information may be out-of-date by the time it hits the database.

APIs enable retailers to build an application network that serves as a connectivity layer for data stores and assets in the cloud, on-premises or in hybrid environments. As a result, mobile applications, websites, IoT devices, CRM and ERP systems (order management, point of sale, inventory management and warehouse management) can all work as one coherent system that connects and shares data in real-time.

Increase in API Security Breaches

The downside to this rapid growth and development in e-commerce has been a concerning rise in API security attacks. Here, threat actors have executed numerous high-profile breaches against public-facing applications. For example, developers use APIs to connect resources like web registration forms to various backend systems. This flexibility, however, also creates an entrance for automated attacks.

Some investigations reveal the average web application or API has nearly 27 serious vulnerabilities. Organizations can have hundreds or even tens of thousands of applications. It’s no wonder then that some of the biggest brand names have been subject to API-related security breaches.

The real-world damage includes exfiltration of personal data of high profile personalities, food supply chain vulnerabilities and the theft of tens of millions of individual private records.

OWASP API Security Project

The growing risk from API and application vulnerabilities prompted OWASP to establish its top 10 hit list for API-related attacks. Here’s a high-level summary:

  • API 1 – Broken Object Level Authorization: APIs can expose endpoints that handle object identifiers, creating a wide attack surface for object-level access control issues.
  • API 2 – Broken User Authentication: Incorrectly implemented authentication allows attackers to compromise authentication tokens or steal user IDs.
  • API 3 – Excessive Data Exposure: With generic implementations, developers may expose all object properties without considering individual sensitivity.
  • API 4 – Lack of Resources & Rate Limiting: APIs frequently do not place restrictions on the size or number of resources that can be requested by the client/user. This may facilitate DDoS or brute force attacks.
  • API 5 – Broken Function Level Authorization: Complex access and administration control policies can lead to authorization flaws. This exposes user resources and/or other administrative functions.
  • API 6 – Mass Assignment: Attaching client-provided data (e.g., JSON) to data models, without proper allow-lists allows attackers to modify object properties.
  • API 7 – Security Misconfiguration: Arises from unsecured default configurations, incomplete or ad-hoc configurations, open cloud storage, misconfigured HTTP headers, unnecessary HTTP methods, permissive Cross-Origin resource sharing (CORS) and verbose error messages containing sensitive information.
  • API 8 – Injection: Injection flaws (SQL, NoSQL, Command Injection, etc.) occur when untrusted data is sent to an interpreter as part of a command or query. Malicious data can trick the interpreter into executing unauthorized commands.
  • API 9 – Improper Assets Management: APIs can expose many endpoints, making proper and up-to-date documentation even more critical. A proper inventory of hosts and deployed API versions plays an important role in mitigating threats.
  • API 10 – Insufficient Logging & Monitoring: Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, enter other systems and extract or destroy data.
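To make three of these items concrete, here is an added example (not code from the original article) of a minimal user-profile update handler written two ways: a version that suffers from Broken Object Level Authorization (API 1), Excessive Data Exposure (API 3) and Mass Assignment (API 6), beside a hardened version that checks ownership and applies allow-lists on both input and output. No web framework is used; the handlers take the caller's identity and the parsed JSON body directly, and the user records and password hash are constructed sample values.

```python
from dataclasses import dataclass, asdict

@dataclass
class User:
    id: int
    email: str
    display_name: str
    is_admin: bool = False
    password_hash: str = "$argon2id$placeholder"  # constructed sample value

# Constructed in-memory "database"; a real service would query a store.
USERS = {
    1: User(1, "alice@example.com", "Alice"),
    2: User(2, "bob@example.com", "Bob"),
}

# Allow-lists: fields a client may set on its own profile (API 6) and
# fields that may appear in a response (API 3).
WRITABLE_FIELDS = {"email", "display_name"}
PUBLIC_FIELDS = {"id", "display_name"}

class Forbidden(Exception):
    pass

def update_profile_unsafe(target_id: int, body: dict) -> dict:
    """Vulnerable: no ownership check, every JSON key is copied onto the
    model, and the whole record (hash included) is returned."""
    user = USERS[target_id]
    for key, value in body.items():      # mass assignment (API 6)
        setattr(user, key, value)
    return asdict(user)                  # excessive data exposure (API 3)

def update_profile_safe(caller_id: int, target_id: int, body: dict) -> dict:
    """Hardened: the caller may only edit its own record, only allow-listed
    keys are applied, and only public fields are serialized."""
    if caller_id != target_id:           # object-level authorization (API 1)
        raise Forbidden("caller does not own this object")
    rejected = set(body) - WRITABLE_FIELDS
    if rejected:                         # reject rather than silently drop
        raise ValueError(f"unexpected fields: {sorted(rejected)}")
    user = USERS[target_id]
    for key in WRITABLE_FIELDS & set(body):
        setattr(user, key, body[key])
    return {k: v for k, v in asdict(user).items() if k in PUBLIC_FIELDS}
```

In the vulnerable version a body of `{"is_admin": true}` silently promotes the account and the response leaks the password hash; the hardened version rejects the unknown key outright, which also makes such attempts visible in logs.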

API Vulnerability Assessment & Mitigation

Given the risk and high stakes involved, how can you strengthen your API threat management strategy? Here are some best practices:

Keep an API Inventory

It is important to know where your APIs are, including APIs from older versions and different environments. API security is improved when you document which endpoints each API host exposes, which endpoints are public (don’t require authentication) and which ones can be accessed from the internet.
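One practical way to start such an inventory is to derive it from the API descriptions you already have. The following is an added example (not code from the original article) that walks an OpenAPI 3 document and lists every host, method and path, flagging operations that require no authentication and operations marked deprecated; the spec embedded in it is a constructed sample, not a real service. It relies on two OpenAPI rules: a per-operation `security` list overrides the top-level one, and an empty list means no authentication is required.

```python
import json

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options"}

# Constructed sample spec; the host and operations are not a real service.
SAMPLE_SPEC = json.loads("""
{
  "openapi": "3.0.3",
  "servers": [{"url": "https://api.shop.example/v2"}],
  "security": [{"bearerAuth": []}],
  "paths": {
    "/orders/{id}": {
      "get": {"operationId": "getOrder"},
      "delete": {"operationId": "deleteOrder"}
    },
    "/products": {
      "get": {"operationId": "listProducts", "security": []}
    },
    "/v1/orders/{id}": {
      "get": {"operationId": "getOrderV1", "security": [], "deprecated": true}
    }
  }
}
""")

def inventory(spec: dict) -> list:
    """One record per (host, method, path), noting whether the operation is
    public (no security requirement applies) or marked deprecated."""
    hosts = [s["url"] for s in spec.get("servers", [])] or ["<no servers>"]
    default_security = spec.get("security", [])
    records = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue  # skip path-level "parameters", "summary", x-extensions
            # Per-operation `security` overrides the top-level default;
            # an explicit empty list means the operation needs no auth.
            security = op.get("security", default_security)
            for host in hosts:
                records.append({
                    "host": host, "method": method.upper(), "path": path,
                    "public": len(security) == 0,
                    "deprecated": bool(op.get("deprecated", False)),
                })
    return records

def review_findings(records: list) -> list:
    """Entries that merit review: reachable without auth, or deprecated."""
    return [r for r in records if r["public"] or r["deprecated"]]
```

Running this across every spec in the organization, and diffing the result against what the gateway actually serves, is what turns "we have specs" into an inventory that also catches the old versions the text warns about.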

Practice Secure Coding

Encourage your developers to use secure coding practices since most API vulnerabilities start from within the code. Focus on secure coding in the production phase.

Implement OAuth

Access control for authentication and authorization is critical for API security. OAuth is a token-based authorization framework that allows user information to be accessed by third-party services without exposing user credentials. This is how websites leverage Google and Facebook to authorize access.

Rate Limiting & Throttling

To defend against DDoS attacks, API spikes and other performance issues, you can place rate limits on how often APIs can be called. Rate throttling smooths out traffic by balancing access with availability.
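The most common way to implement such limits is a per-client token bucket, which allows short bursts up to a capacity while enforcing a sustained rate. The following is an added example (not code from the original article) of that algorithm as a gateway or middleware would apply it, keyed by whatever identifies the client (API key, user ID or source address); the clock is injected so the behaviour can be exercised deterministically.

```python
from collections import defaultdict

class TokenBucketLimiter:
    """Per-client token bucket: `capacity` tokens of burst, refilled at
    `rate` tokens per second. One request consumes one token."""

    def __init__(self, rate: float, capacity: int, clock):
        self.rate = rate
        self.capacity = capacity
        self.clock = clock  # callable returning the current time in seconds
        # client key -> (available tokens, timestamp of last update)
        self._buckets = defaultdict(lambda: (float(capacity), None))

    def allow(self, client_key: str) -> bool:
        """True if the request may proceed; False means respond 429."""
        now = self.clock()
        tokens, last = self._buckets[client_key]
        if last is not None:
            tokens = min(self.capacity, tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self._buckets[client_key] = (tokens - 1.0, now)
            return True
        self._buckets[client_key] = (tokens, now)
        return False

    def retry_after(self, client_key: str) -> float:
        """Seconds until one token is available (for a Retry-After header)."""
        tokens, _ = self._buckets[client_key]
        return max(0.0, (1.0 - tokens) / self.rate)

class FakeClock:
    """Deterministic clock so the limiter can be exercised without sleeping."""
    def __init__(self):
        self.now = 0.0
    def __call__(self) -> float:
        return self.now
    def advance(self, seconds: float) -> None:
        self.now += seconds

def simulate_burst(limiter, client_key: str, n: int) -> int:
    """Send n back-to-back requests; return how many were accepted."""
    return sum(1 for _ in range(n) if limiter.allow(client_key))
```

In a horizontally scaled deployment the bucket state has to live in a shared store rather than process memory, otherwise each replica grants the client its own full allowance.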

Use an API Gateway

An API gateway is a central point of enforcement for API traffic. A solid API gateway allows you to authenticate traffic, control API use and analyze API activity.

Use a Service Mesh

Service mesh technology enables API management and control by routing requests from one service to the next. A service mesh ensures that proper authentication, access control and other security measures work together for improved API security.

A service mesh is especially critical as the use of microservices increases. As the number of services increases, the number of potential ways to communicate grows exponentially. A service mesh provides a unified way to configure communication paths by creating a policy for the communication.

A service mesh instruments the services and orchestrates communications traffic according to a predetermined configuration. Instead of configuring a running container, or writing code to do so, an administrator can provide configuration to the service mesh and have it complete that work.

Adopt Zero Trust

As a wider security philosophy, zero trust assumes you’re an attacker until proven otherwise. Zero trust requires verification and authorization for every device, every application and every user gaining access to every resource.

E-commerce Needs Secure APIs

For competitive brands, the omnichannel experience will continue to grow in diversity and scope. APIs will scale likewise. It’s important to adopt a pro-active API security stance now to keep your customers, business and assets safe.
