Organizations of all sizes rely on application programming interfaces (APIs). The API explosion has been driven by several factors, including cloud computing, demand for mobile/web applications, microservices architecture and the API economy as a business model. APIs enable developers to access data remotely, integrate with other services, build modular applications and monetize their data/services.
For enterprises that participated in a recent research study, the average number of APIs per organization was 15,564. Large enterprises (over 10,000 employees) had an average of 25,592 APIs in place. That’s a massive attack surface, and threat actors know it.
It’s no wonder that the Salt Labs State of API Security Q1 2023 report revealed a 400% increase in unique attackers compared to the prior six-month period. Meanwhile, 54% of survey respondents named outdated/zombie APIs as their top concern.
The Zombie API Plague
A zombie API is an API (or API endpoint) that has been abandoned, forgotten or become outdated. These APIs no longer serve any purpose, or they have been replaced by newer versions. Organizations may fail to properly control the versioning, deprecation and removal of old APIs. And these zombie APIs can linger indefinitely.
Since zombie APIs are no longer maintained or updated in any way, they pose a significant security threat. They receive no patching, maintenance or security updates, making them highly vulnerable to exploitation.
As per the Salt Labs report, 94% of respondents experienced security problems in production APIs from Q1 2022 to Q1 2023. Another worrisome finding is that API-related incidents have seen a four-fold increase in unique attackers over the same time period six months ago.
According to the report, organizations previously relied on proper authentication to interact with an API. This was considered sufficient to deter attackers. However, 78% of attacks in the report came from seemingly legitimate users. In these cases, threat actors maliciously achieved the proper authentication.
Types of API Breach Events
In March 2022, a Hubspot API breach exposed the sensitive data of 1.6 million users. And in 2021, API security events included companies such as Peloton, John Deere and Experian.
Attackers use an API endpoint to access and exploit data. In some cases, attacks take advantage of poor coding. However, more sophisticated actors target business logic vulnerabilities. Either way, a legitimate API ends up opening doors to an enterprise’s sensitive data assets.
An API breach that involves poor coding can be exploited by hackers to gain unauthorized access to a system or steal sensitive information. Examples of poor coding practices include failing to validate user input and not properly sanitizing data.
A business logic weakness occurs when there is a flaw in the design or implementation of the system’s business rules or logic. This can occur when a programmer fails to consider certain scenarios or inputs that could lead to unintended consequences. For example, a system might allow a user to transfer funds without verifying that they have sufficient funds in their account.
In the Experian event, a researcher encountered a student loan lender site that checked loan eligibility for anyone who gave their name, address and date of birth. By examining the code behind the page, the hacker could see it invoked an API that allows lenders to automate queries for FICO credit scores. It turns out the Experian API could be accessed directly without any authentication. Entering all zeros in the “date of birth” field lets anyone pull a person’s credit score and other sensitive data.
In general, poor API coding practices are easy to identify and fix. API business logic weakness can be more difficult to detect and resolve because it involves more complex interactions between different parts of a system.
API Security Risks are a C-Level Concern
While the risk of a breach is a real concern, API security leads to other tangible impacts on businesses. For example, the Salt Labs survey revealed that 59% of companies have experienced application rollout delays resulting from security issues identified in APIs. The report authors point out that this high percentage illustrates the fact that even testing and security-minded code development cannot address all API security challenges.
Developers cannot anticipate every possible API-related business logic gap. And pre-production API testing tools cannot identify these gaps either. The impact of API-based risk on business has not gone unnoticed. In fact, 48% of survey respondents state that API security has become a C-level discussion.
Tighten Up API Security
API-specific security measures can include measures such as:
- Token-Based Authorization: This allows third-party websites or applications to access user data without requiring the user to share personal information.
- Transport Layer Security (TLS): Secures data transmission over a network to protect sensitive information against man-in-the-middle attacks like eavesdropping and data tampering.
- User Registry Authentication: Enables authentication of users and securing APIs, including Lightweight Directory Access Protocol (LDAP) and authentication URLs.
Also, to thwart zombie APIs, you might try compiling and updating your API inventory. Given the thousands of APIs per enterprise, however, the task is daunting. As an aid, utilities exist that help find deprecated and removed API versions in your Kubernetes clusters. That way, any out-of-date APIs can be retired promptly.
Embrace Comprehensive Security
From a wider lens, a zero trust approach works by assuming that every connection and endpoint is a threat, including API calls. Zero trust protects against these threats, whether external or internal, even for those connections already inside.
In a nutshell, a zero trust network:
- Logs and inspects all corporate network traffic
- Limits and controls access to the network
- Verifies and secures network resources.
Therefore, the zero trust security model ensures data and resources are inaccessible by default. Users can only access them on a limited basis under the right circumstances (least-privilege access).
A zero trust security model verifies and authorizes every connection, including when a user connects to an application. It also includes when software connects to a data set via an API. With zero trust, you can help ensure your organization stays safe from the scourge of API risks.