As use of Application Programming Interfaces (APIs) within organisations of all sizes continues to increase, the approach taken to ensuring their security has changed.
When it comes to code development, there has been a trend towards a so-called “shift left” strategy, in which security testing, quality and performance are addressed early, within the development process itself. Relied on alone, this invites the false assumption that APIs that go live are bullet-proof.
However, while a shift-left strategy delivers real benefits, it is not enough to stop persistent automated attacks. Even perfectly coded APIs that adhere to their specifications and have been tested against the OWASP API Security Top 10 remain vulnerable to attack, because the attacks described below are made with well-formed, individually valid requests rather than malformed input.
An evolving problem
Industry research undertaken during the first half of 2022 revealed numerous ways that APIs were subjected to automated business logic abuse. This includes the use of highly volumetric and geographically distributed fuzzing payloads, enumeration-based fuzzing of numeric patterns on APIs that support payment and checkout microservices, and comment spam requests against customer relationship management workflows.
Unfortunately, even perfectly coded and inventoried APIs may still be vulnerable to attacks that chain several categories from the OWASP API Security Top 10. For example, attackers may combine API2 (Broken Authentication), API3 (Broken Object Property Level Authorisation) and API9 (Improper Inventory Management) to perform detailed reconnaissance of each API’s functions, interactions and expected outcomes, which they can then use for malicious purposes.
A recent example of an API attack was against a US-based beauty company. There, attackers executed a large-scale enumeration attack against a third-party inventory API.
The attackers targeted the inventory API directly, without hitting any other app or web function, rotating through 153,000 unique product and SKU combinations while scraping 61,000 postal codes and 33,000 products. This attack was stopped by policies that effectively blocked 85.9 million requests.
Businesses can struggle to detect such attacks against APIs they consider secure. Traditional web security tools, such as Web Application Firewalls (WAFs) and bot prevention tools, are poorly suited to this class of attack.
WAFs match requests against signatures for known attack patterns (injection strings, malformed payloads, known exploit paths); an enumeration attack consists of requests that are each syntactically valid and individually indistinguishable from a legitimate lookup, so there is nothing for a signature to match. Bot prevention tools rely on JavaScript instrumentation running in a browser to collect the telemetry they use to classify a client. API clients are typically not browsers and execute no JavaScript, so that telemetry never exists for API traffic.
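As an added illustration (not code from the article, the vendor it reports on, or any product), the following Python sketch shows the kind of behavioural check that catches enumeration where a signature cannot. It parses constructed access-log lines (the addresses, SKUs and postcodes are made up and are not data from the incident above) and flags any client whose distinct values for an enumerable parameter within a sliding window exceed a threshold. The log format, the watched parameter names, the window and the threshold are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Constructed sample access log: timestamp, client, method, target, status.
# Addresses, SKUs and postcodes are made up for this example.
SAMPLE_LOG = """\
2022-03-01T10:00:00Z 203.0.113.5 GET /inventory?sku=A100&zip=10001 200
2022-03-01T10:00:01Z 203.0.113.5 GET /inventory?sku=A101&zip=10001 200
2022-03-01T10:00:02Z 203.0.113.5 GET /inventory?sku=A102&zip=10001 200
2022-03-01T10:00:03Z 198.51.100.7 GET /inventory?sku=B200&zip=94105 200
2022-03-01T10:00:03Z 203.0.113.5 GET /inventory?sku=A103&zip=10001 200
2022-03-01T10:00:04Z 203.0.113.5 GET /inventory?sku=A104&zip=10001 200
2022-03-01T10:00:05Z 203.0.113.5 GET /inventory?sku=A105&zip=10001 404
2022-03-01T10:00:06Z 203.0.113.5 GET /inventory?sku=A106&zip=10001 200
2022-03-01T10:00:07Z 203.0.113.5 GET /inventory?sku=A107&zip=10001 200
2022-03-01T10:00:10Z 198.51.100.7 GET /inventory?sku=B200&zip=94106 200
this line is malformed and is skipped
2022-03-01T10:00:20Z 198.51.100.7 GET /inventory?sku=B201&zip=94105 200
2022-03-01T10:02:00Z 203.0.113.5 GET /inventory?sku=A108&zip=10001 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, target, status = m.groups()
    parts = urlsplit(target)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "client": client,
        "method": method,
        "path": parts.path,
        # keep the first value of each query parameter
        "params": {k: v[0] for k, v in parse_qs(parts.query).items()},
        "status": int(status),
    }


def detect_enumeration(lines, watched=("sku", "zip"), window=timedelta(seconds=60), threshold=5):
    """Return {(client, param): peak distinct values} for every client that cycled
    through more than `threshold` distinct values of a watched parameter inside the
    sliding window. Every request is well-formed, so a signature rule has nothing
    to match; the signal is the cardinality of values per client over time."""
    seen = defaultdict(deque)   # (client, param) -> deque of (ts, value) inside the window
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for param in watched:
            if param not in rec["params"]:
                continue
            key = (rec["client"], param)
            q = seen[key]
            q.append((rec["ts"], rec["params"][param]))
            while q and rec["ts"] - q[0][0] > window:   # evict entries older than the window
                q.popleft()
            distinct = len({value for _, value in q})
            if distinct > threshold:
                alerts[key] = max(alerts.get(key, 0), distinct)
    return alerts


if __name__ == "__main__":
    for (client, param), count in detect_enumeration(SAMPLE_LOG.splitlines()).items():
        print(f"{client} cycled through {count} distinct values of '{param}' within 60s")
```

On the constructed log, 203.0.113.5 is reported for cycling through eight SKUs in under a minute while 198.51.100.7, which repeats a couple of SKUs and postcodes at a human pace, is not. Keying on the source address is the simplest choice; in production the key would usually be an API key, token subject or client fingerprint, since a distributed attack such as the one described above spreads requests across many addresses.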
Boosting protection
To protect APIs against persistent automated attacks, the first step should always be a runtime inventory built from live traffic. This records every endpoint actually being called, documented or not, assesses the risk each one represents, and applies sensitive data exposure protection and business logic abuse protection to it.
The second step is to use machine learning on that traffic to determine the intent behind transactions, whether performed by bots or by individuals, and then to block them quickly or route them down another path (for example to a challenge or a decoy response) rather than to the real backend.
Businesses should also use API-specific testing solutions to complement and strengthen their shift-left efforts.
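The runtime-inventory step can be started from nothing more than access logs. The Python below is added here as an illustration; it is not code from the article or from any inventory product. It normalises request paths into endpoint templates, compares what is actually being called with what the team has declared, and flags undocumented endpoints as well as identifier-bearing endpoints that are reached without authentication. The log format, the declared endpoint set and the two risk rules are assumptions.

```python
import re
from collections import defaultdict

# Endpoints the team has documented (constructed for this example; stands in for an OpenAPI spec).
DECLARED = {
    ("GET", "/v1/products/{id}"),
    ("GET", "/v1/inventory"),
    ("POST", "/v1/checkout"),
}

# Constructed log lines: METHOD PATH STATUS AUTH, where AUTH is 'anon' or 'bearer'.
SAMPLE_LOG = """\
GET /v1/products/101 200 bearer
GET /v1/products/102 200 bearer
GET /v1/inventory?sku=A1 200 anon
POST /v1/checkout 201 bearer
GET /v1/admin/users/7 200 anon
GET /v1/products/103 200 anon
DELETE /v1/products/104 403 bearer
GET /v1/orders/3fa85f64-5717-4562-b3fc-2c963f66afa6 200 bearer
"""

NUMERIC = re.compile(r"^\d+$")
UUID = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)


def template(path):
    """Collapse identifier segments so /v1/products/101 and /v1/products/102
    are counted as one endpoint, /v1/products/{id}."""
    return "/".join("{id}" if NUMERIC.match(seg) or UUID.match(seg) else seg
                    for seg in path.split("/"))


def build_inventory(lines):
    """Aggregate observed traffic per (method, template)."""
    inv = defaultdict(lambda: {"hits": 0, "anon": 0, "has_id": False})
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        method, path, _status, auth = parts
        tmpl = template(path.split("?", 1)[0])   # the query string is not part of the endpoint identity
        entry = inv[(method, tmpl)]
        entry["hits"] += 1
        if auth == "anon":
            entry["anon"] += 1
        entry["has_id"] = entry["has_id"] or "{id}" in tmpl
    return dict(inv)


def assess(inventory, declared=DECLARED):
    """Return [(endpoint, [risk, ...])] for endpoints that need attention."""
    findings = []
    for key, entry in sorted(inventory.items()):
        risks = []
        if key not in declared:
            risks.append("undocumented endpoint (not in declared inventory)")
        if entry["has_id"] and entry["anon"]:
            risks.append("enumerable identifier reachable without authentication")
        if risks:
            findings.append((key, risks))
    return findings


if __name__ == "__main__":
    for (method, tmpl), risks in assess(build_inventory(SAMPLE_LOG.splitlines())):
        print(f"{method} {tmpl}: {'; '.join(risks)}")
```

On the constructed log this surfaces an admin endpoint nobody declared, a DELETE method and an orders endpoint missing from the spec, and the fact that the documented product endpoint is sometimes fetched anonymously. The declared set is where an API-specific testing tool would plug in: the gap between declared and observed is exactly what shift-left testing cannot see.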
Another approach to the challenge is to make use of API gateways. These gateways act as intermediaries between the API client and the API itself, providing a layer of security and control.
They can be used to enforce policies around access, throttling, and authentication, as well as providing additional security measures such as encryption and tokenisation.
API gateways also provide a centralised point of control for API security. This simplifies the management of many APIs and ensures that security policies are applied consistently across all of them, including a deny-by-default stance in which routes that are not declared to the gateway are not forwarded at all.
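A minimal gateway policy layer, added here as example code that is not from the article or from any gateway product, shows the three controls above on one request path: bearer-token verification (an HMAC-tagged token stands in for whatever format the real gateway validates; the key and token layout are assumptions), a per-subject token-bucket throttle, and a route table that enforces a required scope and refuses to forward anything not declared. The route names and scopes are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Assumed shared key for the example tokens. A real gateway would validate JWTs or
# opaque tokens against an identity provider instead of minting its own.
SECRET = b"example-gateway-signing-key"


def issue_token(subject, scopes, secret=SECRET):
    """Mint 'payload.mac': payload is base64url JSON, mac is HMAC-SHA256 over it."""
    payload = base64.urlsafe_b64encode(json.dumps({"sub": subject, "scopes": scopes}).encode()).decode()
    mac = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{mac}"


def verify_token(token, secret=SECRET):
    """Return the claims dict, or None if the token is malformed or its MAC does not verify."""
    payload, sep, mac = token.partition(".")
    if not sep:
        return None
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):   # constant-time comparison
        return None
    return json.loads(base64.urlsafe_b64decode(payload))


class TokenBucket:
    """Classic token bucket: `burst` requests immediately, then `rate` per second."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = burst, None

    def allow(self, now):
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class Gateway:
    """Routes map (method, path) -> required scope. Anything else is refused, so an
    undocumented endpoint is never exposed through the gateway."""

    def __init__(self, routes, rate=1.0, burst=3):
        self.routes = routes
        self.rate, self.burst = rate, burst
        self.buckets = {}   # subject -> TokenBucket

    def handle(self, method, path, headers, now):
        """Return (status, message); 200 means the request would be forwarded upstream."""
        auth = headers.get("Authorization", "")
        if not auth.startswith("Bearer "):
            return 401, "missing bearer token"
        claims = verify_token(auth[len("Bearer "):])
        if claims is None:
            return 401, "invalid token"
        required = self.routes.get((method, path))
        if required is None:
            return 404, "route not declared"          # deny by default
        if required not in claims.get("scopes", []):
            return 403, "insufficient scope"
        bucket = self.buckets.setdefault(claims["sub"], TokenBucket(self.rate, self.burst))
        if not bucket.allow(now):
            return 429, "rate limited"
        return 200, f"forward {method} {path} for {claims['sub']}"


# Constructed route table for the example.
ROUTES = {
    ("GET", "/v1/inventory"): "inventory:read",
    ("POST", "/v1/checkout"): "checkout:write",
}


if __name__ == "__main__":
    gw = Gateway(ROUTES)
    hdr = {"Authorization": "Bearer " + issue_token("partner-42", ["inventory:read"])}
    for t in (0.0, 0.0, 0.0, 0.0, 1.0):
        print(t, gw.handle("GET", "/v1/inventory", hdr, now=t))
```

The throttle is keyed on the authenticated subject rather than the source address, which is what makes it meaningful against a geographically distributed attacker holding one set of credentials. Note that a throttle alone only slows an enumeration campaign; it is the cardinality-based detection on the traffic behind the gateway that distinguishes 150,000 distinct SKUs from 150,000 legitimate lookups.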
In addition to API gateways, other emerging technologies are being proposed to improve API security. For example, there is increasing interest in using blockchain technology to secure APIs: cryptographic signatures on requests and responses, combined with a distributed ledger, are claimed to prevent tampering and to guarantee the integrity of data. Practitioners should note that signatures provide integrity on their own, without a ledger, and that neither signing nor a ledger addresses the enumeration and business logic abuse described above, which is carried out with valid, correctly signed requests.
The shift-left trend in API development has created a false sense of security. Persistent automated attacks can compromise APIs even when they are coded perfectly and adhere to their specifications.
Businesses therefore need to increase their focus on API security at runtime and take the additional steps above to ensure their measures are as effective as they can possibly be. Failure to do so is likely to result in successful attacks that cause significant disruption and business losses.
Source:
https://finance.yahoo.com/news/more-30-malicious-attacks-target-130000898.html?guccounter=1