Just about every app uses an application programming interface (API). From a security standpoint, though, APIs also come with some common problems. Gartner predicted that API abuse will be the most common type of attack seen in 2022. So, what problems exactly do APIs face? And what can data security defenders do about it?
Prevalent API Risks
In 2019, OWASP named 10 web app data security risks to watch out for. These include:
- Data exposure: This type of threat arises when developers expose all the properties of their objects without considering how sensitive each of those items might be, leaving it up to clients to filter the data before displaying anything to a user.
- Security misconfigurations: These data security weaknesses take on various forms, including misconfigured HTTP headers, error messages containing sensitive info and exposed cloud storage. Oftentimes, they’re a product of insecure default configurations.
- Injection: In this case, a command or query sends untrusted data to an interpreter. Attackers can use those types of flaws to fool an interpreter into running malicious code or commands involving sensitive data.
- Insufficient logging and monitoring: Both of these data security risks can give attackers the chance to hide within the victim’s network unnoticed. From there, threat actors can scope out the network, move to business-critical assets and exfiltrate data.
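As an added example (not from the original article), the data exposure risk described above in Python: a handler that serializes the whole user object beside one that applies a server-side allowlist per audience. The record fields, the sample user and the helper names are constructed for illustration.

```python
"""Added example (not from the original article): the 'data exposure' risk,
shown as a leaky serializer beside an allowlist-based one.
All records and field names below are constructed sample data."""
from dataclasses import dataclass, asdict
from typing import Optional, Set


@dataclass
class UserRecord:
    # Constructed internal record: several fields must never leave the server.
    user_id: int
    username: str
    display_name: str
    email: str
    password_hash: str
    mfa_secret: str
    is_admin: bool
    internal_notes: str


SAMPLE_USER = UserRecord(
    user_id=42, username="jdoe", display_name="J. Doe",
    email="jdoe@example.com", password_hash="$argon2id$constructed-sample",
    mfa_secret="CONSTRUCTED-SECRET", is_admin=False,
    internal_notes="fraud review pending",
)


def serialize_user_leaky(user: UserRecord) -> dict:
    # Vulnerable pattern: dump the whole object and trust the client to
    # hide what it should not show. Every property reaches the wire.
    return asdict(user)


# Allowlists per audience. Anything not listed is dropped server-side.
PUBLIC_FIELDS = frozenset({"user_id", "username", "display_name"})
OWNER_FIELDS = PUBLIC_FIELDS | {"email"}


def serialize_user(user: UserRecord, requester_id: Optional[int]) -> dict:
    # Hardened pattern: the server decides which properties each audience
    # may see; secrets and internal flags have no path into the response.
    allowed = OWNER_FIELDS if requester_id == user.user_id else PUBLIC_FIELDS
    return {k: v for k, v in asdict(user).items() if k in allowed}


def leaked_fields(response: dict) -> Set[str]:
    # Check a unit test or outbound response filter can run: which
    # sensitive properties appear in a payload about to be sent.
    sensitive = {"password_hash", "mfa_secret", "is_admin", "internal_notes"}
    return sensitive & set(response)


if __name__ == "__main__":
    print("leaky:", sorted(leaked_fields(serialize_user_leaky(SAMPLE_USER))))
    print("public:", serialize_user(SAMPLE_USER, requester_id=None))
    print("owner:", serialize_user(SAMPLE_USER, requester_id=42))
```

Running `leaked_fields` against every serializer in a test suite catches a new sensitive column before it ships, which is the check the client-side filtering approach never gives you.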
The Effects of Data Security Risks on Business
Issues involving APIs don’t just hold businesses back in their plans to roll out new apps. They also cost time and resources when an attack does happen.
That happened to a lot of organizations in 2020. As noted by Salt Security, 91% of respondents’ employers suffered at least one API problem over the course of the year. Of those respondents, more than half (56%) had upwards of 55 API-related data security incidents a month during that period. Meanwhile, 22% dealt with as many as 200 monthly attacks.
The onset of a new year didn’t put an end to these API troubles, either. Here are several API incidents that made headlines in the first six months of 2021:
- In February, researchers found that all of the 30 health care apps they studied were vulnerable to API attacks. They also learned that the apps exposed 23 million users to potential threats.
- An API tool used by one of the major credit bureaus exposed the credit scores of almost every American. The tool enabled someone to perform a credit check through the credit bureau using only public information.
- Another API problem involved a popular stationary bike manufacturer. A researcher found that they could make unauthenticated requests to the company’s API for user account data. That weakness enabled the researcher to access other bike owners’ information.
How to Improve API Data Security
The cases discussed above highlight the need for businesses and agencies to secure their APIs going forward. One of the ways they can do that is by always using SSL and TLS certificates. Using valid certificates with APIs can help protect data exchanges with encryption. This will empower defenders to protect apps against man-in-the-middle attacks aimed at exposing users’ information.
Following that, optimize firewalls. These are essential for helping control the flow of information enabled by APIs. Revoke whatever data security rules are too permissive for the apps’ needs. This will likely require first reviewing firewall rules and network objects to learn about the specific business or agency’s API usage.
Finally, businesses and agencies need to implement proper authentication and authorization of their clients. They can consider using protocols to limit the access that third-party apps can gain to an API. Doing this can help prevent too many parties from accessing and sharing too much.
Don’t Forget About Your APIs
Security models for APIs have not kept up with modern networks that are, more and more, borderless. These frameworks have failed to uncover vulnerabilities involving their APIs. As such, API breaches, like those discussed above, are becoming more common.
By keeping an eye on APIs, businesses and agencies can begin to formalize their API data security efforts. By doing so, they can stay current with a threat landscape that’s moving towards more and more API attacks.