Just about every app uses an application programming interface (API). From a security standpoint, though, APIs also come with some common problems. Gartner predicted that API abuse will be the most common type of attack seen in 2022. So, what problems exactly do APIs face? And what can data security defenders do about it?

Prevalent API Risks

In 2019, OWASP published its list of the top 10 API security risks to watch out for. These include:

  • Data exposure: This risk arises when developers expose all the properties of their objects without considering how sensitive each one is, leaving it to clients to filter the data before displaying it to a user. Anyone who reads the raw response sees every property.
  • Security misconfigurations: These weaknesses take many forms, including misconfigured HTTP headers, error messages that contain sensitive information and exposed cloud storage. Often they are the product of insecure default configurations.
  • Injection: These flaws occur when untrusted data is sent to an interpreter as part of a command or query. Attackers can use them to trick the interpreter into executing unintended commands or exposing sensitive data.
  • Insufficient logging and monitoring: Gaps in either give attackers a chance to operate within the victim’s network unnoticed. From there, threat actors can scope out the network, move to business-critical assets and exfiltrate data.

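To make the first risk concrete, here is an added example (not code from the article or from OWASP) showing the exposure pattern beside a server-side allow-list fix; the `User` record, its fields and the sample values are assumptions for illustration:

```python
# Added example (not from the article): "excessive data exposure" in an API
# response, the vulnerable pattern beside a hardened one. Plain Python with
# no web framework; the user record below is constructed sample data.
import json
from dataclasses import dataclass, asdict
from typing import Any, Dict

@dataclass
class User:
    id: int
    username: str
    email: str
    password_hash: str   # sensitive: must never leave the server
    ssn_last4: str       # sensitive
    is_admin: bool       # internal flag, not for clients

# Constructed sample record (the hash is a placeholder, not a real one).
SAMPLE_USER = User(42, "alice", "alice@example.com",
                   "$2b$12$placeholder-hash", "1234", False)

SENSITIVE_FIELDS = ("password_hash", "ssn_last4", "is_admin")
PUBLIC_FIELDS = ("id", "username")              # what any caller may see
OWNER_FIELDS = PUBLIC_FIELDS + ("email",)       # what the owner may see

def profile_vulnerable(user: User) -> Dict[str, Any]:
    """Vulnerable: serialises every attribute and relies on the client to
    hide the sensitive ones. Anyone reading the raw response gets them all."""
    return asdict(user)

def profile_hardened(user: User, requester_id: int) -> Dict[str, Any]:
    """Hardened: the server decides which fields leave it, based on who is
    asking, by copying only allow-listed fields into the response."""
    allowed = OWNER_FIELDS if requester_id == user.id else PUBLIC_FIELDS
    data = asdict(user)
    return {k: data[k] for k in allowed}

def leaks_sensitive(body: Dict[str, Any]) -> bool:
    """Check a test suite can run against any API response body."""
    return any(k in body for k in SENSITIVE_FIELDS)

if __name__ == "__main__":
    # json.dumps stands in for the framework's response serialisation
    print(json.dumps(profile_vulnerable(SAMPLE_USER)))
    print(json.dumps(profile_hardened(SAMPLE_USER, requester_id=7)))
    print(json.dumps(profile_hardened(SAMPLE_USER, requester_id=42)))
```

The `leaks_sensitive` check is the kind of assertion worth running in an API test suite against every response body, not just this endpoint.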
The Effects of Data Security Risks on Business

API issues don’t just hold back businesses’ plans to roll out new apps. They also cost time and resources when an attack happens.

Many organizations found this out in 2020. As noted by Salt Security, 91% of respondents’ employers suffered at least one API problem over the course of the year. Of those respondents, more than half (56%) had upwards of 55 API-related data security incidents a month during that period. Meanwhile, 22% dealt with as many as 200 monthly attacks.

The onset of a new year didn’t put an end to these API troubles, either. Here are several API incidents that made headlines in the first six months of 2021:

  • In February, researchers found that all 30 of the health care apps they studied were vulnerable to API attacks. They also learned that the apps exposed 23 million users to potential threats.
  • An API tool used by one of the major credit bureaus exposed the credit scores of almost every American. The tool enabled anyone to perform a credit check through the credit bureau using only public information.
  • Another API problem involved a popular stationary bike manufacturer. A researcher found that they could make unauthenticated requests to the company’s API for user account data. That weakness enabled the researcher to access other bike owners’ information.

How to Improve API Data Security

The cases discussed above highlight the need for businesses and agencies to secure their APIs going forward. One way to do that is to always serve APIs over TLS (the successor to SSL) with valid certificates. Encrypting data exchanges in transit protects apps against man-in-the-middle attacks aimed at exposing users’ information.

Next, tune firewalls. They are essential for controlling the flow of traffic that APIs enable. Remove any rules that are more permissive than the apps need; doing so will first require reviewing firewall rules and network objects to learn how the business or agency actually uses its APIs.

Finally, businesses and agencies need to implement proper authentication and authorization of API clients. Delegated-access protocols can limit what third-party apps are able to do with an API, so that no party can access or share more data than it needs.
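The authentication and authorization step above, as an added example that is not from the article: a hand-rolled HMAC-signed token stands in for tokens from a real identity provider, and the `account:read` scope, the account table and the signing key are constructed assumptions.

```python
# Added example (not from the article): authenticating API clients and limiting
# what a third-party app may do, in plain Python. Key, scopes and account table
# are constructed; production tokens would come from an identity provider.
import base64
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Tuple

SERVER_KEY = b"constructed-demo-key-not-for-production"

# Constructed accounts: which subject owns which resource.
ACCOUNTS = {101: {"owner": "alice", "rides": 12},
            102: {"owner": "bob", "rides": 3}}

def issue_token(subject: str, scopes: List[str]) -> str:
    """Issue a compact HMAC-SHA256-signed token carrying subject and scopes."""
    payload = json.dumps({"sub": subject, "scopes": scopes}, sort_keys=True).encode()
    sig = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode() + "."
            + base64.urlsafe_b64encode(sig).decode())

def verify_token(token: str) -> Optional[Dict]:
    """Return the claims when the signature checks out, otherwise None."""
    try:
        p64, s64 = token.split(".", 1)
        payload = base64.urlsafe_b64decode(p64)
        sig = base64.urlsafe_b64decode(s64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):   # constant-time comparison
        return None
    return json.loads(payload)

def get_account(token: Optional[str], account_id: int) -> Tuple[int, Dict]:
    """API handler. 401 without a valid token (authentication); 403 when the
    token lacks the scope or the caller does not own the account (authorization).
    Without the ownership check, any caller could read every account, which is
    the weakness in the bike API case above."""
    claims = verify_token(token) if token else None
    if claims is None:
        return 401, {"error": "unauthenticated"}
    if "account:read" not in claims.get("scopes", []):
        return 403, {"error": "insufficient_scope"}
    account = ACCOUNTS.get(account_id)
    if account is None or account["owner"] != claims.get("sub"):
        return 403, {"error": "forbidden"}      # object-level authorization
    return 200, account
```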

Don’t Forget About Your APIs

Security models for APIs have not kept up with modern networks, which are increasingly borderless. Those models have failed to uncover API vulnerabilities, so API breaches like those discussed above are becoming more common.

By keeping an eye on APIs, businesses and agencies can begin to formalize their API data security efforts. By doing so, they can stay current with a threat landscape that’s moving towards more and more API attacks.
