Just about every app uses an application programming interface (API). From a security standpoint, though, APIs also come with some common problems. Gartner predicted that API abuse will be the most common type of attack seen in 2022. So, what problems exactly do APIs face? And what can data security defenders do about it?

Prevalent API Risks

In 2019, OWASP named 10 web app data security risks to watch out for. These include:

  • Data exposure: This type of threat arises when developers expose all the properties of their objects without considering how sensitive those items might be, leaving it to clients to filter the data before displaying anything to a user.
  • Security misconfigurations: These data security weaknesses take on various forms, including misconfigured HTTP headers, error messages containing sensitive info and exposed cloud storage. Oftentimes, they’re a product of insecure default configurations.
  • Injection: In this case, untrusted data is sent to an interpreter as part of a command or query. Attackers can use those types of flaws to fool an interpreter into running malicious code or commands involving sensitive data.
  • Insufficient logging and monitoring: Both of these data security risks can give attackers the chance to hide within the victim’s network unnoticed. From there, threat actors can scope out the network, move to business-critical assets and exfiltrate data.
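As an added illustration (not code from the original article), here is how the data-exposure risk above looks in a Python API handler: one serializer dumps every property of the object and relies on the client to filter, the other applies a server-side allowlist per audience. The `User` fields and sample values are constructed for the example.

```python
from dataclasses import dataclass, asdict
from typing import Optional

# Constructed sample record: the kind of object an API handler loads from
# a database and hands straight to a JSON encoder.
@dataclass
class User:
    id: int
    username: str
    email: str
    password_hash: str
    ssn: str
    credit_score: int

# Fields each audience may see. The server decides; the client never
# receives fields it should not display.
PUBLIC_FIELDS = {"id", "username"}
OWNER_FIELDS = PUBLIC_FIELDS | {"email", "credit_score"}

def serialize_user_unsafe(user: User) -> dict:
    """Excessive data exposure: every property goes out on the wire,
    leaving it to the client to hide password_hash, ssn and so on."""
    return asdict(user)

def serialize_user(user: User, viewer_id: Optional[int]) -> dict:
    """Server-side filtering with an explicit allowlist: only the fields
    the requesting viewer is entitled to are included in the response."""
    allowed = OWNER_FIELDS if viewer_id == user.id else PUBLIC_FIELDS
    return {k: v for k, v in asdict(user).items() if k in allowed}

# Constructed sample user (hash and SSN are placeholders).
SAMPLE = User(7, "alice", "alice@example.com",
              "$2b$12$constructedplaceholderhash", "000-00-0000", 720)

if __name__ == "__main__":
    print(serialize_user_unsafe(SAMPLE))        # leaks everything
    print(serialize_user(SAMPLE, viewer_id=None))  # anonymous caller
    print(serialize_user(SAMPLE, viewer_id=7))     # the owner
```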

The Effects of Data Security Risks on Business

API issues don’t just hold businesses back in their plans to roll out new apps. They also cost time and resources when an attack does happen.

This happened to many organizations in 2020. As noted by Salt Security, 91% of respondents’ employers suffered at least one API problem over the course of the year. Of those respondents, more than half (56%) had upwards of 55 API-related data security incidents a month during that period. Meanwhile, 22% dealt with as many as 200 monthly attacks.

The onset of a new year didn’t put an end to these API troubles, either. Here are several API incidents that made headlines in the first six months of 2021:

  • In February, researchers found that all 30 of the health care apps they studied were vulnerable to API attacks. They also learned that the apps exposed 23 million users to potential threats.
  • An API tool used by one of the major credit bureaus exposed the credit scores of almost every American. The tool enabled someone to perform a credit check through the credit bureau using only public information.
  • Another API problem involved a popular stationary bike manufacturer. A researcher found that they could make unauthenticated requests to the company’s API for user account data. That weakness enabled the researcher to access other bike owners’ information.

How to Improve API Data Security

The cases discussed above highlight the need for businesses and agencies to secure their APIs going forward. One of the ways they can do that is by always using SSL and TLS certificates. Using valid certificates with APIs can help protect data exchanges with encryption. This will empower defenders to protect apps against man-in-the-middle attacks aimed at exposing users’ information.

Following that, optimize firewalls. These are essential for controlling the flow of information that APIs enable. Remove whatever rules are too permissive for the apps’ needs. This will likely require first reviewing firewall rules and network objects to learn how the specific business or agency actually uses its APIs.

Finally, businesses and agencies need to implement proper authentication and authorization of their clients. They can consider using protocols to limit the access that third-party apps can gain to an API. Doing this can help prevent too many parties from accessing and sharing too much.
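The authentication and authorization step above, together with the logging point from the risk list, as an added Python example that is not part of the original article. It models the bike-manufacturer case: an account endpoint that first authenticates the caller, then checks that the caller owns the requested object, and records every decision so repeated denials are visible to monitoring. The tokens, account records and client IP are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample data: bearer tokens and the user each one authenticates,
# plus account records keyed by id with their owner. A real service would
# validate signed tokens and query a database instead.
TOKENS: Dict[str, int] = {"tok-alice": 1, "tok-bob": 2}
ACCOUNTS: Dict[int, dict] = {
    100: {"owner": 1, "email": "alice@example.com", "rides": 42},
    200: {"owner": 2, "email": "bob@example.com", "rides": 7},
}

@dataclass
class Request:
    headers: Dict[str, str] = field(default_factory=dict)
    client_ip: str = "203.0.113.5"  # constructed, documentation range

AUDIT_LOG: List[dict] = []  # in-memory stand-in for a log pipeline

def authenticate(req: Request) -> Optional[int]:
    """Map an 'Authorization: Bearer <token>' header to a user id, or None."""
    scheme, _, token = req.headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer":
        return None
    return TOKENS.get(token)

def get_account(req: Request, account_id: int) -> Tuple[int, dict]:
    """GET /accounts/{id}: reject unauthenticated callers, then enforce
    object-level authorization (the caller must own the account)."""
    user_id = authenticate(req)
    if user_id is None:
        outcome = 401
    elif account_id not in ACCOUNTS or ACCOUNTS[account_id]["owner"] != user_id:
        outcome = 404  # same answer for "not yours" and "does not exist"
    else:
        outcome = 200
    # Log every decision, not just successes; denials are the monitoring signal.
    AUDIT_LOG.append({"ip": req.client_ip, "user": user_id,
                      "account": account_id, "status": outcome})
    if outcome != 200:
        return outcome, {"error": "unauthenticated" if outcome == 401 else "not found"}
    acct = ACCOUNTS[account_id]
    return 200, {"email": acct["email"], "rides": acct["rides"]}

def denied_requests(log: List[dict], ip: str) -> int:
    """Count non-200 responses from one client, a simple detection signal."""
    return sum(1 for e in log if e["ip"] == ip and e["status"] != 200)
```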

Don’t Forget About Your APIs

Security models for APIs have not kept up with modern networks that are, more and more, borderless. As a result, these models have failed to uncover vulnerabilities in the APIs they are meant to protect, and API breaches like those discussed above are becoming more common.

By keeping an eye on APIs, businesses and agencies can begin to formalize their API data security efforts. By doing so, they can stay current with a threat landscape that’s moving towards more and more API attacks.
