Today, a lot of the digital innovation we see is largely thanks to the application programming interface (API). Without APIs, rapid development would be nearly impossible. After all, the API is the link between computers, software and computer programs. But wherever there’s a link, a potential data security weakness exists.

Essential for modern mobile, SaaS and web applications, APIs are nearly ubiquitous across front office, back office and internal applications. By nature, however, APIs expose application logic and sensitive data such as Personally Identifiable Information (PII). This makes APIs attractive targets for attackers.

Meanwhile, due to market pressures and customer demand, omnichannel e-commerce has ramped up considerably. And so has API security risk along with it.

APIs and Omnichannel Grow Together

The number of Postman Collections (API folders for developers to group API requests together) skyrocketed from less than half a million to nearly 35 million between 2016 and 2020. There’s no doubt that API use will continue to increase in the future.

Three major shifts generated this massive growth in API use:

  • Multi-device use: As people connect from many devices at once, APIs are needed to power these connections.
  • Microservices: The move away from a monolithic architecture to more flexible microservice-based development requires APIs.
  • Move to the cloud: Driven by the advantage of rapid provisioning, the shift from on-premises to the cloud means APIs are built and deployed faster than ever.

Meanwhile, all of this API activity benefited (and was driven by) the rise of omnichannel e-commerce.

Omnichannel retail is a multichannel approach to sales that creates a seamless customer experience. This means whether the customer shops from a mobile device, PC or brick-and-mortar store, the experience is unified across all channels. And omnichannel development would be impossible without APIs.

API-led connectivity overcomes the obstacles retailers face when gathering data from disparate systems and consolidating it into monolithic data warehouses. Since each individual system updates separately, information may be out of date by the time it reaches the warehouse.

APIs enable retailers to build an application network that serves as a connectivity layer for data stores and assets in the cloud, on-premises or in hybrid environments. As a result, mobile applications, websites, IoT devices, CRM and ERP systems (order management, point of sale, inventory management and warehouse management) can all work as one coherent system that connects and shares data in real-time.

Increase in API Security Breaches

The downside to this rapid growth and development in e-commerce has been a concerning rise in API security attacks. Threat actors have executed numerous high-profile breaches against public-facing applications. For example, developers use APIs to connect resources like web registration forms to various backend systems. This flexibility, however, also creates an entry point for automated attacks.

Some investigations reveal the average web application or API has nearly 27 serious vulnerabilities. Organizations can have hundreds or even tens of thousands of applications. It’s no wonder then that some of the biggest brand names have been subject to API-related security breaches.

The real-world damage includes exfiltration of personal data of high-profile personalities, food supply chain vulnerabilities and the theft of tens of millions of individual private records.

OWASP API Security Project

The growing API and application vulnerabilities risk prompted OWASP to establish their top 10 hit list for API-related attacks. Here’s a high-level summary:

  • API 1 – Broken Object Level Authorization: APIs commonly expose endpoints that handle object identifiers, creating a wide attack surface for object-level access control flaws.
  • API 2 – Broken User Authentication: Incorrectly implemented authentication allows attackers to compromise authentication tokens or steal user IDs.
  • API 3 – Excessive Data Exposure: With generic implementations, developers may expose all object properties without considering individual sensitivity.
  • API 4 – Lack of Resources & Rate Limiting: APIs frequently do not place restrictions on the size or number of resources that can be requested by the client/user. This may facilitate DDoS or brute force attacks.
  • API 5 – Broken Function Level Authorization: Complex access and administration control policies can lead to authorization flaws. This exposes user resources and/or other administrative functions.
  • API 6 – Mass Assignment: Binding client-provided data (e.g., JSON) directly to data models, without a proper allow-list, lets attackers modify object properties they should not control.
  • API 7 – Security Misconfiguration: Arises from unsecured default configurations, incomplete or ad-hoc configurations, open cloud storage, misconfigured HTTP headers, unnecessary HTTP methods, permissive Cross-Origin resource sharing (CORS) and verbose error messages containing sensitive information.
  • API 8 – Injection: Injection flaws (SQL, NoSQL, Command Injection, etc.) occur when untrusted data is sent to an interpreter as part of a command or query. Malicious data can trick the interpreter into executing unauthorized commands.
  • API 9 – Improper Assets Management: APIs can expose many endpoints, making proper and up-to-date documentation even more critical. A proper inventory of hosts and deployed API versions plays an important role in mitigating threats.
  • API 10 – Insufficient Logging & Monitoring: Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, enter other systems and extract or destroy data.
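The following block is an added illustration, not code from the original article or from OWASP, of three entries in the list above: API 1 (a handler that trusts the object id from the URL beside one that checks ownership), API 3 (an explicit response schema instead of returning the whole record) and API 6 (an allow-list for client-writable fields). The ORDERS table, the user names and the field names are constructed sample data.

```python
"""Added illustration of OWASP API 1, API 3 and API 6: a vulnerable handler
beside its hardened form. ORDERS is constructed sample data."""


class Forbidden(Exception):
    """Raised when the caller may not access the requested object."""


# Constructed sample records. Only id/total/status/note belong in a response;
# the card fragment and the fraud score are internal fields.
ORDERS = {
    1001: {"id": 1001, "owner": "alice", "total": 42.0, "status": "paid",
           "note": "", "card_last4": "4242", "internal_fraud_score": 0.1},
    1002: {"id": 1002, "owner": "bob", "total": 17.5, "status": "shipped",
           "note": "", "card_last4": "1111", "internal_fraud_score": 0.7},
}


def get_order_vulnerable(order_id, caller):
    """API 1, vulnerable: trusts the id from the URL and ignores who is asking,
    so any authenticated user can read any order by iterating ids."""
    return ORDERS[order_id]


def get_order(order_id, caller):
    """API 1, hardened: enforce ownership on every object access."""
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != caller:
        # One response for "missing" and "not yours" avoids confirming ids exist
        raise Forbidden(f"order {order_id} is not accessible to {caller}")
    return order


# API 3: an explicit response schema instead of dumping the whole object
PUBLIC_ORDER_FIELDS = ("id", "total", "status", "note")


def serialize_order(order):
    """Return only the fields a client is meant to see."""
    return {field: order[field] for field in PUBLIC_ORDER_FIELDS}


# API 6: allow-list of properties a client may set; owner, total and the
# fraud score are never client-writable
CLIENT_WRITABLE = frozenset({"note"})


def update_order(order_id, caller, client_payload):
    """Apply only allow-listed fields from the client JSON; report the rest."""
    order = get_order(order_id, caller)  # object-level check comes first
    accepted = {k: v for k, v in client_payload.items() if k in CLIENT_WRITABLE}
    rejected = sorted(set(client_payload) - CLIENT_WRITABLE)
    order.update(accepted)
    return serialize_order(order), rejected


if __name__ == "__main__":
    print(get_order_vulnerable(1002, "alice"))  # leaks bob's order to alice
    try:
        get_order(1002, "alice")
    except Forbidden as exc:
        print("blocked:", exc)
    print(update_order(1002, "bob", {"note": "leave at door", "total": 0, "owner": "alice"}))
```

`update_order` silently drops the disallowed keys and reports them; a stricter server would reject the whole request with a 400 so that clients notice the mismatch, and in either case the rejected keys are worth logging because a request that tries to set `owner` or `total` is a signal in itself.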

API Vulnerability Assessment & Mitigation

Given the risk and high stakes involved, how can you strengthen your API threat management strategy? Here are some best practices:

Keep an API Inventory

It is important to know where your APIs are, including APIs from older versions and different environments. API security is improved when you document which endpoints each API host exposes, which endpoints are public (don’t require authentication) and which ones can be accessed from the internet.
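One way to start such an inventory is to derive it from the API's own description. The block below is an added example, not code from the original article, that reads an OpenAPI 3 document, lists every method and path, and flags operations that are reachable without authentication (an operation with `security: []` overrides the document-level requirement). The spec, the hostnames and the paths are constructed sample data; the `/admin` prefix used for flagging is an assumption about what counts as sensitive.

```python
"""Added example: build an endpoint inventory from an OpenAPI 3 document and
flag public (unauthenticated) operations. SAMPLE_SPEC is constructed data."""
import json

# Constructed sample document; hostnames and paths are not real services
SAMPLE_SPEC = json.dumps({
    "openapi": "3.0.3",
    "info": {"title": "Shop API", "version": "2.1.0"},
    "servers": [{"url": "https://api.example.test/v2"},
                {"url": "https://legacy.example.test/v1"}],
    "security": [{"bearerAuth": []}],              # default: token required
    "paths": {
        "/products": {"get": {"security": []}},    # intentionally public
        "/orders": {"get": {}, "post": {}},
        "/orders/{id}": {"get": {}, "delete": {}},
        "/admin/export": {"get": {"security": []}},  # public, probably by mistake
        "/health": {"get": {"security": []}},
    },
})

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options", "trace"}


def inventory(spec_text):
    """One row per (method, path) with the hosts it is served from and
    whether the operation requires authentication."""
    spec = json.loads(spec_text)
    hosts = [s["url"] for s in spec.get("servers", [])]
    default_security = spec.get("security", [])
    rows = []
    for path, item in spec.get("paths", {}).items():
        for method, operation in item.items():
            if method.lower() not in HTTP_METHODS:
                continue  # skip "parameters", "summary", vendor extensions
            # An operation-level "security" key replaces the document default;
            # an empty list means no authentication at all.
            security = operation.get("security", default_security)
            rows.append({"method": method.upper(), "path": path,
                         "hosts": hosts, "public": len(security) == 0})
    return rows


def public_endpoints(spec_text):
    """Sorted 'METHOD /path' strings for operations that need no credentials."""
    return sorted(f"{r['method']} {r['path']}" for r in inventory(spec_text) if r["public"])


def flag_suspicious(spec_text, sensitive_prefixes=("/admin",)):
    """Public operations under prefixes assumed to be sensitive (assumption)."""
    return [e for e in public_endpoints(spec_text)
            if any(e.split(" ", 1)[1].startswith(p) for p in sensitive_prefixes)]


if __name__ == "__main__":
    for row in inventory(SAMPLE_SPEC):
        print(f"{row['method']:7}{row['path']:20} public={row['public']}")
    print("needs review:", flag_suspicious(SAMPLE_SPEC))
```

Running this against every version of a spec you still serve (the `legacy` host in the sample is the point) gives the list the paragraph asks for: which endpoints exist, on which hosts, and which ones are open to the internet without a token.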

Practice Secure Coding

Encourage your developers to use secure coding practices since most API vulnerabilities start from within the code. Focus on secure coding in the production phase.

Implement OAuth

Access control for authentication and authorization is critical for API security. OAuth is a token-based authorization framework that allows user information to be accessed by third-party services without exposing user credentials. This is how websites leverage Google and Facebook to authorize access.
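What the resource side of this looks like is shown in the added example below, which is not code from the original article: an API checks the bearer token on a request against an introspection-style record (the fields mirror the `active`, `sub`, `scope` and `exp` claims an authorization server returns), rejects inactive or expired tokens, and then checks that the granted scopes cover the operation. The TOKENS table, token strings, user names and scope names are constructed sample data standing in for a call to a real authorization server.

```python
"""Added example: a resource server validating an OAuth bearer token and
enforcing scopes. TOKENS is constructed data standing in for token
introspection against an authorization server."""

NOW = 1_700_000_000  # fixed "current time" so the example is deterministic

# Constructed introspection results; a real server would query the
# authorization server (or verify a signed JWT) instead of a dict.
TOKENS = {
    "tok-alice-read": {"active": True, "sub": "alice",
                       "scope": "orders:read", "exp": NOW + 3600},
    "tok-alice-rw":   {"active": True, "sub": "alice",
                       "scope": "orders:read orders:write", "exp": NOW + 3600},
    "tok-expired":    {"active": True, "sub": "bob",
                       "scope": "orders:read", "exp": NOW - 10},
    "tok-revoked":    {"active": False, "sub": "carol",
                       "scope": "orders:read", "exp": NOW + 3600},
}


def introspect(token):
    """Stand-in for token introspection: unknown tokens are simply inactive."""
    return TOKENS.get(token, {"active": False})


def authorize(headers, required_scope, now=NOW):
    """Return (http_status, detail). 200 carries the subject the token
    was issued to; 401 means no usable token; 403 means wrong scope."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return 401, "missing bearer token"
    info = introspect(token.strip())
    if not info.get("active") or info.get("exp", 0) <= now:
        # Do not distinguish revoked from expired to the client
        return 401, "token inactive or expired"
    granted = set(info.get("scope", "").split())
    if required_scope not in granted:
        return 403, f"insufficient scope, need {required_scope}"
    return 200, info["sub"]


if __name__ == "__main__":
    for tok in ("tok-alice-read", "tok-alice-rw", "tok-expired", "tok-revoked", "tok-bogus"):
        for scope in ("orders:read", "orders:write"):
            print(tok, scope, authorize({"Authorization": f"Bearer {tok}"}, scope))
```

The third-party service only ever holds the token, never the user's password, which is the property the paragraph describes; the scope check is what keeps a read-only token from being used against a write endpoint.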

Rate Limiting & Throttling

To defend against DDoS attacks, API spikes and other performance issues, you can place rate limits on how often APIs can be called. Rate throttling smooths out traffic by balancing access with availability.
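A token bucket is the usual way to implement the limit and the throttling together: each client gets a bucket that refills at a steady rate, a burst up to the bucket's capacity is served immediately, and anything beyond that is answered with 429 and a Retry-After hint. The block below is an added example, not code from the original article; the capacity and refill numbers, the client keys and the fake clock are constructed for the demonstration.

```python
"""Added example: per-client token-bucket rate limiting with a Retry-After
hint. Capacities, keys and the FakeClock are constructed for the demo."""
import math
import time


class TokenBucket:
    def __init__(self, capacity, refill_per_second, clock=time.monotonic):
        self.capacity = capacity
        self.refill = refill_per_second
        self.clock = clock
        self.tokens = float(capacity)  # a new client may burst up to capacity
        self.last = clock()

    def _refill(self):
        now = self.clock()
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.refill)
        self.last = now

    def allow(self, cost=1.0):
        """Consume `cost` tokens if available; otherwise refuse without consuming."""
        self._refill()
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False

    def seconds_until(self, cost=1.0):
        """How long until `cost` tokens will be available."""
        self._refill()
        return max(0.0, (cost - self.tokens) / self.refill)


class RateLimiter:
    """One bucket per client key (API key, client id or source address)."""

    def __init__(self, capacity, refill_per_second, clock=time.monotonic):
        self.capacity, self.refill, self.clock = capacity, refill_per_second, clock
        self.buckets = {}

    def _bucket(self, key):
        if key not in self.buckets:
            self.buckets[key] = TokenBucket(self.capacity, self.refill, self.clock)
        return self.buckets[key]

    def check(self, key, cost=1.0):
        return self._bucket(key).allow(cost)

    def retry_after(self, key, cost=1.0):
        return self._bucket(key).seconds_until(cost)


def handle(limiter, key):
    """What an API layer returns: 200, or 429 with a Retry-After header."""
    if limiter.check(key):
        return 200, {}
    return 429, {"Retry-After": str(math.ceil(limiter.retry_after(key)))}


class FakeClock:
    """Deterministic clock for tests and demos (constructed, not production)."""

    def __init__(self, t=0.0):
        self.t = t

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


if __name__ == "__main__":
    clock = FakeClock()
    limiter = RateLimiter(capacity=5, refill_per_second=1.0, clock=clock)
    print([handle(limiter, "client-A")[0] for _ in range(7)])  # five 200s, then 429s
    print(handle(limiter, "client-A"))                          # 429 with Retry-After
    clock.advance(2.0)
    print([handle(limiter, "client-A")[0] for _ in range(3)])  # two refilled, then 429
    print(handle(limiter, "client-B"))                          # separate bucket
```

Keying the buckets on an authenticated identity rather than only a source address stops one noisy tenant from starving the others behind the same NAT, and keeping the refused request cheap (no token consumed, no backend call) is what makes this a defence rather than just another load.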

Use an API Gateway

An API gateway is a central point of enforcement for API traffic. A solid API gateway allows you to authenticate traffic, control API use and analyze API activity.

Use a Service Mesh

Service mesh technology enables API management and control by routing requests from one service to the next. A service mesh ensures that proper authentication, access control and other security measures work together for improved API security.

A service mesh is especially critical as the use of microservices increases. As the number of services increases, the number of potential ways to communicate grows exponentially. A service mesh provides a unified way to configure communication paths by creating a policy for the communication.

A service mesh instruments the services and orchestrates communications traffic according to a predetermined configuration. Instead of configuring a running container, or writing code to do so, an administrator can provide configuration to the service mesh and have it complete that work.

Adopt Zero Trust

As a wider security philosophy, zero trust assumes you’re an attacker until proven otherwise. Zero trust requires verification and authorization for every device, every application and every user gaining access to every resource.

E-commerce Needs Secure APIs

For competitive brands, the omnichannel experience will continue to grow in diversity and scope. APIs will scale likewise. It’s important to adopt a proactive API security stance now to keep your customers, business and assets safe.
