API Security - A risk based approach for CISOs
APIs, or Application Programming Interfaces, are the building blocks of modern applications. As API usage and API traffic grow, APIs are likely to become the major attack vector for attackers. APIs are used for a variety of purposes, such as sharing data with partners, customers and other third parties. According to Akamai, 83% of internet traffic is driven by APIs.
While APIs are a powerful enabler of digital transformation, they also present new security challenges. Gartner predicts that in 2023 API abuses will be the most frequent attack vector. Reflecting the same concern, OWASP published a separate OWASP API Security Top 10 in 2019. Organisations such as Coinbase and IRCTC have also been affected by API security vulnerabilities in their applications.
To tackle this emerging attack vector, CISOs should understand the key risks associated with APIs. These include:
Data Breaches or Data Leakages - The risk of a data leak or a large breach exists wherever an API can be manipulated into returning data the caller is not entitled to. For example, injection attacks pass attacker-controlled input through an API into a backend interpreter (SQL, NoSQL or OS commands) to reach sensitive data, and broken object-level authorisation (the first entry in the OWASP API Security Top 10) lets an authenticated user read other users' records simply by changing an identifier in the request.
L7 Denial of Service - Where rate limiting and input validation are missing, an attacker can launch a Layer-7 volumetric denial of service attack (a flood of well-formed but expensive requests) and make the API unavailable to legitimate users.
Financial Loss - Attackers can manipulate APIs for monetary gain by misusing and misappropriating financial instruments including wallet balance, gift cards and loyalty points.
Fines and Penalties due to Regulatory Non-Compliance - If an organisation has not secured its APIs and sensitive personal data is leaked, the result is regulatory non-compliance. This can lead to large fines and penalties, as regulators deal harshly with cases that expose personal data.
Now that we understand the risks associated with APIs, we will look at the measures security leaders can take to secure their API ecosystem.
API security has to be tackled in a systematic manner based on the organisational context and maturity. Small organisations may do this by documenting their APIs and embedding security practices within their developers' coding methodology. Large organisations should set up a proper API governance structure with mechanisms for API documentation, testing and discovery, supported by an API management platform and an API gateway. CISOs should also understand the regulatory compliance requirements that apply to their organisation's use of APIs. For example, organisations handling personal data need to comply with the General Data Protection Regulation (GDPR) and similar laws.
The following measures should be taken to ensure effective API security:
API Inventory and Discovery - It is essential that the security team works with engineering and QA teams to document all APIs and their parameters. This can be done by creating Swagger (OpenAPI) files and routing all public APIs through an API gateway. An API discovery tool that detects any API exposed inadvertently will also help in maintaining the inventory and quantifying risk. Special attention should be paid to discovering shadow APIs (endpoints not known to the security team or released without its knowledge) and zombie APIs (deprecated endpoints that still answer requests), so that the entire API attack surface is known.
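As an added example (not the article's own tooling), the Python below does the reconciliation an API discovery tool performs: it takes the path templates from an OpenAPI document, matches gateway-observed requests against them, and reports shadow calls (undocumented paths or undeclared methods) and zombie calls (deprecated templates still receiving traffic). The spec entries and the observed requests are constructed sample data.

```python
"""Reconcile a documented API inventory with traffic observed at the gateway.

Added example, not code from the original article. The OpenAPI paths, the
deprecation flags and the observed requests below are constructed sample data.
"""
import re

# Constructed inventory: path templates from the OpenAPI (Swagger) document,
# the operations each declares, and whether the spec marks it deprecated.
DOCUMENTED = {
    "/v2/users/{id}":        {"methods": {"GET", "PATCH"},  "deprecated": False},
    "/v2/users/{id}/orders": {"methods": {"GET"},           "deprecated": False},
    "/v2/orders/{id}":       {"methods": {"GET", "DELETE"}, "deprecated": False},
    "/v1/users/{id}":        {"methods": {"GET"},           "deprecated": True},
}

# Constructed (method, path) pairs as an API gateway access log would record them.
OBSERVED = [
    ("GET", "/v2/users/1042"),
    ("GET", "/v2/users/1042/orders"),
    ("DELETE", "/v2/orders/77"),
    ("GET", "/v1/users/1042"),          # deprecated, yet still answering
    ("GET", "/internal/debug/config"),  # never documented at all
    ("PUT", "/v2/users/1042"),          # documented path, undeclared method
]


def template_to_regex(template):
    """Compile an OpenAPI path template; each {param} matches one path segment."""
    parts = []
    for seg in template.split("/"):
        if seg.startswith("{") and seg.endswith("}"):
            parts.append("[^/]+")
        else:
            parts.append(re.escape(seg))
    return re.compile("^" + "/".join(parts) + "$")


COMPILED = {t: template_to_regex(t) for t in DOCUMENTED}


def match_template(path):
    """Return the documented template a concrete path belongs to, or None."""
    for template, rx in COMPILED.items():
        if rx.match(path):
            return template
    return None


def classify(observed):
    """Sort observed calls into documented, shadow and zombie.

    shadow: no documented template matches, or the method is not declared
            for the matching template (an undocumented operation).
    zombie: the template is marked deprecated but still receives traffic.
    """
    result = {"documented": [], "shadow": [], "zombie": []}
    for method, path in observed:
        template = match_template(path)
        if template is None or method not in DOCUMENTED[template]["methods"]:
            result["shadow"].append((method, path))
        elif DOCUMENTED[template]["deprecated"]:
            result["zombie"].append((method, path))
        else:
            result["documented"].append((method, path))
    return result


if __name__ == "__main__":
    for bucket, calls in classify(OBSERVED).items():
        print(bucket)
        for method, path in calls:
            print(f"  {method} {path}")
```

In practice the observed list comes from the gateway or WAF logs over a period long enough to include infrequent callers, and every shadow entry is either documented and reviewed or removed.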
Security in API Design - It is essential to have a standard methodology for developing APIs. Security leaders should encourage and mandate use of the OpenAPI Specification (OAS). OAS provides a standard way of documenting APIs, making it easier for developers to understand how to use them. It also gives security a foothold in the design: the specification declares the authentication and authorisation schemes an API supports and the security requirements of each operation, and a specification that is kept accurate can be linted in the pipeline and used by the API gateway to enforce those requirements, so an endpoint that silently drops its security requirement becomes visible at review time. Additionally, threat modelling can help in identifying security issues early in the API development cycle.
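As an added illustration (not from the original article), the OpenAPI 3 fragment below declares two security schemes and applies them per operation; the API name, token URL, scopes and schema are hypothetical. The one operation that overrides the spec-wide default with `security: []` is deliberately unauthenticated and is exactly the kind of line a spec linter or a design review should flag:

```yaml
openapi: 3.0.3
info:
  title: Orders API          # hypothetical service
  version: "2.0"

components:
  securitySchemes:
    bearerAuth:              # end-user access tokens from the organisation's identity provider
      type: http
      scheme: bearer
      bearerFormat: JWT
    partnerOAuth:            # partner integrations via OAuth 2.0 client credentials
      type: oauth2
      flows:
        clientCredentials:
          tokenUrl: https://auth.example.com/oauth/token   # hypothetical
          scopes:
            orders:read: Read orders
            orders:write: Create or cancel orders
  schemas:
    OrderSummary:            # the only fields this API will ever return for an order
      type: object
      additionalProperties: false
      properties:
        id:     { type: string }
        status: { type: string, enum: [pending, shipped, cancelled] }
        total:  { type: number }

# Spec-wide default: every operation needs a bearer token unless it overrides this.
security:
  - bearerAuth: []

paths:
  /orders/{id}:
    get:
      summary: Fetch one order
      # Either an end-user token or a partner token carrying the read scope.
      security:
        - bearerAuth: []
        - partnerOAuth: [orders:read]
      parameters:
        - name: id
          in: path
          required: true
          schema:
            type: string
            pattern: '^[0-9a-f]{32}$'    # input validation is part of the contract
      responses:
        "200":
          description: The order, limited to OrderSummary fields
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/OrderSummary'
        "404":
          description: Not found, also returned when the order belongs to another user
    delete:
      summary: Cancel an order
      security:
        - bearerAuth: []
        - partnerOAuth: [orders:write]
      parameters:
        - name: id
          in: path
          required: true
          schema: { type: string, pattern: '^[0-9a-f]{32}$' }
      responses:
        "204": { description: Cancelled }

  /health:
    get:
      summary: Liveness probe
      security: []             # explicitly unauthenticated; every such override should be reviewed
      responses:
        "200": { description: OK }
```

The response schema matters as much as the security block: declaring `OrderSummary` with `additionalProperties: false` is what lets a contract test catch a handler that starts serialising whole database rows.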
Secure API Development - Developers need to be trained on secure coding practices and specifically on how to address security issues in APIs. Proper authentication and authorisation, coupled with encryption at rest and in transit, are key aspects to keep in mind while developing and implementing APIs. A proper mechanism for authentication and access control must be implemented so that only authorised users can access the API, and the authorisation check must be made on every request for every object, not only at login. This is achieved by laying down effective guidelines for developers as well as security testing for all APIs.
Security Testing of APIs - Effective security testing of APIs is essential to ensure that APIs are implemented securely. The aim should be to run security test cases in the CI/CD pipeline to avoid manual effort. Security testing should include tests for authentication and authorisation bypass, excessive data exposure and proper input validation. Where automation is not fully possible, effective manual penetration testing should be carried out to confirm that no security issues remain.
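The checks named above can be expressed as pipeline tests. The Python below, an added example rather than code from the article, runs three of them (missing authentication, object-level authorisation bypass, excessive data exposure) against two in-process versions of a hypothetical GET /users/{id} handler, one written the way the vulnerability usually appears and one hardened; the user records and bearer tokens are constructed. In a real pipeline the same assertions would be made over HTTP against a test deployment.

```python
"""Pipeline-friendly API security checks for authentication, object-level
authorisation (BOLA) and excessive data exposure.

Added example, not code from the original article. The in-process handlers,
user records and bearer tokens are constructed stand-ins; a real pipeline
would issue the same requests over HTTP against a test deployment.
"""

# Constructed user store. password_hash and role must never leave the service.
USERS = {
    "u1": {"id": "u1", "email": "alice@example.com", "role": "user",
           "password_hash": "$2b$12$constructedhashvalue"},
    "u2": {"id": "u2", "email": "bob@example.com", "role": "user",
           "password_hash": "$2b$12$constructedhashvalue"},
}
TOKENS = {"tok-alice": "u1", "tok-bob": "u2"}   # bearer token -> subject
PUBLIC_FIELDS = ("id", "email")                 # the declared response schema


def caller_from(headers):
    """Resolve the bearer token to a user id, or None if absent or unknown."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return TOKENS.get(auth[len("Bearer "):])


def target_from(path):
    """The {id} segment of /users/{id}."""
    return path.rstrip("/").rsplit("/", 1)[-1]


def vulnerable_get_user(method, path, headers):
    """GET /users/{id} as it is often written: the caller is authenticated,
    but any caller may read any record and the whole row is serialised."""
    if caller_from(headers) is None:
        return 401, {"error": "unauthenticated"}
    record = USERS.get(target_from(path))
    if record is None:
        return 404, {"error": "not found"}
    return 200, dict(record)


def hardened_get_user(method, path, headers):
    """Same endpoint with an ownership check and an explicit response schema."""
    caller = caller_from(headers)
    if caller is None:
        return 401, {"error": "unauthenticated"}
    target = target_from(path)
    # Compare the requested object against the authenticated subject on every
    # request; answer 404 rather than 403 so the endpoint does not confirm
    # which identifiers exist.
    if target != caller or target not in USERS:
        return 404, {"error": "not found"}
    return 200, {k: USERS[target][k] for k in PUBLIC_FIELDS}


def check_missing_auth(handler):
    """No credential at all must be rejected, not served."""
    status, _ = handler("GET", "/users/u1", {})
    return status == 401


def check_bola(handler):
    """Alice asks for Bob's record; pass only if the service refuses."""
    status, _ = handler("GET", "/users/u2", {"Authorization": "Bearer tok-alice"})
    return status in (403, 404)


def check_excessive_exposure(handler):
    """Alice asks for her own record; only the declared public fields may appear."""
    status, body = handler("GET", "/users/u1", {"Authorization": "Bearer tok-alice"})
    return status == 200 and set(body) <= set(PUBLIC_FIELDS)


CHECKS = {
    "missing_auth": check_missing_auth,
    "bola": check_bola,
    "excessive_data_exposure": check_excessive_exposure,
}


def run_checks(handler):
    """Map each check name to True (passed) or False (finding)."""
    return {name: check(handler) for name, check in CHECKS.items()}


if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_get_user),
                          ("hardened", hardened_get_user)):
        print(name, run_checks(handler))
```

A failing entry in `run_checks` is what should break the build; the vulnerable handler fails both the BOLA and the exposure check even though it authenticates every request, which is why "is there a login" is not a sufficient test.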
Protection of APIs via Monitoring and Auditing - APIs should be regularly monitored and audited for suspicious activity, and the logs integrated with a SIEM or a monitoring tool. This is essential to detect suspicious activity and anomalous behaviour, and it is especially important where third parties call APIs over unauthenticated endpoints or with hard-coded credentials, since a stolen or shared credential cannot be distinguished from legitimate use except by its behaviour. Real-time protection via web application firewalls or dedicated API protection suites will help ensure APIs are not exploited, and, if an API is compromised, proper detection and effective incident response will limit the damage.
Specialised Training on API Security - With the increase in attacks on APIs, it is essential that security leaders focus on training their teams on API security. The OWASP API Security Project is a good starting point, and its OWASP API Security Top 10 is an excellent reference for both security teams and developers to understand the core aspects of API security.
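Two of the anomaly detections such monitoring should run, as an added example and not code from the article: a per-client request flood (the layer-7 denial of service described earlier) and one credential walking through many object identifiers, which is what broken object-level authorisation probing looks like in the logs. The JSON log schema, the thresholds and the sample traffic are all constructed; a real deployment would read the gateway's own log format.

```python
"""Two detections over API gateway access logs: a layer-7 request flood from
one client and one credential enumerating object identifiers (BOLA probing).

Added example, not code from the original article. The JSON log schema,
thresholds and sample traffic are constructed; a real deployment reads the
gateway's own log format and forwards the alerts to the SIEM.
"""
import json
import re
from collections import Counter, defaultdict

WINDOW_SECONDS = 60
MAX_REQUESTS_PER_WINDOW = 100     # per client IP
MAX_DISTINCT_IDS_PER_WINDOW = 20  # per token and path template

# Path segments that look like object identifiers: decimal or long hex.
ID_SEGMENT = re.compile(r"^[0-9]+$|^[0-9a-f]{8,}$")


def log_line(ts, ip, token, method, path, status=200):
    return json.dumps({"ts": ts, "client_ip": ip, "token_id": token,
                       "method": method, "path": path, "status": status})


def build_sample_log():
    """Constructed traffic: a normal user, an ID enumerator and a flooder."""
    lines = [log_line(10 * i, "198.51.100.10", "t-alice", "GET", f"/v2/orders/{1001 + i}")
             for i in range(5)]
    # 50 different order ids in 50 seconds from one token; the 403s show the
    # ownership check is holding, but the probing itself is the signal.
    lines += [log_line(100 + i, "203.0.113.7", "t-mallory", "GET", f"/v2/orders/{2000 + i}", 403)
              for i in range(50)]
    # 150 requests in 15 seconds to an expensive search endpoint.
    lines += [log_line(200 + i / 10, "203.0.113.99", "t-bot", "GET", "/v2/search")
              for i in range(150)]
    return "\n".join(lines)


SAMPLE_LOG = build_sample_log()


def parse(log_text):
    """One JSON object per line, as most gateways can be configured to emit."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def templatize(path):
    """Replace identifier-looking segments with {id}; return (template, ids)."""
    segs, ids = [], []
    for seg in path.split("/"):
        if ID_SEGMENT.match(seg):
            segs.append("{id}")
            ids.append(seg)
        else:
            segs.append(seg)
    return "/".join(segs), ids


def max_in_window(timestamps, window):
    """Largest number of events falling inside any span of `window` seconds."""
    ts = sorted(timestamps)
    best = left = 0
    for right, t in enumerate(ts):
        while t - ts[left] > window:
            left += 1
        best = max(best, right - left + 1)
    return best


def detect_floods(events):
    """Client IPs whose peak request count in one window exceeds the limit."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["client_ip"]].append(e["ts"])
    alerts = {}
    for ip, ts in by_ip.items():
        peak = max_in_window(ts, WINDOW_SECONDS)
        if peak > MAX_REQUESTS_PER_WINDOW:
            alerts[ip] = peak
    return alerts


def detect_enumeration(events):
    """(token, template) pairs that touch more distinct object ids inside one
    window than a genuine user plausibly would."""
    by_key = defaultdict(list)
    for e in events:
        template, ids = templatize(e["path"])
        for obj_id in ids:
            by_key[(e["token_id"], template)].append((e["ts"], obj_id))
    alerts = {}
    for key, items in by_key.items():
        items.sort()
        in_window, left = Counter(), 0
        for t, obj_id in items:
            in_window[obj_id] += 1
            while t - items[left][0] > WINDOW_SECONDS:   # slide the window forward
                old = items[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) > MAX_DISTINCT_IDS_PER_WINDOW:
                alerts[key] = max(alerts.get(key, 0), len(in_window))
    return alerts


if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    print("flood:", detect_floods(events))
    print("enumeration:", detect_enumeration(events))
```

The enumeration rule keys on the token rather than the IP because a partner's hard-coded credential is reused from many addresses; the thresholds are placeholders to be tuned against a baseline of each API's real traffic before alerts go to the on-call rotation.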
Security teams should also work closely with the Engineering team to ensure that security is built into the API from the start, rather than trying to retrofit it later. This includes incorporating security testing into the development process and ensuring that developers are trained on best practices for API security.
Finally, CISOs should have an API governance mechanism that includes an effective strategy and roadmap for API security based on their organisation's requirements and context. This should cover the key aspects of API design, inventory, development, security testing and monitoring.
API security is a complex and evolving field, and CISOs need to stay informed about new threats and best practices in order to effectively protect their organisation's data and systems. By understanding the risks, implementing security controls, and working closely with development teams, CISOs can help ensure that their organisation's APIs are secure and compliant.