Many organisations are modernising their existing applications and integrating new ones across their environments to keep pace with business demands. Modern application development relies on Application Programming Interfaces (APIs), which let services and products communicate with each other and use each other's data and functionality to support business operations. APIs are business critical: the most popular web applications and innovative services run on them. While APIs help businesses meet strategic and operational goals, simplify software development and improve user experience, they are not without risk. Because APIs connect services and carry all types of data, including sensitive data, they are a target for attacks that can end in costly data breaches.
An API is a defined set of rules, an interface contract, that lets software applications communicate with each other. The API acts as an intermediary between machines, applications or services that need to connect with each other for a specific task. APIs use defined protocols (for web APIs, usually HTTP carrying JSON or XML payloads) so that developers can build, connect and integrate applications quickly and at scale.
An API works as a request-and-response exchange. In a client application-to-web service scenario, the client application sends an API request for information to the API's Uniform Resource Identifier (URI). The API (the intermediary) validates the request and then calls the web server or backend service behind it. The server returns the requested information in its response, and the API passes that data back to the application that made the request.

An API works much like a waiter who acts as an intermediary between the chef in the kitchen and a customer in a restaurant. When a customer places an order with the waiter, the waiter passes the details of the order to the chef. The chef responds by preparing the order and handing it to the waiter. In this scenario, the customer represents the client making the API call, the waiter represents the API and the chef in the kitchen represents the server. When the chef (the server) hands the dish to the waiter and the waiter delivers it to the customer, that act represents the transfer of data. Because data changes hands at each step, the exchange must remain secure.
API security involves protecting the APIs an organisation owns and the third-party APIs it uses. A properly secured API places a controlled layer between the client and the data on the server: the client only ever sees what the API chooses to expose. APIs are also used to delegate sensitive operations to trusted third parties. A website can let users log in with their social media profiles, which saves the user from creating yet another account for every site that requires a login, and means the site never handles the user's social media password. Likewise, an eCommerce shop can take payments through a trusted third-party payment processor so that card details never reach the shop's own systems.
While APIs bring real benefits, including greater efficiency for businesses and a better web and application experience for end users, they are also a target. Attackers know how lucrative APIs can be, since they route traffic to an organisation's most valuable data and services. APIs are also hard to secure: traditional security tooling that inspects traffic for known attack signatures has little visibility into whether an otherwise well-formed API call is abusing business logic or reading data the caller should not see.
Organisations also have many APIs they cannot see, known as shadow APIs, and older APIs that should have been decommissioned, known as zombie APIs. Organisations cannot secure or manage what is invisible to them, so part of API security is discovering these APIs and managing them properly to reduce risk.
Securing APIs against attacks is critical as API use increases and the attack surface expands. Common attacks against web APIs include credential stuffing, account takeover, manipulation of API request parameters (for example, changing an object identifier in a request to read another user's record), distributed denial-of-service (DDoS) and man-in-the-middle attacks. Hacked or abused APIs can have far-reaching consequences such as data breaches, data exfiltration, and degraded or fully disrupted service.
Organisations must invest in API security best practices such as testing APIs before they reach production, to find issues an attacker could exploit. To mitigate the risks inherent in APIs, an organisation should take six actions to protect its existing APIs:
Organisations that inventory and manage their APIs are on the right track, but inventory alone is not enough: every organisation has unknown or forgotten APIs. Strong access controls are critical because APIs are an entry point to enterprise assets, including personal and sensitive data; authorisation must be checked on every request, not just at login. Without encryption of data in transit (TLS), data transferred over an API is exposed to interception, modification and unauthorised use. Rate limiting, and flagging when a given user or client makes too many API requests, helps prevent brute-force attacks and service disruption.
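The access-control point above is easiest to see in code. The following is an added example written for this article, not code from the author or from any product: a vulnerable order-lookup handler that trusts the identifier in the request, beside a hardened handler that makes the authenticated identity decide what is returned. The order store, the users and the roles are constructed sample data, and the 404-for-both choice is one reasonable design, not a requirement.

```python
# Added example, not code from the article or any product: object-level
# authorisation on an API endpoint, the vulnerable handler beside the hardened one.
from dataclasses import dataclass, asdict


@dataclass(frozen=True)
class Order:
    order_id: int
    owner: str
    total: float


# Constructed data standing in for a database table and an identity directory.
ORDERS = {
    1001: Order(1001, "alice", 49.99),
    1002: Order(1002, "bob", 120.00),
}
ROLES = {"alice": {"customer"}, "bob": {"customer"}, "carol": {"support"}}


def get_order_insecure(caller: str, order_id: int) -> Order:
    """Vulnerable: the id from the request is trusted and ownership is never checked.

    Any authenticated caller can change order_id in the URL and read other
    customers' orders (request manipulation / broken object-level authorisation).
    """
    return ORDERS[order_id]


def can_read_order(caller: str, order: Order) -> bool:
    """Authorisation decision: the owner and support staff may read an order."""
    return order.owner == caller or "support" in ROLES.get(caller, set())


def handle_get_order(caller: str, order_id: int) -> tuple[int, dict]:
    """Hardened handler: returns (HTTP status, JSON body).

    The authenticated identity, not the request parameter, decides what comes back.
    "No such order" and "not your order" get the same 404 so the endpoint does not
    reveal which ids exist.
    """
    order = ORDERS.get(order_id)
    if order is None or not can_read_order(caller, order):
        return 404, {"error": "order not found"}
    return 200, asdict(order)


if __name__ == "__main__":
    # alice reading bob's order through the vulnerable handler succeeds
    print(get_order_insecure("alice", 1002))
    # the hardened handler refuses, while support staff may still read it
    print(handle_get_order("alice", 1002))
    print(handle_get_order("carol", 1002))
```

The check lives in one function, can_read_order, so that every handler that returns an order calls the same decision; the usual failure is a new endpoint that fetches by id and forgets the check.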
The reputational harm of an API breach or a leaky API can be costly, and the direct costs, in the form of privacy violation fines, can be painful too. Organisations that want to manage and secure their APIs successfully need that security to be a shared responsibility across many groups, especially developers and security teams.
API management platforms help: they support authentication and authorisation and can enforce rate limits at the gateway. But they only see the APIs that are registered with them, so they cannot discover every API in an organisation, and they do not detect attacks at runtime. Additional API security tooling that monitors API activity in real time, by user and by API, is essential to protecting APIs.
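What "monitoring by user and by API" means in practice, and how the rate-limit flagging mentioned earlier fits in, is shown by the following added example. It is written for this article, not taken from the author or from any vendor's tooling: sliding-window detection logic run over constructed API access log lines, raising one alert per subject for a password brute force on a single account, credential stuffing from a single source across many accounts, and a client calling one API path far faster than a real user. The log format, the thresholds and the addresses are assumptions chosen for illustration.

```python
# Added example, not code from the article or any vendor's product: detection
# logic for per-user and per-API monitoring run over constructed API access log
# lines. Log format, thresholds and addresses are assumptions for illustration.
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Assumed log format: "<ISO8601 UTC> <client ip> <method> <path> user=<name> status=<code>"
LOG_RE = re.compile(
    r"(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"user=(?P<user>\S+) status=(?P<status>\d{3})$"
)


def parse_line(line: str):
    """Return a dict for a well-formed line, None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()
    e["status"] = int(e["status"])
    return e


def detect(lines, window=60, max_failed_per_account=5, max_accounts_per_ip=5, max_requests_per_client_api=10):
    """Sliding-window detection over log lines; returns sorted (alert type, subject) pairs.

    brute_force:          >= max_failed_per_account failed logins on one account in the window
    credential_stuffing:  one source ip fails logins on >= max_accounts_per_ip distinct accounts
    rate_limit:           one client calls one API path more than max_requests_per_client_api times
    """
    events = sorted(filter(None, map(parse_line, lines)), key=lambda e: e["ts"])
    failed_per_account = defaultdict(deque)       # user -> deque of (ts, ip)
    failed_accounts_per_ip = defaultdict(deque)   # ip -> deque of (ts, user)
    requests_per_client_api = defaultdict(deque)  # (ip, path) -> deque of (ts, None)
    alerts = {}  # (type, subject) -> first trigger time; one alert per subject

    def push(dq, now, tag):
        dq.append((now, tag))
        while dq and dq[0][0] < now - window:  # drop entries that fell out of the window
            dq.popleft()

    for e in events:
        now = e["ts"]
        dq = requests_per_client_api[(e["ip"], e["path"])]
        push(dq, now, None)
        if len(dq) > max_requests_per_client_api:
            alerts.setdefault(("rate_limit", f'{e["ip"]} {e["path"]}'), now)

        if e["path"] == "/login" and e["status"] == 401:
            dq = failed_per_account[e["user"]]
            push(dq, now, e["ip"])
            if len(dq) >= max_failed_per_account:
                alerts.setdefault(("brute_force", e["user"]), now)

            dq = failed_accounts_per_ip[e["ip"]]
            push(dq, now, e["user"])
            if len({user for _, user in dq}) >= max_accounts_per_ip:
                alerts.setdefault(("credential_stuffing", e["ip"]), now)

    return sorted(alerts)


def _line(sec, ip, method, path, user, status):
    return f"2024-05-01T10:00:{sec:02d}Z {ip} {method} {path} user={user} status={status}"


# Constructed sample traffic: normal use, then three abuse patterns, then junk.
SAMPLE_LOG = (
    [_line(0, "192.0.2.10", "POST", "/login", "alice", 200),
     _line(5, "192.0.2.10", "GET", "/api/orders", "alice", 200)]
    # brute force: one source hammering bob's password
    + [_line(10 + i, "203.0.113.9", "POST", "/login", "bob", 401) for i in range(6)]
    # credential stuffing: one source trying a leaked list, one attempt per account
    + [_line(20 + i, "198.51.100.7", "POST", "/login", u, 401)
       for i, u in enumerate(["carol", "dave", "erin", "frank", "grace", "heidi"])]
    # volume abuse: one client scraping an endpoint far faster than a real user
    + [_line(30 + i // 2, "192.0.2.77", "GET", "/api/orders", "mallory", 200) for i in range(12)]
    + ["malformed line that the parser must skip"]
)

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The three counters key on different things on purpose: the account for brute force, the source for credential stuffing (where each account sees only one failure, so a per-account rule never fires), and the client-plus-path pair for volume abuse, which is the view a gateway rate limit gives you. Thresholds here are illustrative; in production they are tuned per API from observed baselines, and the source key should be the authenticated client or API key rather than the IP address wherever one exists.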
About the Author: Ambler Jackson is an attorney with an extensive background in corporate governance, regulatory compliance, and privacy law.  She currently consults on governance, risk and compliance, enterprise data management, and data privacy and security matters in Washington, DC. She also writes with Bora about today’s most important cybersecurity and regulatory compliance issues.
© 2015 – 2019 IT Security Guru – Website Managed by Calm Logic