Application Programming Interfaces (APIs) have always provided the backbone of data sharing between applications, but in the last decade they have exploded in popularity. However, their peripheral position in the software supply chain has led some developers to overlook their security implications entirely. API security best practices are more important than ever, and they can be split into two major themes: authentication and authorization.
Why API Security is a Big Deal
An API is a software intermediary that allows one application to share data, inputs and functions with another. APIs are accessible tools that give developers incredible flexibility to build applications, enabling the fluid, real-time flow of data between software. APIs began as the quiet underdog of application development. Ecommerce, powering huge online pioneers such as eBay and Amazon, paved the way for APIs to thrive. From 2006, social media sites sought to change the way users interact with and share information. Facebook’s platform and API gave developers access to Facebook users’ friends, photos, events, and profile information. In turn, users made the leap to social media in droves.
Nowadays, the focus has shifted away from monolithic application development. Instead, microservice architecture is revolutionizing tech stacks. Under this architecture, applications are no longer single codebases chock-full of self-written code. Instead, each app is modularized and divided into smaller standalone services. Each independent service can be built, deployed and scaled independently of the rest, allowing for more efficient resource usage. Each of these individual microservices must be able to communicate with one another, with the databases their real-time information is drawn from, and with the web sites they power. From allowing applications to talk to one another, to becoming the very glue holding them together, APIs have come a long way.
The Victims Of Poor API Security Are Your Users
Last year saw a number of high-profile data breaches that stemmed directly from API vulnerabilities. With both political and financial motivations, attackers are keenly aware that APIs represent some of the most glaring issues in today’s applications.
Parler is a social networking platform that rose in popularity during Donald Trump’s presidency. Fiercely defended by its right-wing userbase, Parler presented itself as a place for free speech. However, in 2021, some major security flaws in Parler’s API came to light. A single unprotected API had been built and shipped with no limits placed upon it. This meant that attackers could build an automated function that simply crawled through every single user’s profile, collating all the data it found and relaying it back to an attacker-controlled server. Because the API had no rate limit, Parler had no way to flag that this bot was making hundreds of requests per second. This allowed hacktivists to scrape and collect over 60 terabytes of data on the platform’s almost 10 million users. Parler had not exactly been built with security in mind, however: what made this piece of hacktivism even easier was the fact that posts were sequentially ordered, making it that much easier to download millions of them in order.
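The two gaps described above, no rate limit and sequentially numbered objects, are both visible in an access log. The following is an added example, not Parler’s code or code from the original article: it replays a constructed log through a per-client sliding-window rate limiter and separately flags clients that walk consecutive object IDs. The log format, client addresses and thresholds are assumptions.

```python
from collections import defaultdict, deque

# Constructed access log: (timestamp_ms, client_id, path). Client 10.0.0.7 walks
# sequential profile IDs at 100 requests/second; 10.0.0.8 browses at a human pace.
SAMPLE_LOG = (
    [(i * 10, "10.0.0.7", f"/api/profile/{1000 + i}") for i in range(300)]
    + [(500 + i * 2000, "10.0.0.8", f"/api/profile/{42 + i}") for i in range(10)]
)

class SlidingWindowLimiter:
    """Allow at most `limit` requests per client in any `window_ms` milliseconds."""
    def __init__(self, limit: int, window_ms: int):
        self.limit = limit
        self.window_ms = window_ms
        self._hits = defaultdict(deque)  # client -> timestamps of allowed requests

    def allow(self, client: str, now_ms: int) -> bool:
        q = self._hits[client]
        while q and now_ms - q[0] >= self.window_ms:  # expire old timestamps
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now_ms)
        return True

def replay(log, limit: int = 60, window_ms: int = 1000) -> dict:
    """Replay a log through the limiter; return {client: (allowed, denied)}."""
    limiter = SlidingWindowLimiter(limit, window_ms)
    stats = defaultdict(lambda: [0, 0])
    for ts, client, _path in log:
        stats[client][0 if limiter.allow(client, ts) else 1] += 1
    return {client: tuple(counts) for client, counts in stats.items()}

def flag_enumeration(log, min_run: int = 20) -> set:
    """Return clients that request `min_run` or more consecutive numeric object IDs."""
    runs = defaultdict(lambda: (None, 0))  # client -> (last id seen, run length)
    flagged = set()
    for _ts, client, path in log:
        tail = path.rsplit("/", 1)[-1]
        if not tail.isdigit():
            continue
        oid = int(tail)
        last, run = runs[client]
        run = run + 1 if last is not None and oid == last + 1 else 1
        runs[client] = (oid, run)
        if run >= min_run:
            flagged.add(client)
    return flagged

if __name__ == "__main__":
    print(replay(SAMPLE_LOG))            # allowed/denied counts per client
    print(flag_enumeration(SAMPLE_LOG))  # clients walking sequential IDs
```

The limiter only slows a scraper; the enumeration check is what tells an operator that a client is walking the ID space rather than browsing, which is the signal that random or non-guessable identifiers would have removed.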
Although Parler’s user data was used for lawful ends – that is, to establish the actions of users just before the infamous Capitol riot – other API-caused breaches cause far more damage. LinkedIn’s 2021 data scraping incident saw cybercriminal Tom Liner strip the personally identifiable information (PII) from the vast majority of user accounts. A single API had been granted too much access to the data within each user account; by chaining a number of interconnected APIs, Liner was able to create a ‘super-list’ with the details of 90% of LinkedIn’s user base. He went on to use a similar technique to form a database of 533 Facebook users. In an interview with the BBC, Liner stated that user data from the LinkedIn fiasco was being sold for around $5000 a pop. The price is so high because the personal contact details of C-suite executives pave the way for high-ROI spear phishing attacks. Insecure APIs tend to damage end-users the most; part of responsible data management is guaranteeing security at every stage of the data pipeline.
The Two Key Elements of API Security
Authentication and authorization are two very different – yet equally vital – processes. Authentication describes the process of determining the identity of the end user. Authorization, on the other hand, determines what data each user has access to.
Authentication is the process users go through when they first log into an application. The API must verify this authentication, otherwise there is the risk that a user could perform an operation that is not permitted. Note that client authentication is separate from user authentication: clients can be asked to re-authenticate on every request, because the response is automated. Users, on the other hand, would find it incredibly frustrating to be asked for their login details at every API call. To solve this, authentication typically occurs at the start of a session, and for every request thereafter it is simply propagated. The channel carrying these credentials must itself be secure: for public-facing apps, that means Transport Layer Security (TLS). TLS encrypts data as it is transferred between systems, and it also lets the client verify the identity of the server it connects to. By operating on public/private key pairs, TLS protects the shared authentication data and keeps it from falling into the wrong hands.
Once a user has been authenticated, APIs need to maintain a zero-trust approach and adhere to the principle of least privilege. Authorization is a major stumbling block for many applications. The Open Web Application Security Project (OWASP) is a nonprofit organization with a focus on software security. In 2019, it analyzed hundreds of real-world exploits and released a list of the top 10 API risks facing businesses. Top of the list: Broken Object Level Authorization. This occurs when an API can be tricked into returning information outside the end-user’s scope of permissions. All an attacker needs to do is change the object ID within an API request. If no authorization check is made at the API gateway, the attacker is free to access any data they please.
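An added example (not from the article or any named project) of the Broken Object Level Authorization pattern just described: the vulnerable handler authenticates the caller but returns whatever object ID the request names, while the hardened handler also checks that the resolved object belongs to the session user. The order store, user IDs and handler names are assumptions.

```python
from dataclasses import dataclass

class Forbidden(Exception):
    """Raised when the caller may not access the requested object."""

@dataclass(frozen=True)
class Order:
    order_id: int
    owner_id: int
    total: float

# Constructed data store: orders belonging to two different users.
ORDERS = {
    101: Order(101, owner_id=1, total=19.99),
    102: Order(102, owner_id=2, total=250.00),
}

def get_order_vulnerable(session_user_id: int, order_id: int) -> Order:
    """BOLA: the caller is authenticated, but ownership of the object is never checked."""
    return ORDERS[order_id]  # any logged-in user can read any order by changing the ID

def get_order_hardened(session_user_id: int, order_id: int) -> Order:
    """Object-level check: the resolved object must belong to the session user.

    'Missing' and 'not yours' produce the same response so the endpoint does not
    reveal which IDs exist."""
    order = ORDERS.get(order_id)
    if order is None or order.owner_id != session_user_id:
        raise Forbidden(f"order {order_id} not accessible to user {session_user_id}")
    return order

def probe(handler, session_user_id: int, order_id: int) -> str:
    """Run a handler and summarize the outcome so both variants can be compared."""
    try:
        order = handler(session_user_id, order_id)
        return f"returned order {order.order_id} owned by {order.owner_id}"
    except (Forbidden, KeyError):
        return "denied"

if __name__ == "__main__":
    # User 1 is logged in and the request names an order that belongs to user 2.
    for handler in (get_order_vulnerable, get_order_hardened):
        print(handler.__name__, "->", probe(handler, session_user_id=1, order_id=102))
```

The check belongs next to the object lookup in every endpoint that takes an identifier; authentication at the gateway says who the caller is, not which rows they may read.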
Protecting end-users from ill-meaning actors can often be as simple as enforcing authorization checks in the API. Though the microservices economy promotes endless, rapid development, this risks deepening the industry’s divide between developers and security.