Written by: Gábor Marosvári, Product marketing lead, Balasys
Major concerns around the security of API traffic, and the introduction of a potential solution.
In the era of digital transformation, there is a strong focus on interconnectivity and data exchange between customers, businesses and partners. This has resulted in a boom in public-facing APIs (Application Programming Interfaces): HTTP-based application integration interfaces which expose application data to connected parties, devices and services. Today, to enable seamless machine-to-machine communication, APIs connect tens of thousands of web and cloud applications, microservices, mobile and IoT devices. And their number is skyrocketing.
APIs don’t expose just Facebook messages anymore, but an enormous amount of sensitive information: user IDs, financial data and corporate secrets are also transferred via these interfaces. APIs have become direct shortcuts to the heart of your organization. As a result, the proliferation of API infrastructures has brought with it huge security challenges. This post summarizes the major concerns around API-communication security and introduces a potential solution.
The amount of sensitive data exposed via APIs is increasing significantly, making APIs a primary target for attackers. They have started to look for vulnerable, broken APIs to find ways into the back-end systems that store sensitive data. And they are becoming increasingly successful. Many recent large data breaches have leveraged APIs; just think of the Salesforce.com, US Postal Service, T-Mobile and Strava incidents.
Today’s API attacks are increasingly complex and targeted, and they easily bypass traditional security solutions. These attacks CANNOT be detected by signature-based web application firewalls (WAFs), authentication or other baseline security tools; advanced API attacks can only be prevented by solutions built for that purpose. Businesses that are unaware of this may expose their core systems’ data while operating under a false sense of security.
Security is not a priority for many application development projects: they focus on the functional specification, user experience and deadlines. Often, security requirements are not specified in detail in these projects. Security teams have either no or limited influence on security during these projects. As a result, the developers’ toolset and workflow processes are not security-optimized. They don’t think like attackers. They deal with security just on a best-effort basis. This practice leads to unique vulnerabilities in public-facing APIs, which in turn creates risk for the business and opportunities for the bad guys.
PSD2 requires banks to open their APIs directly to retailers and third-party payment providers (TPPs or fintechs). GDPR indirectly requires anonymization or pseudonymization of personal data in transit. PCI DSS requires financial providers to encrypt the transmission of cardholder data over public networks… All these regulations have one key requirement in common: they require companies to protect customers’ data at rest and also in transit. To meet these criteria, regulated industries like finance or public services must start thinking about how to secure the sensitive data flowing through their public-facing APIs.
To sum up, many API applications are vulnerable. And breaches leveraging these vulnerabilities are genuine threats today. API attacks are increasingly complex, targeted and bypass the existing defense lines. This means that organizations operating public API-infrastructures should re-evaluate their risk and compliance posture from an API perspective. Not just end-user companies, but also IT developers should consider deploying/integrating a greater level of API security in their projects. By reducing security gaps in custom-developed applications, they can also increase their credibility and reputation.
Proxedo API Security is a highly flexible API security gateway which helps enterprises gain control over their API traffic. With Proxedo API Security, you can enforce policy on, transform, encrypt and analyze the API traffic to prevent API breaches. Thanks to its flexible architecture, your organization can implement custom API security policies without compromise. Learn more here: https://www.balasys.eu/en/proxedo-api-security
This blog post is licensed under the terms of the Creative Commons Attribution-ShareAlike 4.0 International (CC-BY-SA 4.0) License.
Szilárd Pfeiffer: API security: there is nothing new under the sun
With the incredible amount of data flowing through them, the security of APIs is becoming a growing concern in the IT industry. What are the best practices and proven solutions that organizations can follow in order to ensure the security of their APIs? There is really nothing new under the sun: APIs are secured by exactly the same precautions as anything else you publish on the internet.
Gábor Pék: Trusted Types: A world without XSS
XSS, or cross site scripting, is one of the most widespread security problems today, as confirmed by statistics from bug-hunting companies such as Hackerone. Although our defenses have been significantly strengthened in recent years, this attack vector is still with us. As we move away from server rendered pages towards SPAs (Single Page Applications), we are being forced to deal with a new type of XSS attack: the DOM XSS. Gábor shares the story of the creation of Trusted Types, a new browser-based protection mechanism, and his experience with implementing it into Avatao’s Angular code base. According to a study conducted by Google, the company "has zero DOM XSS among applications migrated to Trusted Types." A great result, to be sure! But is it worth the effort?
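To make the Trusted Types mechanism concrete, here is an added example (not code from the talk or from Avatao): a policy that turns untrusted text into escaped HTML, and a sink wrapper that behaves like `innerHTML` when the CSP header `require-trusted-types-for 'script'` is in force, accepting only policy-produced values. The `TrustedHTMLStub` class and the fallback factory are assumptions so the logic runs outside a browser, where `window.trustedTypes` does not exist.

```javascript
// Escape the five HTML metacharacters so untrusted text renders as data, not markup.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Policy rule: untrusted string -> safe fragment. Every innerHTML write for
// comments must go through this one function, which is what reviewers audit.
function renderComment(untrusted) {
  return `<li class="comment">${escapeHtml(untrusted)}</li>`;
}

// Stand-in for the browser's opaque TrustedHTML object (assumption, for offline runs).
class TrustedHTMLStub {
  constructor(v) { this.v = v; }
  toString() { return this.v; }
}

// In a browser this is window.trustedTypes; the fallback mimics createPolicy's shape.
const factory = globalThis.trustedTypes ?? {
  createPolicy: (name, rules) => ({
    name,
    createHTML: (s) => new TrustedHTMLStub(rules.createHTML(s)),
  }),
};
const commentPolicy = factory.createPolicy('comments', { createHTML: renderComment });

// Sink wrapper modelling enforcement: plain strings are rejected, as the DOM does
// under require-trusted-types-for 'script'; policy output is written through.
function setInnerHTML(el, value) {
  const trusted = (typeof TrustedHTML !== 'undefined' && value instanceof TrustedHTML)
    || value instanceof TrustedHTMLStub;
  if (!trusted) throw new TypeError('innerHTML requires TrustedHTML; CSP would block this');
  el.innerHTML = String(value);
  return el.innerHTML;
}

// Constructed sample: a comment carrying a script tag, the classic DOM XSS shape.
const SAMPLE = '<b>hi</b><script>alert(1)</script>';
function demo() {
  const el = {}; // minimal element stand-in (constructed)
  const out = setInnerHTML(el, commentPolicy.createHTML(SAMPLE)); // escaped, safe
  let blocked = false;
  try { setInnerHTML(el, SAMPLE); } catch (e) { blocked = true; } // raw string rejected
  return { out, blocked };
}
```

The point is that the sanitizing logic lives in one policy object rather than at every sink, which is what makes the "zero DOM XSS" result auditable.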
Csaba Krasznay: Wars and Cyber Warfare in the Age of APIs
A new chapter in the security of our world opened on 24 February 2022. The term ‘our world’ must also include cyberspace, as the Ukrainian-Russian war has openly demonstrated our dependence on information systems and the vulnerability of this ecosystem. Although the news of the war is still concerned with conventional armed clashes, more and more information is available concerning the activities and tools of the various state and non-state hacker groups. Companies can prepare for a renewed emphasis on cyber operations as the battles in physical space subside, with the difference that perhaps less significance will be placed on financial gain and far more on destruction. Most of enterprise IT has already migrated to the cloud and to solutions that exchange data through APIs, which have become widespread. However, the rapid transition has focused on efficiency rather than cybersecurity. It is no coincidence that, according to Gartner, APIs are expected to be the most attacked interfaces in 2022.