This article is based on a talk I gave at Black Hat MEA in November 2023. It examines the state of API security as the year ends, for two reasons. First, as in the last few years, APIs have grown in use and now dominate HTTP traffic. Second, and perhaps more importantly, this growth has been matched by growth in attacks on those APIs. Despite the release of an updated OWASP Top Ten API list, the persistent rise in API attacks should perhaps be a bigger cause for concern. Let’s examine the subject and its root causes, and consider the solutions crucial for fortifying API ecosystems.
In the last few years, APIs have become ever more powerful tools for building on top of existing technology to create more integrated and dynamic applications. They have become enablers for dynamic software applications and business alike. They can also be used in ways that improve lives. For example, a local council in the United Kingdom might want to use data provided by the Environment Agency Rainfall API to see trends in their area and prepare accordingly. A civic engagement group might want to build an application that could integrate with civic APIs to provide residents with information about upcoming elections, polling locations, and candidates. There are also regulatory reasons like open banking where in a growing number of countries, banks must allow other banks and third-party providers API access to their customer financial data. This improves competition which ultimately is good for the consumer.
As APIs have grown in number, so have attacks on them. Back in 2021, Gartner predicted that by 2022, API abuse would move from infrequent to the most frequent attack vector, resulting in data breaches for enterprise web applications. Despite numerous warnings, API attacks are still largely successful. In the years prior to this, a number of well-known organizations fell victim. OWASP, an organization focused on enhancing web application security, initially released an API-specific version of their Top Ten risks in 2019. The list was updated this year. Unfortunately, the list of large businesses being exploited has also been updated, some of them twice this year. If large organizations are falling prey, imagine what’s happening to businesses that don’t make the news. It is quite possible that this year ends up becoming a record year for API breaches. (I’ve avoided calling out specific organizations as this isn’t a finger-pointing exercise.)
In fact, this impacts us all. Ignoring the fact that $4.45M is the average global cost of a data breach, more and more of our personal data is in the hands of bodies that might potentially not have enough safeguards in place even though they think they do. Data exposure or account takeovers leading to identity theft are pains that people go through more often than they should. The surge in API attacks underscores the need for a deeper understanding and a more sophisticated defense posture.
Throughout the last year, the key challenges security faced fall into these 5 areas:
Authentication / Authorization conundrum: The breach landscape often traces back to weaknesses in auth/auth mechanisms. Whether it’s due to compromised credentials, weak authentication methods or insufficient processes/protocols around this, the centrality of identity is a point that’s not evolving with the threat landscape. Broken Object Level Authorisation (BOLA) is the number one API security risk on both OWASP lists, years apart.
Proliferation of APIs: Both internal and public facing, the growth of APIs has been staggering. The diversity of APIs as well as the context in which they are being used makes this a steadily growing challenge.
Your WAF: Typically doesn’t mean anything for API specific traffic and cannot solve point 1 above. Most attacks appear as legitimate traffic and many WAFs (including those with elements of machine learning) will let them through. Disbelieving your WAF is a missing early step.
Stuck in the middle: The inability to shift-left despite the widespread recognition of its importance seriously weakens the implementation of robust end-to-end protections. Designing and building with security in mind is still an unfamiliar idea to many teams. To others, the unfamiliar idea is that security should be a continuous, adaptive process.
API configuration: Misconfigurations, the Achilles' heel of API security, remain a pain in API security management. This covers various things that can go wrong with implementing an API, such as leaving unused methods enabled, leaving default endpoints that are not in use, and excessive logging. There is a reliance on static configurations rather than continuous, adaptive adjustments that align with evolving threat intelligence.
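The first and third points above, shown as an added example that is not from the talk or from any product: a Python sketch of one endpoint with and without an object-level authorization check. The invoice data, tokens, paths and the looks_malicious signature rule are all constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample data: two customers, one invoice each.
INVOICES = {
    101: {"owner": "alice", "total": 120.00},
    102: {"owner": "bob", "total": 87.50},
}
# Constructed bearer tokens mapped to the user they authenticate.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


@dataclass
class Request:
    method: str
    path: str
    token: str


def looks_malicious(req: Request) -> bool:
    """Stand-in for a signature rule: flags injection-style characters only."""
    return any(marker in req.path for marker in ("'", "<", "..", ";"))


def get_invoice_vulnerable(req: Request):
    """Authenticates the caller but never checks who owns the object."""
    if req.token not in SESSIONS:
        return 401, None
    invoice = INVOICES.get(int(req.path.rsplit("/", 1)[1]))
    return (200, invoice) if invoice else (404, None)


def get_invoice_hardened(req: Request):
    """Same lookup, plus an object-level authorization check."""
    user = SESSIONS.get(req.token)
    if user is None:
        return 401, None
    invoice = INVOICES.get(int(req.path.rsplit("/", 1)[1]))
    # Answer 404 for both "missing" and "not yours" so IDs cannot be probed.
    if invoice is None or invoice["owner"] != user:
        return 404, None
    return 200, invoice


# Bob holds a valid token and asks first for Alice's invoice, then his own.
cross_tenant = Request("GET", "/api/v1/invoices/101", "tok-bob")
own_object = Request("GET", "/api/v1/invoices/102", "tok-bob")
```

Both requests are well-formed and authenticated, so a rule that inspects only the request has nothing to flag; the difference between them exists only in the application's own data, which is where the check has to live.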
Progress in this sector is hampered by three root causes:
Knowledge / Expertise: Ignorance. Individuals/teams with no knowledge, understanding, or awareness of API specific security. It can stem from a lack of exposure, education, or curiosity.
Funds: Budget. Teams are asked to do more on limited resources. Knowledgeable engineers may come with higher salaries. API specific security tools or gateways typically don’t come free. Training is also seen as costly. Organizations do not keep in mind the cost of an attack when allocating funds.
Priorities: Deadlines. Often, the launch of a new product/API is more important than the security hoops needed for sign-off. When security and development are not functioning like an orchestra, headlines are in the organization’s future.
It’s important to note that these are not mutually exclusive.
Visibility: If you can’t see it, you can’t protect it. Whether called discovery or inventory, what matters is that your team always knows what it has and where. Shadow, Zombie, Beta, Invisible APIs are a quick way for attackers to pivot into your infrastructure.
Zero Trust architecture: Every access request is treated as potentially malicious until proven otherwise, shifting the paradigm of trust. Be prepared for when your identity/SSO provider does get hacked.
AI-driven anomaly detection: The integration of artificial intelligence for real-time anomaly detection. Organizations should use machine learning algorithms to analyze patterns, behaviors, and deviations – enabling proactive identification and mitigation of potential threats.
Deeper integration of DevSecOps: Embedding security seamlessly into the development process is no longer a suggestion but a mandate. DevSecOps, with a focus on continuous integration and security, emerges as a pivotal strategy for resilient API ecosystems.
Defense in depth: Your security strategy should be layered. Does your system prevent volumetric attacks? If yes, then does it have solid authorisation/authentication checks? If yes, does it have a robust encryption flow? If yes …
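One way to start on the visibility point above, as an added example that is not from the talk: a Python sketch that compares endpoints seen in access logs against a declared inventory. The inventory, the simplified "METHOD PATH STATUS" log format and the log lines are constructed assumptions.

```python
import re
from collections import Counter

# Assumed inventory: method + path template for every API the team knows about.
INVENTORY = {
    ("GET", "/api/v2/orders/{id}"),
    ("POST", "/api/v2/orders"),
    ("GET", "/api/v2/health"),
}

# Constructed access-log lines in a simplified "METHOD PATH STATUS" form.
LOG_LINES = [
    "GET /api/v2/orders/1841 200",
    "POST /api/v2/orders 201",
    "GET /api/v1/orders/1841 200",     # old version still answering
    "GET /api/v1/orders/77 200",
    "DELETE /api/v2/orders/1841 204",  # method nobody documented
    "GET /api/v2/beta/export 200",     # beta route left reachable
    "GET /api/v2/admin/debug 404",
]


def normalise(path: str) -> str:
    """Drop the query string and collapse numeric/UUID segments into {id}."""
    uuid = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"
    return re.sub(rf"/(?:\d+|{uuid})(?=/|$)", "/{id}", path.split("?", 1)[0])


def find_unlisted(lines, inventory):
    """Endpoints that were served (non-404) but are missing from the inventory."""
    hits = Counter()
    for line in lines:
        method, path, status = line.split()
        if status == "404":  # nothing answered, so nothing is exposed
            continue
        endpoint = (method, normalise(path))
        if endpoint not in inventory:
            hits[endpoint] += 1
    return dict(hits)


def find_unused(lines, inventory):
    """Inventory entries with no traffic in the sample: candidates for review."""
    seen = {(m, normalise(p)) for m, p, _ in (l.split() for l in lines)}
    return inventory - seen
```

On the sample lines, find_unlisted surfaces the v1 route, the undocumented DELETE and the beta export; find_unused returns the inventory entries that saw no traffic in the sample.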
These and other suggested, popular solutions e.g. threat modeling, decentralized IAM, real-time intel feeds, automated responses, enhanced network security, runtime validation, etc. all fall under three primary categories to keep in mind:
Governance - Think of your processes, policies, and practices
Tools - Invest in your technologies
People - Training, testing, culture
Individuals, teams, and organizations must remember that there isn’t a one-size-fits-all fix to this. You must account for your risk acceptance levels, business needs, your regulatory requirements, etc. You must also learn from all the attacks that have gone before you. If you do fall victim, it helps to be transparent, not just for regulatory reasons but also to allow others to benefit from your experience.
As 2023 ends, it’s clear that figuring out the complex challenge of API security requires a multifaceted approach that addresses root causes with precision and embraces modern solutions. Organizations willing to invest in a proactive, dynamic defense will find themselves better positioned to navigate the menacing threat landscape. Organizations should make sure there are rule definitions which are enforced from concept through to deprecation.
Stay vigilant! And a Happy New Year ahead to you!
Damiete King-Harry — @damiete
Solutions Architect, Cloudflare
After reading this article you will be able to understand:
Why API attacks are perhaps more dangerous than ever
The value of the OWASP API top ten
How to protect your organization with modern, sophisticated solutions