Last year the OWASP Top 10 committee was prophetic in at least one of its inclusions in the update to its industry benchmark list. For the first time, the group included insecure APIs as one of the most common attack vectors that developers need to avoid adding to their code when creating software. Looking back on 2018, you can see why they sounded the warning.
This year has provided a long list of very public breaches that have gone down as a result of insecure APIs, including the most recent breach of the United States Postal Service, which exposed account details for more than 60 million users.
Here’s the rundown of the highest profile damage wrought by poorly secured APIs:
Fitness app Strava showed the world how even seemingly innocuous APIs can have damaging consequences when not securely designed. Popular among military personnel to track their fitness routes, the app managed to expose an amazing global heatmap of military bases around the world through an open API that shares users’ movements online.
Over 37 million records that included the customer names, email addresses, physical addresses, birthdays, and last four digits of credit cards were exposed in plain text via a completely unauthenticated and searchable API run by Panera Bread. When the breach was discovered in April, security experts called the breach an “inexcusable oversight that took too long to fix.”
This summer it was found that the PayPal-owned Venmo payment app had been leaking hundreds of millions of transaction details since 2016. A security researcher explained how she used Venmo’s public API to download over 207M transactions made in 2017 and was able to learn an “alarming amount” about the users and their financial dealings.
CRM vendor Salesforce told customers in August that a flaw in an API within its Marketing Cloud service potentially exposed their information. The company said the bug may have been used to trigger API calls that could retrieve or write data from one customer account to another.
Just before Thanksgiving KrebsonSecurity blew the lid off an API leak that a security researcher informed the USPS about over a year ago to no response from the agency. According to Krebs, “The flaw let any logged-in usps.com user query the system for account details belonging to any other users, such as email address, username, user ID, account number, street address, phone number, authorized users, mailing campaign data and other information.”
Worse yet, the flaw accepted wildcard search parameters, so users didn’t need to search for specific terms to hit paydirt. This breach is not only the most recent but probably the most egregious of the 2018 crop.
“This is not even Information Security 101, this is Information Security 1, which is to implement access control,” security researcher Nicholas Weaver told Krebs. “It seems like the only access control they had in place was that you were logged in at all.”
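To make that access-control gap concrete, here is an added Python sketch (not USPS code and not from the Krebs article) of an account-lookup handler in the shape Krebs describes, beside a hardened version that enforces ownership and refuses wildcard input; the accounts, field names and function names are constructed for the example.

```python
import fnmatch

# Constructed sample data for the example; not real account records.
ACCOUNTS = {
    "1001": {"owner": "alice", "email": "alice@example.invalid", "phone": "555-0100"},
    "1002": {"owner": "bob",   "email": "bob@example.invalid",   "phone": "555-0101"},
}


class LoginRequired(Exception):
    """Raised when there is no authenticated session at all."""


def lookup_vulnerable(session_user, pattern):
    """Mirrors the flaw described above: the only check is that the caller is
    logged in, and the search term is matched as a glob against every
    account id, so a '*' parameter returns every user's details."""
    if session_user is None:
        raise LoginRequired("login required")
    return [rec for acct_id, rec in ACCOUNTS.items()
            if fnmatch.fnmatchcase(acct_id, pattern)]


def lookup_hardened(session_user, account_id):
    """Object-level authorisation: the id must be a literal, well-formed
    identifier, the record is resolved by exact key, and the session user
    must own it. Returns None for both 'missing' and 'not yours' so the
    response does not reveal which ids exist."""
    if session_user is None:
        raise LoginRequired("login required")
    if not account_id.isdigit():       # rejects '*', '%', '?' and any pattern
        raise ValueError("account id must be a numeric identifier")
    rec = ACCOUNTS.get(account_id)
    if rec is None or rec["owner"] != session_user:
        return None
    return rec


def bulk_response_alert(records, threshold=1):
    """Simple detection hook: an account-detail endpoint that ever returns
    more than one record per request is worth alerting on."""
    return len(records) > threshold
```

Running the hardened lookup with a wildcard raises before any data is touched, and a valid id owned by someone else yields the same None as a nonexistent id.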
These are just the highlights of attacks occurring in the last 11 months. The likes of T-Mobile, Instagram, and McDonald’s have all suffered similar API breaches and exposures in recent years.
According to research released in the last couple of weeks, we can expect plenty more of the same as we look forward to 2019. The data shows that enterprises are on track for more of these stumbles because they’re simply not taking control of API security yet.
According to a survey of approximately 100 IT and security pros, Ping Identity found that 45 percent of them aren’t confident in their security organization’s ability to detect whether bad actors are accessing their APIs. What’s more, over half of them say they’re not even sure if the security team knows about all of the APIs that exist in their organization.
That’s a troubling thought given the trajectory of growth that APIs are on within the greater enterprise software portfolio. Ping’s study shows that 60% of organizations have at least 400 APIs in their environment, and one in five organizations have over 1,000 APIs.
These numbers are likely to mushroom as organizations increasingly depend on interconnected applications to run their internal and external software portfolios.
API growth is tied directly to the growth of microservices, an approach that breaks monolithic software down into bite-sized components that are easier to maintain and deliver continuously. These microservice components can be reused and recombined in endless combinations to help developers stop reinventing the wheel when building common functions across different applications. But all of these components need to be brought together, and APIs are commonly the glue that holds everything together.
That’s of course just one small piece of the puzzle—organizations also lean heavily on APIs to make users’ lives easier through better integration of disparate applications, including external applications sourced and/or used by partners and customers. Needless to say, APIs play a huge role for organizations seeking to digitally transform themselves.
“I’ve been watching the technology, business, and politics of APIs in a full time capacity since 2010, and the biggest trend I’m seeing in 2018 is that it’s no longer a conversation about whether or not businesses should be doing APIs,” writes Kin Lane, who's known as the API Evangelist. As he explains, using APIs profusely is simply table stakes for today’s application-driven economy. “It is expected that you need APIs to do business in this digital age."
If organizations don’t build security into the API development process, it’s only a matter of time before cybercriminals start seeking APIs out as low-hanging fruit. Gartner says that within three years’ time, API abuses will be the most cited cause of data breaches within enterprise applications.
“Now is not the time to ignore cyber security threats targeting APIs,” said Jason Bonds, vice president, Intelligence at Ping Identity. “We’re quickly moving from a world where the average enterprise manages a handful of APIs and web services to one where they are contending with thousands of APIs and microservices. And, these are spanning multiple infrastructure providers and regions around the globe.”