The role of the application programming interface (API) keeps rising in prominence within the enterprise. And as that happens, so does the risk of APIs as an enterprise attack surface. According to security experts, API security will be a top concern for many cybersecurity organizations in the coming year.
API security is no longer a problem of the future—widespread API proliferation is already here, after all. According to a report earlier this year from Akamai, a full 83% of web traffic is now API traffic. There are a number of factors that are increasing the prevalence—and the importance—of APIs within organizations both large and small.
Digital transformation increases the business importance of both internal and external application integrations. Trends like open banking and cultivation of mobile app ecosystems rely on APIs to keep services running and data flowing. More fundamentally, the world of DevOps pushes the enterprise to move more aggressively toward loosely coupled microservices versus monolithic legacy applications, which means that all of these components need APIs to help glue everything together.
"Microservices architectures, as well as the general trend to cloud computing, mobile- and rich web applications, IoT, led to proliferation of APIs," says Dmitry Sotnikov, vice president of cloud platform at 42Crunch. "What used to be an internal call between application components in the world of monolithic applications of the past, is now an API call often made over public network and susceptible to attacks."
Further exacerbating the problem is the continuous nature of software improvements through DevOps—which means that without automated security controls and guardrails it becomes nearly impossible to manage the safety of API code and configurations.
"Rapid agile iterations of hundreds if not thousands of APIs within a single company makes it impossible for the security team to manually control and enforce security policies and best practices across all of them," Sotnikov says.
As a result, analysts and security pundits believe that 2020 will kick off a growing API security problem that will snowball throughout the next decade.
"In the year ahead, API abuses will become an even more prominent vector for data breaches within enterprise applications," says Erez Yalon, head of security research for Checkmarx. "Today, there’s almost no way to develop a modern application without some sort of API integration, and adversaries are taking note, now setting their sights on this emerging attack frontier."
As of 2019, just under one in five organizations report that attackers target their APIs daily with access violations and denial-of-service attacks. Approximately 16% of organizations say their APIs are subject to daily injection attacks, and 15% experience data leakages at that rate. The last day of 2019 also served as a harbinger of the problems in API security that are likely to surface in 2020. Bleeping Computer reported on an exposure by developers at Starbucks that "left exposed an API key that could be used by an attacker to access internal systems and manipulate the list of authorized users."
The key was discovered in a public GitHub repository and gave anyone who stumbled upon it the power to access Starbucks' JumpCloud API. The researcher who discovered the key demonstrated that it made it possible for adversaries to take control of Starbucks AWS accounts, execute commands on systems, and add or remove users with access to internal systems.
Gartner estimates that within a year some 90% of web-enabled applications will be more exposed to attack by API weaknesses than via the user interface—that'll be up from 40% of apps in 2019. And within two years Gartner predicts that APIs will be the most commonly targeted attack vector in the enterprise.
Yalon believes that it is incumbent upon enterprises to start training developers and DevOps teams in the next year on how to reduce the risk of API exposures and breaches.
"API security education will be paramount in 2020 and beyond in order to reduce these related risks and the vulnerabilities that cause them," Yalon says. "Developers should leverage resources available to them, such as the OWASP API Security Top 10 list, which tracks the risks that organizations face concerning their usage of APIs."
The OWASP API Security Top 10 list is a labor of love for Yalon, who is the lead for the project, working alongside Inon Shkedy of Traceable.ai. The project is still a release candidate, so the list may change, but it stands as follows:
The OWASP API Security Top 10
- Broken object level authorization
- Broken authentication
- Excessive data exposure
- Lack of resources and rate limiting
- Broken function level authorization
- Mass assignment
- Security misconfiguration
- Injection
- Improper assets management
- Insufficient logging and monitoring
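As an added illustration of the first and sixth items in the list (not code from this article or from the OWASP project), the following Python contrasts an order lookup with broken object level authorization and an update exposed to mass assignment against hardened versions; the order store, user names, roles and the writable-field allow-list are constructed sample data.

```python
from typing import Optional

# Constructed sample data: two customers, each owning one order, plus an admin.
ORDERS = {
    101: {"owner": "alice", "total": 42.0, "status": "paid"},
    102: {"owner": "bob", "total": 17.5, "status": "pending"},
}
USER_ROLES = {"alice": "customer", "bob": "customer", "ops": "admin"}

# Vulnerable (broken object level authorization): the handler trusts the
# object id from the request and never asks whether the caller owns it.
def get_order_bola(caller: str, order_id: int) -> Optional[dict]:
    return ORDERS.get(order_id)

# Hardened: ownership (or an admin role) is checked on every object access.
def get_order_checked(caller: str, order_id: int) -> Optional[dict]:
    order = ORDERS.get(order_id)
    if order is None:
        return None
    if order["owner"] != caller and USER_ROLES.get(caller) != "admin":
        return None  # indistinguishable from "not found", so ids cannot be enumerated
    return order

# Vulnerable (mass assignment): every client-supplied field is written to the
# object, so a customer can set "status" or even "owner" directly.
def update_order_mass_assign(caller: str, order_id: int, body: dict) -> Optional[dict]:
    order = get_order_checked(caller, order_id)
    if order is None:
        return None
    return {**order, **body}  # returns a new dict; the sample store is not mutated

# Hardened: an explicit allow-list of fields a customer may edit (hypothetical
# policy for this sample); everything else is dropped and reported.
WRITABLE_FIELDS = {"total"}

def update_order_allowlist(caller: str, order_id: int, body: dict) -> Optional[dict]:
    order = get_order_checked(caller, order_id)
    if order is None:
        return None
    rejected = sorted(set(body) - WRITABLE_FIELDS)
    updated = {**order, **{k: v for k, v in body.items() if k in WRITABLE_FIELDS}}
    return {"order": updated, "rejected_fields": rejected}
```

Logging the `rejected_fields` value is a cheap detection signal: a client repeatedly sending non-writable fields is probing for mass assignment.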
In comments made earlier this year to The Daily Swig on the impetus for the project, Yalon explained that APIs are no longer "just protocols to move data, as they are the main component of modern applications." As he explains, a separate list is necessary because the riskiest threats to APIs differ from those in traditional applications.
"Traditional vulnerabilities like SQLi, CSRF, and XSS are becoming less common in APIs," he said. "At the same time, there's been an increase in vulnerabilities that are either specific to APIs or present a bigger risk, which many developers are unaware of."