As enterprises continue their digital journey, security teams are preparing for the good, the bad, and the worst of APIs. We’ll explain in plain language what APIs do, how they are attacked, and how API security works either as a standalone solution or with Web Application Firewall and DDoS Protection as part of an overall defense-in-depth application security strategy.
Application programming interfaces (APIs) are software intermediaries that allow applications to communicate with each other. Web APIs connect between apps and other services or platforms, such as social networks, games, databases, and devices. Additionally, Internet of Things (IoT) applications and devices use APIs to collect data or even control other devices. For example, a utility company might use an API to adjust the temperature of a thermostat to save energy.
APIs also enable rapid development and innovation in cloud-native environments. APIs abstract away low-level software layers and allow developers to focus on the core functionality of their applications. They both lower the barrier to entry for inexperienced developers and increase efficiency for more experienced ones. They offer unprecedented flexibility and speed at lower cost than other development approaches. To learn more about the benefits of APIs in web application development, read my article on how web applications are attacked via APIs.
How Cybercriminals Attack APIs
APIs are often self-documenting: they expose information about their implementation and internal structure that an attacker can use as reconnaissance. This makes them tempting targets for cybercriminals. Additional weaknesses, such as weak authentication, lack of encryption, business logic flaws, and insecure endpoints, expose APIs to the types of attacks described below.
Man-in-the-Middle (MITM)
A man-in-the-middle attack (MITM) involves an attacker secretly relaying, intercepting, or altering communications, including API messages, between two parties to obtain sensitive information.
For example, a malicious actor can position themselves between an API that issues a session token in an HTTP header and the user’s browser. Intercepting that session token gives the attacker the user’s session, and with it access to the account, which could include sensitive personal data such as credit card information and login credentials. The standard countermeasure is TLS on every API call, with the client validating the server’s certificate, so the token never crosses the network in the clear; a token carried in a cookie should also be marked Secure so the browser never sends it over plain HTTP.
API injections (XSS and SQLi)
For example, an attacker can inject a malicious script into a vulnerable API (i.e. one that does not correctly filter input and escape output, often abbreviated FIEO) to launch an XSS attack against end users’ browsers. Likewise, malicious commands can be embedded in an API message, such as a SQL command that deletes tables from a database.
Any web API that relies on parsers or processors for its input is exposed to this class of attack. For example, a code generator that parses JSON and does not properly sanitize its input can be made to emit executable code that then runs in the development environment.
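The two injection paths above, SQL injection through an unescaped query parameter and stored XSS through unescaped output, side by side with their fixed forms. This is an added example, not code from the original post or from Imperva; the in-memory SQLite table, the sample users and the tautology payload are constructed for illustration.

```python
import html
import sqlite3

# Constructed sample data for this example; not from the original post.
SAMPLE_USERS = [
    ("alice", "likes <b>bold</b> text"),
    ("bob", "<script>alert(1)</script>"),  # stored XSS payload planted via the API
]


def make_db():
    """Build an in-memory SQLite table that stands in for the API's backing store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, bio TEXT)")
    conn.executemany("INSERT INTO users (name, bio) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """SQLi: the untrusted 'name' parameter is concatenated straight into the query."""
    sql = "SELECT name, bio FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Parameterised query: the driver binds 'name' as data, never as SQL."""
    return conn.execute("SELECT name, bio FROM users WHERE name = ?", (name,)).fetchall()


def render_vulnerable(rows):
    """XSS: database content is written into HTML without escaping the output."""
    return "".join(f"<li>{name}: {bio}</li>" for name, bio in rows)


def render_safe(rows):
    """Escape on output so stored markup is displayed as text, not executed."""
    return "".join(f"<li>{html.escape(name)}: {html.escape(bio)}</li>" for name, bio in rows)


if __name__ == "__main__":
    db = make_db()
    tautology = "x' OR '1'='1"          # classic SQLi probe sent as the ?name= parameter
    print("vulnerable:", lookup_vulnerable(db, tautology))   # every row leaks
    print("safe:      ", lookup_safe(db, tautology))         # no match: []
    print(render_vulnerable(lookup_safe(db, "bob")))          # <script> reaches the browser
    print(render_safe(lookup_safe(db, "bob")))                # &lt;script&gt; is inert
```

The tautology returns every row from the vulnerable lookup and nothing from the parameterised one, which is the same class of flaw as the table-dropping command in the text. Note that escaping happens at output time: the stored payload is left untouched in the database, and the safe renderer is what keeps it from executing.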
A DDoS attack on a web API tries to exhaust its memory and processing capacity, either by flooding it with concurrent connections or by sending or requesting large amounts of data in each request. If you have visibility into the targeted API, you know how it will react to a flood of requests, and good DDoS protection will help mitigate the attack.
That protection is undermined, however, when you don’t know the full schema of the API facing the deluge, or the changes that have been made to it, because then you cannot predict how it will react to the attack.
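The two flood patterns described above (many requests from one source, and oversized bodies in each request) and the per-client gate an API would put in front of its parsers to shed them. This is an added example, not code from the original post or from Imperva; the limits, the client addresses and the request timeline are constructed for illustration, and a fake clock keeps the run reproducible.

```python
import time
from collections import defaultdict

# Assumed limits for this example; real values depend on the endpoint.
MAX_BODY_BYTES = 64 * 1024   # largest request body the API will read and parse
RATE_PER_SECOND = 5.0        # sustained requests allowed per client
BURST = 10                   # short burst tolerated per client


class TokenBucket:
    """One bucket per client: refills at 'rate' tokens/s, holds at most 'capacity'."""

    def __init__(self, rate, capacity, clock=time.monotonic):
        self.rate = rate
        self.capacity = capacity
        self.clock = clock
        self.tokens = float(capacity)
        self.last = clock()

    def allow(self):
        now = self.clock()
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class ApiGate:
    """Front-door checks that run before a request reaches any parser or handler."""

    def __init__(self, rate=RATE_PER_SECOND, burst=BURST, max_body=MAX_BODY_BYTES,
                 clock=time.monotonic):
        self.max_body = max_body
        self.buckets = defaultdict(lambda: TokenBucket(rate, burst, clock))

    def check(self, client, body_len):
        """Return the HTTP status to answer with: 200 to proceed, 413 or 429 to reject."""
        if body_len > self.max_body:
            return 413            # oversized payload: refuse before reading or parsing it
        if not self.buckets[client].allow():
            return 429            # this client is over its budget: shed the request
        return 200


class FakeClock:
    """Deterministic clock so the constructed flood below is reproducible."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


def run_flood(gate, clock, events):
    """Feed (seconds_from_start, client, body_len) events through the gate; count outcomes."""
    counts = {200: 0, 413: 0, 429: 0}
    for t, client, body_len in events:
        clock.now = t
        counts[gate.check(client, body_len)] += 1
    return counts


def constructed_flood():
    """Constructed sample: one client hammering a 2 KB endpoint at ~140 req/s for 1.4 s."""
    events = [(i * 0.007, "203.0.113.7", 2048) for i in range(200)]
    events.append((2.0, "203.0.113.7", 5 * 1024 * 1024))   # then one 5 MB body
    events.append((2.0, "198.51.100.2", 512))              # an unrelated, well-behaved client
    return events


if __name__ == "__main__":
    clk = FakeClock()
    gate = ApiGate(clock=clk)
    print(run_flood(gate, clk, constructed_flood()))
```

With these limits the abusive client gets its burst of 10 plus the handful of requests the 5/s refill pays for, everything else is answered 429 without touching a handler, the 5 MB body is refused with 413 before it is read, and the unrelated client is unaffected because buckets are per client. The body-size check comes first on purpose: a request you have not read yet has cost you almost nothing, and that is the point at which to turn it away.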
How API security works
Imperva API Security gives security teams full API visibility – without requiring developers to publish APIs via OpenAPI or adding a resource-intensive workflow to their CI/CD processes – by providing comprehensive contextual data and tags and automatically determining the risks associated with sensitive data. Security teams can take advantage of continuous API discovery – of known edge APIs, unknown shadow APIs, and internal APIs driving transactions on the backend – to embed a positive security model and ensure continuous protection against API-based threats. Additionally, when an API is updated, Imperva API Security enables security teams to understand any new risks and incorporate the changes. All of this leads to faster and more secure software release cycles. Imperva API Security is a tool that lets security keep pace with innovation without impacting development time.
Join us to learn more about API trends, terms, key use cases, and the key features your security and DevSecOps teams need to protect your enterprise data. Chris Rodriguez, Research Director of IDC’s Security and Trust practice, will kick off the session with his insights on the industry. Next, Imperva API Security Manager Lebin Cheng will share what customers are saying about API Security.
Join us on March 30 and find out about:
- Trends driving rapid API adoption and the emerging risk surface resulting from outdated API inventory
- Where application security fits into API protection and risk reduction
- Which tools are best to cover each part of the OWASP API Top 10
- A strategy to discover and classify each API in and out of production
- Hear from two industry experts on API security and how APIs have become the lingua franca of the internet today, and why you need to act fast to prevent data breaches.
Book your place today.
*** This is a Security Bloggers Network syndicated blog from Blog, written by John Oh. Read the original post at: https://www.imperva.com/blog/api-security-explained/