API Design: From inexplicably drained car batteries to personal information looked up via a phone number, even seemingly harmless irregularities in API (Application Programming Interface) interactions can pose a threat. This was the case when a coffee chain rolled out an online ordering app. The API had been developed and secured according to generally accepted security standards, and the API calls for coffee orders followed the usual security procedures and protocols. However, in one country there was a noticeable increase in the number of orders that were paid for but never picked up. On closer inspection, the company found that almost every store was receiving such orders, always more than two per store.
After ruling out all other technical causes, the company concluded that automated fake orders were being sent to the API purely to obtain the confirmation response, which included a sequential order number. That sequential value unintentionally carried business information: two orders placed at the same store some time apart reveal, from the difference between their order numbers, how many orders the store processed in between, so the sales volume of each branch could be read off. This is lucrative information for a competitor, who could see at which locations a new opening was worthwhile. Despite compliance with all applicable security standards, the API had unintentionally disclosed internal company information.
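The arithmetic behind the coffee-order leak, and the usual fix, as an added example (not code from the article or the coffee chain). The confirmation records, store name and order numbers are constructed; the hardened `OrderStore` class is a hypothetical replacement that keeps the sequential counter internal and returns a random, opaque identifier instead.

```python
import secrets

# Constructed sample (not real data): two confirmation responses captured for the same
# store, one early in the day and one late, each carrying the sequential order number.
CONFIRMATIONS = [
    {"store": "store-17", "time": "2021-03-01T08:02:11Z", "order_id": 104_211},
    {"store": "store-17", "time": "2021-03-01T20:58:40Z", "order_id": 104_583},
]


def orders_between(first_id: int, second_id: int) -> int:
    """Orders the store processed strictly between two sequential order numbers.

    This is the whole 'attack': no exploit, just arithmetic on an identifier that
    was never meant to carry information.
    """
    if second_id <= first_id:
        raise ValueError("order numbers must be increasing")
    return second_id - first_id - 1


def daily_sales_estimate(confirmations) -> int:
    """Sales volume of one store between the first and last probe order."""
    first, last = confirmations[0]["order_id"], confirmations[-1]["order_id"]
    return orders_between(first, last)


class OrderStore:
    """Hardened variant (hypothetical): the sequential number stays internal and the
    API only ever returns an opaque, randomly generated public identifier."""

    def __init__(self):
        self._next_internal = 1
        self._orders = {}  # public_id -> (internal_id, store)

    def create_order(self, store: str) -> str:
        internal_id = self._next_internal
        self._next_internal += 1
        # 16 random bytes: unguessable, not enumerable, and carries no ordering.
        public_id = secrets.token_urlsafe(16)
        self._orders[public_id] = (internal_id, store)
        return public_id

    def lookup(self, public_id: str):
        """Resolve a public ID back to (internal_id, store); None if unknown."""
        return self._orders.get(public_id)


if __name__ == "__main__":
    print("leaked daily volume for store-17:", daily_sales_estimate(CONFIRMATIONS))
    shop = OrderStore()
    a, b = shop.create_order("store-17"), shop.create_order("store-17")
    print("opaque IDs reveal nothing about order count:", a, b)
```

If the public identifier has to be deterministic (for idempotent retries, say), an HMAC over the internal number with a server-side key gives the same property: callers cannot invert it, and two IDs no longer reveal how many orders lie between them. Either way the check is the same: an outsider holding any number of identifiers must learn nothing about volume, timing or other customers.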
API Design: Usage Has Exploded In Recent Years
API usage has exploded in recent years. Today more than 22,000 APIs are listed in the ProgrammableWeb directory. APIs, the glue that holds the connected world together, have grown rapidly in number and capabilities. Compared to conventional web forms they are faster and more powerful, but unfortunately also more difficult to protect. Gartner has predicted that by 2022 API abuses will be the most frequent attack vector leading to data breaches in enterprise web applications. Typically well documented, APIs connect people, places, and things to create seamless integrations, richer experiences, and new revenue models. When an API is abused, the impact can be significant.
But even as one breach after another is exposed, most organizations are still not doing enough to limit API abuse. Companies go to great lengths to protect their applications and websites but leave the back door wide open with unprotected API access. Just because an API doesn't appear to be directly exposed doesn't mean it can't be breached. An API call is not the same as a web page request, and security controls built around browser traffic do not automatically cover the API. In general, API abuse is difficult to prevent, especially when nobody is looking.
API Design: Fixing Vulnerabilities
When vulnerabilities are discovered in an API design, they are not always easy to fix. Roughly a third of API calls come from web browsers, where vulnerabilities are easier to monitor and remediate; the remaining two-thirds are direct machine-to-machine communication, such as IoT devices, and background communication from apps on game consoles, smartphones, or tablets.
The software in many connected devices is not easy to update and maintain. Even today, IoT devices tend to ship without a software update mechanism, and if vulnerabilities are found, the likelihood that they will be patched is extremely low. How often do users update the firmware of a connected baby monitor or coffee maker?
API Design: Unchanged Attack Behavior
There is good news and bad news about API attacks. The good news is that attacker behavior has remained almost unchanged over the past few years. Widespread tactics include Distributed Denial of Service (DDoS) attacks that disrupt availability or exhaust resources, more direct attacks on the web infrastructure that attempt to exploit vulnerabilities in order to gather intelligence, and insider threats that give intruders a foothold in the data flow or introduce malware, spyware or ransomware into systems.
Unfortunately, these attacks have not only increased in intensity over time; the quality of execution has also improved, making detection and containment more difficult. With data theft rampant, exploitation of weak or stolen credentials is now the order of the day. And finally there is the abusive use of legitimate API functionality, as the coffee ordering example shows.
API Design: Machine To Machine Communication
More bad news: not only are APIs easier to attack than traditional web forms, attacks on them also spread faster because APIs make machine-to-machine communication easier. Attackers benefit from the proliferation of APIs too. Even when organizations apply security controls to APIs, they often cannot keep up with the speed at which development teams adopt APIs, or at which a department adopts a new third-party service.
Developing Secure APIs
APIs were developed to enable fast, structured machine-to-machine communication over the network. In enterprises, APIs accelerate innovation by adapting faster to user needs and improving the stability of application services. APIs make everyday life easier and help improve customer satisfaction and thus business results. To arrive at a more secure API design that is less likely to become a gateway for attackers, developers should consider each API's usage model, its users, and its operational role.
For the usage model, developers should identify and prioritize the respective users and use cases so that suspicious activity is easier to spot later. For example, a partner company placing orders should not have the same access as a student intern. The following questions should therefore be answered:
- What are the use cases for the API?
- Who are the intended users?
- Who are the current users?
- Which user groups should be given preferential treatment?
Once the target audience and use cases are defined, developers need to build additional data points into the API to tell callers apart, for example a per-client credential or client identifier on every request. With better identification of callers, abnormal behavior is much easier to track and attribute. Sometimes legitimate API users also cause unexpected load, knowingly or unknowingly. In one case of excessive API usage, an Asian company received unusually high traffic to one of its web addresses, peaking at 875,000 requests per second.
An initial assessment showed all the characteristics of a large DDoS attack, but the incident was not an attack. A tool in use had reacted incorrectly to a change. When the security department started filtering traffic to protect the backend, this was not yet known; the tool kept trying to reach its goal and now failed because of the filtering rules. A prompt inspection of the traffic was then able to rule out malicious intent. The company and the tool's maker confirmed that a misconfiguration was the cause, and within a few hours a fix was pushed to the affected systems.
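What the "additional data points" buy you in an incident like the one above, as an added example (not code from the article or the company involved): when every request carries a client identifier, a flood can be attributed. The log format, client names, addresses and paths are constructed for the example; the rule that a burst coming almost entirely from one identified client is a misbehaving integration rather than a DDoS is the heuristic the passage describes, not a rule from the page.

```python
import re
from collections import Counter

# Assumed log format (hypothetical): one request per line with the authenticated
# client identifier (or "anonymous") and the source IP.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) src=(?P<src>\S+) path=(?P<path>\S+) status=(?P<status>\d{3})$"
)

# Constructed sample 1: one partner integration hammering the orders endpoint.
SINGLE_CLIENT_LOG = "\n".join(
    ["2021-05-04T10:00:00Z client=partner-acme src=198.51.100.7 path=/v1/orders status=200"] * 8
    + [f"2021-05-04T10:00:00Z client=mobile-app src=203.0.113.{i} path=/v1/menu status=200" for i in (10, 11)]
    + ["2021-05-04T10:00:00Z client=anonymous src=203.0.113.20 path=/v1/menu status=200"]
    + ["malformed line that the parser must skip"]
)

# Constructed sample 2: unauthenticated login attempts from many different addresses.
DISTRIBUTED_LOG = "\n".join(
    f"2021-05-04T10:00:00Z client=anonymous src=192.0.2.{i} path=/v1/login status=401"
    for i in range(1, 6)
    for _ in range(4)
)


def parse(lines: str):
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if m:  # skip lines that don't fit the format rather than crash on them
            yield m.groupdict()


def caller_key(rec: dict) -> str:
    """Authenticated callers are keyed by client ID; anonymous ones fall back to source IP."""
    return rec["client"] if rec["client"] != "anonymous" else f"anon:{rec['src']}"


def requests_per_caller(lines: str) -> Counter:
    return Counter(caller_key(r) for r in parse(lines))


def classify_burst(lines: str, baseline_per_caller: int):
    """Return (verdict, offenders). A burst attributable to one identified client
    points at a misbehaving integration; excess spread over many callers looks like DDoS."""
    counts = requests_per_caller(lines)
    offenders = {c: n for c, n in counts.items() if n > baseline_per_caller}
    if not offenders:
        return "normal", offenders
    top_share = max(offenders.values()) / sum(offenders.values())
    if top_share >= 0.9:
        return "single-client-burst", offenders
    return "distributed", offenders


if __name__ == "__main__":
    print(classify_burst(SINGLE_CLIENT_LOG, baseline_per_caller=3))
    print(classify_burst(DISTRIBUTED_LOG, baseline_per_caller=3))
```

The verdict is only as good as the identification: without the `client=` field, the first sample would collapse into a single source IP and look no different from any other flood, which is exactly the situation the security team in the story was in while it filtered blind.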
API Design: Cover Important Risks
But how can APIs be protected? Which processes should be followed? First and foremost, organizations must recognize and accept that APIs pose significant risks if not adequately secured, and commit to doing something about it. Once that has happened, a plan like the following could be followed:
- The first week: Assess the API ecosystem and identify potential security risks (see the examples below)
- Within three months: Understand who is accessing APIs and define appropriate security measures.
- Within six months: Choose a security solution that enables proactive API protection that is tailored to the company’s needs. Push the project forward to protect all APIs, both public and private.
With many APIs open like a barn door, they are increasingly becoming a popular target. Akamai collected data on more than eight billion credential stuffing attempts over two months.
Examples Of Security Risks When Using APIs
Developers want to reuse and share both public and private code through GitHub. This is common practice to speed up development and draw on the knowledge of the entire developer community. However, API keys and TLS private keys are sometimes uploaded by accident, and attackers know it and scan for them. It is important to keep repositories free of secrets and to share only what is necessary.
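A small secret scanner of the kind that belongs in a pre-commit hook, as an added example (not code from the article). The AWS access-key-ID prefix and the PEM header are well-known formats; the generic "name = value" rule and its entropy threshold are heuristics chosen for this example, and the sample file contents are constructed (the key ID is Amazon's documented example value, not a live credential).

```python
import math
import re
from collections import Counter

# Detection rules. The AWS key-ID and PEM patterns are well-known formats; the generic
# assignment rule is a heuristic and is backed by an entropy check to cut false positives.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|token|password)\b\s*[:=]\s*['\"]?([A-Za-z0-9+/=_\-]{16,})"
    ),
}

# Constructed sample file contents (the AWS key ID is Amazon's documented example value).
SAMPLE_FILE = """\
# deploy.py
AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
password = "changeme_changeme_changeme"
api_key = "f3b9c2a7d1e8405b9c6a2f7e1d3b8c4a"
-----BEGIN RSA PRIVATE KEY-----
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random tokens score high, words and placeholders low."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def find_secrets(text: str, entropy_threshold: float = 3.5):
    """Return [(line_number, rule_name)] for every line that looks like a leaked credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in PATTERNS.items():
            m = pattern.search(line)
            if not m:
                continue
            if name == "generic_assignment" and shannon_entropy(m.group(1)) < entropy_threshold:
                continue  # placeholder or dictionary word, not a real token
            findings.append((lineno, name))
    return findings


if __name__ == "__main__":
    import sys
    # Usage as a pre-commit hook: pass the staged file paths; exit non-zero on any finding.
    hits = []
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as fh:
            hits += [(path, ln, rule) for ln, rule in find_secrets(fh.read())]
    for hit in hits:
        print("%s:%d: %s" % hit)
    sys.exit(1 if hits else 0)
```

Run over the sample, the scanner reports the key ID on line 2, the high-entropy `api_key` on line 4 and the PEM header on line 5, and skips the low-entropy placeholder on line 3. A scanner like this is a last line of defence, not a substitute for keeping credentials out of the working tree in the first place; once a key has been pushed, rotate it rather than rewriting history and hoping nobody fetched it.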
DevOps teams use APIs to automate the operation of their networks across multiple clouds; this is the only way to scale to thousands of operations a day. And here lies a security risk. Many of these APIs have to use public IP addresses to be reachable from everywhere, and there is no reliable way to hide an API that is connected to the Internet. Obscurity at best protects against half-hearted attacks by simple scripts. Unfortunately, only a few tools are needed to identify API exposure and the potential attack surface.
Some of these tools are available for free download or directly from Linux repositories. Network Mapper (Nmap) is an open-source utility for network discovery and security auditing, available at https://nmap.org/. It supports dozens of techniques for mapping networks, from port scanning and ping sweeps to operating system (OS) and version detection. The tool runs on most operating systems and comes in many flavors, including a version with a graphical user interface (GUI, Zenmap) for those less at home on the command line. It is easy to use: with a single line of shell, the tool can quickly scan an entire network and show which hosts, ports and services are exposed.
As part of the standard administrator toolbox, Nmap was used without much attention until recently. While helpful in preventing attacks, Nmap has also been widely misused by attackers to discover insecure entry points. This abuse has put the valuable tool at the center of a general debate about the legitimacy of port scanning tools. Given that controversy, it is advisable to understand the potential legal implications and obtain prior authorization before using Nmap, to avoid unintended consequences.
While Nmap is useful for identifying APIs, it lacks speed and a bit of intelligence. For further reconnaissance, Fierce is a more aggressive information-gathering tool. Where Nmap enumerates hosts and ports, Fierce targets Domain Name System (DNS) servers and takes advantage of a common misconfiguration: unrestricted zone transfers. No software vulnerability is exploited; the tool simply asks the server for data it should not hand out.
A zone transfer returns the complete zone, including all registered hosts with their names and IP addresses. This intelligence is of great value to attackers. If DNS is set up correctly and refuses the transfer, the tool falls back to guessing typical hostnames such as auth, api or developer, which again yields a list of names and IP addresses. In a second step, the tool performs reverse lookups on the IP addresses adjacent to those found, which leads to further hostnames, all attractive targets. The tool is used mainly by attackers. By understanding what Fierce reveals about the corporate network, organizations can put the appropriate security measures in place.