APIs – new attack sweet spot
The threat landscape is in continuous turmoil, with new attack surfaces rapidly gaining popularity. If you’re into cloud security, security architecture, governance, secure application development, or cyber security in general, as a CISO or in another role, you should check out this cyber talk on the new popular ‘kid on the block’: API security attacks.
Cyber criminals don’t neglect to study today’s innovations in our app-driven world. So it’s little wonder that a company such as Gartner predicts that by “2022, API abuse will move from an infrequent to the most-frequent attack vector, resulting in data breaches for enterprise web applications.” In the Cyber Talk “API Security”, Roey Eliyahu, CEO and co-founder of Salt Security, explains the dangers and possible mitigations.
APIs as a security risk
Application Programming Interfaces (APIs) allow applications to talk to each other, exchanging any type of data over any protocol. As a result, there is a danger of “data exfiltration, data modification and account take over,” according to Roey Eliyahu. Today, information environments contain many more APIs (often 1,000 or more rather than a few), with many of those continuously in flux (rather than static) and carrying far more sensitive data. Furthermore, API attacks are much more business-logic oriented and extended in time (‘low and slow’).
As a result, companies are confronted with tough questions: do you know all active APIs (read: no, as documentation is missing, insufficient or outdated), and what sensitive data do they expose?
Also, there is a wide variety of API attacks, to the extent that OWASP already lists an API Security Top 10. This talk covers two of them: ‘A1 Broken object level authorization’ and ‘A3 Excessive data exposure’, illustrating how seemingly correct usage can still be a form of abuse, as well as pointing out discovery issues.
What to do?
Clearly, discovery of all active APIs is called for, preferably in an automated way, as manual discovery won’t keep up with changes and attacks are often very API specific. The ‘low and slow’ nature of API attacks also requires extended scrutiny of the APIs in actual everyday use, as “you have to see the whole movie, not frame by frame.” According to Roey Eliyahu, web application firewalls and API gateways do not cover all the security needs of APIs (see the comparative table in the talk), with Gartner as a result creating a new, specific API security product category. These products must connect to all kinds of API-connected elements in your stack, monitor API changes, check behavioural attributes (what is ‘normal’) and stop attacks. Furthermore, these products must be complementary to other security investments, for integration in a multi-layer defence.
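To make the ‘whole movie, not frame by frame’ point concrete, here is an added example (not from the talk or from any product) that runs a per-minute rate check and a long-window behavioural check over the same access log. The log entries, token names, the `/accounts/<id>` route and both thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

OBJECT_ID = re.compile(r"^/accounts/(\d+)$")  # hypothetical route layout

def build_sample_log():
    """Constructed 24h of access-log tuples: (timestamp, caller token, path)."""
    start = datetime(2024, 1, 1)
    log = []
    for i in range(48):  # tok-A: reads its own account every 30 minutes
        log.append((start + timedelta(minutes=30 * i), "tok-A", "/accounts/1001"))
    for i in range(24):  # tok-B: reads a different account once an hour
        log.append((start + timedelta(hours=i, minutes=7), "tok-B",
                    f"/accounts/{2000 + i}"))
    return sorted(log)

def per_minute_flags(log, max_per_minute=5):
    """'Frame by frame': flag callers that exceed a per-minute request rate."""
    counts = defaultdict(int)
    for ts, caller, _path in log:
        counts[(caller, ts.replace(second=0, microsecond=0))] += 1
    return {caller for (caller, _minute), n in counts.items() if n > max_per_minute}

def distinct_object_flags(log, window=timedelta(hours=24), max_objects=3):
    """'Whole movie': flag callers touching many distinct object ids in a long window."""
    events = defaultdict(list)  # caller -> [(timestamp, object id)] inside the window
    flagged = set()
    for ts, caller, path in log:
        match = OBJECT_ID.match(path)
        if not match:
            continue
        history = events[caller]
        history.append((ts, match.group(1)))
        while ts - history[0][0] > window:  # drop events that aged out of the window
            history.pop(0)
        if len({oid for _ts, oid in history}) > max_objects:
            flagged.add(caller)
    return flagged

if __name__ == "__main__":
    log = build_sample_log()
    print("per-minute rate check flags:", per_minute_flags(log))
    print("distinct-object check flags:", distinct_object_flags(log))
```

Every individual request from `tok-B` looks like normal usage and stays under the rate limit; only the count of distinct object ids over the long window stands out, which makes it a signal worth reviewing against the caller’s actual entitlements.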
As is often the case, this is an ‘if you need it, you need it badly’ type of talk, even as an introduction, as this is probably still a lesser-known problem. Because not staying abreast of emerging but fast-growing threats is not an option.
More on the OWASP API Security Project
(including API Security Top 10:2019 list)