Why API Security Is Special and What We’re Doing Wrong
Application programming interfaces (APIs), the building blocks of modern applications, are being used more and more. However, increased use brings increased risk. Philip Ingram MBE, content lead for International Cyber Expo and a former senior British military intelligence officer, explains how traditional security measures fall short in protecting APIs and why dedicated API security is a necessity for businesses.
Application programming interfaces (APIs) are an essential part of our online and mobile lives since they connect all of the vital data required to run today’s new digitalized services. Additionally, the utilisation of APIs is expanding at a startling rate. According to the Q3 2022 State of API Security study from Salt Security, overall API traffic surged by 168% in the previous year. However, there is a risk associated with increased use. The same analysis discovered that 2.1% of all API traffic is now malicious API activity.
Why Can’t APIs Use Traditional Security?
Because of the size and hazards involved, API security must be approached differently from other types of cybersecurity. For a variety of reasons, traditional security techniques fall short in their capacity to safeguard APIs, including:
Rapid API development and change:
The API environment is continually evolving, and it is nearly impossible to keep up with new and constantly changing APIs. A comprehensive inventory of an organisation’s APIs can be difficult to obtain, and as the saying goes, you can’t safeguard what you don’t know is there. Traditional tools like WAFs and API gateways offer no visibility to help with API discovery, yet API security must begin with an accurate inventory.
Attacks on APIs are slow and low-tech:
Conventional attack methods like SQL injection and cross-site scripting are used against APIs, but they frequently fail. These “one and done” attacks rely on known vulnerabilities, an approach that doesn’t work well with APIs. Each API is distinct and has its own business logic. To find business logic holes they can exploit, cybercriminals must probe APIs repeatedly over time, which is why an API attack is typically low-impact and slow-moving.
Shift-left flaws:
While the shift-left movement is generally useful, these strategies may not be effective for APIs. Pre-production testing is vital, but not all security can be achieved in code. Shift-left only identifies security flaws in what is still being developed. To secure what is already running in your environment, runtime monitoring and protection mechanisms must be in place. Runtime behavioural analysis is always the most useful basis for quick attack detection and response.
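The two points above, that API attacks are low and slow and that only runtime behavioural analysis catches them, can be seen side by side in a small detection script. This is an added example, not code from the article or any of the vendors it cites. The access-log format, the users and the wallet ids are all constructed for the example. It runs a classic per-minute rate limit (what a WAF or gateway typically applies) and a behavioural check over the same log lines; the behavioural check looks at how many distinct object ids one principal has been refused within a long window.

```python
"""Added example (not from the article): two runtime checks over constructed
API access-log lines. A per-minute rate limit sees nothing, while a
behavioural check that counts how many distinct object ids one principal has
been refused within a long window flags the low-and-slow probing described
in the article. Log format, users and ids are all made up for this example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "mallory" requests one foreign wallet id every
# hour or so and is refused each time; "alice" uses her own wallets.
SAMPLE_LOG = """\
2022-11-01T00:03:11Z user=mallory GET /v1/wallets/w-1041 404
2022-11-01T01:17:40Z user=mallory GET /v1/wallets/w-1042 404
2022-11-01T02:31:05Z user=mallory GET /v1/wallets/w-1043 404
2022-11-01T03:44:52Z user=mallory GET /v1/wallets/w-1044 403
2022-11-01T05:02:19Z user=mallory GET /v1/wallets/w-1045 404
2022-11-01T06:15:33Z user=mallory GET /v1/wallets/w-1046 404
2022-11-01T07:28:47Z user=mallory GET /v1/wallets/w-mallory-btc 200
2022-11-01T08:40:01Z user=mallory GET /v1/wallets/w-1047 403
2022-11-01T09:00:00Z user=alice GET /v1/wallets/w-alice-eth 200
2022-11-01T09:00:04Z user=alice GET /v1/wallets/w-alice-eur 200
2022-11-01T09:00:09Z user=alice GET /v1/wallets/w-alice-usd 200
2022-11-01T09:01:30Z user=alice GET /v1/wallets/w-alice-eru 404
"""

LOG_RE = re.compile(r"^(\S+) user=(\S+) (\S+) (\S+) (\d{3})$")
OBJ_RE = re.compile(r"/wallets/([^/?]+)")


def parse_log(text):
    """Turn each log line into a dict; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, user, method, path, status = m.groups()
        obj = OBJ_RE.search(path)
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "method": method,
            "path": path,
            "status": int(status),
            "object": obj.group(1) if obj else None,
        })
    return events


def burst_alerts(events, per_minute=10):
    """Classic rate limiting: flag a user only if they exceed per_minute
    requests inside a single calendar minute. Slow probing never trips it."""
    buckets = defaultdict(int)
    for e in events:
        buckets[(e["user"], e["ts"].replace(second=0))] += 1
    return sorted({user for (user, _), n in buckets.items() if n > per_minute})


def slow_probe_alerts(events, window=timedelta(hours=24), distinct_threshold=5):
    """Behavioural check: flag a user who is refused (403/404) access to at
    least distinct_threshold different object ids within any sliding window."""
    refused = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["object"] and e["status"] in (403, 404):
            refused[e["user"]].append((e["ts"], e["object"]))
    flagged = []
    for user, hits in refused.items():
        for i, (start, _) in enumerate(hits):
            seen = {obj for ts, obj in hits[i:] if ts - start <= window}
            if len(seen) >= distinct_threshold:
                flagged.append(user)
                break
    return sorted(flagged)


def run_detection(text=SAMPLE_LOG):
    """Return what each check reports for the given log text."""
    events = parse_log(text)
    return burst_alerts(events), slow_probe_alerts(events)


if __name__ == "__main__":
    bursts, probes = run_detection()
    print("rate-limit alerts:", bursts)   # []
    print("slow-probe alerts:", probes)   # ['mallory']
```

The rate limit is blind to eight refused requests spread over nine hours, while the behavioural check flags the account because no legitimate user is refused seven different wallet ids in a day. In practice the refused-object count would be kept per principal in a store that survives across requests, and the threshold tuned against the API’s normal error rate.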
API Security in an Unsecure World
Now that we better understand why APIs require a unique security strategy, we can examine what the world would be like without API security.
Consider yourself doing your shopping, waiting for everything to be scanned at the register before paying. When you insert your card and enter your PIN, the message “insufficient funds” appears on the screen. The cashier gives you an awkward look, and you can feel the impatience of the customers behind you.
You find it strange, since the money was in the account this morning. Your world implodes as soon as you log in to your online banking application. It isn’t just your pay cheque that is missing; the account is empty. Your savings and your pension have been drained, and you are truly broke.
Everyone’s worst nightmare, to be honest. Without dedicated API protection, it would likewise happen at a startlingly high rate.
Let’s take a deeper look. Cybercriminals find FinTech platforms to be an appealing target. These platforms have astronomically high potential rewards in addition to incredibly extensive and intricate API landscapes.
Recall the drawbacks of shift-left? They are relevant here. A recent threat analysis found that a security flaw and a server-side request forgery (SSRF) discovered in a major US-based FinTech platform could have allowed:
- Attackers to gain administrative control of the banking system
- Attackers to leak users’ personal information
- Attackers to access users’ financial information and banking institutions
- Attackers to use their own accounts to carry out unauthorised fund transfers
This is a frightening, real-world illustration of the importance of API-specific security. Had the FinTech platform relied solely on shift-left techniques, we wouldn’t be reading about it in threat reports; instead, it would have made headlines around the world as a major cyber-disaster.
API Security Breach in Coinbase
However, traditional banking is not the only sector with API security problems. In February this year, a potentially disastrous API vulnerability was discovered on the cryptocurrency trading platform Coinbase. Had the flaw been exploited, it would have allowed an attacker to exchange any amount of cryptocurrency across accounts. Because its discovery was so important to Coinbase, Twitter user “Tree Of Alpha” received a bug bounty of $250,000.
Therefore, neither your fiat nor your DeFi money is secure in a world without API security.
Let’s examine that Coinbase flaw more closely. According to his tweet, “Tree_Of_Alpha” was inspecting Coinbase’s new “Advanced Trading” feature, which allowed users to place orders that sell one type of cryptocurrency and use the proceeds to buy another.
A typical RESTful API is used to fulfil a request of this kind. It carries several important parameters, such as:
- The product being traded, in this case Ethereum to Euro
- The source account whose funds should be sold
- The account into which the converted money should be deposited
These parameters are present in every request, but the problem was that they weren’t properly validated, even though requests like these are simple to validate correctly. Had it not been reported, this could have caused Coinbase serious embarrassment.
In more detail, “Tree Of Alpha” was able to manually change the “product” parameter, and Coinbase’s back-end systems did not verify that the user owned the wallets specified in the product. This meant that your crypto wallet didn’t really belong to you: anyone could transfer money out of a wallet they didn’t own, even one that didn’t exist.
To confirm his findings, “Tree Of Alpha” issued the same request with the “BTC-USD” product instead of “ETH-EURO,” a choice that let him verify the flaw while minimising the risk to Coinbase customers and the wider ecosystem. The catch? He had no Bitcoin wallet at all. To everyone’s astonishment, including Coinbase’s, the platform processed the request without complaint. The money landed in a legitimate USD wallet, sourced from a mysterious, fake, “unknown” Bitcoin account.
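The flaw described above is a missing object-level authorisation check: the back end verified the shape of the request but not that the caller owned the wallets it named. The following is an added example, not Coinbase’s code, showing a simplified order handler that trusts the wallet ids in the request beside a version that checks ownership server-side. The users, wallet ids, products, rates and balances are constructed; the vulnerable handler models the missing ownership check only, not Coinbase’s actual back end.

```python
"""Added example (not Coinbase's code): a simplified order endpoint that
trusts the wallet ids in the request, beside a version that checks object
ownership server-side. Wallets, users, products and rates are constructed."""
from dataclasses import dataclass


class OrderError(Exception):
    pass


@dataclass
class Wallet:
    owner: str
    currency: str
    balance: float


# Server-side conversion rates for the products offered (constructed values).
RATES = {"ETH-EUR": 1500.0, "BTC-USD": 20000.0}


def fresh_wallets():
    """Constructed wallet store: "alice" owns ETH, EUR and USD wallets,
    "bob" owns the only BTC wallet."""
    return {
        "w-alice-eth": Wallet("alice", "ETH", 5.0),
        "w-alice-eur": Wallet("alice", "EUR", 0.0),
        "w-alice-usd": Wallet("alice", "USD", 0.0),
        "w-bob-btc": Wallet("bob", "BTC", 2.0),
    }


def place_order_vulnerable(user, order, wallets):
    """Checks that the product and wallets exist and the balance suffices,
    but never asks whether `user` owns the source wallet."""
    if order["product"] not in RATES:
        raise OrderError("unknown product")
    src = wallets.get(order["source_wallet"])
    dst = wallets.get(order["dest_wallet"])
    if src is None or dst is None:
        raise OrderError("unknown wallet")
    if src.balance < order["amount"]:
        raise OrderError("insufficient funds")
    src.balance -= order["amount"]
    dst.balance += order["amount"] * RATES[order["product"]]
    return "filled"


def place_order_hardened(user, order, wallets):
    """Object-level authorisation before any state change: both wallets must
    belong to the caller and match the currencies named in the product."""
    amount = order.get("amount")
    if isinstance(amount, bool) or not isinstance(amount, (int, float)) or amount <= 0:
        raise OrderError("invalid amount")
    product = order.get("product")
    if product not in RATES:
        raise OrderError("unknown product")
    base, quote = product.split("-")
    src = wallets.get(order.get("source_wallet"))
    dst = wallets.get(order.get("dest_wallet"))
    # A missing wallet and someone else's wallet get the same answer, so the
    # response does not reveal which ids exist.
    if src is None or dst is None or src.owner != user or dst.owner != user:
        raise OrderError("wallet not found")
    if src.currency != base or dst.currency != quote:
        raise OrderError("product does not match wallets")
    if src.balance < amount:
        raise OrderError("insufficient funds")
    src.balance -= amount
    dst.balance += amount * RATES[product]
    return "filled"


def try_order(handler, user, order, wallets):
    """Run a handler and return its outcome as a string instead of raising."""
    try:
        return handler(user, order, wallets)
    except OrderError as exc:
        return str(exc)


def demo():
    """Alice submits an order whose source wallet is Bob's BTC wallet. Returns
    (vulnerable outcome, USD Alice gained, hardened outcome, Bob's BTC left)."""
    cross_account = {"product": "BTC-USD", "source_wallet": "w-bob-btc",
                     "dest_wallet": "w-alice-usd", "amount": 1.0}
    w = fresh_wallets()
    vulnerable = try_order(place_order_vulnerable, "alice", cross_account, w)
    gained = w["w-alice-usd"].balance
    w = fresh_wallets()
    hardened = try_order(place_order_hardened, "alice", cross_account, w)
    return vulnerable, gained, hardened, w["w-bob-btc"].balance


if __name__ == "__main__":
    print(demo())  # ('filled', 20000.0, 'wallet not found', 2.0)
```

The hardened handler also keeps the conversion rate on the server rather than in the request, and checks the product against the wallet currencies so a mismatched “product” parameter is rejected before any balance changes. Ownership and existence failures return the same error so the endpoint cannot be used to enumerate wallet ids.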
Although surprising, this susceptibility is not unusual. Security experts and API threat researchers encounter situations like this on a daily basis.
This incident is yet another illustration of the importance of API-specific cybersecurity. API development is moving very quickly. Recent Salt research even found that over the previous year, the average number of APIs per customer climbed by 82%, from 89 in July 2021 to 162 in July 2022. In this never-ending push for innovation, it’s easy for security to fall by the wayside. Coinbase’s close call should serve as a stark reminder to other firms of the risks of forgoing API security in the name of innovation. These grave threats are not minor inconveniences.
What Are Our Mistakes in API Security?
Despite the industry’s quest for shift left, the Salt Security poll indicated that only 22% of industry professionals view shift-left capabilities as a key necessity, while 41% viewed the capacity to thwart attacks in real time as the most important quality. According to the same poll, 53% of participants tried to resolve API security issues during development, and 59% did so during testing. Even though these precautions are necessary, shift-left strategies are obviously inadequate given that 94% of individuals polled reported recent API security problems.
The widespread disregard for runtime protection is more worrying. Since the majority of successful API attacks target business logic flaws that cannot be found during pre-production testing, why are so few organisations (31%) addressing security flaws at runtime or in production?
Dedicated API security is essential for business.
APIs interconnect the vital data that businesses need to deliver their digital products and services, and they are essential to every cloud-based business. For many businesses, API security has become an imperative to safeguard their vital services and client information.
The industry must recognise the need for API-specific security. APIs have subtleties and technical quirks that render conventional cybersecurity techniques ineffective. Given the rise in both the volume and the complexity of API attacks, it’s time to take a different approach to API security.