API Security: A Tutorial

Application programming interfaces, or APIs, are commonly used in today’s applications, enabling seamless interaction between various products and paving the way for countless integration possibilities. 

However, APIs have certain disadvantages that can escalate into significant issues and security threats. In this article, we will discuss the advantages of APIs, the challenges associated with their security and how to minimize these risks.

More from Alex VakulovHow Deception Technology Can Thwart Cyberattacks

What Is an API?

API represents a collection of methods and standardized protocols facilitating data exchange between multiple systems. The graphical user interface (GUI) of applications makes it easier for a human to interact with a computer, allowing users not to go into the technical details of performing tasks. 

In a similar way, API makes it possible to hide all the logic and mechanics of data processing under the hood and focus solely on performing business tasks using the services provided.

For effective machine-level communication between applications or their components, it is crucial to establish clear interaction guidelines. These requirements form a specification or, in other words, an API contract that outlines the services provided by specific interfaces, who can access them and what data is received and transmitted using them. The parts of the interfaces directly involved in receiving and/or sending data are referred to as endpoints.

An aggregator app for searching and booking airline tickets is a good example of systems built on the foundation of interacting with numerous APIs. Such a product must engage with an extensive array of data sources from different companies. Accomplishing this task without the use of APIs would be exceedingly challenging.

API Benefits

Developing information systems using APIs provides valuable benefits, including:

• A faster development process due to accelerated by concurrently writing code for various services.
• Developers’ tasks are simplified because programming the interaction of services (instead of writing a separate component of a monolithic system) often makes the code simpler and cleaner. 
• Making changes and introducing new features becomes quicker, as it is typically easier to develop a new service rather than incorporating additional options into monolithic code.
• The area of interaction between the original system and other products is expanded through the reuse of services, opening up opportunities for integrating and implementing complex business ideas.

API Types

There are three main types of application programming interfaces. Each type has a distinct impact on the security of both applications and the infrastructure.

• Public. These are available to developers and external users with minimal restrictions. They may require registration and usage of an API key or be completely open. Examples of public APIs include mapping services and directory services.
• Partner. APIs that are exclusively accessible to partner companies cater to specific business requirements. The data shared through these APIs, such as customers’ sensitive information needed for collaborative tasks, often holds significant commercial value.
• Internal. These are designed to be hidden from external users and are used within a company to share resources. They allow different teams or sections of a business to consume each other’s tools and data, such as accounting services or HR platforms.

API Security Issues

Let’s take a moment to consider the extensive usage of services (each resembling a small application), their diverse nature (with unique functionality and security requirements), and the various technologies (or architectural styles) employed to construct them. 

This complexity gives rise to challenging issues: How can we determine which data needs protection? How do we safeguard crucial information transmitted between services? How do we address the information security concerns of the services themselves? What other factors should be taken into account? There are no concrete answers to these questions yet. Experts continue to look for optimal solutions.

When considering the statistics, the problem becomes quite critical. Ninety-five percent of the organizations participating in the 2022 Salt Security survey experienced API security incidents, 85 percent said that the protection tools they use are not very effective in repelling API attacks, and 34 percent of organizations reported that they do not have any API security strategy at all.

Today, many companies have started transitioning to web platforms that integrate APIs because of their perceived security benefits over traditional software. However, despite this shift, many still maintain a conservative approach toward API protection, which can be attributed to their experience developing and securing monolithic systems. 

Organizations are employing outdated methods in today’s distributed cloud systems, where the number of services far exceeds that of classic applications and the complexity of their business logic often confounds even the most cutting-edge security tools.

API Security Risks

Some of the most significant risks specific to API security include object authorization violations, where an attacker gains access to API data; authentication system breaches, which can expose the accounts of systems and users interacting with the API to the attacker; excessive data disclosure, which exposes users to risk if services provide more data than needed to complete a business task; and no restrictions on the number of requests, which means attackers can overwhelm the API with many requests and potentially degrade or halt the system operation. 

This list could go on much further. For additional risks, familiarize yourself with the OWASP API Security Top 10 document.

API Protection

Today, having cross-platform interaction interfaces is an essential requirement for modern applications. However, many companies that have implemented APIs still lag behind in terms of technology. They lack the tools and expertise needed to manage and protect interfaces effectively. Considering the rapid growth of the segment and the increasing number of API-related attacks, it is crucial for companies to actively address these shortcomings now. Here is what you can do:

• Enhance API management by investing in discovery, cataloging and automated validation while adopting a flexible approach to handle various API types and usage scenarios.
• Develop a security strategy that encompasses specific API attack scenarios.
• Carry out a comprehensive API inventory to better understand all the interfaces your company utilizes.
• Incorporate security testing practices, such as DAST, SAST, fuzzing and others into API development.
• Create a list of third-party APIs that your organization’s systems interact with and use this list to monitor external interface failures and assess potential consequences.
• Manage external APIs similarly to how SaaS applications should be managed, addressing aspects like licenses, SLAs, compliance, etc.

Nowadays, APIs are incorporated into nearly every application and even in many physical devices. APIs offer additional possibilities for developers and enthusiasts alike, particularly those looking to automate their systems. That is why it is critically important to pay close attention to API security.