Application programming interfaces (APIs) have had their status upgraded from the domain of programming tool to the proverbial icing on the cake to top a digitisation business plan. APIs allow business leaders to enable workflows across organisational boundaries, connecting siloed business systems and providing a controlled way for external business partners to access data and services.
The API, and the code accessed via the API, must be secure. Any vulnerabilities need to be fixed as soon as they are discovered; otherwise, any application accessing the API will inherit this security weakness.
In the open source world, GitHub recently introduced an automated alert mechanism to enable developers to address vulnerabilities in the open source components their code uses. Such mechanisms enable consumers of these components to receive an alert if the component has a security risk and needs patching or a workaround. This is essential if organisations require end-to-end auditability covering a software bill of materials for all the software components used in a finished product.
Tackling API security is a subset of software development that is secure by design, where there are strong processes in place to minimise coding errors that lead to vulnerabilities, and a defined pipeline to resolve security issues quickly. But the pace of software development – and that includes developing and modifying code that is accessed via published APIs – can lead to insecure code slipping into production systems.
In April 2022, Dynatrace commissioned Coleman Parkes to run a global survey of 1,300 CISOs in large organisations with more than 1,000 employees, which highlighted the risks organisations face in code development and deployment. The survey found that two-thirds (67%) of CISOs say developers do not always have time to scan for vulnerabilities in their code and apply a fix before it moves into production. Only 27% of the CISOs surveyed say they are fully confident that applications have been fully tested for vulnerabilities before going live in production.
Discussing the findings, Bernd Greifeneder, chief technology officer at Dynatrace, says: “There are always opportunities for vulnerabilities to slip past security teams, regardless of how robust their defences might be. Both new applications and stable legacy software are prone to vulnerabilities that are more reliably detected in production.”
Vulnerabilities need to be fixed quickly, but developers also need to keep their code up to date to take advantage of the latest and greatest technology or to support new requirements from the business. Among the difficulties is that as functionality accessed via the API changes, the actual API may require changing because the data it requires (ie, the parameters a programmer needs to provide to the API) and the data it returns back to the application accessing it, may need to be adapted in line with the new functionality.
The challenge for the API developer is that any changes can potentially break any application that uses the API.
Software development teams may often not take care to support the backward compatibility of APIs, warns Stephen Feloney, vice-president of products, continuous testing at Perforce. “An API that previously worked may not work as it should in an updated or completely new version,” he says.
With each new version of an API, additional parameters may be required, results may be delivered in different formats, and even when developers maintain backward compatibility, old APIs may continue to work, but only for a limited time, says Feloney, adding: “Teams consuming APIs may be unaware of the new changes to the APIs until a sudden failure occurs.”
If this happens, says Feloney, software development teams need to track the failure to its source to find the root cause of the problem and verify that documentation is up to date, which can be a time-consuming and costly process. The same applies when a component that the API relies upon is updated. Teams avoid unexpected API failures if they track code dependencies and API changes, says Feloney.
API security implications
When it ran a survey of 350 of its customers, Salt Security found that the average number of APIs per customer had grown by 82% over past year, up from 89 in July 2021 to 162 in July 2022. During the same period, overall API traffic per customer grew by 168%, indicating that API usage is also exploding.
Worryingly, attack activity has continued to keep pace with this dramatic API usage growth and now accounts for 2.1% of overall API traffic for Salt Security customers. Its survey also found that malicious API attack traffic surged by 117% over the past year, from an average of 12.22 million malicious calls per month to an average of 26.46 million calls.
More than half (54%) of respondents admitted they have had to slow the roll-out of a new application because of an API security concern. Also, the increasing regulatory focus on sensitive data leaks is impacting profitability, and the public is taking notice. In fact, nearly one-third of respondents admit they have experienced sensitive data exposure or a privacy incident within their production APIs over the past year – a sharp increase from last year’s 19%.
Commenting on the findings, Nick Rago, field CTO at Salt Security, says: “Many API attacks today are done by authenticated entities that have authority to use the API they are attacking and are doing it in a low and slow manner that evades any rate limit traffic controls.”
According to Rago, existing security measures employed by API gateways, web application firewalls and identity providers fail to offer adequate protection against this growing attack surface. “To stop attacks, organisations need a security strategy specifically designed for APIs,” he says.
Key capabilities of such a security strategy should include continuous visibility into the attack surface, as well as the ability to discover new and changed APIs, contextually understand API behaviours to accurately detect and stop API attacks and abuse in runtime, and remediate vulnerabilities in the build phase.
Most organisations have now caught the wave of using APIs to provide flexible connectivity between systems, making it easy for developers to get started and build digital products. But securing and monitoring APIs is a crucial step to operationalising APIs.
Brian Otten, vice-president of the digital transformation catalysts division at Axway, also believes that businesses need to manage the lifecycle of their APIs. “API delivery has a distinct lifecycle that includes, but is not limited to, unified monitoring of APIs from a security, availability and performance perspective,” he says. “Also, capabilities focused on cataloguing and managing APIs on a day-to-day basis alongside controls related to standards, governance and testing.”