3 steps to better security in the API economy
As far as security goes, the mistake was a bad one. The mobile application that allowed customers to order individualized greeting cards from online service Moonpig had barely any security built into the way it communicated with the merchant's servers. The web API, or application programming interface, contained an easily retrieved, hard-coded username and password to connect to the server, making it easy to access information on all three million Moonpig customers, according to a detailed analysis by Paul Price, the self-styled "information-security enthusiast" who reported the issue in January.
"Given that customer IDs are sequential, an attacker would find it very easy to build up a database of Moonpig customers along with their addresses and card details in a few hours—very scary indeed," he writes.
The rise of the API economy
Welcome to the insecurities of an increasingly connected world. With more applications accessing information and more devices exchanging data, APIs have risen up as a simple way to ease the development of software that can utilize information from elsewhere on the Internet. Mobile apps use APIs to connect to servers holding customer and service data. Web applications use APIs to fetch information from third-party sites. And e-commerce servers use APIs to access up-to-the-minute information about product availability.
Over the past five years, offering abstracted data services through APIs has quickly become the preferred way to allow outside developers to access information and foster innovative uses. Some companies have started using the layer of abstraction afforded by APIs to simplify interactions between business groups and offer mobile employees easier access to data. By simplifying access to information and web functionality, APIs allow for faster development cycles through agile processes and DevOps, speeding innovation.
"From a technology perspective, an API is just an instruction for an existing system," says Neeraj Khandelwal, senior product manager at Barracuda Networks. "From a business perspective, it is a way of delivering value."
Where the data goes, attackers will follow
Nearly 95 percent of companies consider APIs to be important to the growth of their businesses, and about 60 percent of companies have already implemented some API access to their data, according to a survey of 1,200 companies conducted by API security firm Akana and released at the Black Hat Security Conference in August.
Not surprisingly, the popularity of APIs has attracted attackers' interest as well. In December 2013, after a group of researchers outed security vulnerabilities in the API of social media mobile platform Snapchat, hackers downloaded usernames and phone numbers from as many as 4.6 million account holders. In another breach revealed in June 2015, a compromise of the Internal Revenue Service's Get Transcript application led to information on approximately 100,000 taxpayers being stolen, according to the IRS. The hack used an API to automate the process, according to API services firm Apigee.
"As APIs become pervasive and more developers adopt APIs, we will witness more incidents related to API security weakness," says Subra Kumaraswamy, head of product security and chief security architect at Apigee.
IT professionals are most worried about a trio of attacks that abuse weaknesses in APIs, according to Akana's survey. In one case, attackers can send a specially crafted XML document designed to overwhelm a vulnerable XML parser, causing the web server processing the request to slow down or even crash. Known as an XML bomb, the attack abuses the software processing API requests. A second danger—denial-of-service attacks—overwhelms the web server's bandwidth, rather than attacking its ability to process API calls. The third attack, SQL injection, attempts to sneak database commands into API calls.
More than 53 percent of IT professionals are worried about these three attacks, according to the survey. Yet other, more subtle API risks are a problem, too. Six out of 10 companies were doing little to secure the consumer of API information, usually a mobile application.
"The API producer is taking all the right steps, but the devices and applications consuming the API data, these consumers have no proper governance behind what they do with that data or how they secure it," says Sachin Agarwal, vice president of product marketing and strategy at Akana.
But solutions do exist. Here are three ways to better secure APIs.
1. Implement strong authentication
The most frequent security issues encountered with API implementations involve weak authorization, which allows attackers to harvest data from the API server. In the Akana survey, almost half of the companies used API keys, the accepted way of passing a security token to the server, but about one in five companies couldn't describe how they limit access to their APIs, suggesting that the security measure didn't receive the proper attention.
"Weak authentication, when combined with weak or no rate limits, is [a] dream come true for hackers," says Apigee's Kumaraswamy.
Companies need to make sure they're restricting access to their APIs, even if the data they're exposing is considered non-critical. Attackers may be able to imagine uses for data that businesses didn't initially consider a viable threat. In addition, companies can't cease worrying about their data when it reaches the application. Mobile app developers should secure the data on the device.
2. Limit the rate
While more companies understand the importance of implementing strong authentication as part of their API, many developers aren't taking the next step, limiting the rate at which the consumer application can make requests for data. Some 45 percent of companies didn't enforce rate limits, according to the Akana survey.
"You have to worry that someone could abuse the API," says Barracuda's Khandelwal. "Because of the way that APIs work, high-frequency traffic to your website could bring it down or violate your SLAs (service level agreements) with your partners."
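As an added illustration of steps 1 and 2 (example code, not from the article or from any company quoted in it), a minimal Python gateway check: every request must present a valid API key, the key may only read the customer record it was issued for, and each key gets its own token-bucket rate limit so that walking through sequential customer IDs is both denied and throttled. The API keys, customer IDs and `clock` parameter are constructed for the example.

```python
import hmac
import time

# Constructed sample data: API key -> the customer ID that key was issued to.
API_KEYS = {"key-alice-7f3a": 1001, "key-bob-2c91": 1002}


class TokenBucket:
    """Per-client rate limiter: a burst of `capacity` requests, refilled at `rate` per second."""
    def __init__(self, capacity, rate, now):
        self.capacity, self.rate = capacity, rate
        self.tokens, self.last = float(capacity), now

    def allow(self, now):
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class ApiGateway:
    """Checks each request in a fixed order: authenticate, rate-limit, then authorize."""
    def __init__(self, capacity=5, rate=1.0, clock=time.monotonic):
        self.capacity, self.rate, self.clock = capacity, rate, clock
        self.buckets = {}  # one TokenBucket per API key

    def _owner_of(self, presented):
        # Constant-time comparison, so response timing does not reveal how much of a key matched.
        for key, customer_id in API_KEYS.items():
            if hmac.compare_digest(key.encode(), (presented or "").encode()):
                return customer_id
        return None

    def get_customer(self, api_key, customer_id):
        owner = self._owner_of(api_key)
        if owner is None:                      # step 1: authenticate the caller
            return 401, "invalid or missing API key"
        now = self.clock()
        bucket = self.buckets.get(api_key)
        if bucket is None:
            bucket = self.buckets[api_key] = TokenBucket(self.capacity, self.rate, now)
        if not bucket.allow(now):              # step 2: limit the rate; counted before the
            return 429, "rate limit exceeded"  # authorization check so enumeration spends tokens
        if customer_id != owner:
            # Object-level check: a valid key reads only its own record, so walking
            # sequential customer IDs yields 403s rather than other customers' data.
            return 403, "key not authorized for this customer"
        return 200, {"customer_id": customer_id}
```

Requests without a valid key are rejected before any bucket is consulted, so a per-source-address limit in front of this check is what would throttle callers who hold no key at all.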
3. Adopt simpler architectures
Part of the solution is to make sure that any APIs use the Representational State Transfer (REST) principles of interface design, choosing a simplified set of commands that are communicated over a web interface. A decade ago, companies such as Microsoft created more complex protocols, such as the Simple Object Access Protocol, or SOAP, for exchanging information via web protocols such as the Hypertext Transfer Protocol (HTTP) and the Extensible Markup Language (XML).
Increasingly, companies are using REST, which uses four commands to access data via web services. If an API is correctly implemented in a RESTful way, it will have predictable outcomes, which will simplify the security, says Khandelwal.
"The whole breadth and depth of the application makes it really hard to secure this new attack surface," he says. "The benefit of an API is that it delivers a single interface into a complex system."
As the usage of APIs quickly grows with the proliferation of devices and the Internet of Things (IoT), securing the web APIs that connect these devices will become increasingly important.