API Vulnerabilities 3 API Security Risks Every Developer Needs to Know About
More and more companies are relying on cloud computing and it is becoming apparent that this trend will intensify even more in the near future. At the same time, however, extended security precautions must also be taken in companies, as this development also offers new gateways for criminals – for example with APIs.
APIs play a major role in the native cloud architecture now and in the future. However, the number of API vulnerabilities in companies has already increased noticeably in the past year. In this context, it is predicted that the volume of cyber attacks on APIs will already double by 2024. This makes it all the more important that companies are aware of this increasing danger and are already eliminating possible vulnerabilities. In many cases, however, the responsibility for the security of the entrepreneurial development and production environments lies not only with the cybersecurity team, but also with the developers themselves. Therefore, they must also be sensitized to possible API vulnerabilities.
In particular, the following three API gateways for cybercriminals should be kept in mind:
1. Shadow APIs
On average, there are up to 620 different APIs in companies. However, the research of the Aite Group showed that many companies do not even know the exact number – because in fast-moving DevOps environments, the creation of unknown APIs, so-called shadow APIs, can easily happen.
When APIs are published without security checks or controls, they usually remain invisible to the security team and the API gateway. Even those that have been published outside a defined process or whose structure has been changed when updating an application can become shadow APIs. The developer may also not be fully aware of the publishing process and assume that he can publish an API independently. In addition, if a developer uses the BFF (Backends for Frontends) pattern in his application design, this can lead to the fact that backend services – which should normally only be accessed internally – are exposed to direct access from external client API calls.
The problem with shadow APIs is that they have access to the same sensitive information as published, secured APIs, but no one knows where they exist or what they are connected to. Among other things, this can lead to violations of compliance – and in the worst case, it allows attackers to access the sensitive data of the company and those of customers.
2. Automated Bot Attacks
Automated bot traffic is a common problem that affects any business that has a website, mobile app, or publicly accessible API. Web applications are a worthwhile target for botnets because they provide a direct route to sensitive data that can be tapped and shared or sold on the Dark Web.
These types of attacks are more difficult to stop because the bots can mimic human behavior and thus evade detection. Unlike other types of attacks, botnets work around the clock and are deliberately designed to perform repetitive tasks that are difficult for people to cope with. If APIs are attacked in this way, this can lead to the loss of personal data, data leaks and more. Nevertheless, many companies fail to properly manage the security of their APIs and instead rely solely on simple authentication tokens or IP rate limits. However, unlike the identification of human users through multi-factor authentication, these API tokens are often only a single-factor authentication that verifies a call. So for a developer who does not have proper cybersecurity training, it is difficult to stop this threat.
3. Outdated APIs (also “zombie APIs”)
Phasing out APIs is part of the natural API lifecycle. However, if an API has not been disabled properly, it becomes a dormant breeding ground for cybercriminal activity – usually out of the field of view of developers and cybersecurity officials.
These unmonitored APIs are comparable to an unlocked window: cyber criminals can “sneak in” through them and thus access data or launch sophisticated attacks – without the developer or the security team noticing anything about it. The problem: Outdated APIs are often overlooked or ignored and are no longer part of regular software updates. Thus, these “zombie APIs” can be exploited for account takeover, fraudulent transactions or data extraction.
The complexity of the attacks will continue to increase
Although most companies today use an API gateway solution, this technology is not a panacea for the growing API security risks. While gateways are great for deployment and access management, they are not mature enough to fend off complex attacks. In addition, approaches such as gRPC, MQTT and GraphQL are becoming increasingly popular as companies demand more and more diverse technical models. However, this opens the company to more sophisticated attacks on APIs. The introduction of governance standards and advanced security tools is therefore essential when using API protocols with even more flexible structures than RESTful APIs.
Companies need to look for security tools that not only provide runtime protection, but also fit seamlessly into the application development process. Developers and cybersecurity officers should therefore first make a clear assessment of the biggest API risks. This starts with the automatic recognition and the regular updating of an API catalog. As attacks become more and more complex, the solution should also include bot detection, which can distinguish a good bot from a bad bot, as well as, in general, a bot from a real human user. Finally, in order to address the problem of outdated APIs, a solution must also monitor the lifecycle of the API tokens as well as the different versions of the APIs. With this approach, developers can adequately address the biggest API security risks without having to slow down their innovation agenda.