Secure APIs against unauthorised access and manipulation

10. October, 2022

APIs—machine application or programming interfaces—simplify interaction and data exchange between different applications. They are a fundamental component of modern application landscapes. Because of the growing use of smartphones and wearables, they are also becoming increasingly important for web applications.

Because APIs often provide access to sensitive data and special software functions, they are highly interesting for attackers. API security refers to the process of protecting these interfaces from unauthorised access and other attacks and is a key component of modern web application security. Possible vulnerabilities in APIs are, for example, faulty authentication and authorisation, insufficient restrictions on queries or too inaccurate checking of input, which allow for possible misuse.

Nearly a quarter of attacks focus on APIs

While “human” access to various services on the internet is typically carried out via a standardised web browser, programmable interfaces have considerably fewer specifications. They can therefore be designed quite freely and in any rudimentary way. This has a detrimental effect on the security of APIs.

Almost a quarter of the detected attacks concern API security, according to the VMWare 2022 Global Incident Response Threat Report. [1] D

The three most common attacks are the unauthorised access to data, the attack via injections (exploitation of insufficient input validation) and the attack via denial of service.

Easily control and improve API security

Application development that is as security-oriented as possible manages input and output options in a controlled manner. Regular tests of existing APIs make sense in order to identify vulnerabilities preventively and as quickly as possible. The Open Web Application Security Project (OWASP) also supports these concerns. [2] [3] [4] The three biggest weaknesses in APIs still concern rudimentary weaknesses:

easy circumvention of access restrictions (e.g. by making the smallest changes in the call),
weak or faulty user authentication,
insufficient data sparseness, providing too much information.

A particular risk is public interfaces to sensitive data that have been activated “briefly” for development and testing purposes and then forgotten about, leaving them open for a long time.

Secure APIs as the basis for automation and innovation

Machine interfaces are indispensable as a basis for building and developing modern applications and apps. More and more solutions are based on the flexible use of mobile devices and highly distributed data and systems. The Internet of Things (IoT) also falls into this category.

The rapidly increasing networking of devices and services in combination with a massive increase in sources and targets as well as constantly evolving methods of app development create new risks. Accordingly, accompanying measures for the technical and organisational safeguarding of APIs and data have now become mandatory for companies.

Learnings and recommendations for optimised API security

Many companies already have tools in place to combat known attacks such as cross-site scripting, command injection and distributed denial of service. Regardless of how many or few APIs a company makes publicly available, deliberate management, secure design and ongoing monitoring are essential.

Transparency: Get an overview of all interfaces used in your organisation (public, private or partner APIs). A vulnerability scan or penetration testing by an IT security service provider can help. It might even detect unknown accesses.
Secure authentication methods: Avoid the often historically static shared passphrases. Ideally, know and manage each endpoint individually, and monitor and log all. Cyclically check existing accounts for their need and deactivate them if necessary.
Input validation and access role models: Prevent potentially harmful input (injection attacks) by server-side validation of requests. Individual accesses should only be executable with the rights really needed and should not be able to read more data than is actually necessary.
Data encryption: Regularly check whether the encryption methods you use are still up-to-date and correspond to the state of the art.
Rate limitation: Precautions against misuse are indispensable, especially with publicly freely available interfaces, to prevent DDoS attacks, for example. For example, limit the number of IP address queries or use other detection methods that detect an unusually high number of accesses and block them preventively.
Logging & Audit Trail: Keep an unalterable log of all accesses and queries in order to make possible problems traceable and to be able to make exact statements in the event of a security breach.

Worth reading:

Beware of Bad USB Attacks
Top 3 security vulnerabilities in Austria
5 tips for secure remote management