What in the world is an API?
If you use a travel app (e.g., Expedia) to find what different airlines are flying to your destination, or if you’ve seen Google Maps embedded on a site, then you’ve interacted with an API.
An Application Programming Interface (API) is a set of operations that allows applications to access data and interact with external software components.
An API delivers the user’s action to a system, then sends the system’s reply to that user. When someone clicks “Add to Cart,” the API tells the site that a product was added, the site puts the product in the cart, and the cart gets updated.
We use APIs all the time but most of us never think about them at all. They greatly expand the services that a site or app can render. This service expansion is made possible by developers of both the APIs and the sites that use them. Many site developers don’t need to create APIs – they just need to use the APIs that are made available by whatever product or service is being used.
Why are APIs so prevalent?
They work! By the end of 2020, it was estimated that 80% of internet traffic was from APIs. In the first half of 2021, API traffic increased 141%.
APIs provide a common platform for businesses to network together to provide a product or service to their own customers. Most apps today use an API to provide a better experience for the user. For example, Twilio’s API allows an SMS (text message) to be sent from within the app without the user having to use a separate interface. Or Spotify’s API can be used in a non-Spotify app to return information about music artists and their works.
Developers have a plethora of API protocols to choose from; some of the most widely used are REST, SOAP, XML-RPC, JSON-RPC and Thrift. Lots of service providers, such as retailers, banks, and other orgs, publish their APIs so adjacent service companies can provide integrated services to joint customers.
The Need for Reasonable Security
Why should organizations secure their APIs? Salt Security has an excellent API security checklist with technical security aspects, so I’ll cover some of the “Why?” reasons here.
In the first half of 2021, while API traffic increased 141%, attack traffic on APIs increased 348%. Attackers read the same articles (and documentation) that defenders read – they all know that APIs can be hard to protect, documentation is often insufficient, many companies don't follow a secure Software Development Life Cycle (SDLC), and they've seen the stats that security often takes a backseat to pushing out products. Companies need to test their APIs because the bad guys will.
Roey Eliyahu, CEO and co-founder of Salt Security, states: "As APIs have become a growing target for attacks, we’re seeing more attackers target login mechanisms with credential stuffing attacks as well as denial of service attacks that look to overwhelm and knock a service offline."
Regulatory regimes that levy fines - such as GDPR, CPRA, HIPAA, PCI/DSS - will investigate for, among other things, the presence (or lack) of proper physical and technical security measures, mature policies, responsible communication, and relevant remediations. Coverages such as that provided by FDIC, cyber insurance, and credit card fraud reimbursement by merchants can create a false sense of “It doesn’t matter if I get compromised because I’ll get repaid,” but companies need to take this to heart: individuals highly prize their private information, especially identity and financial.
Here are some ideas for organizations to consider when figuring out how much to allocate for their security programs:
- Reputational risk: loss of sales due to lack of trust
- Lost revenue: current customers leaving for "greener pastures"
- Litigation costs: Whenever there's a crime, everyone involved will be drawn into litigation, even if they're innocent. Companies who are breached will be investigated to the fullest extent possible because the law needs to cover all bases. There will always be litigation costs; proper security will reduce them by demonstrating good measures such as documented controls, an established risk program, and a managed paper trail.
- A line from a recent HALOCK post caught my eye: "Demonstrating duty of care establishes the absence of negligence, and it is negligence that results in lawsuits."
When virtual machines and "the cloud" started years ago, one aspect that was taken for granted was securing those resources (something many learned the hard way). While current infrastructure maintenance for many rarely includes activities such as cabling and locking server rooms, VMs still need to be diligently secured. Controls such as proper contractual obligations and vendor management have become of paramount importance in dealing with hosted infrastructure. The customer’s share of physical and infrastructure security dwindled, while the need to configure and manage the digital and network attack surface dramatically increased.
A second potential drawback of cloud-based systems is VM sprawl. Spinning up a resource is easy; what isn’t so easy is keeping track of which replaced resources need to be destroyed and when.
APIs are much the same. They are ubiquitous, enormously useful, and make application extensibility as a competitive strategy feasible. But they also need to be monitored, maintained, and secured 24/7/365. Who has access to them? Is that access logged/monitored/alerted? Is the provider of the API observed for breaches? How is each API updated, by whom, and how often? How many are there in use or need to be removed?
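The questions above (is access logged, monitored, alerted?) and the credential-stuffing and denial-of-service patterns Salt Security describes can be turned into concrete checks over an API access log. The following is an added example, not code from the article or from Salt Security: it runs over a constructed, space-separated log (timestamp, client IP, method, path, status, username, all assumed here), flags an IP that produces many failed logins across many different usernames inside one window, and reports each IP's peak request rate as a volume signal.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample API access log (not from the article): ts client_ip method path status username
SAMPLE_LOG = """\
2021-06-01T10:00:00Z 203.0.113.7 POST /api/login 401 alice
2021-06-01T10:00:01Z 203.0.113.7 POST /api/login 401 bob
2021-06-01T10:00:02Z 203.0.113.7 POST /api/login 401 carol
2021-06-01T10:00:03Z 203.0.113.7 POST /api/login 401 dave
2021-06-01T10:00:04Z 203.0.113.7 POST /api/login 401 erin
2021-06-01T10:00:05Z 203.0.113.7 POST /api/login 200 frank
2021-06-01T10:00:10Z 198.51.100.4 POST /api/login 401 alice
2021-06-01T10:00:40Z 198.51.100.4 POST /api/login 200 alice
2021-06-01T10:01:00Z 192.0.2.9 GET /api/cart 200 gina
"""

def parse_log(text):
    """Turn the space-separated log into event dicts sorted by time."""
    events = []
    for line in text.splitlines():
        ts, ip, method, path, status, user = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "ip": ip,
                       "method": method, "path": path, "status": int(status), "user": user})
    return sorted(events, key=lambda e: e["ts"])

def peak_requests_per_ip(events, window=timedelta(seconds=60)):
    """Most requests any one client IP made inside a sliding window (volume/DoS signal)."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e["ts"])
    return {ip: max(sum(1 for t in times[i:] if t - start <= window) for i, start in enumerate(times))
            for ip, times in by_ip.items()}

def detect_credential_stuffing(events, login_path="/api/login", window=timedelta(seconds=60),
                               min_failures=5, min_users=3):
    """Flag IPs with many failed logins across many distinct usernames in one window.
    A user retrying a forgotten password fails often but on one username, so min_users excludes it."""
    fails = defaultdict(list)  # ip -> [(timestamp, username)] for 401s on the login endpoint
    for e in events:
        if e["path"] == login_path and e["status"] == 401:
            fails[e["ip"]].append((e["ts"], e["user"]))
    alerts = []
    for ip, attempts in fails.items():
        for i, (start, _) in enumerate(attempts):
            users = [u for t, u in attempts[i:] if t - start <= window]
            if len(users) >= min_failures and len(set(users)) >= min_users:
                alerts.append({"ip": ip, "failures": len(users), "distinct_users": len(set(users))})
                break
    return alerts
```

The thresholds are starting points to tune against a service's own traffic; the second IP (one user, one retry, then success) is deliberately left out of the alerts.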
About the Author: Ross Moore is the Cyber Security Support Analyst with Passageways. He was Co-lead on SOC 2 Type 1 implementation and Lead on SOC 2 Type 2 implementation, facilitated the company’s BCP/DR TTX, and is a HIPAA Security Officer. Over the course of his 20-year IT career, Ross has served in a variety of operations and infosec roles for companies in the manufacturing, healthcare, real estate, business insurance, and technology sectors. He holds (ISC)2’s SSCP and CompTIA’s Security+ certifications, a B.S. in Cyber Security and Information Assurance from WGU, and a B.A. in Bible/Counseling from Johnson University.