By Brad LaPorte, Chief Evangelist, Kasada
The pandemic has forever changed how we work, shop, learn, entertain, and see our doctors. Most of us have likely started using a new app or feature that didn’t exist in February, whether that be new conferencing and collaborating apps to food or shopping apps to new apps just to entertain ourselves.
Most of today’s apps leverage easy-to-build and easy-to-consume APIs to speed development. When the APIs are secured, they offer a smart way to deliver critical features and functionality and pass data between systems. But, when left unprotected, they make it easy for attackers to commit fraud with speed and at scale. Our growing dependence on APIs within applications and the significant rise in malicious machine-driven traffic are giving opportunistic cybercriminals ripe opportunities to wreak havoc online, everywhere.
Web-enabled applications already have 40% of their attack surface in the form of APIs instead of user interfaces, according to a recent Gartner report. By 2021, APIs will account for 90% of the attack surface. By 2022, according to Gartner, API abuses will become the most-frequent attack vector.
Assess the Risk
The first place to start is by assessing your current environment and understanding the level of risk your business faces today. This will help inform the development of a strategy and associated policies for securing APIs.
Remarkably, many security teams can’t assess the risk to their companies for their APIs because they don’t have visibility into all of the APIs in use. Often, APIs and API security are in the hands of developers and DevOps teams. Each team may have its own set of APIs that it uses. In that situation, no one has visibility into all of the APIs being developed and used across the company.
That’s why any security strategy for protecting APIs must begin with a complete understanding of all the APIs developed by the company. Make sure you understand:
- How many APIs are deployed?
- Who manages/owns the APIs?
- Who is using the APIs?
- Which APIs are exposed to partners?
- Which ones are exposed publicly?
- Which APIs are driving traffic?
- How is that traffic being monitored?
Once you have an inventory of APIs, you can begin evaluating your risk by looking for common API security weaknesses, such as authorization flaws, excessive data exposure, lack of rate-limiting, security misconfigurations, insufficient logging, and others. A great place to start is the OWASP API Security Project and its API Security Top Ten report.
Best Practices to Protect APIs
Once you have an understanding of the APIs in your company, common API weaknesses, and the types of threats that can be used against them, make sure you are using recommended best practices to help protect your APIs. Start with the APIs that represent the greatest risk for your business.
Lock Down Access to the API
The ability to control API access is a cornerstone of effective API security. Make sure you’re authenticating both end-users and applications, and make sure that access policies and authentication mechanisms are set up correctly.
The authentication mechanism is a popular target for attack and as such, should be a top priority for extra layers of protection. OWASP’s Top Ten report says that authentication mechanisms “are often implemented incorrectly, allowing attackers to compromise authentication tokens or to exploit implementation flaws to assume other users’ identities temporarily or permanently.” It’s critical to understand the authentication mechanisms your organization has in place and then apply authentication best practices to these endpoints.
Monitor and Log Everything
You can’t protect your APIs if you don’t have visibility into what is happening, and you can’t mitigate damage from an attack if you don’t know what was impacted. Continuous logging and monitoring give you that visibility so that you can track and respond to suspicious activity in a timely way.
Logging and monitoring are especially relevant to authentications and preventing an API endpoint from being a gateway to other endpoints. Log all authentication attempts, denied access, validation errors, and response codes so you can track ratios to detect when something suspicious, such as a credential stuffing attack is occurring.
Implement Rate Limiting
Rate limiting or throttling helps protect against brute-force attacks, but often the API doesn’t impose or enforce any restrictions on the size or number of resources that can be requested by the user. For example, a bad actor might use automated software to generate a large number of consecutive login attempts by systematically guessing passwords.
If the API is not protected by rate limits, it may allow this attack to continue indefinitely or until it succeeds—even if that means accessing the API a million times per second, which could make the API unresponsive or lead to denial of service (DoS), both of which impact legitimate users. This is why it’s important to impose rate limits such as the number of requests per user and number of requests per user within a defined timeframe, number of records per page return, request payload size, memory, and CPU usage.
Layers of Protection Against Automated Attack
Best practices around authentication, logging, and rate-limiting are worthwhile and effective as the first layer of protection. However, they aren’t enough to secure your APIs and protect them from more sophisticated forms of automated attacks. For greater protection, you need additional layers of security that can identify suspicious activity and block it.
For your most sensitive API endpoints that are at greatest risk from automated attacks, you need to fight bad automation with good automation to detect and stop attacks in real time. It’s important to be able to:
- Visualize all your traffic including good bots, bad bots, and humans
- Detect bad bots attempting to attack your APIs
- Make it economically infeasible for bots to be successful
Whether it’s fraud, DDoS, or some other form of attack, under-protected APIs are a favorite target of cybercriminals. You can stop these attacks from being successful by:
- Making API security a top priority for your company and your IT and security teams
- Applying the best practices described here and in the OWASP Top Ten for API Security
- By layering an automated solution able to detect malicious automation on top of these best practices to protect your most sensitive and valuable APIs.
About the Author
Brad LaPorte is Chief Evangelist at Kasada and Gartner Veteran. He has more than 15 years of combined cyber security, product management, and business experience. Brad has been on the frontlines fighting cybercriminals and advising top CISOs, CIOs, CxOs, and other thought leaders on how to be as efficient and effective as possible. He has served in various advisory roles at the highest levels of top intelligence agencies, as a senior product leader at both Dell and IBM, at a late-stage startup, and as a Gartner analyst where he conducted over 1,000 conversations with leading corporations about the rapidly expanding threat landscape.