The widespread adoption of APIs has been accelerated by the growth of cloud computing, mobile applications, and the Internet of Things (IoT). APIs are fundamental components of modern applications, empowering developers to swiftly integrate third-party services, enrich functionality, and drive innovation. Whether in extending healthcare services or powering e-commerce, APIs have seamlessly woven into the fabric of our digital existence. Consequently, malicious actors are exploiting vulnerabilities in APIs as they conduct cyberattacks.
API-based cyberattacks
Here are several instances showcasing the potential risks when APIs are inadequately secured.
Quest Diagnostics: A significant data breach occurred at one of the United States' top clinical laboratory service providers, Quest Diagnostics, due to a vulnerability in a third-party API. Attackers exploited this vulnerability within the third-party's web payment page, which was accessible through an exposed API. This breach led to unauthorized access to the medical records of approximately 11.9 million patients.
Latitude Financial: This Melbourne-based company, offering personal loans and credit cards in Australia, faced a significant breach in March 2023, resulting in the compromise of over 14 million records. Among the compromised data were nearly 8 million driver's licenses, 53,000 passport numbers, and multiple monthly financial statements.
Dropbox: In an incident on November 1, 2022, cybercriminals successfully infiltrated Dropbox's internal code repositories hosted on GitHub. This unauthorized access encompassed 130 internal code repositories, some of which held API keys and user data. The attackers executed a phishing campaign by sending deceptive emails resembling CircleCI, a widely used CI/CD pipeline platform. Recipients were directed to a counterfeit CircleCI webpage, where they were prompted to enter their GitHub credentials. Subsequently, they received a One-Time Password request, adding to the deception.
Peloton: During May 2021, a security researcher discovered a vulnerability wherein unauthenticated requests could be made to Peloton's backend APIs, which were integral to its exercise equipment and subscription services. This allowed for direct access to Peloton API endpoints, potentially exposing substantial volumes of Personally Identifiable Information (PII) and thereby affecting the privacy of Peloton's customers. The Peloton web and mobile applications, designed to complement Peloton exercise equipment, relied on these backend APIs for offering workout statistics and class scheduling. Peloton eventually resolved the API vulnerabilities, though the extent of PII exposure for Peloton customers remains uncertain.
Strengthening API security: Fortify's API security testing
As a result of increasing API-based breaches, organizations are showing a growing commitment to bolster their understanding and control of API-related risks. However, when seeking solutions for API security testing, Fortify may not be considered, with many organizations leaning toward specialized API security vendors instead. However, I believe Fortify can help you identify API weaknesses and vulnerabilities effectively. Here are ten reasons to consider Fortify for your API security testing needs:
- Extensive API Security Assessment: Fortify offers a comprehensive approach to API security testing, encompassing both dynamic analysis (DAST) and static analysis (SAST). This enables the detection of vulnerabilities and security flaws in APIs across various phases of the development lifecycle. Fortify's unique capability to provide this hybrid analysis and ensures a more holistic perspective on API security, distinguishing it from many specialized competitors in the field.
- Authentic Real-World Testing Scenarios: Many APIs require authentication for accessing sensitive data or executing vital operations. Conducting tests on APIs without authentication can lead to a false sense of security. Fortify possesses the capability to manage various API authentication methods (including MFA), facilitating the emulation of authentic real-world situations, thereby enhancing the accuracy and relevance of security testing.
- Evaluation of API Attack Surface: A thorough grasp of the APIs incorporated into an application enables security testers to comprehensively evaluate the application's attack surface. This ensures that no potential vulnerabilities or entry points go unnoticed. Fortify DAST possesses the capability to discover APIs while crawling web applications by leveraging schemas and tools like Postman.
- Scalability Tailored to Enterprises: Fortify's design is optimized for scaling to meet the demands of enterprise-grade applications, making it an ideal choice for organizations with intricate and expansive API environments.
- Data Flow Analysis: APIs hold a pivotal role in governing the movement of data within an application. Fortify SAST’s data flow analyzer finds security issues that involve tainted data that is put to potentially dangerous use. This analysis enables Fortify SAST to precisely identify many different types of security problems.
- Seamless Integrations: Fortify offers seamless integrations with well-known development tools, continuous integration/continuous delivery (CI/CD) pipelines, and issue tracking systems. This simplifies the process for development teams to seamlessly integrate API security testing into their established workflows.
- Evaluation of Third-Party Risks: Many applications depend on third-party APIs and services. The identification of these dependencies holds paramount importance when it comes to evaluating the security risks linked with third-party elements. A vulnerability or security weakness in a third-party API can directly affect the overall security of the application.
- Assessment of Secure Configurations: APIs may require specific configurations to operate securely. Fortify assesses whether these configurations are correctly implemented, reducing the risk of misconfigurations leading to security issues.
- Support for Regulatory and Policy Compliance: Fortify provides functionalities that assist organizations in aligning with compliance requirements pertaining to API security. These include guidance such as the OWASP API Security Top Ten and regulations like GDPR.
- Emphasis on Remediation: Not all APIs in an application carry the same level of risk. Fortify delivers comprehensive reports and actionable guidance for addressing identified security issues within APIs. This enables a targeted approach to remediation efforts, directing resources towards APIs that manage sensitive data or perform critical functions, which typically represent higher risks.
Summary
The rise of API-based cyber threats is a growing concern as APIs continue to play a pivotal role in modern application architectures. The ease of integration and rapid innovation they enable have made them indispensable in various industries, from healthcare to finance. However, this increased reliance on APIs has also made them attractive targets for malicious actors seeking to exploit vulnerabilities.
The few high-profile incidents I cite above serve as stark reminders of the risks associated with inadequately secured APIs. These breaches have resulted in the exposure of sensitive information, emphasizing the need for robust API security measures.
If you are expanding the scope of your AppSec efforts to include API security, Fortify offers a comprehensive solution to address API security testing challenges.
Learn more:
Here are some of the Fortify API Security marketing assets you can leverage:
- Blog: API Security: The Unbreakable Shield for Resilient Software
- Web page: What is API Security?
- Web page: API Security
- Webinar: Fortify your APIs and Get Them Battle Ready
- Webinar: API Security Needs Grow Ever Larger
- Demo Video: API Discovery using Fortify DAST
- White Paper: Developers Guide to the OWASP Top 10 for API Security