Though Application Programming Interfaces (APIs) are not new, the architecture of applications has changed significantly over the last few years. In traditional web applications, data processing is done on the server side, and the resulting web page is then sent to the client browser for rendering. As client devices have become more varied and powerful, modern applications instead use APIs to send data to and receive data from backend servers, and those API calls provide the functions of the application. APIs play a central role in serverless architectures, containers, microservices, Single Page Applications (SPAs), mobile apps and IoT devices.
Detailed documentation is usually available for APIs to provide transparency to developers, but the same documentation gives attackers a blueprint for their attacks. APIs open a path into adjacent systems and apps for anyone intent on gaining access, legitimately or otherwise. This widens the attack surface substantially, and threat actors are taking advantage of API weaknesses in their attacks.
As documented in Micro Focus’ 2019 Application Security Risk Report, analysis of over 11,000 Web applications showed that API abuse issues have roughly doubled over the past several years. Last November, analyst firm Forrester Research warned that organizations were failing to address API vulnerabilities in the same manner they had addressed application vulnerabilities, and that their exposure to API-related breaches was growing as a result. A February report from Salt Security on API Security Concerns Inhibiting Business Innovation showed that 91% of the organizations surveyed suffered an API-related problem last year. More than half (54%) reported finding vulnerabilities in their APIs, 46% pointed to authentication issues, and 20% described problems caused by bots and data-scraping tools. Because APIs are increasingly important yet hidden from view, they can represent a bigger business risk than other assets.
Most organizations have limited or no awareness of which APIs their applications expose, much less which controls should be applied to secure them. However, some organizations are starting to proactively layer in API security controls and use API tools to gain visibility. API gateways like NetIQ Secure API Manager can create, manage, secure and measure the APIs in use. Tools like Google’s Apigee and API collaboration software like SwaggerHub or Postman are increasingly adopted and can provide a fuller picture of an API and all of its interactions.
The output of these API collaboration tools can be fed into Fortify WebInspect for fuller analysis of exposed APIs. By working together with these tools, WebInspect can scan APIs for vulnerabilities more thoroughly, and with less effort, than it takes to scan a traditional Web application.
Another consideration is how to cope with authenticated APIs, whose authentication flows can be quite complex in modern applications. WebInspect’s capabilities have evolved, and it now handles authenticated APIs well.
There are many ways for threat actors to target a modern application. Don’t let APIs become a blind spot: they are windows into applications and, as with any window, an API can easily be misused. It’s time to get visibility into potential API attack vectors and mitigate these risks before a breach occurs. Check out this What is API Security page to learn more.