API Security – common threats and how an API platform might help

In the past, securing your data was as simple as locking your punch cards in a safe. But today, with the rise of API economies, protecting your data is becoming increasingly complex. Hackers are growing more sophisticated, and the number of attempted attacks on APIs is on the rise. To combat this, we need to take API security seriously and implement effective measures to protect our data.

One solution is to use an API platform that has been developed and refined by a team of security experts over many years. This can save you time and effort in building your own security measures, and may provide better results in protecting your APIs from hacking attempts. In addition, an API platform can help with administrative tasks such as setting clear rules and tests for newly published APIs, as well as with introspection, analysis, and transformation of APIs. By taking these steps, we can improve our API security and safeguard our data in today’s increasingly connected world.

Broken Object-level Authorization

Object-level authorization is usually implemented at the code level to validate if a user has access to API functionality and at what level. Every API endpoint that receives an ID of an object and manipulates the said object should implement object-level authorization checks. Attacks using non-existing authorization can lead to massive data loss, data manipulations, or stolen data.

For instance, a website sends requests to return user data based on the user’s ID. A hacker can manipulate their user ID from 1111 to 1112 and display other users’ information. With this information, the hacker can create a simple script that goes in a loop and downloads all the user’s personal information. Examples of this approach can be found all over, such as the Latvia tax office hack, where a hacker managed to download sensitive documents by changing document ID numbers in the request.

API platforms can help from both a processual and technical perspective. They provide common agreements, standards, naming conventions, publishing rules, and documentation, as well as automatic validity checks to agreed ways of working and API standards, automated security tests with new version deployment, blocking after too many requests or invalid answers. The main advantage is that all APIs are concentrated in one gateway and developer portal, allowing targeted security audits, automatic tests, or putting safeguards in place. When there are direct connections between systems (point-to-point) and APIs scattered throughout the IT landscape without any rules, the chances of implementing a security policy are low. What’s worse is that some APIs tend to get replaced with newer versions, but the old ones are forgotten and keep functioning. A hacker can leverage poor API lifecycle management to get data from unprotected old APIs instead of breaking the new security library.

Additionally, Broken Object-level Authorization can also lead to privilege escalation, where a user gains access to higher levels of permissions than they should have. For example, if an API endpoint allows a user to modify their own profile information, but due to a lack of proper authorization checks, the user is able to modify another user’s profile information, then they have escalated their privileges. This can be especially dangerous in systems with sensitive data or critical functionality, as an attacker with escalated privileges could cause significant damage to the system or steal sensitive information. Therefore, implementing proper object-level authorization checks is crucial in ensuring the security and integrity of an API.

In order to prevent Broken Object-level Authorization attacks, API developers should implement proper authentication and authorization mechanisms. This includes implementing access control lists (ACLs) and role-based access control (RBAC) systems to ensure that only authorized users have access to specific API endpoints and objects. Additionally, API developers should implement rate limiting to prevent attackers from flooding the API with requests, as well as input validation to prevent injection attacks. Finally, it is important to regularly monitor the API logs for suspicious activity and perform security audits to identify and fix vulnerabilities before they can be exploited by attackers. By taking these steps, API developers can significantly reduce the risk of Broken Object-level Authorization attacks and protect sensitive user data from being compromised.

It’s difficult to estimate the exact cost of developing these measures manually, as it would depend on a number of factors, such as the size and complexity of the API system, the level of security required, and the expertise of the development team.

However, it’s safe to say that developing these measures manually would likely be a time-consuming and expensive process. The development team would need to spend a significant amount of time researching and implementing best practices for API security, such as implementing authentication and authorization, encryption, and threat detection measures. They would also need to regularly update and maintain the system to keep up with new security threats and vulnerabilities.

There would be costs associated with testing and validating the security measures to ensure they are effective and meet compliance requirements. This may require hiring external security consultants or investing in specialized security testing tools.

In contrast, using an API platform that includes built-in security features can help reduce the costs and time required for developing and maintaining secure APIs. The platform provider would be responsible for implementing and maintaining the necessary security measures, and would likely have a team of security experts dedicated to keeping the system up to date with the latest threats and vulnerabilities.

Excessive data exposure

Excessive data exposure is a common problem in many APIs and can lead to significant security vulnerabilities. Addressing this issue manually can be a time-consuming and challenging task, especially for large and complex systems. In addition, the cost of manual development can be high, as it requires significant effort from the development team to ensure that only the minimal set of targeted data is returned.

Developing these measures manually can also be costly in terms of time and resources. Developers must spend a significant amount of time understanding the data and patterns to ensure that only the necessary information is being returned. This can be challenging, especially for larger datasets, as it requires a deep understanding of the underlying data and how it is used. Moreover, developers need to follow strict internal development guidelines to handle the data properly, which can increase the complexity and cost of the development process.

From a technical standpoint, excessive data exposure is often caused by lack of proper data modeling and schema validation in the API design phase. Developers should aim to define clear data models for each endpoint and implement schema validation to ensure that only valid data is accepted and returned by the API. This can help to prevent the leakage of sensitive data through the API. Additionally, implementing rate limiting and throttling mechanisms can help to prevent excessive requests and data retrieval by malicious actors. Regular security testing and vulnerability assessments can also help to identify and mitigate potential data exposure risks.

For any API there should be clear answers to questions like:

• Which environment is the API running in (e.g., production, staging, test, development)?
• Who should have network access to the API (e.g., public, internal, partners)?
• Which API version is running?
• What data is gathered and processed by the API (e.g., PII)?
• What’s the data flow?
• Is there documentation? Is the documentation updated?
• Is there a retirement plan for each API version?
• Are the host’s and integrated services inventories updated?
• Is the API (and its previous versions) patched and maintained according to security standards?

API Gateway approach to addressing excessive data exposure is to use the concept of building blocks. This involves using the microservice with small, manageable APIs (components) that can be used to configure new products quickly. For instance, instead of serving every request using “the big API,” developers could create smaller building blocks that return only limited data. This approach can force developers to limit the data sets returned, as the data returned by the building blocks is restricted. Moreover, schema-based validation for the data and errors should be implemented on the APIs, which should be done on the API level, not the gateway. An API platform should provide:

• Common rules and agreements on procedures, naming conventions, quality control, API lifecycle, and other administrative rules to maintain the same process and approach to all landscape
• API inventory: all API hosts, documentation on exceptions, important notes, environments (development, test, production), authentication rules, who has access and who should never have, access groups (public, private, partners, users, etc.), API version, other important notes, API severity/criticality, API alternative/backup
• Integrated services list and details
• Documentation
  • Authentication
  • Parameters, requests, and responses
  • Error matrix
  • Redirects
    • Limits and throttling
  • Cross-origin resource sharing (CORS) policy and endpoints (including parameters, requests, and responses)
  • Availability limitation to API users
• Definition of exchanged data, data sensitivity description
• Integration with CI/CD pipeline (e.g., documentation updates, configs)
• Environment data
• Traffic information
• Internal audits
• Notifications and reminders

Overall, the cost of manual development for excessive data exposure can be significant, and there is no guarantee that the solution will be foolproof. Therefore, using API platforms that provide automatic measures for identifying and addressing excessive data exposure is a more cost-effective and efficient solution. API platforms provide a comprehensive solution to manage and secure APIs, including processual and technical measures that address excessive data exposure, object-level authorization, and other security concerns. In addition, API platforms enable targeted security audits, automated tests, and safeguards to be put in place, ensuring the security and integrity of the APIs.

Insufficient Logging and Monitoring

An increasing number of companies are investing time and resources in advanced monitoring systems that utilize AI/ML tools, in-depth data analysis, and policies. However, there are still many companies that rely on the security method of “putting their head in the sand and hoping that nothing happens.” The lack of logging and monitoring makes it extremely difficult to detect attacks and misuse of data and software. IBM’s 2020 Data Security Report states that businesses took up to nine months to detect and contain a breach in 2020. This highlights the correlation between good levels of monitoring and the time it takes to detect a breach. Attackers take advantage of this vulnerability, and they can freely use an exposed old API for nine months to obtain sensitive user information.

Managing APIs in a smart way ensures improved security and quality. For instance, developers can define minimum, medium, and full logging levels for each API, such as debugging, attack prevention, and monitoring. Additionally, logging rules and regulations can be enforced to log certain aspects of the API, and developers can provide any required functionality. The API infrastructure is constantly monitored, and logs are constantly monitored as well. Moreover, “weird traffic” alarms can be set, and external monitoring and logging applications can be connected. All of these features can be developed in-house or combined from many out-of-the-box vendors. However, this can be costly or not tightly integrated. With an API platform, businesses can save time and resources by skipping redundant tasks and simply connecting required functionality to their APIs. This leaves more time to start innovating better ways of working.

The lack of an API management platform can lead to a significant increase in costs due to redundant tasks and inefficiencies in the development process. For example, without an integration platform, developers must spend hundreds of hours developing already-existing infrastructure and possibilities instead of investing their time in smarter systems, better security, and improved monitoring. Additionally, businesses may have to purchase and integrate several different tools and solutions to create a comprehensive API management system, leading to higher costs and possible compatibility issues. To avoid these issues and save time and money, businesses should invest in an API management platform to streamline their development processes and improve their overall security and quality.

In the end

API security is becoming increasingly complex with the rise of API economies. Hackers are growing more sophisticated, and the number of attempted attacks on APIs is on the rise. It is important to take API security seriously and implement effective measures to protect our data. One solution is to use an API platform that has been developed and refined by a team of security experts over many years. Broken Object-level Authorization is a common problem in many APIs that can lead to significant security vulnerabilities. API platforms can help from both a processual and technical perspective by providing common agreements, standards, naming conventions, publishing rules, and documentation, as well as automatic validity checks to agreed ways of working and API standards, automated security tests with new version deployment, and blocking after too many requests or invalid answers. Additionally, Excessive data exposure is another problem that can lead to significant security vulnerabilities. Addressing this issue manually can be a time-consuming and challenging task, especially for large and complex systems. Developing these measures manually can also be costly in terms of time and resources. The cost of manual development can be high, as it requires significant effort from the development team to ensure that only the minimal set of targeted data is returned. Using an API platform that includes built-in security features can help reduce the costs and time required for developing and maintaining secure APIs.

To further expand on the technical details of securing APIs against excessive data exposure, one effective strategy is to use tokenization or data masking techniques. Tokenization involves replacing sensitive data elements with randomly generated values or tokens, which can be used in place of the original data. For example, a credit card number might be tokenized into a string of characters that is not recognizable as a credit card number, but can still be used by authorized parties for processing transactions.

Data masking involves substituting sensitive data with fictitious data that looks and behaves like real data, but does not contain any actual sensitive information. This can be especially useful in test environments, where developers may need access to realistic data for testing purposes, but do not want to expose sensitive data to unauthorized parties.

Another technique for reducing data exposure is to use data segmentation or partitioning. This involves breaking up large datasets into smaller, more manageable subsets, and then restricting access to only the necessary segments for each user or application. This can help to limit the exposure of sensitive data and reduce the risk of unauthorized access or disclosure.

In addition to these techniques, it is also important to implement access controls and authentication mechanisms to ensure that only authorized users or applications have access to sensitive data. This may involve implementing user roles and permissions, as well as using strong authentication protocols such as OAuth or OpenID Connect to verify the identity of users and applications.

Finally, it is important to regularly monitor API logs and audit trails to detect any unauthorized access or unusual activity. This can help to identify potential security threats and vulnerabilities before they can be exploited by attackers.

By implementing these strategies and techniques, developers can significantly reduce the risk of excessive data exposure in their APIs, and ensure that sensitive data is protected against unauthorized access or disclosure.

Is your API solution able to support these needs out-of-the-box or you want to build all of this from scratch?

API Management paltform

API security is a critical aspect of developing and maintaining an API, and there are various measures that can be taken to mitigate security risks. Implementing agreed ways of working and API standards, automated security tests with new version deployment, blocking after too many requests or invalid answers, and using an API gateway can help to reduce security risks and enable targeted security audits and automatic tests. Broken Object-level Authorization attacks can be prevented by implementing proper authentication and authorization mechanisms, rate limiting, input validation, and regular monitoring of API logs. Excessive data exposure can be addressed through the implementation of data modeling, schema validation, rate limiting and throttling mechanisms, and regular security testing and vulnerability assessments. While developing these measures manually can be costly and time-consuming, using an API platform with built-in security features can help reduce development costs and ensure the necessary security measures are implemented and maintained.