Editor's note: The article was written by Zscaler VP, Product Management Sanjay Kalra
It’s an unfortunate reality that APIs are easy to expose but difficult to defend. By acting as translators between applications, they have become the favored tools for ensuring apps of varied origins understand one another and play nicely together.
Most accounts agree that API calls make up the majority of internet traffic, though there is some disagreement over how large a percentage of total traffic they represent. Less disputed is the fact that API use continues to grow among enterprise developers.
Unfortunately, their popularity presents security challenges.
“API sprawl,” as it’s known, refers to an over-abundance of API deployments for communication between a company and web apps, enterprise apps, partner apps, mobile devices, OT/IoT devices, and a host of other destinations. Lacking centralized visibility into all in-use APIs, DevOps teams face the challenge of applying a uniform security approach and can’t easily monitor for misconfigurations.
API keys are particularly attractive targets for the access they can provide and lateral movement they can enable. This is exactly how hackers were able to access source code belonging to a prominent workplace messaging application. API keys are difficult to inventory, and can therefore be exploited for long after their particular use case has expired.
Other examples of high-profile breaches stemming from exploited APIs over the past year include:
- Hackers were able to access data, including birth dates and billing addresses, for about 37 million customers of a large cellular network provider
- Personal information belonging to 35 thousand customers was exposed by an online payment site
- Attackers released the account details and email addresses belonging to 235 million users of popular social media platform for free
The issue with APIs
Many of the issues plaguing API security will be familiar to those developing applications for the cloud. There is significant crossover, often having to deal with limited visibility and incomplete inventory knowledge.
Some of the most significant of these issues include:
- Neglected lifecycle management. Within many organizations, similarly to cloud instances, the provisioning and de-provisioning of APIs tends to be a decentralized process. “Shadow APIs” and “zombie APIs” are major contributors to API sprawl and undermine IT teams’ efforts to keep them secure through patch management and maintenance.
- Misconfigured access and policy control. Fundamental aspects of zero trust such as access control and policy enforcement are often ignored or misconfigured for APIs. This is often a corollary to the first challenge – security teams can’t lock down what they don’t know exists – but APIs are also often not secure by default and, in the absence of adequate lifecycle management practices, these policies are not implemented. Sound practices like rate-limiting are sometimes ignored.
- Overlooked API security. Poor API security, due to it being a shadow API instance or simple ineptitude, can have disastrous implications for organizations. By taking advantage of a single OAuth misconfiguration, security researchers were able to execute a complete account takeover, executing changes to user accounts and stealing data. Data exfiltration alone represents a significant threat to businesses and cybercriminals often take advantage of poor API security to execute it.
APIs are difficult to secure in part because traditional controls tend to leave them vulnerable. The absence of rate-limiting exposes them to DDoS attacks. Web application firewalls (WAFs) can’t address business logic vulnerabilities, which weaponize legitimate application functions in a way that benefits the adversary. Runtime application self-protection (RASP) can not detect sophisticated attacks spread across multiple apps. In many cases it is difficult to retain visibility over data shared via APIs.
Extending zero trust to APIs
An elegant feature of the zero trust framework is how uniformly applied it is to users, IoT/devices, and workloads. To secure APIs, IT teams need to know the who, what, where, and why of all API traffic. This includes company-built APIs, partner APIs, and commercially available APIs. With zero trust, no connection is ever established between a requestor and a resource without first knowing who (or what) is making the request, context surrounding the request such as location and device posture, and where the connection is ultimately headed.
This addresses a fundamental security weakness common to APIs, the lack of access controls and enforcement of security policies. Organizations committed to zero trust security must x the same process of:
- Verifying the identity and context involved in the request, including who (or what) is making the request, are its permissions appropriate, and what is the ultimate destination.
- Controlling the content and access to ensure threats are not hidden in encrypted traffic and data is not exfiltrated illicitly.
- Enforcing the policies set by the organization to determine whether a connection is ultimately safe to establish between a requestor and a resource.
Regardless of the solutions in place to secure its APIs, organizations must take a more collaborative approach to the process. Developers, security teams, CISOs, and partners must hone their focus when it comes to ensuring these useful, widely-used tools don't become an even more significant avenue of compromise. In addition to an expanded toolkit, this also requires more formalized API management, monitoring, reporting, and communication.
What to read next