API security, are you prepared?
Matthieu Millot, Network & security expert
The use of APIs has evolved in recent years, especially with the advent of smartphone applications and the automation of processes that involve multiple applications. These new uses bring new vulnerabilities, which are listed in the OWASP API Security Top 10.
With this in mind, Gartner predicts that by 2022, application programming interface (API) attacks will become the most common attack vector.
APIs are a critical part of digital transformation and enterprise activities
According to Akamai, API traffic accounts for more than 80% of web transactions on the Internet. All modern enterprise pipelines rely on APIs to connect and talk to each other (REST API, gRPC and more recently GraphQL).
The context of digital transformation, with DevOps organisations and microservices, generally leads to a phenomenon of shadow applications: applications put online without the approval of the CISO and the IT department, for legitimate but risky business purposes. APIs are no exception to this phenomenon, and it is difficult to know all the APIs in your company.
We can define 3 types of API usage:
- Open APIs: these are interfaces that are publicly distributed on the web. They allow interaction with the public application.
- Semi-Open APIs: these are open to a limited number of partners.
- Closed APIs: these are intended for internal use by the company.
These three kinds of use entail very different security constraints.
API gateways and API management solutions are essential for structuring an API-first approach
The business processes in place in organisations generally use a set of different applications to function. The digital transformation of a company requires the automation of its business processes to improve their reliability and efficiency. This automation requires the interconnection of different tools and therefore the use of APIs.
For API security, we distinguish 2 types of solutions:
- API Gateways: gateways sit in front of (upstream of) the APIs to be secured. Their function is to control access to the APIs (notably authentication) and to control traffic (rate limiting, IP address filtering).
- API management: these platforms manage and monitor the operations related to APIs. They generally include a service portal for developers and application managers. They do not interact directly with the traffic destined for the API but with the API itself: they allow APIs to be versioned and published to production, they analyse API definitions and schemas to check that they comply with best practice and the company's policy (for example, flagging an API that exposes a database's user records), and they enable comprehensive documentation of the API.
APIs are linked to specific security issues
When we carry out an inventory of the APIs that exist in a company, the result is most of the time very different from the inventory the company already has. Without a dedicated tool that also finds "shadow" or "zombie" APIs, the ability to identify all the APIs present in the environments is quite low.
Development teams are under increased pressure to deliver new versions faster and meet business needs. They are thus tempted to free themselves from certain security-related processes.
Indeed, APIs are deployed in multiple environments, in public clouds or datacenters, and silos exist between the teams responsible for them.
As part of its engagements and platform deployments, Noname Security typically finds that around 30% of APIs are "unknown": implemented outside standard processes, not routed through the organisation's API gateways, or obsolete but never decommissioned.
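One way to surface the "shadow" and "zombie" routes described above is to reconcile the declared inventory against what the gateway or load balancer actually sees. This is an added example, not Nomios or Noname Security code; the inventory, the log lines and the log format (method, path, upstream) are all constructed assumptions.

```python
"""Reconcile a declared API inventory against observed traffic.

Added example, not Nomios or Noname Security code. The inventory and the
access log lines below are constructed for illustration; the gateway log
format (method, path, upstream) is an assumption.
"""
import re
from collections import defaultdict

# Constructed: routes the organisation believes it exposes, as (method, path template).
DECLARED = {
    ("GET", "/v2/users/{id}"),
    ("POST", "/v2/orders"),
    ("GET", "/v1/users/{id}"),   # documented, but the team says v1 was retired
}

# Constructed gateway log lines: method, path, upstream target.
LOG = """\
GET /v2/users/42 upstream=users-svc
POST /v2/orders upstream=orders-svc
GET /v2/users/7 upstream=users-svc
GET /internal/debug/users/export upstream=users-svc
DELETE /v2/orders/9 upstream=orders-svc
"""

LINE_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<path>\S+) upstream=(?P<up>\S+)$")

def template(path: str) -> str:
    """Collapse numeric path segments into {id} so observed paths match the inventory."""
    return "/".join("{id}" if seg.isdigit() else seg for seg in path.split("/"))

def reconcile(declared, log_text):
    """Return (shadow, zombie).

    shadow: observed routes absent from the inventory, with call counts.
    zombie candidates: declared routes with no traffic in the window, which
    may be obsolete but still deployed and therefore still exposed.
    """
    seen = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the audit
        seen[(m["method"], template(m["path"]))] += 1
    shadow = {route: n for route, n in seen.items() if route not in declared}
    zombie = {route for route in declared if route not in seen}
    return shadow, zombie

if __name__ == "__main__":
    shadow, zombie = reconcile(DECLARED, LOG)
    for route, n in sorted(shadow.items()):
        print(f"SHADOW  {route[0]} {route[1]} ({n} calls)")
    for route in sorted(zombie):
        print(f"ZOMBIE? {route[0]} {route[1]} (declared, never called)")
```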
Traditional security solutions, such as API gateways and WAFs, provide the security features discussed above, but their analysis is limited by their lack of understanding of the context and logic of transactions. A WAF typically inspects each message on its own and does not necessarily link a request to its response. In addition, these solutions obviously cannot cover the APIs whose traffic does not pass through them.
Organisations need to address the API security issue in a comprehensive way
According to Noname Security, there are three strategic elements that need to be considered in this context:
1. API security posture assessment
A complete inventory of the organisation's APIs; tracing, identification and tracking of exposed data; routing and exposure analysis; and identification of misconfigurations at the level of each component in the chain.
2. Detection and response
Building and using behavioural models to perform run-time threat analysis, with alerting and remediation capabilities.
3. Continuous active testing
APIs need to be part of a shift-left approach to DevOps, in which companies proactively test new APIs and releases in an automated way before they are released to production.
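The request/response correlation that a single-message WAF lacks, and the "exposed data" tracking of the posture assessment above, can be illustrated by pairing each request with its response before judging it. This is an added example, not Nomios or Noname Security code; the JSON event format, the field names and the sensitive-field list are constructed assumptions.

```python
"""Pair API requests with their responses and flag data exposure.

Added example, not Nomios or Noname Security code. It shows what a message-
by-message WAF cannot see: whether a successful response returned sensitive
fields, or a record belonging to someone other than the caller. The event
format, field names and SENSITIVE list are assumptions.
"""
import json

SENSITIVE = {"password_hash", "ssn", "card_number"}

# Constructed: one JSON event per message; "id" ties a response to its request.
EVENTS = [
    '{"id":"r1","kind":"req","method":"GET","path":"/v2/users/42","subject":"42"}',
    '{"id":"r1","kind":"resp","status":200,"body":{"user_id":42,"email":"a@example.com"}}',
    '{"id":"r2","kind":"req","method":"GET","path":"/v2/users/7","subject":"42"}',
    '{"id":"r2","kind":"resp","status":200,"body":{"user_id":7,"email":"b@example.com","password_hash":"x"}}',
    '{"id":"r3","kind":"req","method":"GET","path":"/v2/users/42","subject":"42"}',
    '{"id":"r3","kind":"resp","status":403,"body":{}}',
]

def pair_events(lines):
    """Group request and response messages by request id."""
    pairs = {}
    for line in lines:
        ev = json.loads(line)
        pairs.setdefault(ev["id"], {})[ev["kind"]] = ev
    return pairs

def findings(lines):
    """Return (request_id, reason) tuples for exchanges that look like data exposure."""
    out = []
    for rid, ex in pair_events(lines).items():
        req, resp = ex.get("req"), ex.get("resp")
        if not req or not resp or resp["status"] != 200:
            continue  # unpaired or unsuccessful exchanges returned no data
        body = resp.get("body", {})
        leaked = SENSITIVE & set(body)
        if leaked:
            out.append((rid, f"sensitive fields in response: {sorted(leaked)}"))
        # Object-level check: the authenticated subject received another user's record.
        owner = str(body.get("user_id", ""))
        if req["path"].startswith("/v2/users/") and owner and owner != req["subject"]:
            out.append((rid, f"subject {req['subject']} read user {owner}"))
    return out

if __name__ == "__main__":
    for rid, reason in findings(EVENTS):
        print(f"{rid}: {reason}")
```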
API security for your organisation
It is important to understand the singular issues associated with securing APIs and to have a strategy and the right tools to address them, including process automation and continuous active testing.
Nomios provides comprehensive API security solutions, including API management, high-performance API gateways and advanced security controls, which together create operational efficiencies. Regardless of your architecture, we have the right solution to deliver the speed and security that your applications require.