Utilizing public cloud APIs can be a boon for developers and businesses alike. Integrating with a strong API ecosystem can boost the value of a particular service or application by enhancing it with additional features and giving it access to even more. Cloud computing increases the collective benefit of APIs exponentially by providing unmatched connectivity, collaboration, and customization.
That very connectedness could prove fatal, however, if exploited for malicious aims. Here are a few of the security ‘worst practices’ that can put an API at risk and endanger the whole ecosystem.
1. Exposing the inner workings of an API
Much of how an API functions is available in the public documentation. However, much isn’t. What is deliberately kept back is the specific inner workings of how the API retrieves information on the back end, what it uses to authenticate, the API syntax and endpoints, and business logic. In the wrong hands, that information could prove the foundation for an attack.
Unwarranted exposure also includes visibility into the coding of an API machine, which itself could be costly and inform a threat actor’s next exploit. One way this can occur is error messages that are programmed unwisely; many can inadvertently share information about an APIs architecture.
2. Weak access controls
API applications serve as the gateways to protected information. That is why APIs must properly validate all users requesting access. If they don’t, a malicious actor could obtain data that should have been protected.
This comes into play in linear requests and when the API call is routed through an integrated service, like a payment app. While the payment app should ideally maintain all user credentials within itself, shoddy access controls can lead to some of that app-sensitive consumer data leaking out to the integrated service.
3. Too much OS software use
Open-source software is a major lift to developers looking to save time and resources coding. A component-based approach to software development has become a major way in which services are created today, allowing organizations to leverage well-made, easily available software snippets into their code without having to start from scratch or have the same expertise. However, pulling OS components directly from public repositories (like Docker or GitHub) only means they’re available – it doesn’t mean they’re safe.
These OS parts could be laden with malicious scripts, malware, or the ever-popular cryptomining code, making them a vehicle for supply chain attacks. Using open-source components is worth the cost-savings only if they are vetted first for vulnerabilities and brought up to the same security standards as the rest of the organization.
4. Weak encryption
There are two ways in which an improperly secured API can expose sensitive data. APIs are connected directly to databases, which house data at rest. If that data is not secured with AES 256 or Triple DES, it will be susceptible to attacks that can breach weaker forms of encryption – or no encryption at all.
The same goes for data in transit. When an HTTP request is made, the API will retrieve the information from the database and send it to the destination service. If not protected with proper encryption protocols, that data can be at risk while travelling; not all pathways are secure, and some APIs don’t even adhere to industry security standards such as HIPAA, PCI DSS, and SOX. Man-in-the-middle attacks and malware can reach data during that time; SSL and the and the latest version of TLS (version 1.3) are needed to lock down external malicious access.
5. Rushing time-to-market
In the fast-paced world of tech releases, speed and security often play competing roles. APIs, like any other technology, can be rushed out the door to meet release deadlines before security features have been fully developed, vetted, and hardened. This can cause problems down the road both for users and the company rolling out the API.
In the long term, highly secure APIs gain a reputation of their own and can be more commercially viable. However, in the rush to be the ‘first to market’ in a particular area, organizations will often rush developers to push out massive amounts of coding at a pace not conducive to full security scrutiny. As a result, APIs hit the market that are insecure and expose both parties to an unnecessary amount of risk. Both the API creator and the business integrating with the API should do their due diligence when it comes to making sure the API passes industry and organizational standards for security; proper configuration and access controls, OS code scrutiny, and up-to-date encryption.
The Importance of Securing APIs in Cloud Computing
API security cannot be understated, especially when the risks are understood. According to research by API security firm Salt, “The end of last year saw a major spike, with 4,845 attackers operating in December alone — a 400% increase from just a few months prior.” The research indicated that nearly half of all surveyed organizations are talking about API security at an executive level, and that at this point, most API security strategies still remain immature.
As Forrester analyst Sandy Carielli states, "As organizations are securing their web applications, they can't forget about their APIs. Security pros must specifically build in API security and not assume that it's rolled into their existing web application protections."
Top comments (0)