The Imperative of API Security in DevOps

By: Shweta Khare

Sep 19, 2024

Consider a modern software application as a constellation of cities that dot the landscape. These cities are components such as databases, authentication services, business logic engines, and more. Requests travel between components carrying data just as citizens travel between cities carrying their belongings. The highways that connect the cities on this map are your APIs.

Cities get the most attention, often receiving the security and protection they need. If attackers want to sneak themselves or contraband goods into a city, where would they launch their attacks? On the highways entering the cities.

Because APIs act as intermediaries between major components of an application, they are prime targets for malicious actors and exploits. As the connectors enabling the integration of disparate and distributed technologies, APIs are central to your organization’s operations. Ensuring their security is a critical concern.

In this post, we'll dive deep into the world of API security, exploring the risks of neglecting it and the most common threats facing modern applications. Then, we’ll consider how DevOps teams should think about and take action on securing your APIs.

The devastating consequences of insecure APIs

When an organization’s APIs are insecure, the consequences can be far-reaching. A compromised API can lead to a cascade of impacts.

  • Data breaches: By exploiting an insecure API, a malicious attacker can access sensitive data, such as user information, payment details, and confidential business records.
  • Denial of Service (DoS) attacks: Overloading a weakly protected API with requests can exhaust system resources, making the service unavailable to legitimate users.
  • Data modification or destruction: Without proper input validation and sanitization, vulnerable APIs can lead to data corruption or the storage of incorrect data.
  • API abuse and misuse: Malicious users can mount other activities, such as data scraping or abusing business logic, by taking advantage of poorly secured APIs.

The abbreviated list above only touches on the immediate technical impact of insecure APIs. However, sensitive data exposure or system downtime is just the beginning of the story. Data breaches and system outages subsequently lead to:

  • Operational disruptions
  • Breach of customer trust
  • Tarnished business reputation
  • Legal consequences
  • Compliance violations
  • Financial losses

Many high-profile organizations have suffered attacks through their APIs. In 2016, Uber paid a large ransom to hackers who stole information about 57 million drive and rider accounts from a third-party server. In 2018, Facebook (now Meta) apologized when nearly 50 million users had sensitive information exposed by a security flaw.

IBM’s Cost of a Data Breach Report 2024 pegs the global average cost of a data breach to organizations at USD $4.88 million, a 10% increase over the year before. Gartner’s Market Guide for API Protection report, released in May 2024, notes that security incidents stemming from API breaches result in at least 10 times more leaked data than those stemming from other causes.

When an organization’s APIs are vulnerable, everyone is affected—customers, stakeholders, and partners.

Identifying and addressing API threats

The first step toward adequately securing your APIs is to gain a strong understanding of the most common threats. The OWASP Top 10 API Security Risks (2023) details the most common vulnerabilities present in APIs today.

Drilling down into each item on the list is outside of the scope of this post, and OWASP already does a good job of detailing each vulnerability, along with its impacts and prevention measures. However, let’s highlight one vulnerability from the list to illustrate the potential consequences of not securing your APIs against it.

An example from the OWASP Top 10: Broken Authentication

API2:2023 - Broken Authentication occurs when certain mechanisms surrounding API authentication are flawed or inadequately secure. For example:

  • Are there protections in place to prevent an attacker from trying to brute force access with an extensive list of common usernames and passwords?
  • Are authentication tokens (such as JSON Web Tokens) properly validated for authenticity?
  • Does the API allow for unsigned or weakly signed JSON Web Tokens?
  • When users change their email address or current password, are they required to provide password confirmation?

When authentication measures for an API are broken, unauthorized users will gain access. Malicious users with access to your APIs can wreak havoc on your systems, accessing sensitive data, disrupting services, and moving laterally through your network to other components in your application.

Prevention measures for broken authentication include enforcing rate limiting and lockout protections, implementing multi-factor authentication, and following industry-accepted standards for common processes like authentication, token generation, and password storage.

Common Attack Vectors for APIs

Familiarity with the most common API vulnerabilities should be coupled with an understanding of how attackers think and operate. What are the most common attack vectors they use to exploit your APIs?

Injection attacks can be mounted whenever user input is submitted (such as in a web form). Under the hood, submitting a web form often initiates an API request with the user’s input data as the request payload. A malicious actor may inject some code or SQL into their form inputs, hoping the underlying API will process the inputs without any validation or sanitization. This could result in the execution of malicious code. 

Denial of Service Attacks (DoS) are attacks that attempt to consume significant resources on the API service, typically to the point of rendering the API unavailable to legitimate users. While system downtime is the common result, data loss is also a possible separate outcome.

Brute force attacks are automated, repeated requests to APIs to cycle through a list of parameters or potential credentials in hopes of stumbling upon a means of gaining unauthorized access (such as guessing a username and password combination).

Data scraping uses authenticated API access to slowly scrape (extract) data from an organization’s systems. When API activity is not monitored for anomalies such as this, malicious attackers can steadily and stealthily siphon off massive amounts of data.

Core principles guiding API security

Turning our focus away from consequences and threats, let’s consider how DevOps teams should approach this critical concern of API security. Naturally, principle should precede practice. Therefore, a robust API security program should be grounded in the following key principles:

Adopt shift-left security for API development

Security practices should be integrated into the early phases of API development. This way, developers can identify and address potential vulnerabilities before they become serious issues. With shift-left security, fewer security flaws will find their way to production.

Enforce the principle of least privilege in API access

API access permissions—both to human users and machine services—should be restricted to the minimum necessary. Each component or user should have only the permissions they need to perform their task. The principle of least privilege reduces the potential attack surface of your APIs.

Verify and validate all dependencies

External components and software dependencies must be trusted, secure, and compliant. Otherwise, integrating them can make your APIs vulnerable. Ultimately, this concept of dependency validation is tied to software supply chain security and the use of Software Bill of Materials (SBOMs) in conjunction with Common Vulnerabilities and Exposures (CVE) databases.

Automate consistent enforcement of security policies

When API security checks are automated, then you can be confident that any change in the API code will trigger a suite of tests and checks to ensure the new version of the API is secure. By codifying your security policies with security-as-code (SaC), you also improve the consistency of security implementations and enable a rapid response to emerging threats.

Continuously assess the security state of your APIs

Security is never “one and done.” New threats are continuously emerging. Your application, along with all the APIs that connect its various components, is continuously evolving. As the environment is ever-changing, continuous vulnerability scanning is essential for maintaining the security of your APIs. It provides ongoing assurance that your APIs remain secure throughout their lifecycle.

Effective tools and methods for API security

Focused on the right principles for API security, a DevOp team can build its API security strategy and begin to think concretely about tools and methods to implement that strategy. The following list of tools and methods can serve as a helpful launching-off point:

  • API discovery and inventory management: This involves determining all of the APIs—both external and internal—used in your organization. This process also helps to bring shadow APIs and zombie APIs into the light. Remember: If you don’t know it exists, you can’t secure it.
  • Static application security testing (SAST) and dynamic application security testing (DAST): Ultimately, APIs are software applications. The same code scanning and security tools used for applications can be used for APIs. SAST tools analyze source code for vulnerabilities, while DAST assesses the application during runtime.
  • Continuous monitoring tools detect API threats in real time. Monitoring API traffic and behavior can lead to anomaly detection and swift threat response.
  • OpenAPI specification analysis ensures that an API implementation adheres to the defined spec. This reduces the risk of inconsistencies and vulnerabilities.
  • Drift analysis solutions identify changes in API behavior that either indicate a security risk or a departure from the original spec.
  • API scoring and risk assessment tools can prioritize vulnerabilities based on a combination of exploitability and potential impact. This prioritization enables an organization to focus on the most critical threats first.
  • Fuzz testing subjects APIs to random inputs, simulating real-world attack scenarios in order to uncover potentially unanticipated vulnerabilities.
  • Modern APIs depend on third-party libraries, many of which are open source. Using SBOMs to facilitate dependency scanning helps ensure the security of your software supply chain.

Embracing automated API security

Today’s interconnected application environments make API security an absolute necessity. The consequences of insecure APIs are too grave to ignore. However, the common vulnerabilities and attack vectors are no secret; they’re clear. As long as DevOps teams focus on key principles for API security, they can employ the right strategies and tools to protect their APIs from cyber threats.

Because modern software applications are complex, the APIs that connect their components can also be complex. A traditional security approach that depends on manual, human intervention is insufficient for addressing the needs of today’s APIs. Automated security is vital.

Automated API security tools can ensure the consistent enforcement of security policies, provide real-time threat detection, and enable a rapid response to threats. By integrating automation into your API security strategy, you enhance your ability to protect your applications without slowing down development.

Panoptica is an all-in-one cloud-native application protection platform (CNAPP) from Outshift by Cisco. Among its suite of tools for cloud-native application protection are built-in API security tools to handle:

  • API discovery and inventory
  • Spec analysis and risk scoring
  • Data protection measures to reduce the risk of data breaches and ensure compliance
  • Continuous monitoring and threat detection

Learn more about Panoptica by scheduling a live demo or signing up to use it today.

 

Panoptica blog

Becca Gomby

Friday, Oct 4th, 2024

Becca Gomby

Friday, Sep 27th, 2024

Shweta Khare

Wednesday, Sep 11th, 2024

Gui Alvarenga

Wednesday, Jul 31st, 2024

Popup Image