APIs: The "New" Security Attack Vector?

January 17, 2019
Garrett Bekker
451 Research

As the app economy has grown, so too has the reliance on APIs. APIs provide an opportunity for enterprises in various industries, including financial services, to engage more deeply with customers as part of an overall effort to build and retain customer loyalty. Not surprisingly, APIs have become nearly ubiquitous, but despite their benefits, they also provide direct access to a potential treasure trove of valuable data—which makes them an increasingly popular and highly critical attack vector.


As lifestyle, personal finance and budgeting apps become more tightly woven together by APIs, assuring the security of those integrations and protecting the resources at the backend of each API will become critical. Yet few security vendors—let alone identity and access management (IAM) vendors—have completely addressed the security threat that APIs pose.

Common API Security Challenges
One of the main problems with respect to API security is a lack of visibility. As is also the case with sensitive data, databases, network assets or SaaS applications, many organizations simply don’t know what APIs they have, what versions they are running, what traffic is flowing across them, or who is connecting to them. “API sprawl” is a growing problem; according to a recent study by One Poll, the average enterprise is managing 363 APIs, and over two-thirds of organizations expose their APIs publicly.

Other potential problems with API security include verifying that the data that is being accessed by an API is permitted by policy, and verifying that the user or entity behind the API is who you think it is. Another problem stems from bots and DDoS attacks on APIs.

API Breaches On the Rise
Not surprisingly, breaches that directly involve APIs are on the rise. McDonald’s, for example, had an API that exposed the personal data of users of its mobile delivery app, including names, email addresses, phone numbers, home addresses and social media links. Panera Bread, [24]7.ai, T-Mobile, Instagram, Salesforce, the IRS, Facebook, Twitter, Buffer and Snapchat are all examples of organizations that have experienced breaches directly related to insecure APIs.

Protecting APIs
So how do we go about protecting our APIs?

Historically, common ways to protect APIs include WAF-based approaches that look for common attack types such as cross-site scripting. API gateways are also commonly used, with their rate-limiting features frequently relied on as a means to guard against DDoS attacks. However, such approaches are often of little help with “low and slow” attacks, which stay below the thresholds that rate limiting enforces and so fly under its radar.


Further, attacks that rely on credential stuffing or on stolen tokens or cookies can be harder to detect, since each request can appear to come from a normal user. This is where an identity- and analytics-based approach to securing APIs can help: it establishes a baseline of normal API behavior and then looks for deviations from that baseline that could indicate an attack other methods would miss. AI and machine learning, particularly unsupervised machine learning, can be extremely helpful in understanding API activity, flagging anomalous behavior and detecting attacks without human-written policies or signatures.
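To make the contrast concrete, here is an added illustration (not from the original article or from any vendor product) that runs a gateway-style rate-limit check and a simple baseline-deviation check over a constructed API access log. The log format, the client names and the thresholds are assumptions for the example; the point is that a client spreading failed logins across many usernames at two requests per minute never trips a 10-per-minute limit, but stands out sharply against the population baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed sample log, one line per request: "<ISO time> <client_id> <username> <status>".
# Clients app-1..app-3 behave normally: each uses its own single account, a few 401s.
# Client app-9 sends one login every 30 s (2/min, well under a 10/min limit) but
# presents a different username each time and always fails: a "low and slow" pattern.
def _build_sample_log():
    base = datetime(2019, 1, 17, 9, 0, 0)
    lines = []
    for c in range(1, 4):
        for i in range(40):
            status = 401 if i % 20 == 0 else 200
            lines.append(f"{(base + timedelta(seconds=15 * i)).isoformat()} app-{c} user{c} {status}")
    for i in range(20):
        lines.append(f"{(base + timedelta(seconds=30 * i)).isoformat()} app-9 victim{i} 401")
    return lines

SAMPLE_LOG = _build_sample_log()

def parse(lines):
    """Turn log lines into (timestamp, client, username, status) tuples."""
    out = []
    for ln in lines:
        ts, client, user, status = ln.split()
        out.append((datetime.fromisoformat(ts), client, user, int(status)))
    return out

def rate_limited_clients(events, limit=10, window=timedelta(minutes=1)):
    """Gateway-style check: clients exceeding `limit` requests in any sliding window."""
    flagged, recent = set(), defaultdict(list)
    for ts, client, _, _ in sorted(events):
        q = recent[client]
        q.append(ts)
        while ts - q[0] >= window:      # drop timestamps that fell out of the window
            q.pop(0)
        if len(q) > limit:
            flagged.add(client)
    return flagged

def baseline_outliers(events, factor=5.0):
    """Analytics-style check: per-client distinct usernames and failure ratio,
    each compared against the population median, which serves as the baseline."""
    users, fails, total = defaultdict(set), defaultdict(int), defaultdict(int)
    for _, client, user, status in events:
        users[client].add(user)
        total[client] += 1
        fails[client] += status == 401
    med_users = median(len(u) for u in users.values())
    med_fail = max(median(fails[c] / total[c] for c in total), 0.01)  # floor avoids 0 baseline
    return {c for c in total
            if len(users[c]) > factor * med_users or fails[c] / total[c] > factor * med_fail}
```

Against the sample log the rate limiter flags nobody, while the baseline check flags only app-9.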


Identity-based approaches can also help verify that the person or system attempting to access an API is who they say they are. Indeed, the recent PSD2 requirements passed by the European Commission call for strong authentication of users before granting access to APIs, specifically defined as having at least two factors. This is a good thing, since a surprisingly low percentage of consumer-facing web sites actually offer a variety of two-factor authentication options, according to twofactorauth.org.

In addition to verifying that the user or system is who they claim to be, an API security system should also help determine what that user is permitted to access under policy, which is essentially a governance function, and provide some mechanism for enforcing that policy.

And as we noted earlier, one of the main problems with respect to API security is a lack of visibility; thus the ability to perform automated API discovery and provide deep visibility into the traffic across each API should be a core capability of any API security offering.

Lastly, “API deception” technology can also be useful, by profiling attackers in the deception environment without allowing them to interact with production APIs.