
Guard against API risk: even a perfect API can be abused


By Ron Burrows. Published 2 years ago. 6 min read.

In API (application programming interface) security, "attack" and "vulnerability" are everyday words, and the threat to APIs is now growing explosively.

Akamai statistics show that up to 75 per cent of credential-stuffing attacks against the financial services industry target APIs directly. A report from Salt Security found that API attack traffic to its customers grew 681% over the past year, while overall API traffic grew 321%. Compared with traditional web applications, attacking an API costs less and pays more. Gartner has also predicted that by 2022 APIs will be the most frequent online attack vector.

In fact, even organizations with very mature API programs face this pressure. To a large extent, the industry's existing API security frameworks and guidelines do not solve the problem well. For example, API authentication and authorization mechanisms are now relatively mature, but access control after the caller has been authorized, that is, checking what an authenticated caller may actually do to a given object or function, remains weak.

Not all API attacks exploit vulnerabilities

Traditional application security vulnerabilities, such as those itemized in the OWASP API Security Top 10, are defined as flaws in the implementation, deployment or configuration of an API. The software development life cycle (SDLC) has focused heavily on scanning code and running dynamic analysis to catch API vulnerabilities early.

Common attacks exploit vulnerabilities, but even a well-designed API can be abused by an attacker who holds legitimate credentials.

APIs are designed to expose core business logic and sensitive data to external callers. Many successful attacks evade API security controls by hiding inside legitimately authenticated and authorized traffic, which is a major reason why API attacks are hard to detect.

Today, API abuse is the riskiest class of attack, and the harm it causes goes well beyond vulnerability exploitation. API abuse may include:

The problem of API abuse should make API developers and product managers reflect on why these API features were taken down paths their designers never intended and turned against the business by attackers.

How big is the problem of API abuse?

API abuse is a serious problem. Some companies assume that because their APIs have been assessed for vulnerabilities they are secure, but that view is one-sided. Others assume that deploying an API gateway or a WAF protects their APIs. Yet even an API written "flawlessly" can be abused in unexpected ways to expose the enterprise's core business functions and data.

Overall, the risks APIs face include credential stuffing, unauthorized access, data tampering, unauthorized scraping, data leakage and many others.

The Facebook data breach that shocked the world in 2018 reflects flaws in API security in both technical and management terms. In that case, Cambridge Analytica (CA) collected a large amount of data about at least 87 million users through Facebook's open API: a third-party quiz application was allowed to collect all kinds of personal information about the people who took the quiz.

The incident did not involve exploiting a programming vulnerability in Facebook's API infrastructure, yet it ended in abuse of the API.

The impact on the enterprise

As enterprises increasingly expose their valuable digital assets to partners and users through APIs, the incidence of API abuse is rising sharply. The online transactions, financial applications and services we use every day all rely on APIs. Every API that is built is a window into the enterprise's business, and every one of them can potentially be abused.

Beyond the risk to user privacy, API abuse can have a devastating impact on the business itself. Almost every industry is exposed in similar ways, because most daily B2C and B2B activity is now conducted online through APIs.

Dealing with the problem of API abuse

Existing best practices and resources, such as the OWASP API Security Top 10, give security professionals a roadmap. But companies should treat eliminating vulnerabilities in the API infrastructure as the starting point, not the only point, let alone the end point. Establishing a security strategy that prevents API abuse is what wins at API security.

1. Start from the nature of API attacks

In other areas of security, there are two different types of frameworks:

In API security, the OWASP API Security Top 10 provides a starting point. More work is needed to break each broad vulnerability category in the list into the sub-areas an API team actually focuses on. Still, the OWASP API Security Top 10 is an excellent blueprint for proactively addressing vulnerabilities in the API infrastructure.


The OWASP API Security Top 10 (2019) is:

API1:2019 Broken Object Level Authorization
API2:2019 Broken User Authentication
API3:2019 Excessive Data Exposure
API4:2019 Lack of Resources & Rate Limiting
API5:2019 Broken Function Level Authorization
API6:2019 Mass Assignment
API7:2019 Security Misconfiguration
API8:2019 Injection
API9:2019 Improper Assets Management
API10:2019 Insufficient Logging & Monitoring
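To make concrete the point made earlier about authorization being weak after authentication, and API1 in the list above, here is an added example that is not code from the article: a minimal object lookup in its vulnerable and hardened forms, plus the enumeration an abuser holding one valid account would run against it. The Session and Invoice types, the invoice table and the handler names are constructed for illustration.

```python
"""
Broken Object Level Authorization (OWASP API1:2019): an authenticated
caller reading objects that belong to someone else.

Added example, not code from the article. The Session and Invoice types,
the invoice table and the handler names are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    user_id: str  # set by the authentication layer, assumed trustworthy here


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: str
    amount_cents: int


# Constructed sample data. Sequential ids make guessing trivial.
INVOICES = {
    1001: Invoice(1001, "alice", 12_000),
    1002: Invoice(1002, "bob", 4_500),
    1003: Invoice(1003, "carol", 99_900),
    1004: Invoice(1004, "alice", 300),
}


class NotFound(Exception):
    pass


def get_invoice_vulnerable(session: Session, invoice_id: int) -> Invoice:
    """Authentication is enforced (a Session is required) but ownership is
    never checked, so any logged-in user can read any invoice by id."""
    if session is None:
        raise PermissionError("unauthenticated")
    inv = INVOICES.get(invoice_id)
    if inv is None:
        raise NotFound(invoice_id)
    return inv


def get_invoice(session: Session, invoice_id: int) -> Invoice:
    """Hardened: the lookup is scoped to the caller's own objects. A foreign
    id is reported as NotFound rather than Forbidden, so the response does
    not even confirm that the id exists."""
    if session is None:
        raise PermissionError("unauthenticated")
    inv = INVOICES.get(invoice_id)
    if inv is None or inv.owner_id != session.user_id:
        raise NotFound(invoice_id)
    return inv


def enumerate_invoices(handler, session: Session, start: int, stop: int) -> list:
    """What an abuser with one valid account does: walk the id space with
    legitimate credentials and keep every id that returns an object.
    Every request is authenticated and every hit is a normal success."""
    found = []
    for invoice_id in range(start, stop):
        try:
            handler(session, invoice_id)
            found.append(invoice_id)
        except NotFound:
            pass
    return found


if __name__ == "__main__":
    bob = Session("bob")
    print("vulnerable handler leaks:", enumerate_invoices(get_invoice_vulnerable, bob, 1000, 1010))
    print("hardened handler returns: ", enumerate_invoices(get_invoice, bob, 1000, 1010))
```

The enumeration loop never trips authentication: bob's session is valid on every call. Only the ownership check in the hardened handler, the access-control step that comes after authorization, shrinks what he can reach from every invoice to his own.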

2. Greatly increase the amount of API data analyzed

Much early API security work focused on monitoring a single API call or, at best, short-lived session activity. That is no longer enough. Evaluating one request or one session cannot tell normal use from abuse, because it lacks context. Many legitimate business processes unfold over minutes, hours or even days, and so do many attacks. API monitoring and analysis must therefore be improved to analyze data sets that span these extended periods.

Blind spots are another Achilles' heel of API security. API monitoring and analysis should not be limited to the applications the security team knows about; it must also cover the APIs nobody is watching, the so-called shadow APIs, so that attackers cannot slip in through them.

Cloud computing is an effective and key enabler for addressing these shortcomings. The cloud provides scalable storage for collecting detailed data from the broadest range of sources, including API gateways, network devices, microservice orchestration platforms and cloud providers, together with the computing power needed to run modern behavioral analysis and AI over those data sets. Of course, cloud-hosted APIs deserve the same scrutiny, and their own security issues should not be ignored.

3. Build security tooling with AI

Thinking about security from the attacker's perspective is a very effective way to find and fix weak points in protection, but it is often hard to put into practice. Attackers bring a great deal of human ingenuity and automation to their campaigns, API attacks and abuse included. What companies can do is bring more resources and creativity to identifying, detecting and mitigating API threats.

AI is the key. Even security experts can never predict exactly which API attack an adversary will choose. However, enterprises can establish baselines for normal API use and activity, then use AI to understand the entities that call the API and monitor whether their behavior stays within those baselines. After all, traditional application security methods were not built to check for API abuse.
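The three points above, abuse hiding in authorized traffic, analysis over extended periods rather than single requests, and a per-caller baseline of normal behavior, can be shown together in one small detector. This is an added example, not code from the article or from any vendor: the gateway log format, the two principals, the constructed log and the thresholds are assumptions, and the baseline is a plain per-principal statistic standing in for the behavioral analytics the article has in mind.

```python
"""
Long-window behavioural analysis of authenticated API traffic.

Added example, not code from the article. The gateway log format, the
principals, the constructed log and the thresholds are assumptions made for
illustration; the baseline is a simple per-principal statistic standing in
for the behavioural analytics the article mentions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LINE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) status=(?P<status>\d{3}) "
                  r"(?P<method>[A-Z]+) (?P<path>\S+)$")
OBJECT = re.compile(r"^/v1/invoices/(\d+)$")
BASELINE_END = datetime(2024, 3, 2, tzinfo=timezone.utc)  # day 1 is baseline, day 2 is detection


def parse_line(line):
    """Parse one constructed gateway log line; returns None if it does not match."""
    m = LINE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
    e["status"] = int(e["status"])
    obj = OBJECT.match(e["path"])
    e["object"] = obj.group(1) if obj else None
    return e


def constructed_log():
    """Constructed sample: two days of traffic. On both days alice and bob read
    their own two invoices every business hour. On the evening of day 2 bob's
    valid token also walks 120 sequential invoice ids, one every two minutes:
    every call succeeds and the per-minute rate is unremarkable."""
    t0 = datetime(2024, 3, 1, tzinfo=timezone.utc)
    lines = []
    for day in range(2):
        for hour in range(9, 17):
            for user, own in (("alice", (1001, 1004)), ("bob", (1002, 1007))):
                for i, inv in enumerate(own):
                    ts = t0 + timedelta(days=day, hours=hour, minutes=5 * i)
                    lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} user={user} status=200 GET /v1/invoices/{inv}")
    start = t0 + timedelta(days=1, hours=20)
    for i in range(120):
        ts = start + timedelta(minutes=2 * i)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} user=bob status=200 GET /v1/invoices/{2000 + i}")
    return lines


def per_request_alerts(events):
    """The single-request view: only failures stand out. With valid credentials
    every abusive call is a 200, so this finds nothing."""
    return [e for e in events if e["status"] >= 400]


def distinct_objects_per_window(events, window):
    """Map (user, window start as epoch seconds) -> set of object ids touched."""
    secs = int(window.total_seconds())
    buckets = defaultdict(set)
    for e in events:
        if e["object"] is not None:
            buckets[(e["user"], int(e["ts"].timestamp()) // secs * secs)].add(e["object"])
    return buckets


def long_window_alerts(events, baseline_end, window=timedelta(hours=4), factor=5):
    """Baseline each principal on the most distinct objects it touched in any
    single window before baseline_end, then flag any later window in which it
    touched more than factor times that many. Returns (user, window start, count)."""
    buckets = distinct_objects_per_window(events, window)
    baseline = defaultdict(int)
    for (user, start), objs in buckets.items():
        if datetime.fromtimestamp(start, timezone.utc) < baseline_end:
            baseline[user] = max(baseline[user], len(objs))
    alerts = []
    for (user, start), objs in sorted(buckets.items()):
        begin = datetime.fromtimestamp(start, timezone.utc)
        if begin >= baseline_end and len(objs) > factor * max(baseline[user], 1):
            alerts.append((user, begin, len(objs)))
    return alerts


def demo():
    """Run both views over the constructed log; returns (per-request alerts, long-window alerts)."""
    events = [e for e in map(parse_line, constructed_log()) if e]
    return per_request_alerts(events), long_window_alerts(events, BASELINE_END)


if __name__ == "__main__":
    single, wide = demo()
    print("per-request alerts:", len(single))
    for user, begin, n in wide:
        print(f"long-window alert: {user} touched {n} distinct objects from {begin:%Y-%m-%d %H:%M} UTC")
```

Nothing in the enumeration fails, and half a request a minute would not trouble a rate limiter, so the per-request view stays silent. Widening the window to four hours and comparing each principal against its own history is what surfaces bob's token touching 120 objects where it normally touches two. In production the baseline would come from far more history and features than one count, and shadow APIs have to be in the log feed at all for any of this to see them.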

    © 2024 Creatd, Inc. All Rights Reserved.