As Federal agencies seek to incorporate an application programming interface (API) strategy into their IT modernization initiatives, a word of caution: make sure you have API-specific security integrated into your IT infrastructure.

An API is a set of routines, protocols, and tools for building software applications. APIs serve as bridges between legacy systems and modern application platforms, such as the cloud. APIs can expose data in a way that protects the integrity of legacy systems, enabling secure and governed access to the underlying data, according to some observers. But is the API itself secure?

In 2017, the Open Web Application Security Project (OWASP) listed “under-protected APIs” in its Top Ten Most Critical Web Application Security Risks. OWASP is an open community dedicated to enabling organizations to develop, purchase, and maintain applications and APIs that can be trusted.

“Modern applications often involve rich client applications and APIs, such as JavaScript in the browser and mobile apps, that connect to an API of some kind (SOAP/XML, REST/JSON, RPC, GWT, etc.). These APIs are often unprotected and contain numerous vulnerabilities,” according to the OWASP report.

“APIs have transformed the IT landscape. Modernization and DevOps all feed into the concept of an API strategy, which is a means to more easily communicate and modernize systems,” said Jason Macy, chief technology officer of Forum Systems, developer of the Forum API Security Gateway.

There is a huge difference between API management–managing, versioning, metering, and other lifecycle capabilities–and securing APIs, Macy noted.

“APIs are unique in the characteristics of what they require from a security perspective,” Macy said. Most IT departments don’t really understand APIs and think that if there are network firewalls, web application firewalls, and intrusion detection systems in place, their APIs are secure, he explained. But none of that technology does anything for APIs because they are basically encoded or encrypted communications between systems. Consequently, most of the security infrastructure does not see the threats levied against them, much less the vulnerabilities they bring to the network.

“So, it passes through all of the infrastructure undetected into your API layer. And that is where you turn on the rules and capabilities, which is effectively API security,” he said.

Some observers think API security is all about access control, but that is only one piece of the puzzle. “Knowing who your user is, is important,” Macy said. “But cybersecurity teams would want to know what information is coming in and being taken out of the API, because APIs are bidirectional.”

API security is about access control, plus intrusion detection–“looking at inspecting information inside those API messages for threats like embedded malware, or malformed information trying to gain access to data,” Macy explained. The Forum Sentry API Security gateway deploys as a hardware appliance that can also be virtualized and put in the network as a software gateway, which links all networked devices from modems to legacy systems, while at the same time hardening and monitoring connections to protect them from being compromised. Macy said 80 percent of its technology is virtual now.

“We are securing Amazon services, VMware service, and Microsoft Azure services in the cloud,” he added.

OWASP has identified five key steps for protecting APIs. The organization recommends that agencies fully understand their threat model and the defenses they have in place, especially as it concerns the often-overlooked APIs that tie everything together. Its specific advice breaks down into five points:

  1. Ensure that you have secured communications between the client and your APIs.
  2. Ensure that you have a strong authentication scheme for your APIs, and that all credentials, keys, and tokens have been secured.
  3. Ensure that, whatever data format your requests use, the parser configuration is hardened against attack.
  4. Implement an access control scheme that protects APIs from being improperly invoked, including unauthorized function and data references.
  5. Protect against injection of all forms, as these attacks are just as viable through APIs as they are for normal apps.
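As an added illustration (not code from the article, from OWASP, or from Forum Systems), the Python sketch below shows what points 2 through 5 above, and the message inspection Macy describes, look like inside a single API request handler: an HMAC-authenticated request with a freshness window, a hardened JSON parse that rejects oversize bodies, non-standard constants and deep nesting, an object-level access check that returns the same answer for "missing" and "not yours", and a parameterized database query instead of string building. The shared key, the header names, the `records` table and the sample users are all constructed for this example; point 1 (TLS between client and API) belongs to the transport layer and is not shown.

```python
import hashlib
import hmac
import json
import sqlite3
import time

# Constructed for this example; a real deployment loads the key from a secrets store.
SHARED_KEY = b"example-shared-key-not-for-production"
MAX_BODY_BYTES = 4096      # hardened parser setting: refuse oversize bodies up front
MAX_JSON_DEPTH = 8         # hardened parser setting: bound nesting seen by downstream code
MAX_CLOCK_SKEW = 300       # seconds a signed request stays valid (limits replay)


def build_db():
    """Constructed sample data: two records owned by two different users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE records (id INTEGER PRIMARY KEY, owner TEXT, body TEXT)")
    conn.executemany("INSERT INTO records VALUES (?, ?, ?)",
                     [(1, "alice", "alice's data"), (2, "bob", "bob's data")])
    return conn


# --- Point 2: strong authentication; credentials never travel in the clear ---------------
def sign(user, timestamp, body_bytes, key=SHARED_KEY):
    """HMAC-SHA256 over user, timestamp and the exact body bytes (binds all three)."""
    msg = user.encode() + b"|" + str(timestamp).encode() + b"|" + body_bytes
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def authenticate(headers, body_bytes, now, key=SHARED_KEY):
    """Return the verified user name, or None if the request is not authentic."""
    user = headers.get("X-User")
    ts = headers.get("X-Timestamp")
    sig = headers.get("X-Signature", "")
    if not user or ts is None:
        return None
    try:
        ts = int(ts)
    except ValueError:
        return None
    if abs(now - ts) > MAX_CLOCK_SKEW:
        return None  # stale or replayed request
    # Constant-time comparison so signature checking does not leak timing information.
    if not hmac.compare_digest(sign(user, ts, body_bytes, key), sig):
        return None
    return user


# --- Point 3: hardened parser configuration -----------------------------------------------
def json_depth(obj):
    """Container nesting depth of a parsed JSON value (scalars count as 0)."""
    if isinstance(obj, dict):
        return 1 + max((json_depth(v) for v in obj.values()), default=0)
    if isinstance(obj, list):
        return 1 + max((json_depth(v) for v in obj), default=0)
    return 0


def _reject_constant(name):
    # json.loads would otherwise accept NaN/Infinity, which are not valid JSON.
    raise ValueError("non-standard JSON constant: " + name)


def parse_body(body_bytes):
    """Parse a request body strictly; raise ValueError on anything malformed."""
    if len(body_bytes) > MAX_BODY_BYTES:
        raise ValueError("body too large")
    try:
        obj = json.loads(body_bytes.decode("utf-8"), parse_constant=_reject_constant)
    except RecursionError:
        raise ValueError("nesting too deep")
    if not isinstance(obj, dict):
        raise ValueError("top-level object expected")
    if json_depth(obj) > MAX_JSON_DEPTH:
        raise ValueError("nesting too deep")
    return obj


# --- Point 4: access control; Point 5: no injection via parameterized SQL ----------------
def fetch_record(conn, user, record_id):
    """Return the record body only if it exists AND belongs to the caller."""
    if not isinstance(record_id, int) or isinstance(record_id, bool):
        raise ValueError("record id must be an integer")
    row = conn.execute("SELECT owner, body FROM records WHERE id = ?", (record_id,)).fetchone()
    if row is None or row[0] != user:
        return None  # same answer for "missing" and "not yours": no enumeration oracle
    return row[1]


def handle_request(conn, headers, body_bytes, now):
    """Apply the checks in order and return (status, response) as a JSON-able tuple."""
    user = authenticate(headers, body_bytes, now)
    if user is None:
        return 401, {"error": "unauthorized"}
    try:
        req = parse_body(body_bytes)
        body = fetch_record(conn, user, req.get("record_id"))
    except ValueError:
        return 400, {"error": "malformed request"}
    if body is None:
        return 404, {"error": "not found"}
    return 200, {"record": body}


def make_request(user, record_id, now, key=SHARED_KEY):
    """Client side: build the signed headers and body for a record lookup."""
    body = json.dumps({"record_id": record_id}).encode()
    headers = {"X-User": user, "X-Timestamp": str(now),
               "X-Signature": sign(user, now, body, key)}
    return headers, body


if __name__ == "__main__":
    conn = build_db()
    now = int(time.time())
    print(handle_request(conn, *make_request("alice", 1, now), now))              # own record
    print(handle_request(conn, *make_request("alice", 2, now), now))              # bob's record
    print(handle_request(conn, *make_request("alice", 1, now, b"wrong-key"), now))  # bad signature
    h, b = make_request("alice", "1 OR 1=1", now)
    print(handle_request(conn, h, b, now))                                        # rejected id
```

The order of the checks matters: authentication runs before the body is parsed, so an unauthenticated client never reaches the parser, and the parser's limits run before any database access, so malformed or oversize input never reaches the query.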

Finally, be sure your security analysis and testing covers all your APIs, and that your tools can discover and analyze them effectively. It is not overly difficult to secure APIs with specifically designed toolsets and processes in place. But it is very easy to overlook them, which could be disastrous if an attacker decides to focus on them before defenses can be put in place.

Kate Polit
Kate Polit is MeriTalk's Assistant Copy & Production Editor covering the intersection of government and technology.