The rapid growth of cloud computing and the rise of today’s dynamic workforce have spurred organizations of all sizes to accelerate their move to the cloud. To adapt such changes, many applications that heavily rely on the call of application programming interfaces (APIs) are developed. Alongside the increase of the APIs and exponentially-growing data transmitted via APIs comes serious security issues. In the past few years, attacks targeting API vulnerabilities that caused great damage to the victim enterprises have been spotted globally, and API security has garnered rising attention from security vendors and users across the world. If you had visited RSA Conference in person, you may find many API-related discussions during the Conference. Here we’d like to talk about what API risks there are and how to mitigate them.
1. API Risks
An API is a predefined function that allows data interactions between applications. At the development stage, various functions are integrated into an application. Leveraging the API, functions can be invoked and used without having to rewrite the source code or understand how they work. An API generally involves the following elements: communication protocol, domain name, version number, path, request method, request parameters, and interface description document. There are three types of APIs (by architectural style) commonly used: Restful APIs, Simple Object Access Protocol (SOAP) APIs, and Remote Procedure Call (RPC) APIs.
The API technology has been used by organizations in a variety of complex environments. In the course of API development and deployment, security issues are inevitably brought in with vulnerable communication protocols, request methods, request and response parameters, and access behavior, exposing organizations to outsider and insider threats. For example, an external actor can leverage an API for unauthorized access to data or tamper with data because an API does not insufficiently validate parameters. Besides outsider threats, APIs are facing insider threats, such as unauthorized access and anomalous behavior from an internal account. The Open Web Application Security Project (OWASP) has identified top 10 API security risks:
- API1: Broken Object Level Authorization
- API2: Broken User Authentication
- API3: Excessive Data Exposure
- API4: Lack of Resources & Rate Limiting
- API5: Broken Function Level Authorization
- API6: Mass Assignment
- API7: Security Misconfiguration
- API8: Injection
- API9: Improper Assets Management
- API10: Insufficient Logging & Monitoring
2. Dynamic Protection of APIs
Dynamic protection of APIs usually starts from API asset identification and then proceeds to detect and respond to threats to close the loop. All these actions are coordinated to form a complete solution for API protection.
2.1 API Asset Identification
To identify API assets, you need to make an inventory of APIs available in the system and create an asset repository containing multidimensional information of APIs, including the aforementioned elements, service properties, criticality, and configurations. Information of each API should be recorded and presented in a normalized manner, for example, via Swagger, an API management tool. API identification is a continuous process. When a new API is identified, related information should be standardized and added to the repository in time. APIs are usually identified in one of the following methods:
- Manual identification: This involves review of system design documents and update documents for any APIs. This way, a relatively complete list of APIs can be created. The problem is people may be overwhelmed by huge loads of work, leading to unintentional omissions here and there.
- Traffic-based passive identification: Traffic probes are used to collect network traffic, from which API and parameter information is extracted for typical protocols. This can reduce the workload, but may miss out APIs in zones where no traffic has been collected. Besides, it is still necessary to manually supplement API information with service properties subsequently.
- Proactive collection of API information through API probes: API probes are deployed at gateways to proactively collect API information. While sharing a certain level of similarity with traffic-based passive identification, this method produces more accurate and thorough information about APIs.
2.2 API Threat Detection and Response
Attackers exploit various API flaws to mount different types of attacks for different purposes, with impacts of varying levels. Dynamic protection of APIs should be performed based on the following considerations:
- Network attacks: API request parameters and bodies should be analyzed for threats to prevent compromises from malicious actors.
- Sensitive data: Data should be graded and classified according to customer requirements, and sensitive data should be identified from API traffic before being subject to masking and protection from disclosures.
- API access: Permissions for access to APIs should be properly planned and granted. API running and access behavior should be continuously monitored for any deviations such as access with escalated privileges or unauthorized access.
To protect against the preceding typical API threats, we need to detect and analyze API data and implement different mitigation measures. For example, pattern matching can be adopted to detect and block unauthorized API access in real time; continuous monitoring and analysis are required to identify data disclosures, which may be achieved by exfiltration of data little by little in multiple attempts. Therefore, dynamic API protection usually starts from deployment of API gateway probes for advanced detection. These probes are then connected to a big data analytics platform to provide mitigation and response at different granularities of time.
- API gateway probes: implement millisecond-level detection and response.
- Millisecond-level detection: The probes employ simple but efficient detection mechanisms like built-in rules and black/whitelists for fast detection of API traffic. On the other hand, the probes receive new detection policies dispatched by the big data analytics platform and update their local policies accordingly.
- Millisecond-level response: The probes respond to detected threats by taking such actions as blocking and alerting. Besides, they receive fast response policies from the big data analytics platform.
- Big data analytics platform: Powered by the knowledge base, the platform can conduct analysis of complex logic over a long span of time to identify advanced threats and assess the risk before dispatching corresponding policies.
- Second-level, near real-time (NRT) detection: The platform conducts relatively sophisticated analysis, for example, correlative analysis of logs or machine learning (ML) algorithm-based analysis. By analyzing flows of received data this way, the platform can detect threats in near real time.
- Long-period detection: The platform conducts periodic analysis of API behaviors and baseline-based analysis for anomalous behaviors in data breach scenarios and other complex scenarios.
- Knowledge base: provides various types of knowledge for correlative analysis, including assets and vulnerabilities, helping users detect and identify risks.
- API risk mitigation: analyzes the risk of threats detected through big data analytics by taking into account the criticality of API assets. Mitigation policies of different granularities are created and then automatically or manually dispatched to the API probe, as orchestrated by the built-in response playbook.
Securing APIs is a closed-loop process spanning from automatic API identification to threat detection and automatic mitigation. Automatic API identification needs to be conducted continuously, accurately, and completely. For threat detection, different types of context correlations are supported. With a global view of API assets, it is possible to distinguish between APIs of different properties and monitor them in real time. When it comes to response, a mitigation process is integrated into the workflow and fine-grained response policies are created to achieve automatic response triggered by matching conditions. API security is becoming an aggravating real-world issue that is drawing wide attention from customers. In response to this trend, security vendors are busy working on effective solutions. NSFOCUS WAAP is a four-in-one package helping our customers defend against the modern threats in a comprehensive manner. Visit our website for more information about API security and other security solutions.