API and Security: From IT to Cyber

The primary inspiration for this article was my feeling that unfortunately, IT and Cyber too often work in silos — with security constraints often poorly addressed or insufficiently shared. It was also inspired by meetings with people working in Cyber, who may recognize each other. 

Indeed, on the IT side, API security is often perceived as a subject that is covered as long as authentication and rights are properly managed and an API Gateway is used. Of course, this is necessary. But thinking about API security, in terms of what it involves, means thinking about a large part of the security of your IT.

As I do not come from the world of Cyber, the only aim of this article is to try and bring these two worlds together by addressing all the aspects that API security can cover. And of course, this article is an invitation to you to get closer to your Cyber teams! —  and to provide you with as concise a shopping list as possible for exchanges between IT and Cyber teams. . . but long enough :). Hence, a very concise format was chosen for this article.

To do this, we will first explain the risks that I have identified, then look at securing APIs across their entire value chain, from DevSecOps to API WAAP (WAAP stands for Web Application and API Protection — a kind of Web Application Firewall for APIs). We then offer a panorama of technologies and finish with some recommendations. On that note, let's get going!

Why Is API Security Crucial?

1. The data exposed is very often sensitive: APIs often return confidential data, making it essential to protect it. 
2. It is a preferred attack vector: As a single point of entry for data, APIs are prime points of attack. 
3. Their complexity is increasing: The evolution of architectures (microservices, cloud, service mesh, etc.) can increase the potential attack surface.
4. APIs must comply with the regulatory framework: RGPD, PCI DSS, PSD2, etc. are all regulations that require APIs to be securely exposed. 

Does that only happen to other people? Well, it doesn't. 

• 2019, Facebook: Data leak involving 540 million users due to unsecured servers accessible via APIs
• 2018, Twitter: Poor management of access authorizations made some users' private messages available.

Now that we've covered the issues, let's look at the risks and solutions.

The Major Risks Associated With API Security

Common API Vulnerabilities

Code Injection 

Code injection is one of the best-known threats, along with:

• SQL injection, for example,
• But also by command, with the not-so-distant example of the Log4J flaw.

Inadequate Authentication and Authorization

It is vital to have a properly applied authentication and authorization policy in order to block attackers as effectively as possible. The main principles are as follows:

• Sessions must be well managed: Unexpired or incorrectly revoked sessions
• Access tokens must be properly secured: Insecure storage or transmission of tokens
• Access controls must be properly configured: Incorrectly configured permissions allowing unauthorized access

Exposure of Sensitive Data

APIs can inadvertently expose sensitive and useless data if they are not properly defined, configured, or secured. Typical cases are:

• API responses are too verbose: Inclusion of unnecessary data in responses
• API responses are not encrypted: Unencrypted data transmission
• Errors are poorly managed: Error messages revealing sensitive information about the infrastructure

Emerging and Sophisticated Threats

Brute Force Attacks and Credential Stuffing

This is a well-known strategy involving testing combinations of usernames and passwords. They are as easy to defend against as they are particularly dangerous because:

• They can be automated on a large scale.
• They can also exploit identifying information from data leaks (avoid having a single password).

Man-in-the-Middle (MITM) Attacks

An MITM attack consists of the attacker placing himself between the client and the API Gateway to intercept or modify exchanges. Risks include:

• Theft of sensitive data: By intercepting unencrypted data
• Manipulating queries: By altering data exchanged between the client and the server
• Identity theft: By recovering server certificates to pass itself off as the legitimate server 

DDoS Attacks

These attacks consist of making a very large number of calls in order to make the API unavailable. They can take several forms:

• Volumetric attacks: By saturating the bandwidth
• Attacks at application level: Using API vulnerabilities to drain server resources 
• Slow attacks: This involves keeping connections open to drain server resources. 

Risks Specific to Modern Architecture

Microservices and Containerization

Containerization and microservices add new security challenges:

• The exponential complexity of access management: Security requirements have to be managed by microservice.
• Container orchestration risks: Orchestration tools can also have their own vulnerabilities. 
• Increased exposure of internal APIs: Internal APIs must absolutely not be exposed externally!

API in the Cloud 

Deploying APIs in cloud environments presents specific risks:

• Incorrect configuration of cloud services: Inadvertent exposure of APIs or data
• Complex identity and access management: You need to integrate the security mechanisms of your cloud provider with those of your API.
• Dependence on the cloud provider's security: You need to understand and complete the security measures, depending on your cloud provider's policy.

Shadow APIs and Zombie APIs

Shadow APIs (undocumented or unmanaged) and zombie APIs (obsolete but still active) represent significant risks:

• Lack of visibility: This makes it difficult to identify and secure these APIs.
• Unpatched vulnerabilities: Obsolete APIs may contain known security vulnerabilities. 
• Uncontrolled access: There is a risk of attackers exploiting sensitive systems or data.

Strategies and Solutions for Effectively Securing API

Global Approach to API Security

Securing the API via DevSecOps

The DevSecOps approach makes it possible to secure an API upstream of its deployment, via:

• Shift-left security: Incorporating security tests from the beginning
• Automated security testing: Using static (SAST) and dynamic (DAST) code analysis tools 
• Ongoing management of vulnerabilities: Code, libraries, dependencies, etc. — all these elements can fail or contain flaws discovered too late. They must therefore be detected and corrected.

API Governance and Security Policies

What would we be without governance? This is obviously an essential point, and we will be particularly vigilant on the following aspects:

• The definition of security standards: Via best practice documents for the development and deployment of secure APIs
• Identity and Access Management (IAM): To cover the definition of strict policies for authentication and authorization
• Regular audits: To continually assess API compliance with security policies

Team Training and Awareness

API security relies to a large extent on the skills and vigilance of all teams, whether they be DevOps, Cyber, or Dev:

• Training programs: Dedicated sessions on API security practices
• Practical exercises: Via simulated attacks and incident responses
• A culture of security: By encouraging the reporting and resolution of security problems

API Security Technologies and Tools

API Gateways and Web Application and API Protection (WAAP)

API Gateways (and their service mesh and micro-gateway cousins) and WAAPs (WAFs for APIs, if you prefer) represent the first line of defense:

• By filtering traffic: By blocking malicious requests
• Managing authentication: Centralizing and strengthening authentication mechanisms
• Rate limiting: Protecting against DDoS attacks
• Analyzing traffic: By detecting and blocking suspicious behavior

API Management and Protection Solutions 

There are other specialized tools with advanced API security features:

• Automatic API discovery solutions: To detect the notorious Shadow APIs
• Behavioral analysis solutions: To detect anomalies and suspicious behavior
• Version management solutions: To control and secure different API versions
• Regulatory compliance solutions: To demonstrate compliance with safety regulations

API Security Analysis Tools

There are also dedicated tools for identifying specific API vulnerabilities:

• API-specific vulnerability scanners: As the name suggests
• API fuzzing solutions: Fuzzing is a testing technique that sends random and/or malformed data to identify vulnerabilities
• Static and dynamic analysis tools: SAST and DAST are available for APIs.

Best Practices for Securing APIs

Robust Authentication and Authorization

• Using standard protocols: OAuth 2.0, OpenID Connect
• Via fine-tuned management of authorizations: Via implementation of the principle of least privilege, using scope APIs
• Via regular rotation of keys and tokens: To limit the impact in the event of a compromise

Centralization and Breakdown of Gateway APIs

A Gateway API should ideally be placed centrally in the architecture so as not to multiply the entry points. However, you can have two Gateway APIs — one "public" and one "private" — to mitigate the risks as much as possible:

• Single point of entry: Centralization of API traffic for greater visibility and control
• Version management: Easier management of different API versions
• Transformation and mediation: Adapting requests and responses to ensure compatibility and security

Encryption and Data Protection

• Encryption in transit: Systematically using TLS (in a non-deprecated version); possibly also signing the data exchanged, as Stripe does with its API, to guarantee authenticity, integrity, and non-repudiation
• Encryption of sensitive data: Whether at rest or in transit
• Secure key management: By managing encryption keys throughout their lifecycle; this includes:
  • Using strong, randomly generated keys
  • Regular rotation of keys to limit the impact of potential breaches
  • Storing keys securely in a "Vault," separate from the data they protect
  • Implement access controls
  • Manage digital identities via certificates using a PKI, coupled with a
    an HSM to secure cryptographic keys in a hardware environment

Log Management and Auditing 

• Logging: By recording all security-related events
• Retention of logs: By keeping logs for a sufficiently long period to enable them to be analyzed in the past
• Regular log analysis: By setting up regular log analysis processes
• Protecting logs: By preventing any unauthorized modification to guarantee their integrity in the event of an audit

Real-Time Monitoring

• Behavioral analysis: To detect anomalies in API traffic
• Real-time alerts: To react quickly to security incidents
• Continuous monitoring: To constantly monitor API availability and quickly detect attacks

Penetration Tests and Security Validation

• Regular testing
• Realistic scenarios based on real cases
• Continuous validation via the CI/CD chain

Conclusion

As we can see, API security requires the skills of various teams, but also a commitment from everyone. IT solutions exist, but they are nothing without a security policy shared by all and for all. And also, and above all, the establishment of best practices defined internally, as we have shared in this article.

DevOps, Dev, Cyber — it's your turn!