APIs - Underpinning Modern Technologies to Popular Data Breaches
In today's world, software is an essential piece driving digital transformation and business value for every enterprise. Microsoft CEO Satya Nadella not long ago said, "every company is a software company, every company is a digital organization". At the crux of this transformation is the API, which has become the fabric for integrating software and services within an enterprise and also with partners, vendors and, most importantly, customers.
API stands for Application Programming Interface. In layman's terms, an API provides an interface through which another program can interact with an application. APIs built into legacy systems and new greenfield applications bring agility and flexibility, enabling enterprises to accelerate the delivery of business value to their customers.
Customers, partners and vendors today interact and engage with enterprises in multiple ways: single-page web applications, mobile applications, smart devices, automation integrations, etc. Enterprises serving such diverse platforms are rapidly adopting APIs as the interface for them. Hence, underneath these single-page web applications, mobile applications and smart devices is an API communicating with the enterprise applications and delivering the business value.
Traditional development methods and monolithic application architectures are unable to keep up the pace and have had to take a back seat to ever-evolving and demanding consumer needs. This led to the advent of microservices architecture, which aims to build a single application as a suite of small, loosely coupled services or components, each performing its own task. As applications evolve from monolithic to microservices architectures, APIs have emerged as the de facto communication channel between services.
Though APIs have become the de facto way to build software, their adoption, design and management need a different set of security and developer workflows than those used in traditional enterprise architectures. For example, with traditional web applications, when a browser sends a request, usually on port 80 or 443, data processing happens on the server side and results in a web page that is sent back as the response. Because of this, there aren't many entry points to the applications running in the network, and setting up content inspection systems such as Web Application Firewalls (WAFs) at the perimeter or in front of the application server is the norm.
Figure 1: Accessing Traditional Web applications
However, most modern API-based applications make calls to backend servers to fetch data and pass this information on to the clients that requested the API. Clients are equipped to maintain state, and the data received via the APIs is processed to provide the functions of the application. As more application deployments move towards microservices with service mesh architectures, the individual application components are becoming APIs, and each of these microservices will have its own entry point to communicate.
Figure 2: Accessing Microservice based applications
Therefore, the functionality of an application depends on microservices communicating with each other via APIs. This in turn significantly expands the attack surface for an attacker, as API technology is broad, easily accessed and poorly defended by legacy security tools. According to Gartner, API abuses will become the most-frequent attack vector by 2022.
Considering the above API transformations in how applications are deployed and the consequent rise of API-based vulnerabilities, the OWASP project, popular for its Top 10 list of web application vulnerabilities, started a separate project dedicated purely to API security, called OWASP API Security. The list below captures the OWASP API Security Top 10 threats:
Broken Object Level Authorization
Broken User Authentication
Excessive Data Exposure
Lack of Resources and Rate Limiting
Broken Function Level Authorization
Mass Assignment
Security Misconfiguration
Injection
Improper Assets Management
Insufficient Logging and Monitoring
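To make three of the listed threats concrete before the deep-dive series, the following is an added example written for this post; it is not CloudVector code and not an OWASP artefact. It models a single user-lookup endpoint as plain Python functions (no web framework, so it runs offline) over a constructed in-memory user store. The "before" handler shows Broken Object Level Authorization and Excessive Data Exposure together: it returns whichever record the caller names, with every field. The hardened handler checks object ownership, answers with the same 404 for "missing" and "not yours" so ids cannot be enumerated, allowlists the fields it returns, and applies a per-caller token-bucket rate limit (Lack of Resources and Rate Limiting). The `now` parameter is an assumption of the example so the limiter is deterministic; a real deployment would read the clock.

```python
"""Toy API handlers illustrating three OWASP API Security Top 10 items.

Added example: a defender's 'before' and 'after' for a user-lookup endpoint.
The data store, field names and status codes are constructed for the demo.
"""
from dataclasses import dataclass, field

# Constructed sample records keyed by user id; the owner of a record is the user
# with that id. Sensitive fields are placeholders, not real values.
USERS = {
    1: {"id": 1, "name": "alice", "email": "alice@example.invalid",
        "password_hash": "<placeholder-hash>", "ssn": "<placeholder-ssn>"},
    2: {"id": 2, "name": "bob", "email": "bob@example.invalid",
        "password_hash": "<placeholder-hash>", "ssn": "<placeholder-ssn>"},
}

# Response allowlist: the API states which fields leave the service, instead of
# serialising the whole record and hoping the client filters it.
PUBLIC_FIELDS = ("id", "name")


@dataclass
class RateLimiter:
    """Per-caller token bucket: `capacity` requests, refilled `refill_per_sec`."""
    capacity: int
    refill_per_sec: float
    # key -> (tokens remaining, timestamp of last update)
    buckets: dict = field(default_factory=dict)

    def allow(self, key, now):
        tokens, last = self.buckets.get(key, (float(self.capacity), now))
        tokens = min(float(self.capacity), tokens + (now - last) * self.refill_per_sec)
        if tokens < 1.0:
            self.buckets[key] = (tokens, now)
            return False
        self.buckets[key] = (tokens - 1.0, now)
        return True


def get_user_vulnerable(requester_id, target_id):
    """'Before' handler: BOLA plus excessive data exposure.

    requester_id is ignored, so any authenticated caller can read any record,
    and the full record (hash, SSN) is returned. Returns (status, body).
    """
    record = USERS.get(target_id)
    if record is None:
        return 404, {"error": "not found"}
    return 200, record


def get_user_hardened(requester_id, target_id, limiter, now):
    """'After' handler: rate limit, object-level authorization, field allowlist."""
    # Lack of Resources and Rate Limiting: budget is per caller, checked first so
    # a flood of requests for other people's ids is cut off before any lookup.
    if not limiter.allow(requester_id, now):
        return 429, {"error": "rate limit exceeded"}
    record = USERS.get(target_id)
    # Broken Object Level Authorization: the caller may only read their own
    # object. "Missing" and "belongs to someone else" get the same response so
    # the status code does not reveal which ids exist.
    if record is None or record["id"] != requester_id:
        return 404, {"error": "not found"}
    # Excessive Data Exposure: project onto the allowlist, never the raw record.
    return 200, {k: record[k] for k in PUBLIC_FIELDS}


if __name__ == "__main__":
    limiter = RateLimiter(capacity=3, refill_per_sec=1.0)
    print("vulnerable, bob reads alice:", get_user_vulnerable(2, 1))
    print("hardened, bob reads alice:  ", get_user_hardened(2, 1, limiter, now=0.0))
    print("hardened, alice reads self: ", get_user_hardened(1, 1, limiter, now=0.0))
    for _ in range(3):
        status, _body = get_user_hardened(1, 1, limiter, now=0.0)
    print("hardened, alice 5th call:   ", status)
```

The two handlers differ by only a few lines, which is the point: these controls belong in the service itself, next to the data, where a perimeter WAF inspecting traffic cannot know which caller owns which object.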
We will do a deep dive into each of the listed OWASP API Top 10 threats, with real-world examples, in a series of blogs and demonstrate how CloudVector can help address these concerns.