
APIs - Underpinning Modern Technologies to Popular Data Breaches

In today’s world, software is an essential piece driving both digital transformation and business value for every enterprise. Microsoft CEO Satya Nadella not long ago said, “every company is a software company, every company is a digital organization”. At the crux of this transformation is the API, which has become the fabric for integrating software and services within an enterprise and with partners, vendors, and most importantly customers.

API stands for Application Programming Interface. In layman’s terms, an API provides an interface through which another program can interact with the application. APIs built into legacy systems and new greenfield applications alike bring agility and flexibility, enabling enterprises to deliver business value to their customers faster.

Customers, partners, and vendors today interact and engage with enterprises in multiple ways: single-page web applications, mobile applications, smart devices, automation integrations, and so on. Enterprises serving such diverse platforms are rapidly adopting APIs as the common interface for all of them. Hence, underneath these single-page web applications, mobile applications and smart devices is an API that communicates with the enterprise applications and delivers the business value.

Traditional development methods and monolithic application architectures are unable to keep pace with ever-evolving and demanding consumer needs and have had to take a back seat. This led to the advent of microservices architecture, which builds a single application as a suite of small, loosely coupled services or components, each performing its own task. As applications evolve from monolithic to microservices architectures, APIs have emerged as the de facto communication channel between services.

Though APIs have become the de facto way to build software, the adoption, design and management of APIs need a different set of security and developer workflows than those used in traditional enterprise architectures. For example, with traditional web applications, when a browser sends a request, usually on port 80 or 443, data processing happens on the server side and results in a web page that is sent back as the response. Because of this, there are few entry points into the applications running in the network, and setting up content inspection systems such as Web Application Firewalls (WAFs) at the perimeter or in front of the application server is the norm.

Figure 1: Accessing Traditional Web applications 

However, most modern API-based applications make calls to backend servers to fetch data and pass this information on to the clients that requested the API. Clients are equipped to maintain state, and the data received via the APIs is processed to provide the functions of the application. As more application deployments move towards microservices with service mesh architectures, the individual application components become APIs, and each of these microservices has its own entry point for communication.

Figure 2: Accessing Microservice based applications

Therefore, the functionality of an application depends on microservices communicating with each other via APIs. This in turn significantly expands the attack surface for a hacker, as API technology is broad, easily accessed, and poorly defended by legacy security tools. According to Gartner, API abuses will become the most frequent attack vector by 2022.

Considering the above changes in how applications are deployed and the consequent rise of API-based vulnerabilities, the OWASP project, popular for its Top 10 list of web application vulnerabilities, started a separate project dedicated purely to API security, called OWASP API Security. The list below captures the Top 10 API threats:

  • Broken Object Level Authorization
  • Broken Authentication
  • Excessive Data Exposure
  • Lack of Resources and Rate Limiting
  • Broken Function Level Authorization
  • Mass Assignment
  • Security Misconfiguration
  • Injection
  • Improper Asset Management
  • Insufficient Logging and Monitoring

We will do a deep dive into each of the listed OWASP API Top 10 threats with real-world examples in a series of blogs and demonstrate how CloudVector can help address these concerns.
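As an added illustration of the first item on the list (this is example code written for this page, not CloudVector’s product code), the snippet below shows an API handler that returns an order by id with only an authentication check beside one that also performs the object-level authorization check, and records denied requests so that monitoring can pick up probing of other users’ ids. The order store, user names and ids are constructed sample data.

```python
from typing import Optional

# Constructed sample data: two authenticated users, each owning one order.
ORDERS = {
    101: {"owner": "alice", "total": 42.00},
    102: {"owner": "bob", "total": 99.50},
}

# Constructed audit trail of denied requests, the input a monitoring rule
# would consume (hypothetical in-memory list standing in for a log sink).
DENIED_ACCESS_LOG = []


def get_order_vulnerable(session_user: str, order_id: int) -> Optional[dict]:
    """Broken Object Level Authorization: the caller is authenticated
    (session_user is known) but the record is never compared with the
    caller's identity, so any user can read any order by guessing its id."""
    return ORDERS.get(order_id)


def get_order_hardened(session_user: str, order_id: int) -> Optional[dict]:
    """Object-level authorization: return the record only when the
    authenticated caller owns it. Unknown and foreign ids are both reported
    as absent so the response does not reveal which ids exist, and every
    refusal is logged for detection of enumeration attempts."""
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != session_user:
        DENIED_ACCESS_LOG.append({"user": session_user, "order_id": order_id})
        return None
    return order


def denied_count(session_user: str) -> int:
    """Number of refused object accesses by one user; a monitoring rule can
    alert when this climbs quickly, which is what id enumeration looks like."""
    return sum(1 for e in DENIED_ACCESS_LOG if e["user"] == session_user)


if __name__ == "__main__":
    print("vulnerable:", get_order_vulnerable("alice", 102))  # bob's order leaks
    print("hardened:  ", get_order_hardened("alice", 102))    # None
    print("own order: ", get_order_hardened("bob", 102))      # bob's order
    print("denied for alice:", denied_count("alice"))         # 1
```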

OWASP API Security Top 10 – API1:2019 Broken Object Level Authorization

Sekhar Chintaginjala


Sekhar Chintaginjala is an experienced information security researcher who brings 15+ years of hands-on knowledge to the CloudVector team. He has proven expertise in the area of vulnerability research, security content development and leading teams for large global companies. At CloudVector, Sekhar is a member of the Security Research team and also leads efforts for new feature development that help protect from API abuses.