One of the great indicators of how effective cloud security measures are is the Cloud Security Alliance’s ‘Top Threats to Cloud Computing’. It is usually released every two years; the latest edition came out a few weeks ago, and perhaps its most surprising development is the meteoric rise of insecure interfaces and APIs. In 2017, insecure APIs ranked third, but by 2019 they had dropped to seventh on the charts. This year they were catapulted even higher, to number two. So why did this happen, and what does it tell us about the steps we need to take to secure the cloud?
The rise of the API
First of all, our reliance on APIs has increased tremendously. There has been a shift from a web-based application infrastructure to an API-based one, and this can be seen in the analysis of web traffic. Of the 2.1 billion transactions analyzed in the second half of 2021, 70% went through APIs. And it’s a trend that will continue: a recent Enterprise Strategy Group (ESG) report states that while 28% of web applications and websites use APIs today, that share will more than double over the course of the next two years.
APIs provide developers with convenient building blocks for cloud services, but they also provide access to highly sensitive data, making them a prime target for attackers. The same ESG survey found that nearly a quarter of organizations experienced attacks on misconfigured APIs, and a fifth each were targeted by account takeover (ATO) attacks and by OWASP Top 10 attacks. The latter point is particularly concerning given that 27% of those same organizations had already taken action to address highly publicized OWASP issues.
These attacks had significant impacts. Over 40% of organizations experienced downtime, creating knock-on effects for customers, brand, and the bottom line. 34% reported negative customer experiences, 34% experienced a drop in shareholder value, and 26% lost revenue. There were internal consequences as well: 41% saw employees negatively impacted and 38% had to implement additional security products or services.
Tools and techniques
This brings us to the second reason why APIs top the table: they are very difficult to secure. Attackers take advantage of the way APIs are designed to work rather than any particular exploit or vulnerability, a pattern also known as a ‘Living off the Land’ (LotL) attack. Since no signature is triggered and no rule is broken, traditional security solutions struggle to detect this activity. Yet despite this, many organizations resort to intrusion prevention systems (IPS), next-generation firewalls or WAFs, or application security tools like bot mitigation, none of which can capture the anomalous behavior indicating that an API is being abused.
Quite worryingly, the ESG survey found that many were unaware of this fact and thought these tools were up to the task. It is this disconnect that is at the heart of the problem and has allowed APIs to become such a significant threat. Organizations know that API security is a priority—it’s right up there with cloud migration, securing remote and flexible work arrangements, and threat detection—but their faith in their current security tools is misplaced, leaving them vulnerable to attack.
A unified approach
So what can be done to address API security more effectively? For starters, it’s important to recognize that API security covers the entire API lifecycle. This requires a strategic approach that looks at how security is integrated from development through deployment to retirement. For example, a ‘shift left’ approach should be taken during development to reduce the risk of coding errors.
Discovery must be done on an ongoing basis so that every API is found and none is forgotten or quietly brought back into service. This also gives the team an opportunity to gain an attacker’s view of publicly exposed APIs and resources. The APIs then need to be continuously inventoried and tracked to ensure they are properly configured and kept up to date.
Monitoring needs to move away from the signature- or rule-based processes associated with application security solutions, towards behavior-based analysis. This is much more effective at detecting suspicious or malicious activity, and it can detect risky changes to the API without impacting performance or disrupting the API itself.
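As an added illustration of the behavior-based monitoring described above (example code written for this article, not Cequence’s or any product’s logic), the Python block below runs a WAF-style signature rule and a behavioral profile over a constructed API access log: the signature matches nothing because the abusive client sends only valid requests, while its volume relative to the population, its error rate, and its sequential object-id access flag it. The log format, client names and thresholds are assumptions.

```python
import re
from collections import defaultdict
from statistics import median

# Constructed API access log, not real traffic: "<time> <client> <method> <path> <status>".
SAMPLE_LOG = """\
10:00:01 c1 GET /api/v1/users/1041 200
10:00:05 c1 GET /api/v1/orders?user=1041 200
10:00:02 c2 GET /api/v1/users/2077 200
10:00:00 bot GET /api/v1/users/1 404
10:00:00 bot GET /api/v1/users/2 200
10:00:00 bot GET /api/v1/users/3 404
10:00:01 bot GET /api/v1/users/4 404
10:00:01 bot GET /api/v1/users/5 200
10:00:01 bot GET /api/v1/users/6 404
10:00:02 bot GET /api/v1/users/7 200
"""
# Signature/rule style (WAF-like): match known-bad payload fragments in the path.
SIGNATURE = re.compile(r"('|--|<script|\.\./)", re.IGNORECASE)
def signature_hits(lines):
    # "bot" sends only well-formed, valid requests, so this returns nothing for it.
    return {line.split()[1] for line in lines if SIGNATURE.search(line.split()[3])}
def client_profiles(lines):
    # Per-client behavioural features: request volume, 4xx count, object ids touched.
    prof = defaultdict(lambda: {"requests": 0, "errors": 0, "ids": set()})
    for line in lines:
        _, client, _, path, status = line.split()
        p = prof[client]
        p["requests"] += 1
        p["errors"] += status.startswith("4")
        if (m := re.search(r"/users/(\d+)$", path)):
            p["ids"].add(int(m.group(1)))
    return prof
def behavioural_alerts(lines, error_threshold=0.5, volume_factor=3, min_ids=5):
    # Flag clients whose behaviour deviates from the population, not from a rule list.
    prof = client_profiles(lines)
    baseline = median(p["requests"] for p in prof.values())  # typical client volume
    alerts = {}
    for client, p in prof.items():
        reasons = []
        if p["requests"] > volume_factor * baseline:
            reasons.append("volume")
        if p["errors"] / p["requests"] > error_threshold:
            reasons.append("error-rate")
        ids = p["ids"]  # a contiguous run of object ids is enumeration, not normal use
        if len(ids) >= min_ids and max(ids) - min(ids) + 1 == len(ids):
            reasons.append("sequential-ids")
        if reasons:
            alerts[client] = reasons
    return alerts
```

Running both checks over the same log shows the gap the article describes: the signature rule returns no clients, while the behavioral profile flags only `bot`.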
Finally, API security must also include active defense. APIs are frequently subject to automated attacks, which means they can be thwarted using stealth tactics. By creating futility, misses, and fatigue for the attacker, it is possible to deter even the most relentless attacks. Put all of these elements together, and the end result is a comprehensive form of unified API security that accommodates the idiosyncrasies of the API and cloud environment.
As API adoption continues to grow, it’s vital that we start addressing their security using the right tools and techniques for the job. Otherwise, two years from now, we may well find insecure APIs at number one on the CSA’s Top Threats table.
About the Author
Jason Kent is a resident hacker at Cequence Security. He has been ethically analyzing customer behavior, wireless networks, web applications, APIs, and cloud systems for over 20 years, helping organizations protect their assets and intellectual property from unauthorized access. As a consultant, he has led hundreds of organizations through the minefields of difficult compliance requirements, ensuring their safety. As a researcher, he has found flaws in consumer IoT systems and helped harden them against external attacks. At Cequence Security, Kent investigates, communicates with the community, and supports efforts to identify automated attacks against web, mobile, and API-based applications to keep Cequence customers safe.