Why security is so important for web APIs

This article is the second in a series about digital business security from information security consultant Kevin Beaver.
Today’s web application environments can be quite complex. From the underlying server configuration to the application and database servers involved, there are many moving parts. These parts not only need to be properly configured and deployed from the get-go; they also must be well-maintained. This includes not just hardware and software maintenance, but the systems need to be overseen to monitor for security anomalies and attacks. All this complexity can serve as a distraction for internal technical staff as well as outsourced vendors and end up facilitating security exploits against your most critical business applications.
And that’s just the traditional web side of things.

Web API exploits can facilitate attacks against users

Further complicating web security and increasing business risks are web APIs (application programming interfaces). Web APIs provide application-to-application interaction with feature sets allowing for further extensibility and connectivity to customers and business partners. Web APIs are nothing new but they’re certainly more pervasive today. Modern web application languages associated with JavaScript and its various iterations are leveraging APIs more than ever in the cloud. Good for business and criminal hackers alike.
Web API endpoints have a relatively small footprint compared to the overall application environment. Still, they provide an entry point into critical parts of the application that can let attackers interact and manipulate the systems for ill-gotten gains. Many web API exploits can facilitate attacks against users. Others can lead to full compromise of the web environment. What’s often overlooked is the reality that APIs are often vulnerable to the same web flaws that have plagued websites and applications for the past two decades. A common weakness is input manipulation whereby the attacker injects code that’s not expected leading to injection and scripting attacks. Attackers can also manipulate user sessions, especially in situations where APIs interact with user authentication.

Many web APIs are overlooked in terms of security testing and oversight

Many web APIs are overlooked in terms of security testing and oversight. This oversight can happen in the scoping phase of vulnerability and penetration testing. Either the party doing the testing, or the system owner/developer doesn’t think about whether a published API even exists. Some development and security teams fail to bring web APIs under the same umbrella of security standards. Another scenario is when web API security testing is performed but it wasn’t properly tested from all appropriate angles using the right tools. Still, other times, the assumption is that web APIs can be skipped altogether because they’re not highly-visible or don’t offer up much in terms of attack surface or value. That’s a dangerous approach. The worst situation is when APIs are not adequately monitored as part of the organization’s overall security initiatives. When exploits occur, no one ever knows about it.


If an API exists, it needs to be in scope for oversight and scrutiny

All of these oversights can lead to a false sense of security – that the web environment is secure. The work was performed. Good money was spent. The box was checked. Yet, still, not every part of the system was evaluated for security weaknesses then or on an ongoing basis. It’s like how a doctor might not order the proper bloodwork or radiology tests for an ailing patient. The work was done, and the patient gets a clean bill of health, but unidentified disease is still lurking because of a simple oversight.
It’s important to bring web APIs into the security discussion. There are too many things that can happen and there’s just too much to lose. Proactive threat modeling and security standards should apply to APIs as much as they do to other web application components. Ditto for proactive security testing and system monitoring and alerting – across the entire lifecycle of the application. If an API exists, it needs to be in scope for oversight and scrutiny. Anything else is likely not enough and may just facilitate that exploit that you’ve invested so much time, money, and effort in preventing to this point.
About the author
Kevin Beaver, CISSP is an information security consultant, writer, and professional speaker with Atlanta, GA-based Principle Logic, LLC. With over 31 years in IT and 25 years in security, Kevin specializes in independent security assessments and virtual CISO consulting work to help businesses uncheck the boxes that keep creating a false sense of security. He has written 12 books on security including the best-selling Hacking For Dummies and The Practical Guide to HIPAA Privacy and Security Compliance. Kevin has written over 1,000 articles on security and regularly contributes to TechTarget's SearchSecurity.com, Ziff Davis' Toolbox.com, and Iron Mountain’s InfoGoTo.com. He has a bachelor’s in Computer Engineering Technology from Southern College of Technology and a master’s in Management of Technology from Georgia Tech. In his free time, Kevin races cars in the SCCA Spec Miata class and enjoys riding dirt bikes and snow skiing.
If you want to know more about how you can increase the revenue of your digital business by offering add-on insurance using state-of-the-art API technology, please contact us directly or book a time for us to call you, its free and there are no strings attached.

We will be happy to contact you at a time that suits you, for a free, no-obligation consultation.

Recommended Reading
The difference between a web service and an API 07 January 2020
© PSA Insurance Solutions,
PSA Insurance Solutions Ltd Reg No: C83206 is a limited liability company under Maltese Law, having its registered address at: MIB building 53 Abate Rigord Street Ta’ Xbiex Malta, Tel + 356 22 58 34 92. The company is enrolled to act as an insurance agent in terms of the Insurance Intermediaries Act, 2006 by the Malta Financial Services Authority (MFSA), Notabile Road, Attard BKR 3000, Malta.