Be On-Guard Against API Attacks


By Guest Blogger, Chris Bonatti, Cybersecurity Consultant, IECA of Casper

Foreword by CyberWyoming:  APIs are often used to allow you to accept payments on your company’s website.  Be sure to research the products you integrate.  Don’t know how to research things like this?  Join Wyoming’s Cybersecurity Competition for Small Business and find out.

Attacks on Application Programming Interfaces (APIs) are an increasing area of concern for Internet-exposed services. According to security firm Salt Labs, the frequency of API attacks has increased by an astonishing 681%. Data breaches via exposed APIs have recently affected Australian telecommunications giant Optus, social media giant Twitter, and more than a dozen well-known automotive manufacturers. So if you have not yet gotten excited about API security, perhaps it’s time you began.

APIs come in all levels of complexity, but regardless of what an API serves or how complex it is, all the usual security engineering principles apply. Sound security policy, solid administration, and the usual list of security controls all need to be engaged. Security policies need to ensure that information available through an API is kept to the minimum necessary to accomplish its purpose, and that the service is properly isolated from other services that could pose liabilities. Security controls need to include authentication, authorization, access control, encryption, integrity checks, and logging. The API must be administered properly to ensure that credentials and permissions are properly controlled, and that operation is properly monitored. Administration should also prevent the uncontrolled proliferation of new APIs by ensuring that every API deployed is centrally registered and well documented. It is also useful to have a readily available “kill switch” to shut down and isolate the API in the event that an attack is detected.
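To make the list of controls above concrete, here is an added illustration (not code from the original post or from IECA) of a single request handler that applies several of them at once: authentication with a key id and a per-key secret, an HMAC integrity check over the request, a scope-based authorization check, response field minimization so that card and contact data never leave the service, logging of every refusal, and a kill switch that refuses all traffic. The key store, the order record, and the header names are constructed for the example.

```python
import hashlib
import hmac
import logging

logging.basicConfig(level=logging.INFO, format="%(asctime)s %(levelname)s %(message)s")
log = logging.getLogger("orders-api")

# Constructed credential store (hypothetical): key id -> shared secret and granted scopes.
API_KEYS = {
    "key-demo-1": {"secret": b"demo-secret-not-for-production", "scopes": {"orders:read"}},
    "key-demo-2": {"secret": b"second-demo-secret", "scopes": {"orders:write"}},
}

# Constructed data store: note the sensitive fields that must never be returned.
ORDERS = {
    "o-1001": {
        "id": "o-1001", "total": "42.00", "status": "paid",
        "card_number": "4111111111111111", "customer_email": "alice@example.com",
    },
}

# Data minimization: only these fields may leave the service.
PUBLIC_ORDER_FIELDS = ("id", "total", "status")


class ApiState:
    """Operational flags; flipping kill_switch on refuses every request during an incident."""
    kill_switch = False


def canonical(path: str, body: bytes) -> bytes:
    """Bytes covered by the signature: binding the path prevents reuse of a body on another endpoint."""
    return path.encode() + b"\n" + body


def sign_request(secret: bytes, path: str, body: bytes) -> str:
    """Client side: hex HMAC-SHA256 over the canonical request."""
    return hmac.new(secret, canonical(path, body), hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, path: str, body: bytes, signature_hex: str) -> bool:
    """Server side: constant-time comparison against the expected signature."""
    expected = sign_request(secret, path, body)
    return hmac.compare_digest(expected, signature_hex)


def handle_request(headers: dict, path: str, body: bytes, required_scope: str = "orders:read"):
    """Return (status_code, response_dict) for a GET on /orders/<id>."""
    if ApiState.kill_switch:
        log.warning("kill switch active; refusing path=%s", path)
        return 503, {"error": "service unavailable"}

    # Authentication: the key id must be known.
    key_id = headers.get("X-Api-Key-Id", "")
    cred = API_KEYS.get(key_id)
    if cred is None:
        log.warning("auth failure: unknown key id=%r path=%s", key_id, path)
        return 401, {"error": "unauthorized"}

    # Integrity: the request must carry a valid HMAC under the caller's secret.
    if not verify_signature(cred["secret"], path, body, headers.get("X-Signature", "")):
        log.warning("integrity failure: bad signature key=%s path=%s", key_id, path)
        return 401, {"error": "unauthorized"}

    # Authorization: the key must hold the scope this operation needs.
    if required_scope not in cred["scopes"]:
        log.warning("authz failure: key=%s lacks %s path=%s", key_id, required_scope, path)
        return 403, {"error": "forbidden"}

    order = ORDERS.get(path.rsplit("/", 1)[-1])
    if order is None:
        log.info("not found key=%s path=%s", key_id, path)
        return 404, {"error": "not found"}

    # Minimization: copy only the allowlisted fields into the response.
    log.info("ok key=%s path=%s", key_id, path)
    return 200, {name: order[name] for name in PUBLIC_ORDER_FIELDS}


if __name__ == "__main__":
    body = b""
    sig = sign_request(API_KEYS["key-demo-1"]["secret"], "/orders/o-1001", body)
    print(handle_request({"X-Api-Key-Id": "key-demo-1", "X-Signature": sig}, "/orders/o-1001", body))
```

The order of the checks matters: the kill switch is consulted before any work is done, and authentication precedes the signature check, which precedes authorization, so each refusal is logged with the reason that applies. The field allowlist is the mechanism behind "minimum necessary": adding a column to the order record does not expose it through the API unless someone deliberately adds it to `PUBLIC_ORDER_FIELDS`.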

It goes without saying that a lot of the APIs deployed over the last decade or so of web growth have been designed by amateurs, or by IT specialists lashing together turnkey products developed by others, without necessarily understanding the principles involved. Many tell themselves they know what they’re doing, but we’re sure that the IT staff at Optus and Twitter did the same. If you need help to ensure your organization’s APIs are properly secured, IECA is standing by to help.
