Why Executives and IT Teams Overlook API SecuritySince APIs provide external developers with programmatic access to internal databases, they straddle the divide between "database security" and "network security.” Large enterprise security teams may have personnel directly responsible for API security, but small and mid-sized organizations are more likely to distribute multiple responsibilities to a core team. This can lead to API security falling through the cracks. In some cases, small and mid-sized IT departments that outsource API development might assume that they must be getting a secure API in return since they’re working with third-party contractors. Professional API developers recognize the value of API security principles, but time and budget pressures can easily result in less-than-optimal results. Many small and mid-market organizations don't have an in-house API development team. As a result, the tendency is to see API security as "the developer's problem.” Making sure the project requirements are met on time takes precedence over verifying the technical security approach used. But the main pitfall that executives and IT leaders fall into is assuming that API security is static. Like every other part of the cybersecurity framework, API security must adapt to new threats in real-time. This responsibility does not fall squarely on the shoulders of the original API developer – it's a database monitoring and network security issue.
Apps and APIs are Like Windows into Your Business InfrastructureIt can be helpful for IT leaders to think of their business infrastructure as a house. When burglars break in, they rarely enter through the front door. An unsecured window is a much more compelling entry point, especially if the intruder can see through it before attempting.A payment API works using the same principle. It's a programmatic interface that receives customer credit card data and directs payments to company accounts. It reports completed payments to accounting software and processes returns. It's not something you can easily hide or conceal – not without compromising customer trust.Since customers can see what your payment API is doing, cybercriminals can too. Like residential burglars, they can peer inside the window and plan an attack.Many of these attacks are client-side attacks. In a client-side attack, cybercriminals target third-party code to compromise trusted systems. For example, a hacker may tell the payment API to copy all incoming customer credit card data and send it to an unauthorized offsite address. This card-skimming exploit is a textbook example of a Magecart attack.The more apps and APIs a business has, the more opportunities it presents to potential attackers. But it's not the number of apps and APIs that lead to data security blind spots. It's the complexity of the API environment itself.
How API Complexity Impacts the Security LandscapeApps and APIs are critical components of the next-generation user experience. Organizations are increasingly investing in API development initiatives (and increasing the complexity of their environment) in multiple ways:
Organizations Expose Multiple Data Sources.It's rare for a business of any size to limit itself to just one API. According to Postman's 2020 State of the API report, most enterprises use at least 50 APIs concurrently. It's worth pointing out that very few of Postman's survey respondents actually knew how many APIs their companies use, pointing towards a troubling trend in API visibility.According to Imperva, the average enterprise manages 363 APIs. This number reflects a smaller survey of enterprise IT professionals, but the takeaway is clear. API security must accommodate hundreds of moving parts.Cybercriminals may not need to fully compromise a single API to gain access to sensitive data. They will increasingly be able to exploit visibility loopholes through multiple access points. This could allow attackers to compile sensitive records by comparing data captured from multiple sources.
- DevOps Increases Deployment Frequency.APIs are a fundamental tool to DevOps and the Agile development methodology. This development approach prioritizes automation and empowers self-governing teams to deliver software changes and updates in an ongoing way. This means IT teams can reduce the amount of time it takes to publish software updates from months to minutes.Since client-side attacks can take advantage of compromised third-party software integrations, increasing the frequency of integrations can increase vulnerability. For companies using DevOps, establishing security practices that don't result in production bottlenecks is a significant challenge.Under traditional development models, security comes at the end of app testing. This doesn't work in a DevOps environment. Security testing must occur at every stage of development so that flaws and loopholes can be addressed immediately.
Service-Oriented Architectures Are Expanding.APIs are at the core of service-oriented architectures, including microservices. This architectural style structures applications as a collection of independent, easily maintainable services owned by a small, dedicated team. It enables the rapid development of large applications in complex environments.This can create serious security challenges. Individual services may be distributed over several different cloud providers in multiple data centers across the globe. Independent application components are harder to test independently without seeing how they communicate across different infrastructure layers.Importantly, service-oriented architectures expose new entry points for internal and external users. This can significantly increase the need for comprehensive access controls. Not only must API security accommodate hundreds of moving parts, but it must also verify the relationships between these parts.
Most Database Monitoring Solutions Don't Identify API Users IndividuallyExecutives and IT teams intent on securing their infrastructure need to distinguish between two basic threat categories:
- Insider Threats are internal network users with malicious intentions. These might include compromised accounts, corporate espionage, or deliberate sabotage by disgruntled employees. These kinds of threats typically focus on exploiting code loopholes, access privileges, and data exfiltration opportunities.
- Outsider Threats are external hackers and bots looking for vulnerabilities to exploit. Since they exist outside the network, they must first infiltrate it – often using email phishing scams – before they can start causing damage. This damage might come in the form of DDoS attacks, account takeovers, or SQL injections.
- User. This is the user's self-reported name. If an employee directly accesses a database from a recognized device, it's probably the employee's real name.
- Role. This explains what the user does. It also shows what level of permission the user has been granted.
- Source IP. This is the network address of the device that the user is connecting to the database.
- Destination IP. This is the network address of the destination the user would like to connect to.
- Object. This record describes the asset this user interacted with during this particular session.