You can't avoid APIs, so you need to secure them
As APIs emerge as the unsung heroes behind modern software development for their ability to accelerate innovation and streamline processes, it’s no secret or even a surprise that API security is a lingering problem that the broader cybersecurity industry has yet to fully solve. Since abandoning the use of APIs is not a viable option, organizations need to focus on building strong AppSec programs that give the teams developing with APIs, the structure and tooling to ensure connections are secure and software deployed is safe.
To be most effective, organizations need to prioritize designing security best practices into development workflows from the beginning and by adopting secure-by-design based principles.
The Cybersecurity and Infrastructure Security Agency (CISA) has called for a renewed emphasis on this approach as a key strategy for protecting against API attacks. This focus is reflected in its latest 2024-2026 plan which also includes the publication of official secure-by-design guidance for organizations looking to improve their security position.
While organizations continue to prioritize the acceleration of go-to-market timeframes, they need to consider security as a balanced part of the equation, and not as an override. Cutting corners in security is not the answer. Prioritizing security within the development process can help ensure APIs are deployed securely and potential vulnerabilities are fixed prior to shipping to production.
In recognition of the ongoing security challenges posed by APIs, OWASP has also recently revised its Top 10 API list to incorporate emerging trends. These encompass authorization, also known as access control, particularly relevant as API-driven applications grow in complexity; unregulated access to sensitive business flows, underscoring the imperative of secure planning and design during development; and the escalation of Server-Side Request Forgery (SSRF) as a pronounced, widespread threat to API-based systems. Understanding how these emerging security challenges affect APIs and taking steps to secure them is critical.
Authorization issues are widespread throughout API-based applications, because servers rely more on client-provided information to determine which objects to access. This can lead to broken object-level authorizations (BOLAs) that occur when attackers manipulate object IDs within user requests. As a result, the application can disclose data without authorization. Implementing object-level authorization checks and using an API management platform can help mitigate this problem. Object-level authorization checks make sure users have the right permissions to access requested objects, while API management platforms monitor and log access between the application server and the user’s information service, storing this data with an access token to ensure ongoing authenticity.
Another vector in which attackers can take advantage of APIs is through the identification of sensitive business flows and automated access to them. As this new threat tops the OWASP Top 10 list at No.6, it’s important to highlight this growing concern. The crux of this threat is based on scenarios in which APIs inadvertently expose business flows without adequate safeguards, leading to potential harm if exploited. A focus on proactive measures to identify and classify sensitive business flows is a crucial first step to minimizing potential threats. Additionally, separating the API layer from other business components via an API gateway can also act as a promising strategy.
Server-Side Request Forgery (SSRF) flaws can be exploited as APIs fetch a remote resource without validation of the URL supplied by the user. Attackers can take advantage of this to send application queries to an unexpected destination, and access sensitive resources as a result. While SSRF flaws cannot be eliminated completely, businesses can avoid exploitation by isolating the resource fetching mechanism in their networks, preventing it from returning unauthorized resources. Logging every API request can also help prevent requests from being manipulated and provide secure storage for the data to prevent unauthorized access.
Investing in securing APIs yields more than just technological dividends; it is a strategic imperative that builds customer trust and safeguards brand reputation. Organizations that demonstrate a commitment to API security signal to their customers that their data is handled responsibly. Such assurance can be the differentiating factor in a competitive market, where trust is the currency that underpins long-lasting customer relationships.
Image Credit: totallyPic.com / Shutterstock
Scott Gerlach is CSO and co-founder, StackHawk.