Ignore API security at your peril
Application programming interfaces (APIs) are at the core of nearly every digital experience – whether that is the delivery of mobile apps that enable consumers to monitor and personalize their exercise routines using an IoT connected device, or making it easy for car owners to track and share their in-vehicle driving behaviors with an insurer, or enabling remote monitoring services that allow patients with chronic conditions to record and report their daily stats and receive important guidance that helps them better manage their health.
API security and performance are critical for engaging customers and increasing revenue, but recent news stories about security vulnerabilities that expose private data has brought the issue of API management into sharp focus. In many cases, simple failures to treat API security with respect have resulted in some significant data breaches affecting millions of users.
API use is growing, but security is lagging
In today’s digital economy, organizations are becoming increasingly dependent on APIs to power web and mobile applications that make it easier for customers to consume services via connected devices or apps. But API attacks are on the rise and Gartner has recently predicted that APIs will become the top attack vector by 2022.
API vulnerabilities enable cybercriminals to access sensitive user data, including identity and billing information. With consumers increasingly reliant on IoT connected devices and entertainment and lifestyle subscription services, API security problems open the door to denial-of-service attacks or the mass exposure of the personal information of users.
Let’s look at some of the issues underlying a recent serious API vulnerability that led to the exposure of the private data of millions of global users.
What caused the incident
APIs can be classified as private, partner or public. In the case of consumer-facing connected things and apps, APIs are often classified as both private and public, since external users won’t be accessing them using an organization’s private intranet.
This, however, creates a potential vulnerability if companies assume that a private API does not need to be secured. Limiting API access to authenticated users isn’t enough. In this instance, the firm in question relied on its app (on an IoT connected device or a user’s phone) to “hide” the information of others, which still left the API itself exposed.
This meant that anyone, anywhere, could sign up for a new account and then retrieve the profile information of other users – including their name, gender, and location – including users who had set their accounts to “private” expecting this would prevent their information from being seen by others.
To properly hide information that should not have been exposed through the API, such as private account details, the application code implementing the API itself should have been changed rather than simply configuring the API so that certain conditions had to be met (such as an “authenticated user” token) before granting access.
In this instance, in addition to undertaking a quick and inadequate fix, the firm’s inadequate process for reporting and addressing a known security issue meant that it took over three months to implement a final fix to address the issue.
Getting API design, implementation, and management right the first time
Many organizations are quick to embrace the potential and possibilities of connected devices and apps. However, they frequently neglect to put in place the right technology and processes needed to make their APIs secure.
Understanding APIs in terms of private/partner/public differences and understanding that these are not the same as internal/external is just the start. Organizations should have both an API strategy and a well-managed API management platform in place so that before teams expose APIs to anybody, a thorough security review is undertaken before rolling out certain API designs.
Similarly, any identified issue needs to be handled in a highly structured way. This includes conducting a full assessment of the impact and scope of reported vulnerabilities and having processes in place to ensure that all these issues are then resolved in a timely manner to prevent bigger problems arising further down the road.
Adopting a proactive API management approach
As organizations push ahead with using APIs to power up digital transformation and deploy a new generation app-based services, so the risk of unauthorized access and data exposure is growing.
To prevent future monetary and brand damage, organizations will need to put a solid enterprise API strategy in place and start treating APIs as first-class citizens of the business. That means having structures in place to ensure that API design, implementation, and management are done properly together with an appropriate internal API program to manage any identified API vulnerabilities in a comprehensive and fast way.
Thriving and surviving in today’s hyper-connected economy increasingly depends on having sufficient API maturity in place to ensure that anything connecting to an organization’s servers – devices, apps, customers – is managed appropriately to keep APIs, customer data and the company’s reputation safe.