We were honored to have Dr. Anton Chuvakin, security advisor at Office of the CISO, Google Cloud, join our recent API Security Summit. This educational event – our second this year! – featured a “who’s who” of cybersecurity leaders, including Joe Martinez, CSO at AON; Ed Amoroso, founder and CEO of TAG Cyber; Michael Sentonas, CTO at CrowdStrike; Colin Williams, CTO at Computacenter, and others. We invite and encourage you to listen to all the sessions on demand here.
Dr. Chuvakin’s session – co-hosted by Salt Security Vice President of Marketing Michelle McLean – provided an in-depth discussion on why API security has become a “now” problem. As we move into 2023, there’s rising urgency around API security, as incidents increase and continue to threaten the safety of critical data and services
As businesses continue their digital innovation, API usage has skyrocketed, bringing with it a growing attack surface and lucrative set of targets. Public breaches, such as Optus suffered recently, highlight the corresponding need for increased API security. The full set of dynamics at play in this dynamic ecosystem is more complex than the simple “more APIs = more API attacks” equation, as explained by Chuvakin and McLean.
A transformed infrastructure, led by cloud migration and the adoption of microservices, certainly drove API usage – at the same time, as APIs became foundational to ever more sophisticated business processes, they also became more valuable. APIs deliver more capabilities than in the past and have become integral to new digital services. They’re enabling critical applications and sharing valuable information, making them an attractive – and lucrative – target. Attackers know they can use APIs to reach valuable data they can steal for monetary gain – through ransoms, sales on the dark web, fraudulent transactions, or other nefarious activities. Money represents the driver for the vast majority of security attacks. Bad actors know that APIs are the gateway to a treasure chest of profitable data.
While the increased usage of APIs expanded the attack surface, another change – a more unusual one – also occurred. The ways that people attacked this application layer also changed. According to Dr. Chuvakin, with APIs, we started to see new attacks against new environments, complicating threat assessment. Moreover, because each API is unique with its own unique business logic, any vulnerability in an API represents a zero-day vulnerability.
Although attackers need to do a lot of probing to uncover an API vulnerability – and that reconnaissance activity typically takes a lot of time – hacking APIs is not technically difficult. Attackers go through a series of sequences to find business logic gaps to target. Attacks require applying “what-if” scenarios, such as if I use this user ID to authenticate, but then a different user ID in a cookie later, can I access accounts that aren’t mine and can I exfiltrate valuable data?
Today’s API attacks differ significantly from the traditional attacks of the past 10-20 years. Those attacks leveraged a “known” gap, propagated as a single transaction, and devices could be taught how to see – and stop – those kinds of pre-set attacks. But because each API varies, each API attack varies. Signature-based, rule-based security approaches don’t work.
API attacks are behavioral, based on a string of activities, making attack detection much challenging. To spot attacks, you need to have a bigger picture. You need the ability to see behaviors – of users, of APIs – over a period of time. This long view provides the understanding of what represents “normal” behaviors within a given API ecosystem, making it possible to spot those “out of the ordinary” behaviors that could indicate a potential threat. It takes context over an extended period of time, with extensive baselining and behavioral analysis, to detect these types of attacks.
While bad actors are often clever in their attacks, unfortunately, common mistakes play their part in contributing to API security risks – as has been the case in security challenges for decades. API governance can often be lacking in organizations. An API might have been designed for internal usage only but then becomes externally used. In that case, it might not have gone through the same governance processes or security checks, making it more vulnerable to threats.
In the case of Australian telecommunications provider, Optus, the breach stemmed from the exposure of an unauthenticated API in a test network – a part of the company’s systems that was never expected to be publicly available. Another common flaw can be a simple configuration error that leaves an API vulnerable once that error is found by an attacker.
All these dynamics contribute to why API security has become a “now” problem for organizations in 2023, a problem also reflected by a jump in API security funding and an influx of new (and legacy) vendors entering the fray. With creative attackers, more attacks occurring, a changed attack surface and a higher volume of APIs transporting your and your customers’ most critical data, 2023 has become the year of API security.
To listen to Dr. Chuvakin’s session in its entirety, feel free to sign up for the on-demand API Security Summit.
It’s extremely important to make sure your OAuth implementation is secure. The fix is just one line of code away. We sincerely hope the information shared in our blog post series will help prevent major online breaches and help web service owners better protect their customers and users.
We want to thank our customers, partners and friends for the calls and messages to our team showing your concern and support.