Have you heard the phrase “a chain is only as strong as its weakest link?” It’s usually used to express the sentiment that a group of people are only able to be as successful as the least powerful or successful person in the team. However, much the same is also true when it comes to API security and vulnerable libraries.
Web applications and web APIs
While there’s plenty of emphasis put on web app security, APIs are frequently more powerful and simultaneously easier to exploit. On the surface, a web application and a web API sounds like it refers to the same thing. Certainly, there is a degree of commonality between both, but there are also critical differences.
One of the reasons web apps are often targeted by attackers is because of their visibility – being designed with human users in mind. No-one needs to point out how significant popular web apps like Google Docs are. Bringing a target like Google Docs, or even other smaller but still well-known solutions, to its knees would therefore be cause for major bragging rights among malicious actors.
Unsurprisingly, there is therefore a spate of attack methods that are used against web apps, such as Cross-site Scripting (XSS), SQL injections, Cross-site Request Forgery (CSRF), Remote File Inclusion, and more.
But there’s also a growing number of similar attacks which go after APIs: the functions and procedures which let applications access features or data belonging to another service. (For instance, a button that allows you to pay with PayPal on a website or calls up Google Maps data to show you the location of a landmark.) APIs are back-end applications (on the server side) as opposed to front-end applications (on the client side) and are therefore less visible – although no less potentially devastating if they’re subjected to an attack. Possibly even more so than a web app.
The fear of API vulnerabilities
The fear of API vulnerabilities is because of what’s known as a supply chain vulnerability. Like having a secure house, but then installing a hackable smart lock on your front door, they open up potential vulnerabilities that can be overlooked by the people relying on these APIs. It’s not just small players whose APIs may contain vulnerabilities, either.
Recently, a new vector was discovered that allowed attackers to potentially exploit vulnerable versions of Google’s SLO Generator, making possible remote code execution attacks. The tool is utilized by a huge number of Google services. While the flaw has been patched since September 2021, outdated versions used could nonetheless potentially be used to attack targets.
This is just the latest example of vulnerable APIs opening up security weaknesses. A report published at the start of the year claimed that API attacks exploded by a massive 681 percent in the preceding year. Of the respondents, all running production APIs, many remained totally unprepared to deal with API attacks. A terrifying 34 percent said that they had no kind of security strategy in place as relates to APIs.
If it ain’t broke…
Here’s another idiom: “If it ain’t broke, don’t fix it.” Unfortunately, this is totally the wrong advice when it comes to APIs. In fact, the problem with just about any security vulnerability is that it looks like nothing’s wrong – until you suffer an attack.
So what’s the best way to secure APIs? As is always the case with cyber security, there’s no one-size-fits-all solution. But there is practical advice that can be followed. For starters, prioritize security rather than ignoring the problem. Conduct an inventory of your APIs and then work with dedicated DevOps teams in order to better manage them. In addition, use strong authentication and authorization solutions, encrypt traffic, use rate limiting, and other similar approaches.
Perhaps the best advice you can follow, however, is to call in the experts. Solutions like Web Application Firewalls (WAFs) and Runtime Application Self-Protection (RASP) can be used to help secure APIs – or, at least, to stop potentially insecure APIs from causing damage to the organizations who rely on them.
An unfortunate reality of modern computing
Cyberattacks like this are an unfortunate reality of today’s computing landscape. Like web apps, APIs have been a game-changer in all sorts of ways. But vulnerable libraries can yield no end of problem, potentially far outweighing the benefits of using these tools. By taking advantage of the right solutions, however, it’s possible to reap all the benefits without the risk.
That’s one of the smartest investments you can make as a business. After all, failing to take this issue seriously can be an incredibly costly error to make – not just for you as an organization, but for the customers and users who have put their faith and trust in you.
