An application programming interface, or API, is a type of software that allows communication between different software and services.
There are four primary API architectures:
REST is a stateless, uniform architecture where the client and server operate independently and interact via HTTP.
SOAP is more intricate and consumes more bandwidth than REST, exclusively working with the XML data format.
RPC, or Remote Procedure Call protocol, allows procedures to execute on a remote server within a distributed system.
GraphQL is a schema-driven, strongly-typed infrastructure with its unique query language, enabling clients to obtain specific data in a single request.
APIs are subject to a wide array of threats. Some come from outside, such as unauthorized intrusions by hackers, but others come from within and can disrupt systems or leave the API open for attack. API security refers to the strategies, tool sets, and procedures designed to keep APIs safe.
API security focuses on three significant security sectors:
API security can also help address issues such as access control, identity-based security, content validation, rate limiting, request throttling, monitoring and analytics, and data protection. Given that APIs serve as entry points for applications or networks, API security is paramount to shield organizations from potential threats.
Why API attacks are the #1 worry for cloud security practitioners
Wiz and Procter & Gamble experts share their security insights and tipsRead more
APIs are now foundational in modern software development. Most organizations utilize APIs to exchange data and interface with internal or external software components.
However, APIs are susceptible to cyberattacks, and they’re often targeted by hackers aiming to exploit vulnerabilities for malicious purposes. Broken or exposed APIs rank high among causes for significant data breaches.
Ensuring an API's security means preserving its data confidentiality and ensuring that only authorized users can access it. That includes safeguarding data integrity during and after transmission. This heightened awareness has amplified the focus on API security.
The OWASP Top 10 is a list of security risks curated to help developers design applications with security in mind. Let’s take a look at how these points relate to APIs:
Broken object-level authorization: APIs can connect controlling object identifiers, and without proper security in place the API might reveal those identifiers, leaving them open to attack. For instance, in 2018, the United States Postal Service (USPS) experienced a vulnerability due to weak access and authorization controls, compromising over 60 million users' critical data.
Broken authentication: Without robust authentication mechanisms, it can be possible for attackers to gain access to APIs and use them for malicious ends. In June 2021, an exposed API lacking proper authentication was exploited, compromising the personal data of approximately 1.3 million individuals. Simple token or key authentication could have thwarted this attack.
Broken object-property-level authorization: Developers occasionally return superfluous data, assuming APIs will be accessed solely by authenticated users. However, attackers can exploit this excess data. HealthEngine suffered from this vulnerability in their feedback API, leaking over 59,000 patients' personal information.
Unrestricted resource consumption: Every time an API request is made, a certain amount of resources are used up, including network bandwidth, memory, and compute. This presents an internal vulnerability, as unlimited requests can overload an API, increasing operational costs or even causing service denial for legitimate users.
Broken function-level authorization: Many systems have access control policies that are complex. If function-level authorizations aren't implemented, attackers can access unauthorized functions. A recent case in September 2022 saw an attacker infiltrate Uber's IT infrastructure due to this vulnerability.
Unrestricted access to sensitive business flows: Excessive access to critical business flows can disrupt operations. In 2011, CITI suffered a data breach affecting 350K North American cardholders due to an attack that manipulated its business flows.
Server-side request forgery (SSRF): SSRF vulnerabilities occur when an API fetches data from an unvalidated user-defined URL, potentially allowing attackers to bypass security measures. Modern tech stacks, such Docker and Kubernetes, are especially vulnerable.
Security misconfiguration: Insecure API configurations can lead to various attacks that expose data and gain unauthorized access. These vulnerabilities arise from myriad factors, such as missing patches, outdated systems, or exposed error details.
Improper inventory management: With APIs often exposing more endpoints than traditional web applications, maintaining accurate documentation is essential. Poor inventory management can result from insecure storage, weak encryption, or inadequate access controls.
Unsafe consumption of APIs: API consumption often hinges on the trust developers place in third-party responses. Many developers believe that third-party APIs, especially those offered by well-known companies, are inherently secure. This misplaced trust can lead to vulnerabilities. Instead of directly targeting your APIs, attackers might exploit these third-party integrations. Incidents, like the SSRF attacks, can manifest because of inadequate validation and sanitization of responses. For instance, in January 2021, Parler faced security issues by allowing third-party APIs to access data without authentication. Attackers guessed URLs containing sensitive information and accessed the data without authentication.
Each of the three primary API architectures—SOAP, REST, and GraphQL—has its own unique security implications.
|API Architecture||Security Implications|
|SOAP API Security||SOAP is a streamlined, XML-based messaging protocol designed for exchanging structured data in decentralized computer networks. It's adaptable across various protocols such as HTTP and SMTP. SOAP's security layers incorporate both transport layer security (like HTTPS) to encrypt data in transit and message-level security, including XML digital signatures, to uphold message integrity. By following Web Services (WS) specifications, which offer standardized guidelines, SOAP provides robust security features such as WS-ReliableMessaging for enhanced error-handling.|
|REST API Security||REST APIs employ JSONs for data representation and rely on HTTP/s for data transfers, streamlining the development process. Since REST lacks inherent security mechanisms, its security is contingent upon the design of the API. Implementing security measures in data transmission, deployment, and client interactions is essential. Typically, REST APIs rely on protocols such as HTTPS and employ token-based authentication to enhance security.|
|GraphQL API Security||GraphQL, an open-source API language, functions both as a query language and a runtime for query execution. Its strictly typed schema ensures data consistency. However, its flexibility can be a double-edged sword: complex, unfiltered queries could lead servers astray, potentially running malicious requests. Adopting security practices like throttling, setting query depth limits, and implementing query timeouts can mitigate these vulnerabilities.|
The key to keeping your APIs safe is by upholding better API security standards. You can start by adhering to the following points:
To safeguard an API, you need to be aware of its existence first. Continuous automated discovery and inventorying using scanners is crucial to detect all API endpoints and understand their parameters and data types.
Recognizing your system's vulnerabilities is critical to keeping APIs safe. Stay updated with system components, identify potential weak points in your API lifecycle, and employ multi-layered security against threats that were covered in OWASP's top API risks, bot attacks, and DDoS attacks.
Encrypted APIs are less prone to breaches. Leveraging signatures ensures only authorized users can access and alter data. Methods such as TLS encryption protocols effectively safeguard API data.
Authentication verifies the user, typically using API keys or basic access authentication, while authorization ensures users access only permitted data, often achieved via Role Based Access Control (RBAC). Both are vital for robust API security.
DoS and DDoS attacks present serious threats to your operations, and APIs are a common vector. By enforcing quotas and rate limits, you can thwart such threats and additional risks, such as credential stuffing.
Managed APIs reduce vulnerabilities. Since API gateways serve as in-between mediators for clients and backend services, they can authenticate traffic and enhance your API security.
Automatically discover and secure your APIs with Wiz Dynamic Scanner
Wiz enhances its Dynamic Scanner to detect publicly exposed, unauthenticated APIsRead more
As we discussed, API security starts with the discovery of APIs and inventorying. Existing solutions for API security are mostly based on agents and network scanners. However, these fall short of giving complete visibility and are also complex to deploy as well. With the Wiz Dynamic Scanner, Wiz has brought a new and modern approach to API security.
With its agentless scanning for all of the major cloud providers, Wiz Dynamic Scanner analyzes all the cloud layers of your deployment, making it possible to detect any risk components and attack paths that might be present in your cloud environment.
This approach gives you complete visibility to identify all your APIs that are exposed to the internet, along with their associated context so you can get a full understanding of what is exposed and what the blast radius might be if they were exploited.
To get a more clear understanding and see how it behaves for your environment, schedule a demo with Wiz to see for yourself how it works and all the features it provides.
Learn how with Wiz, customers can now simply answer the question of where do I have exposed APIs in my environment with all the context associated with the execution environment.
API Security FAQs