API Security: Why It’s Unique and Where We’re Going Wrong

Application programming interfaces (APIs) are the building blocks of modern applications, and their usage is growing at a staggering rate. With increased use, however, comes increased risk. Philip Ingram MBE, former senior British military intelligence officer and content lead for International Cyber Expo,  explains how traditional security approaches fall short in protecting APIs and why dedicated API security is a business necessity.

Application programming interfaces (APIs) serve as the glue that connects all of the critical data needed to run today’s new digitalized services and are an inescapable facet of our online and mobile lives. What’s more, API usage is growing at a staggering rate. The Salt Security Q3 2022 State of API Security report found that overall API traffic increased 168% over the past 12 months. With increased use, however, comes increased risk. The same report found that malicious API traffic now accounts for 2.1% of overall API traffic.


Why Is Traditional Security Not Enough for APIs?

The scope and risks inherent with APIs mean they require a different approach to security, one unique from all other forms of cybersecurity. Traditional security approaches fall short in their ability to protect APIs for many reasons, including: 

    • Rapid change and development of APIs: The API landscape is constantly changing. It is nigh on impossible to keep pace with new and changed APIs. Organizations are challenged in getting a complete inventory of their APIs, and – as the adage goes – you can’t protect what you don’t know exists. API security must start with an accurate inventory, and traditional tools such as WAFs and API gateways don’t provide any visibility to support API discovery. 
    • Low-and-slow nature of API attacks: Traditional attack techniques such as SQL injections or cross-site scripting are launched on APIs but typically fail. “One and done” attacks such as these leverage known vulnerabilities – a technique that doesn’t transfer to APIs. Every API is unique and has its own unique business logic. Cybercriminals must probe APIs repeatedly to find business logic gaps they can exploit – hence, an API attack’s low and slow nature. 
    • Shift-left shortcomings: While the shift-left movement is, on the whole, a worthwhile one, these tactics don’t necessarily work for APIs. Pre-production testing provides value, but not everything can be secured in code. Shift-left finds security gaps only for what is in development. Runtime monitoring and protection capabilities must be in place to protect what is already running in your environment. Behavioral analysis in runtime always provides the greatest value for fast attack detection and response. 
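The runtime behavioral analysis the last bullet calls for, shown as an added example that is not from the article or any vendor's product: a small Python heuristic run over constructed access-log lines. It flags a client that, within a time window, touches many distinct object ids on the same route template while mostly receiving 4xx responses, which is what the slow, repeated probing for business-logic gaps described above tends to look like in logs. The log format, client ids and thresholds are assumptions.

```python
"""Flag low-and-slow API probing from access-log lines.
Constructed example; log format, client ids and thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access-log sample: timestamp, client id, method, path, status.
# Client A browses its own account; client B walks through account ids.
SAMPLE_LOG = """\
2022-10-01T10:00:01Z client=A GET /v1/accounts/1001 200
2022-10-01T10:00:05Z client=A GET /v1/accounts/1001/transactions 200
2022-10-01T10:01:10Z client=B GET /v1/accounts/2001 200
2022-10-01T10:02:00Z client=B GET /v1/accounts/2002 403
2022-10-01T10:04:30Z client=B GET /v1/accounts/2003 403
2022-10-01T10:07:15Z client=B GET /v1/accounts/2004 404
2022-10-01T10:09:50Z client=B GET /v1/accounts/2005 403
2022-10-01T10:12:05Z client=B GET /v1/accounts/2006 403
2022-10-01T10:15:40Z client=B GET /v1/accounts/2007 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) (?P<method>[A-Z]+) "
    r"(?P<path>\S+) (?P<status>\d{3})$"
)
ID_RE = re.compile(r"/\d+")  # numeric path segments are treated as object ids


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["status"] = int(rec["status"])
    rec["template"] = ID_RE.sub("/{id}", rec["path"])  # route shape
    rec["ids"] = tuple(ID_RE.findall(rec["path"]))     # object ids touched
    return rec


def find_probing_clients(log_text, window=timedelta(minutes=30),
                         min_distinct_ids=5, min_error_ratio=0.5):
    """Return {client: (route_template, distinct_ids, error_ratio)} for clients
    that, inside one `window`, hit the same route template with at least
    `min_distinct_ids` different object ids and got 4xx responses for at
    least `min_error_ratio` of those requests."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_client[rec["client"]].append(rec)

    flagged = {}
    for client, recs in by_client.items():
        recs.sort(key=lambda r: r["ts"])
        for i, start in enumerate(recs):
            # All of this client's requests within `window` of request i.
            in_window = [r for r in recs[i:] if r["ts"] - start["ts"] <= window]
            by_template = defaultdict(list)
            for r in in_window:
                by_template[r["template"]].append(r)
            hit = None
            for template, trecs in by_template.items():
                ids = {r["ids"] for r in trecs}
                errors = sum(1 for r in trecs if 400 <= r["status"] < 500)
                ratio = errors / len(trecs)
                if len(ids) >= min_distinct_ids and ratio >= min_error_ratio:
                    hit = (template, len(ids), round(ratio, 2))
                    break
            if hit:
                flagged[client] = hit  # report the earliest window that trips
                break
    return flagged


if __name__ == "__main__":
    for client, (template, n_ids, ratio) in find_probing_clients(SAMPLE_LOG).items():
        print(f"client {client}: {n_ids} ids on {template}, 4xx ratio {ratio}")
```

Thresholds like five distinct ids and a 50% error ratio are deliberately loose here; in production they would be tuned per route, and a hit would feed a rate limit or an alert rather than a block on its own.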

A World Without API Security

Now that we have a better understanding of why APIs need their own specific security approach, we can take a look at what the world would look like without it. 

Imagine you’re shopping, standing at the counter till everything’s scanned, and waiting to pay. You slide in your card and punch in your PIN, but the screen reads insufficient funds. The cashier looks at you awkwardly, and you feel the shoppers behind you bristle with impatience.

Weird, you think, there was money in the account this morning. You open your online banking app, sign in, and your world falls apart. The account is empty, and it’s not just your pay packet that’s missing. Your savings have been drained; your pension is gone – you’re broke in every sense of the word. 

This is a nightmare for, well, everyone. It’s also a situation that, without dedicated API security, would occur at a frightening rate. 

Let’s dive a little deeper. FinTech platforms are an irresistible target for cybercriminals. Not only are the potential rewards astronomical, but these platforms have unbelievably rich and complex API landscapes. 

Remember the shortcomings of shift-left? That comes into play here. Recent threat research found that a security misconfiguration and a server-side request forgery (SSRF) flaw in a large US-based FinTech platform (no one writes perfect code every time) could have allowed: 

    • Attackers to gain administrative access to the banking system 
    • Attackers to leak users’ personal data 
    • Attackers to access users’ banking details and financial institutions
    • Attackers to perform unauthorized fund transfers in their own accounts

This is a shocking, real-world example of why API-specific security is so important. If this FinTech platform had relied on shift-left tactics alone, we wouldn’t be reading about it in threat reports; it would have made global headlines as a historic cyber-disaster. 

API Vulnerability in Coinbase

However, it isn’t only traditional finance lines with API security issues. In February of this year, a potentially catastrophic API vulnerability was found on Coinbase, a cryptocurrency trading platform. The vulnerability would have enabled an attacker to make unlimited cryptocurrency trades between accounts if it had been exploited. Its discovery was so crucial to Coinbase that Twitter user “Tree_Of_Alpha” netted $250,000 in bug bounty. 

So, in a world without API security, neither your fiat nor your DeFi money is safe. 

But let’s have a deeper look at that Coinbase vulnerability. According to his tweet, “Tree_Of_Alpha” was inspecting Coinbase’s new “Advanced Trading” feature, which allowed users to place orders for selling one type of cryptocurrency and use the funds to buy another. 

A standard RESTful API is used to carry out a request of this nature. It contains a number of critical parameters, including: 

    • The product being traded – in this case, Ethereum to Euro
    • The source account funds should be sold from
    • The destination account to transfer the converted currency into

The problem here is that, although these parameters exist in every request, they weren’t properly validated. What’s more, these are basic validation checks that any request handler should perform. If this hadn’t been flagged, it could have been a major embarrassment for Coinbase. 

To get into specifics, “Tree_Of_Alpha” was able to edit the “product” parameter manually, but Coinbase’s back-end systems failed to validate that the user was the owner of the wallets defined in the product. This meant that anyone could carry out a transfer of funds from a wallet that didn’t exist – in essence, your crypto wallet wouldn’t belong to you. 

To validate his findings, “Tree_Of_Alpha” sent the same request but changed the “ETH-EURO” product to “BTC-USD.” By doing this, he could validate his findings while mitigating the enormous risk to both Coinbase users and the ecosystem at large. The kicker? He didn’t even own a Bitcoin wallet. To everyone’s surprise, particularly Coinbase’s, the platform correctly processed the request. The funds were transferred from a mysterious, non-existent, “unknown” Bitcoin account into a valid USD wallet. 
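The missing checks described above, as an added example rather than Coinbase’s code: a constructed Python order handler that trusts the client-supplied product and wallet parameters, beside a hardened version that validates wallet ownership against the authenticated identity and the wallet currencies against the product. The wallet store, conversion rates, wallet ids and function names are all constructed for the example.

```python
"""Order placement: trusting client parameters vs. validating them server-side.
Constructed example; not Coinbase's code."""
from dataclasses import dataclass


@dataclass
class Wallet:
    wallet_id: str
    owner: str      # user id of the wallet owner, held server-side
    currency: str
    balance: float


# Constructed conversion rates for the products this toy exchange supports.
RATES = {("ETH", "EUR"): 1500.0, ("BTC", "USD"): 20000.0}


def make_wallets():
    """Fresh constructed wallet store, keyed by wallet id."""
    return {
        "w-eth-alice": Wallet("w-eth-alice", "alice", "ETH", 2.0),
        "w-eur-alice": Wallet("w-eur-alice", "alice", "EUR", 100.0),
        "w-usd-alice": Wallet("w-usd-alice", "alice", "USD", 0.0),
        "w-btc-bob": Wallet("w-btc-bob", "bob", "BTC", 0.5),
    }


class OrderRejected(Exception):
    """Raised when a request fails validation."""


def parse_product(product):
    """'ETH-EUR' -> ('ETH', 'EUR'): sell the base currency, receive the quote."""
    base, sep, quote = product.partition("-")
    if not sep or not base or not quote:
        raise OrderRejected("malformed product")
    return base, quote


def place_order_vulnerable(wallets, user, product, source_id, dest_id, amount):
    """Checks only that the destination exists. Ownership of either wallet and
    the link between product and wallet currencies are never verified, and an
    unknown source is silently treated as already funded. This reproduces the
    effect the article describes; it is not Coinbase's actual logic."""
    base, quote = parse_product(product)
    dst = wallets.get(dest_id)
    if dst is None:
        raise OrderRejected("unknown destination wallet")
    src = wallets.get(source_id)
    if src is not None:
        src.balance -= amount
    dst.balance += amount * RATES[(base, quote)]
    return dst.balance


def place_order_hardened(wallets, user, product, source_id, dest_id, amount):
    """Every client-supplied value is checked against server-side state, and
    `user` comes from the authenticated session, never from the request body."""
    base, quote = parse_product(product)
    if (base, quote) not in RATES:
        raise OrderRejected("unsupported product")
    if not amount > 0:
        raise OrderRejected("amount must be positive")
    src = wallets.get(source_id)
    dst = wallets.get(dest_id)
    if src is None or dst is None:
        raise OrderRejected("unknown wallet")
    if src.owner != user or dst.owner != user:
        raise OrderRejected("wallet not owned by caller")
    if src.currency != base or dst.currency != quote:
        raise OrderRejected("product does not match wallet currencies")
    if src.balance < amount:
        raise OrderRejected("insufficient funds")
    src.balance -= amount
    dst.balance += amount * RATES[(base, quote)]
    return dst.balance


def is_rejected(handler, *args):
    """True if the handler raises OrderRejected for these arguments."""
    try:
        handler(*args)
    except OrderRejected:
        return True
    return False


if __name__ == "__main__":
    w = make_wallets()
    # Legitimate: alice sells 1 ETH from her ETH wallet into her EUR wallet.
    print(place_order_hardened(w, "alice", "ETH-EUR", "w-eth-alice", "w-eur-alice", 1.0))
    # Same request shape, but naming a wallet that is not alice's: rejected.
    print(is_rejected(place_order_hardened, w, "alice", "BTC-USD", "w-btc-bob", "w-usd-alice", 0.5))
```

The point of the hardened version is that the product string and the wallet ids are treated as untrusted input: each is resolved to server-side state and tied back to the session identity before any balance changes, which is exactly the ownership check the article says was absent.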

While this vulnerability is shocking, it is by no means uncommon. API threat researchers and security professionals come across this kind of thing daily. 

This case is another example of why API-specific cybersecurity is so important. API development is rattling along at an extraordinary pace. Recent research from Salt even found that the average number of APIs per customer has increased 82% over the past year, leaping from 89 in July 2021 to 162 in July 2022. In this insatiable quest for innovation, it’s easy for security to take a backseat. Other organizations should see Coinbase’s near miss as a dire warning of the dangers that neglecting API security to make way for innovation poses. These aren’t petty issues; they are existential threats. 

Where Are We Going Wrong with API Security?

The Salt Security survey found that, despite the industry push towards shift left, only 22% of industry professionals value shift-left capabilities as a top need, compared to 41% who saw the ability to stop attacks in runtime as the most critical attribute. The same survey revealed that 53% of respondents attempted to remediate API security gaps during development and 59% during testing. Of course, these measures are worthwhile, but with 94% of those surveyed reporting recent API security incidents, it’s clear that shift-left tactics just aren’t up to scratch. 

More concerning is the widespread failure to implement runtime protection. It’s no secret that most successful API attacks target gaps in logic flows – which cannot be identified during pre-production testing – so why is it that so few (31%) are addressing security gaps during runtime or production? 

Dedicated API Security Is a Business Necessity

APIs power the interconnectivity of the essential data that businesses require to deliver their digital goods and services. Every company operating in the cloud relies on APIs. API security has become an absolute necessity for these companies to protect their critical services and customers’ data. 

It’s imperative that the industry wises up to the need for API-specific security. APIs have nuances and technical oddities, meaning traditional cybersecurity methods are simply ineffective. With the increasing number and complexity of API attacks, it’s time to approach API security differently. 
