Businesses have steadily improved their perimeter security to protect against an ever-increasing number of cyber attacks. That has pushed attackers toward a less defended path to an enterprise's data: the 3rd party APIs it consumes.
Application Programming Interfaces (APIs) by their nature open a door into otherwise protected applications and data. A company controls the APIs it develops itself; the 3rd party APIs it depends on are designed, operated and patched by someone else, and a weakness in one of them can give cybercriminals a clear and easy path to your data.
The Pros and Cons of 3rd Party APIs
Using 3rd party APIs saves companies a lot of time, simplifying the development process and providing easy access to another company's data, tools, and technology. Whenever someone uses a smartphone app to get directions, make reservations, share photos, purchase tickets, or check email, they are using APIs. A simple example is a business adding a map to its web site using tools developed by Google. The API is designed to let you display a map and driving directions on your page, but it also widens your attack surface: the script you load from Google runs inside your page with the same access as your own code, and the API key you embed in the page is visible to every visitor, so unless it is restricted to your domains and to the specific services you use, anyone can reuse it. With over 21,000 3rd party APIs available today, and most businesses employing 3rd party APIs, the potential for a security weakness is high.
In 2018, cyberattacks became much more focused and planned. Criminals study a business's systems and take the time to identify weak packages and tools on targeted servers. How many attack options this opens depends on how well each 3rd party API was designed for security. Common weaknesses exposed by APIs include unencrypted transport of data, broken authentication, cross-site scripting, cross-site request forgery, denial of service, code injection, man-in-the-middle attacks, replay and spoofing, and credentials such as API keys carried in a uniform resource identifier, where they end up in server logs, browser history and Referer headers.
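The last two weaknesses in that list, plaintext transport and keys leaking through URIs, are easy to detect in the logs you already keep. The following scanner is an added example written for this article (it is not code from the article or from any vendor it names); it parses constructed access-log lines in the common "combined" format and flags request targets and Referer headers that use plain HTTP, carry credentials in the userinfo part of the URL, or carry a key in the query string. The list of sensitive parameter names, the key-shape heuristic and the sample lines are assumptions for illustration.

```python
"""Detect third-party API credentials leaking through URIs.

Added example, not from the original article. It scans web-server access
log lines (constructed sample data below) for request URLs that carry
secrets in the query string or userinfo, or that use plaintext HTTP.
Parameter names, the key-shape heuristic and the log format are assumptions.
"""
import re
from urllib.parse import urlsplit, parse_qsl

# Query parameter names that commonly carry credentials (assumed list).
SENSITIVE_PARAMS = {
    "api_key", "apikey", "key", "token", "access_token", "auth",
    "password", "secret", "signature", "sig",
}

# Values that look like keys: long runs of URL-safe base64/hex characters.
KEY_SHAPE = re.compile(r"^[A-Za-z0-9_\-]{20,}$")

# Apache/nginx "combined" style access log line; we need the request target
# and the Referer, since both can leak a key (third-party keys embedded in a
# page show up in the Referer of the next request).
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def audit_url(url, source="request"):
    """Return a list of (issue, detail) findings for one URL or request path."""
    findings = []
    parts = urlsplit(url)
    if parts.scheme == "http":
        findings.append(("plaintext-transport", parts.netloc))
    if parts.username or parts.password:
        findings.append(("credentials-in-userinfo", parts.netloc))
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE_PARAMS:
            findings.append(("secret-in-query", f"{source}:{name}"))
        elif KEY_SHAPE.match(value):
            findings.append(("key-shaped-value", f"{source}:{name}"))
    return findings


def scan_access_log(lines):
    """Scan log lines; return {line_number: findings} for lines with issues."""
    report = {}
    for no, line in enumerate(lines, 1):
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        findings = audit_url(m.group("target"), "target")
        if m.group("referer") not in ("", "-"):
            findings += audit_url(m.group("referer"), "referer")
        if findings:
            report[no] = findings
    return report


# Constructed sample log lines (not real traffic, not real keys).
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2018:10:01:02 +0000] "GET /maps/embed?center=1,2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [12/Mar/2018:10:01:03 +0000] "GET /v1/geocode?address=x&key=EXAMPLEKEY0123456789abcdefgh HTTP/1.1" 200 312 "https://shop.example/cart?token=deadbeefdeadbeefdeadbeef1234" "Mozilla/5.0"',
    '10.0.0.7 - - [12/Mar/2018:10:02:00 +0000] "GET /v1/items?page=2 HTTP/1.1" 200 1024 "http://partner.example/list" "curl/7.58"',
]

if __name__ == "__main__":
    for no, findings in scan_access_log(SAMPLE_LOG).items():
        print(no, findings)
```

Some 3rd party APIs, Google Maps among them, only accept the key as a query parameter, so for those the fix is not moving the key into a header but restricting what the key can do and scrubbing it from logs; for APIs that do accept an `Authorization` header, a hit from this scanner is a bug in your own client code.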
Biggest Security Issues with APIs
The biggest security risk, according to Trustwave's 2018 report, is cross-site scripting (XSS). It was the most common web application attack technique, used in 40% of the attacks the report reviewed. SQL injection (SQLi) was second at about 24% of attacks, and path traversal came in at 7%. These are combined with other techniques to steal the targeted data or credentials. T-Mobile, Verizon, Snapchat, oBike, Panera, P.F. Chang's, and LocationSmart are all companies that suffered breaches due to vulnerabilities in APIs. Customer accounts were taken over, private information and photos were stolen, and in some cases the cybercriminals were able to extract credit card numbers.
The Trustwave report explains on page 31 that the payday for cybercriminals is particularly high for healthcare records, which fetch on average $250.15 USD per record because of the volume of personal data they contain. By comparison, a payment card record goes for $5.40 and a lone social security number for $0.53.
Your business can incur losses in many ways: regulatory fines, increased scrutiny by regulatory agencies, and litigation. You can face civil, criminal, and class-action lawsuits, resulting in large jury awards and settlements. Your business faces loss of value, loss of investors, loss of customers, and increased capital spending. Negative press exposure and competitor positioning can ruin a good reputation, forcing expensive campaigns to rebuild trust. Over time you risk losing market share, spending heavily to recover, and raising questions about the long-term sustainability of the business.
The challenge becomes properly vetting the 3rd party APIs used in your environment and continuously monitoring them for updates that may affect their security. API security is a hard problem. You have to manage a massive number of simultaneous connections from different devices, browsers, and applications, each accessing a variety of APIs, data, and applications in your environment. To ensure the safety of your data (and be able to prove it to your compliance team), you need a complete bi-directional audit trail between the 3rd party APIs and the digital assets they serve: what was sent to each API, what came back, when, and on whose behalf, recorded in a form that cannot be quietly altered after the fact and that never itself contains the credentials it is auditing.
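To make that audit-trail requirement concrete, here is an added example (written for this article, not code from the article or from any of the API management products it names) of a small client wrapper for outbound 3rd party API calls. Every call is refused unless it uses HTTPS, the credential travels in an `Authorization` header rather than the URL, and each call produces one audit record holding a request ID, the scrubbed URL (query string replaced by a hash), hashes of the request and response bodies, the status and latency, and the hash of the previous record, so the trail is tamper-evident and `verify_trail` can prove it to an auditor. The transport is injected, so the example runs offline against a constructed fake; the endpoint names, header names and fake responses are assumptions.

```python
"""Tamper-evident audit trail for outbound third-party API calls.

Added example, not from the original article or any product it names.
`AuditedClient` wraps a transport function (injected, so the example runs
offline against a fake one) and records one hash-chained entry per call:
what was sent, what came back, and when. Secrets never enter the trail:
the credential goes in a header, and query strings are replaced by a hash.
Endpoint names, header names and the fake responses are assumptions.
"""
import hashlib
import json
import time
import uuid
from urllib.parse import urlsplit, urlunsplit


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _scrub(url: str) -> str:
    """Keep scheme, host and path; drop userinfo; replace the query by a hash."""
    p = urlsplit(url)
    host = p.netloc.rsplit("@", 1)[-1]
    query = f"q={_sha256(p.query.encode())[:16]}" if p.query else ""
    return urlunsplit((p.scheme, host, p.path, query, ""))


def _entry_hash(entry: dict) -> str:
    """Hash of the canonical JSON form of an entry, excluding its own hash."""
    canon = json.dumps({k: v for k, v in entry.items() if k != "hash"}, sort_keys=True)
    return _sha256(canon.encode())


class AuditedClient:
    def __init__(self, transport, api_key, trail=None):
        # transport(method, url, headers, body) -> (status, response_body)
        self._transport = transport
        self._api_key = api_key
        self.trail = trail if trail is not None else []

    def call(self, method: str, url: str, body: bytes = b""):
        if urlsplit(url).scheme != "https":
            raise ValueError(f"refusing plaintext request to {url}")
        req_id = str(uuid.uuid4())
        # Credential in a header, never in the URL (which ends up in logs).
        headers = {"Authorization": f"Bearer {self._api_key}", "X-Request-ID": req_id}
        started = time.time()
        status, resp_body = self._transport(method, url, headers, body)
        entry = {
            "id": req_id,
            "ts": started,
            "method": method,
            "url": _scrub(url),
            "request_sha256": _sha256(body),
            "status": status,
            "response_sha256": _sha256(resp_body),
            "latency_ms": round((time.time() - started) * 1000, 2),
            # Link to the previous record; a zero hash anchors the chain.
            "prev": self.trail[-1]["hash"] if self.trail else "0" * 64,
        }
        entry["hash"] = _entry_hash(entry)
        self.trail.append(entry)
        return status, resp_body


def verify_trail(trail) -> bool:
    """True if every entry hashes correctly and links to its predecessor."""
    prev = "0" * 64
    for entry in trail:
        if entry["prev"] != prev or _entry_hash(entry) != entry["hash"]:
            return False
        prev = entry["hash"]
    return True


def fake_transport(method, url, headers, body):
    """Constructed stand-in for the network: echoes what it received."""
    assert "Authorization" in headers
    return 200, json.dumps({"path": urlsplit(url).path, "len": len(body)}).encode()


def demo() -> AuditedClient:
    client = AuditedClient(fake_transport, api_key="EXAMPLE-KEY-NOT-REAL")
    client.call("GET", "https://api.partner.example/v1/customers?limit=50")
    client.call("POST", "https://api.partner.example/v1/orders", b'{"sku": "A1"}')
    return client


if __name__ == "__main__":
    c = demo()
    print(json.dumps(c.trail, indent=2), verify_trail(c.trail))
```

Storing body hashes rather than bodies keeps personal data out of the trail while still letting you prove, given the retained payload, exactly what crossed the boundary; in production the chain head would be written to storage the application cannot modify, since an attacker who can rewrite every record can also recompute every hash.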
The good news is that there are tools available to help you. API Management Platforms provide analytics, developer engagement, monitoring and alerting, service integration, and lifecycle management, enabling you to not only identify problems, but to be proactive in making sure your data is kept safe. The leading products today, according to Gartner's 2018 Magic Quadrant for Full Life Cycle API Management, are:
- Google Apigee
- CA Technologies CA API Management
- IBM API Connect
- Software AG webMethods API Management Platform
- Salesforce MuleSoft Anypoint Platform
- TIBCO Software Mashery
- Red Hat 3scale API Management
- SAP Cloud Platform API Management
- Amazon Web Services Amazon API Gateway
- Axway AMPLIFY API Management
- Microsoft Azure API Management
Final Thoughts
APIs are making our digital society and digital businesses work. According to OnePoll, businesses on average manage 363 different APIs. Third party APIs provide easy access to data, applications and technology that make life easier for your developers, reduce costs, keep your customers engaged, improve your customer experience, and enable you to deliver more functionality faster. Targeted attacks are only going to get more sophisticated as cybercriminals find more ways to get at lucrative data. If you have not done so already, now is the time to implement the capabilities to audit your API use, close the loopholes in your environment, and help ensure the security of the data in it.