Authored by: David Sajoto, Vice President, Asia Pacific and Japan, ExtraHop
The application programming interface (API) is meant to streamline cloud computing processes. Left unsecured, however, APIs add to the attack surface and give attackers a path to private data. As the world becomes more digitally connected, the reality of this threat has become increasingly difficult to ignore.
In Asia Pacific (APAC), open banking initiatives are gaining momentum. As the financial sector continues to innovate to provide better products and services, banks and fintech companies are adopting APIs in their IT infrastructure. To create an ecosystem that "supports financial innovation and inclusion in the region and around the world," Singapore launched a global, open-architecture platform called API Exchange (APIX). With a robust and thriving open banking platform, the goal of APIX is to connect organisations and financial institutions and help businesses deploy solutions that serve the needs of consumers.
What Makes Insecure APIs Such a Looming Threat?
Driven by the rise in mobile connectivity and app usage, the number of industries and sectors adopting APIs is increasing. While the banking sector leads in cloud API adoption, other industries such as retail, transport and government offices are embracing the technology. With this growth, however, cyber threat actors are drawn in, looking for ways to exploit APIs for malicious purposes.
Given this growing threat, organisations are called on to establish stricter policies and more stringent measures to prevent cloud APIs from becoming entry points for cyber attacks. Recently, the Personal Data Protection Commission (PDPC) of Singapore imposed a steep fine on a ride-sharing company that exposed driver and passenger information because of an API update that was not tested before its rollout. When implementing system changes that may put data at risk, a robust security process should be in place to prevent unauthorised use of information.
As dependency on APIs increases, cybercriminals have found two common ways to leverage them to access company data.
The Exploitation of Inadequate Authentication
The Open Web Application Security Project (OWASP) 2019 report lists flawed user authentication as one of the top API vulnerabilities. In some cases, developers create APIs without any authentication at all. As a result, these interfaces are completely open to the internet, and anyone can use them to access enterprise systems and data. Think of it as walking around a neighbourhood trying doors until you find one left unlocked.
Profiting From Increased Use of Open Source Software
A component-based approach to software development has become commonplace in the IT world. To save time, many developers incorporate open source software into their code. This can leave many applications open to supply chain attacks. For instance, a developer could download components from a public registry such as Docker Hub that have unknowingly been tainted with cryptocurrency mining code.
The Best Defense Against Insecure Cloud APIs
To avoid accidental or malicious data exposure via APIs, businesses should consider adopting the following best practices:
Encourage developers to practice good API hygiene. APIs should be designed with authentication, access control, encryption and activity monitoring in mind. API keys must be protected and not reused.
Rely on standard API frameworks that are designed with security in mind. Examples of this include the Open Cloud Computing Interface (OCCI) and the Cloud Infrastructure Management Interface (CIMI).
Ensure complete visibility into the enterprise security environment. Even with comprehensive policies for cloud API design, security issues are never off the table. Businesses must invest in solutions that provide complete visibility, such as network detection and response, so security teams can quickly identify and address API security risks.
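As an added illustration of the first practice above (not code from ExtraHop or APIX), the following Python sketch contrasts an endpoint with no authentication, as described earlier, with one that checks a per-client API key against a store of hashed keys, enforces per-key scopes and records every decision for monitoring. The `X-API-Key` header name and the `accounts:read` scope are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def hash_key(raw_key: str) -> str:
    """Store only a digest of each issued key, so a leaked key store
    does not hand out usable credentials."""
    return hashlib.sha256(raw_key.encode()).hexdigest()


@dataclass
class KeyStore:
    keys: dict = field(default_factory=dict)    # digest -> set of allowed scopes
    audit: list = field(default_factory=list)   # activity log of every decision

    def issue(self, scopes) -> str:
        # One unique random key per client, never shared or reused across clients
        raw = secrets.token_urlsafe(32)
        self.keys[hash_key(raw)] = set(scopes)
        return raw  # shown to the client once; only the digest is retained

    def authorize(self, headers: dict, scope: str) -> bool:
        raw = headers.get("X-API-Key")  # assumed header name
        if raw is None:
            self.audit.append(("deny", "missing key", scope))
            return False
        digest = hash_key(raw)
        # Compare against every stored digest with a constant-time function
        # so response timing does not leak which digests exist.
        match = None
        for stored in self.keys:
            if hmac.compare_digest(stored, digest):
                match = stored
        if match is None:
            self.audit.append(("deny", "unknown key", scope))
            return False
        if scope not in self.keys[match]:
            self.audit.append(("deny", "scope not granted", scope, digest[:8]))
            return False
        self.audit.append(("allow", scope, digest[:8]))
        return True


def unauthenticated_handler(headers: dict, record: dict) -> dict:
    # The "unlocked door": returns the record to anyone who asks.
    return record


def authenticated_handler(store: KeyStore, headers: dict, record: dict,
                          scope: str = "accounts:read"):
    # Hardened form: returns the record only to a known key holding the scope.
    return record if store.authorize(headers, scope) else None
```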
APIs are predicted to become the top attack vector soon. Given the critical role they play in digital transformation and the access to internal sensitive data and systems they provide, APIs warrant a dedicated approach to security and compliance.