SHARED INTEL: APIs hook up new web and mobile apps — and break attack vectors wide open

By Byron V. Acohido

If your daily screen time is split between a laptop browser and a smartphone, you may have noticed that a few browser web pages are beginning to match the slickness of their mobile apps.

Related: The case for a microservices firewall

Netflix and Airbnb are prime examples of companies moving to single-page applications, or SPAs, in order to make their browser webpages as responsive as their mobile apps.

The slickest SPAs leverage something called GraphQL, a leading-edge way to build and query application programming interfaces, or APIs. Ask the builders of these SPAs and they will tell you that the scale and simplicity of retrieving lots of data with GraphQL, where a single request can name exactly the fields it wants across many records, is superior to a standard RESTful API. And that brings us to cybersecurity.

APIs are being created in batches on a daily basis by the Fortune 500 and any company that is creating mobile and web applications. APIs are the conduits for moving data to-and-fro in our digitally transformed world. And each new API is a pathway to the valuable sets of data fueling each new application.

Trouble is that at this moment no one is keeping very good track of the explosion of APIs. Meanwhile, the rising use of SPA and GraphQL underscores how API growth is shifting into a higher gear. This means the attack surface available to cyber criminals looking to make money off of someone else’s data is, yet again, expanding.

I had a chance to discuss this with Doug Dooley, COO of Data Theorem, a Silicon Valley-based application security startup helping companies deal with these growing API exposures. For a full drill down, give a listen to the accompanying podcast. Here are a few key takeaways:

Cool new experiences

Amazon Web Services, Microsoft Azure, Google Cloud and Alibaba Cloud supply compute and data storage as a utility. DevOps has decentralized the creation and delivery of smart applications that can mine humongous data sets to create cool new user experiences.

Microservices are the small, modular units of code from which smart apps are assembled. Often written by far-flung third-party developers, they get mixed, matched and reused inside software containers. And every call from one microservice to another, or from a container to the service it hosts, is carried out over an API.

In short, APIs are multiplying fast and becoming the automated highways of data. The number of APIs on the public Internet grew faster in 2019 than in previous years, according to ProgrammableWeb. And that doesn't account for all the private APIs businesses build and use. The services on the smartphone you're holding make use of hundreds of unique APIs. A large number of new APIs are, at this moment, under development in ongoing DevOps projects across the corporate landscape. And whatever that number is today will surely spike as SPAs and GraphQL gain more traction.


The rub: “Every little microservice, with an API on it, is now a new attack vector to break into an application to extract data, potentially illegally, in a way that a company would never want to occur,” Dooley says. “Existing tools are not well-suited to protect business in this environment.”

Best practices overlooked

If anything put APIs on the map, it was DevOps, the practice of fusing development and operations into one continuous, automated delivery pipeline. DevOps is the opposite of traditional in-house software development, which happened slowly, behind a rigid firewall. DevOps requires open collaboration across teams, cloud providers and third-party components, which spurs creativity, but also opens many more windows of opportunity for threat actors. Dooley affirms that cyber criminals are moving to take full advantage.

“Right now it doesn’t take all that much for an attacker to breach a business, not like it used to be,” Dooley observes. “There was a time when you really had to have a very sophisticated attacker to get millions of records; right now, because of this new API attack vector, it’s alarming how often we hear about millions of records being stolen from a business.”

A big part of the problem is that little consideration is being given to applying basic cyber hygiene to APIs. With DevOps and API advances steamrolling forward, the basic practice of requiring every caller to authenticate at the API level (with an API key or access token rather than an interactive password) and then checking that the caller is entitled to each record it asks for is often never established.

There have been numerous examples of API manipulation coming into play in data breaches leading to the loss of millions of records, Dooley told me.

“It just keeps happening over and over again,” he says. “And you can understand why. It’s because if your motivation is to build an application very quickly, you can do that, but sometimes security is something that gets overlooked.”
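To make the hygiene gap concrete, here is an added example (my code, not from the article, Dooley or Data Theorem): a GraphQL-style `users` resolver written once with no authentication and no per-record authorization, and once hardened. The user records, session tokens and the batch cap are constructed for the example. The unguarded version also shows the GraphQL trait mentioned earlier, that one batched request can pull many records at once, which is exactly what makes an unprotected endpoint a fast path to "millions of records".

```javascript
"use strict";

// Added example, not code from the article or Data Theorem. Everything below is
// constructed: three user records held by one microservice, two live sessions,
// and a hypothetical batch cap for the hardened resolver.
const USERS = new Map([
  [1, { id: 1, email: "ann@example.com", ssnLast4: "1234" }],
  [2, { id: 2, email: "bob@example.com", ssnLast4: "5678" }],
  [3, { id: 3, email: "cara@example.com", ssnLast4: "9012" }],
]);
const SESSIONS = new Map([["tok-ann", 1], ["tok-bob", 2]]); // bearer token -> user id
const MAX_IDS_PER_REQUEST = 2;

// The query both resolvers serve, GraphQL-style:
//   { users(ids: [1, 2, 3]) { email ssnLast4 } }

// Vulnerable resolver: whoever can reach the endpoint gets whatever ids they ask
// for. No authentication, no check that the caller owns the record, no batch limit.
// The context argument is accepted and ignored, which is the bug.
function usersVulnerable(context, args) {
  return args.ids.map((id) => USERS.get(id)).filter(Boolean);
}

// Hardened resolver: authenticate, bound the batch, then authorize per object.
function usersHardened(context, args) {
  const callerId = SESSIONS.get(context && context.token);
  if (callerId === undefined) throw new Error("unauthenticated");

  const ids = Array.isArray(args.ids) ? args.ids : [];
  if (ids.length === 0 || ids.length > MAX_IDS_PER_REQUEST) {
    throw new Error(`ids must have 1..${MAX_IDS_PER_REQUEST} entries`);
  }

  // Object-level authorization: a caller may read only their own record.
  // Unowned ids are silently dropped rather than rejected, so the response has
  // the same shape an unknown id would produce and does not confirm which ids exist.
  return ids.map((id) => (id === callerId ? USERS.get(id) : undefined)).filter(Boolean);
}

// An attacker's enumeration script run against either resolver: one request, every id.
function enumerate(resolver, context, idSpace) {
  try {
    return { ok: true, records: resolver(context, { ids: idSpace }) };
  } catch (err) {
    return { ok: false, error: err.message, records: [] };
  }
}

// Side-by-side outcome of the same enumeration attempt against both resolvers.
function demo() {
  const everyId = [...USERS.keys()];
  return {
    vulnerableNoToken: enumerate(usersVulnerable, {}, everyId).records.length,
    hardenedNoToken: enumerate(usersHardened, {}, everyId).error,
    hardenedAnnBigBatch: enumerate(usersHardened, { token: "tok-ann" }, everyId).error,
    hardenedAnnOwnPlusOther: enumerate(usersHardened, { token: "tok-ann" }, [1, 2])
      .records.map((u) => u.email),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The three checks in the hardened version map onto the three ways the vulnerable one fails: an anonymous caller is refused outright, an authenticated caller cannot turn one request into a bulk export, and even within the cap only the caller's own record comes back. Dropping unowned ids instead of returning an error is a deliberate choice: a distinct "forbidden" response would let an attacker map which ids are real.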

Long-run damage

Data Theorem has won customers from the financial services and technology sectors that are routinely creating dozens of new APIs per day. This is all part of leveraging microservices to deliver slicker user experiences. These customers of Data Theorem grasp the security risk and don’t want to get blindsided by unknowingly exposing their data across these new APIs.

Related: A primer on ‘shadow APIs’

“One of the biggest challenges is that just keeping up with the discovery of new applications APIs is almost impossible,” Dooley told me. “We know of some security leaders at big companies who don’t know how to start discovering APIs, because the development team and their business units are operating at their speed, while security is operating at a different cadence. There are cultural and historical reasons why DevOps teams often keep security folk out of their CI/CD (continuous integration and continuous delivery ) loop. We help bridge these two worlds so security can accelerate DevOps efforts.”

Regulatory compliance is adding pressure. Data breach disclosure laws, now in effect in all 50 U.S. states, have made sweeping big breaches under the carpet harder to do. And in 2018 Europe's General Data Protection Regulation (GDPR) took effect, bringing U.S.-style breach notification rules (72 hours to notify the supervisory authority) along with steep fines for violators.

The public scrutiny is having a ripple effect. The damage for companies that sustain a major breach can extend far beyond immediate disaster recovery, or even paying a stiff fine; long run credibility with customers and investors is at stake.

“Data breaches are now board-level issues that if you don’t protect the data at large scale, you can ultimately hurt your business over the long term,” Dooley says.

Getting ahead

APIs need to become part of senior management's daily lexicon, fast. The forward pull of digital transformation is kicking in. APIs represent the mobilization and monetization of data. Enterprises with traditional browser websites are being compelled to improve their stale browser experience by leveraging SPAs and GraphQL.

“It’s not just companies like Facebook or Netflix or Airbnb doing SPAs, we’re seeing all kinds of banking, government and health care organizations starting to build SPAs, as well,” Dooley told me. “You can think of them as very rich performance web applications delivered through a browser, not just a mobile phone.”

Related: Automating API security

Legacy web security tools were designed at a time when no one had any inkling of microservice-driven APIs hosted in the public cloud. Data Theorem was founded with a mission to provide organizations with an API discovery and inspection platform that can keep up. Its analyzer engine, for instance, can discover and keep track of GraphQL-based APIs and SPAs.
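As an added illustration of the discovery problem Dooley describes (my code, not Data Theorem's analyzer): an SPA's front-end JavaScript has to name every API it calls, so a security team can scrape routes out of the built bundle and diff them against its inventory. The bundle text and the inventory below are constructed; a real run would be pointed at the SPA's built assets, and GraphQL gets extra treatment because one `/graphql` URL hides many operations.

```javascript
"use strict";

// Added example, not code from the article or Data Theorem. The "bundle" is a
// constructed stand-in for a minified SPA build; the inventory is what the
// security team believes is deployed.
const BUNDLE = `
fetch("/api/v2/accounts/"+id).then(r=>r.json());
axios.get('/api/v2/transactions?limit=50');
fetch("/graphql",{method:"POST",body:JSON.stringify({query:"{ users(ids:[1,2]) { email } }"})});
const U="https://payments.internal.example.com/api/v1/refunds";
fetch("/api/v3/export/all");
fetch("/graphql",{method:"POST",body:JSON.stringify({query:"query { exportAccounts { id ssnLast4 } }"})});
`;
const KNOWN_APIS = new Set(["/api/v2/accounts/", "/api/v2/transactions", "/graphql"]);

// Pull quoted strings that look like API routes (relative /api... or /graphql
// paths, or absolute http(s) URLs) out of the source. Query strings are dropped
// so the same route with different parameters is counted once.
function extractEndpoints(source) {
  const found = new Set();
  const pathRe = /["'`](https?:\/\/[^"'`\s]+|\/(?:api|graphql)[^"'`\s?]*)/g;
  let m;
  while ((m = pathRe.exec(source)) !== null) {
    found.add(m[1].split("?")[0]);
  }
  return [...found].sort();
}

// GraphQL collapses many operations behind one URL, so the path alone
// understates the surface: also list the root fields the bundle queries.
function extractGraphqlRootFields(source) {
  const fields = new Set();
  const queryRe = /query:\s*["']\s*(?:query\s*)?\{\s*([A-Za-z_]\w*)/g;
  let m;
  while ((m = queryRe.exec(source)) !== null) {
    fields.add(m[1]);
  }
  return [...fields].sort();
}

// Classify each endpoint as inventoried or as a candidate "shadow API" to triage.
// Absolute URLs are kept whole on purpose: an internal hostname leaking into a
// public bundle is itself a finding.
function report(source, inventory) {
  const endpoints = extractEndpoints(source);
  return {
    known: endpoints.filter((e) => inventory.has(e)),
    shadow: endpoints.filter((e) => !inventory.has(e)),
    graphqlRootFields: extractGraphqlRootFields(source),
  };
}

console.log(JSON.stringify(report(BUNDLE, KNOWN_APIS), null, 2));
```

Run against the constructed bundle, the report flags two routes the inventory never heard of, a v3 bulk export and an internal payments host, and shows that the one `/graphql` entry actually exposes two root fields, one of which (`exportAccounts`) is the kind of operation that deserves its own review. The check is deliberately static and cheap, so it can sit in the CI/CD loop Dooley mentions and run on every build rather than on the security team's slower cadence.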

Each API in the field represents a clear and present leak point. If data can leak, it will leak. It’s encouraging Data Theorem is driving API security practices in this direction. We’ll soon see if Enterprises can get ahead of this rapidly emerging exposure, or not. I’ll keep watch.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(LW provides consulting services to the vendors we cover.)
