SHARED INTEL: Here’s why it has become so vital to prioritize the security-proofing of APIs

By Byron V. Acohido

Application Programming Interface. APIs. Where would we be without them?

Related: Supply-chain exposures on the rise

APIs are the defined interfaces through which the underlying components of all the digital services we can’t seem to live without talk to one another. Indeed, APIs have opened new horizons of cloud services, mobile computing and IoT infrastructure, with much more to come.

Yet, in bringing us here, APIs have also spawned a vast new tier of security holes. API vulnerabilities are ubiquitous and multiplying; they’re turning up everywhere. Even so, API security risks haven’t gotten the attention they deserve. It has become clear that API security needs to be prioritized as companies strive to mitigate modern-day cyber exposures.

Consider that as agile software development proliferates, fresh APIs get flung into service to build and update cool new apps. Since APIs exist precisely to expose data and services to other applications, each fresh batch of APIs and API updates is a beacon to malicious actors.

Organizations often don’t even know how many APIs they have, much less how those APIs are exposing sensitive data. Thus security-proofing APIs has become a huge challenge. APIs are like snowflakes: each one encodes its own business logic, so its weaknesses are specific to that logic and rarely match a generic signature. Attackers have taken to poking and prodding APIs to find inadvertent and overlooked flaws; even better, from a hacker’s point of view, many APIs that work exactly as designed turn out to be easy to abuse to gain access and steal sensitive data.

Meanwhile, the best security tooling money can buy was never designed to deal with this phenomenon. The threat intelligence platforms and detection and response systems installed far and wide, in SMBs and large enterprises alike, simply are not doing a terrific job of accounting for how APIs are facilitating multi-staged network breaches. At the moment, it is a major challenge for organizations to detect, much less deter, malicious activity pivoting off gaps in APIs.

“Most API vulnerabilities are flaws in application logic that someone can exploit to get at data they shouldn’t be able to access,” says Michael Isbitski, technical evangelist at Salt Security, a Palo Alto, Calif.-based supplier of API security software. “You need to see the APIs running to catch these problems.”

I’ve had a couple of wide-ranging discussions about this dynamic with Isbitski. We spoke about how his company recently took a deep dive into six months of API data generated by its enterprise customers and found overall API traffic increased 141 percent, compared to the prior six months. Meanwhile, malicious API traffic spiked 348 percent in the same period.

Salt Security also polled more than 200 IT professionals from companies of varying size and in several different industries and found fully 94 percent of companies reported an API security incident in that same six-month period.

These metrics highlight how prevalent the use of APIs is in modern business systems – while also quantifying the pervasive nature of API exposures.

API hacking escapades

Hackers, white hats and black hats alike, have long understood how common API vulnerabilities are and how readily they can be exploited remotely. Over the past couple of years, good-guy researchers and malicious hackers have steadily scaled up their efforts to flush them out. As APIs have become more numerous and more capable, hacking them has become far more fruitful.

In one recent example, researcher Jan Masters found a way to manipulate an API supporting subscription services offered by Peloton, makers of the popular cycling machine. Masters reported that very little slowed him down as he discovered ways to make unauthenticated requests for the private account data of Peloton cyclers, including names, birth dates, gender, location, weight and workout stats.

In another high-profile example, Bill Demirkapi, a sophomore at Rochester Institute of Technology, was shopping for student loans when he stumbled across an Experian API. Demirkapi discovered he could use the credit bureau’s API to retrieve the credit score of just about anyone; he needed only to supply a name, address and date of birth, personal data that is trivial to obtain.
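The pattern behind both the Peloton and Experian findings is an endpoint that hands back a person’s private record on the strength of an identifier alone. What follows is an added illustration, not code from Peloton, Experian or either researcher: a vulnerable profile handler next to a hardened one that authenticates the caller, authorizes per object, and trims what it returns to anyone who is not the record’s owner. The user records, the session tokens, the `Authorization` header handling and the `PUBLIC_FIELDS` policy are all constructed for the example.

```python
import hmac

# Constructed user records; the field names echo what the Peloton API leaked.
USERS = {
    101: {"name": "Ada", "birth_date": "1990-01-01", "gender": "F",
          "location": "Seattle", "weight_kg": 62, "workouts": 412},
    102: {"name": "Grace", "birth_date": "1985-07-09", "gender": "F",
          "location": "Boston", "weight_kg": 70, "workouts": 88},
}
# Constructed session store: opaque bearer token -> authenticated user id.
SESSIONS = {"tok-ada": 101, "tok-grace": 102}
# Hypothetical policy: the only fields one member may see about another.
PUBLIC_FIELDS = {"name", "workouts"}


class ApiError(Exception):
    """Carries an HTTP-style status alongside the message."""
    def __init__(self, status, message):
        super().__init__(message)
        self.status = status


def vulnerable_get_profile(request, user_id):
    """Vulnerable handler: the only input it consults is the path parameter.
    Anyone who can guess or enumerate user_id receives the full private record,
    and no Authorization header is ever required."""
    user = USERS.get(user_id)
    if user is None:
        raise ApiError(404, "not found")
    return 200, dict(user)


def authenticate(request):
    """Resolve the caller from an 'Authorization: Bearer <token>' header.
    Rejects missing, non-bearer, or unknown tokens with 401."""
    header = request.get("headers", {}).get("Authorization", "")
    scheme, _, token = header.partition(" ")
    if scheme != "Bearer" or not token:
        raise ApiError(401, "authentication required")
    for known, uid in SESSIONS.items():
        # Constant-time comparison so token lookup does not leak by timing.
        if hmac.compare_digest(known.encode(), token.encode()):
            return uid
    raise ApiError(401, "invalid token")


def hardened_get_profile(request, user_id):
    """Hardened handler: authenticate, then authorize against the requested
    object, then return only what this caller is entitled to see."""
    caller = authenticate(request)
    user = USERS.get(user_id)
    if user is None:
        raise ApiError(404, "not found")
    if caller == user_id:
        return 200, dict(user)  # the owner sees the complete record
    # Another member gets the public subset; the private fields never leave.
    return 200, {k: v for k, v in user.items() if k in PUBLIC_FIELDS}


def call(handler, request, user_id):
    """Tiny dispatcher that turns ApiError into an HTTP-style (status, body) pair."""
    try:
        return handler(request, user_id)
    except ApiError as err:
        return err.status, {"error": str(err)}


if __name__ == "__main__":
    ada = {"headers": {"Authorization": "Bearer tok-ada"}}
    print("vulnerable, no auth, user 102:", call(vulnerable_get_profile, {}, 102))
    print("hardened, no auth, user 102:  ", call(hardened_get_profile, {}, 102))
    print("hardened, Ada reads 102:      ", call(hardened_get_profile, ada, 102))
```

Two design choices are worth noting. The hardened handler answers 404 for an unknown id regardless of who asks, so the endpoint cannot be used to confirm which ids exist. And the Experian-style lookup, where a name, address and date of birth unlock a record, is the same mistake in different clothes: quasi-public attributes are standing in for a credential, and the fix is identical, tie the response to an authenticated and authorized caller rather than to whatever the request happens to know.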

API vulnerabilities are running rampant. So much so that OWASP, the Open Web Application Security Project, maintains a dedicated API Security Top 10 list alongside its better-known web application list. Indeed, API security has become a red-hot topic. This summer Gartner designated API security as a stand-alone pillar in its security reference architecture, not just an add-on component to other systems.

Clearly, it is not just white-hat hackers and precocious students having a field day probing API flaws. Malicious actors are heavily engaged as well, and they are quietly wreaking havoc. Cyber assaults today, from data theft to credential stuffing to account takeover, often start with a legitimate login to a client-facing application, followed by manipulation of an API to extract valuable data, mount a denial-of-service attack, or take over other accounts. A startling 95 percent of API attacks happen on authenticated endpoints.

Dearth of planning

A chilling illustration of how APIs can factor into an attack sequence comes from the massive Capital One data breach. Former Amazon programmer Paige Thompson is facing a growing list of federal charges for her alleged theft of personal data of more than 100 million Capital One customers.

Court documents depict in some detail how Thompson used valid, authorized credentials to carry out her attack: a server-side request forgery against a misconfigured web application firewall let her pull temporary credentials for an over-privileged cloud role from the instance metadata service. With those credentials she could drive APIs and command line interfaces (CLIs) to a number of bank systems, including S3 buckets holding valuable data. She then extracted the data to her local machine and openly bragged about her escapades in hacker forums, on Twitter, and even in her GitHub repositories, which led to her arrest by the FBI.

The Peloton, Experian and Capital One incidents reflect the challenge of balancing security with the fast pace of digital transformation. The pursuit of agile software has companies, large and small, consumed with rapidly developing and deploying software meant to run far beyond the perimeters of legacy company networks, in the public cloud. Yet many organizations have yet to fully accept that old security tactics are no longer very effective in this environment.

Many organizations, for instance, continue to rely heavily on legacy firewalls and WAFs, which is precisely where Capital One went wrong: its own WAF was the foothold. WAFs came along specifically to filter web app traffic and protect websites. They do this by examining each web request for the signatures of known malicious traffic.

“Unfortunately, WAFs were not designed for the world of APIs,” Isbitski says. “They inspect traffic per transaction, as opposed to inspecting entire sequences. WAFs fail to provide adequate context for detecting API attacks and protecting an organization’s APIs.”

And as Thompson showed, a WAF can itself be subverted. Having turned the firewall into her entry point, she tapped command line interfaces (CLIs) to reach customer data that Capital One had stored in its Amazon Web Services S3 buckets, then pulled it down to her own machine.

Runtime vigilance

Obviously, companies are going to have to come to grips with API exposures or digital transformation may come at too great a cost. Gartner’s designation of API Security as a separate category of tools signals that this effort is now underway in earnest. Cybersecurity vendors competing in this nascent space, Salt Security among them, are ramping up their efforts to leverage Big Data and advanced analytics to meet a highly dynamic and complex security threat.

It boils down to the fact that companies must become very proficient at monitoring their API calls during runtime. Many API vulnerabilities are rooted in business logic failures, and exposures of that kind rarely surface in static testing; they show up only when the running API is observed handling real requests. Companies must be able to confidently authorize billions of legitimate API calls while, at the same time, quickly identifying any API calls or manipulations coming from a bad actor as part of a multi-stage attack.
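Isbitski’s point about per-transaction inspection, and the runtime-monitoring point just made, can be shown on a handful of constructed access-log lines. The following added example is mine, not Salt Security’s product or its algorithms. It runs two checks over the same log: a WAF-style per-request signature match, which judges each request on its own bytes, and a sequence-aware check that keys on the authenticated token and counts how many distinct object IDs it touches on one endpoint template inside a time window. Every request in the enumeration run is individually well-formed, so only the second check sees it. The log format, the tokens, the paths, the signature list and the thresholds are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import unquote

# Constructed access log: timestamp, bearer token ('-' if unauthenticated), method, path, status.
# tok-eve walks user ids 102..107 on the profile endpoint; every request looks legitimate.
LOG = """\
2021-09-14T10:00:01Z tok-ada GET /v1/users/101/profile 200
2021-09-14T10:00:03Z tok-ada GET /v1/users/101/workouts 200
2021-09-14T10:00:05Z - POST /v1/login 200
2021-09-14T10:00:07Z tok-grace GET /v1/users/102/profile 200
2021-09-14T10:00:09Z tok-eve GET /v1/users/102/profile 200
2021-09-14T10:00:10Z tok-eve GET /v1/users/103/profile 200
2021-09-14T10:00:11Z tok-eve GET /v1/users/104/profile 200
2021-09-14T10:00:12Z tok-eve GET /v1/users/105/profile 200
2021-09-14T10:00:13Z tok-eve GET /v1/users/106/profile 200
2021-09-14T10:00:14Z tok-eve GET /v1/users/107/profile 200
2021-09-14T10:00:20Z - GET /v1/search?q='%20OR%201=1-- 400
""".splitlines()

# A deliberately small signature list standing in for a WAF rule set (assumption).
SIGNATURES = [re.compile(p, re.I) for p in (r"'\s*or\s+1=1", r"<script", r"\.\./")]
ID_SEGMENT = re.compile(r"/\d+(?=/|$)")


def parse(line):
    """Split one constructed log line into a dict with an aware UTC timestamp."""
    ts, token, method, path, status = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "token": None if token == "-" else token,
            "method": method, "path": path, "status": int(status)}


def signature_hits(entries):
    """Per-request check: a request is flagged only if its own decoded bytes match a signature."""
    return [e["path"] for e in entries
            if any(sig.search(unquote(e["path"])) for sig in SIGNATURES)]


def template(path):
    """Collapse numeric path segments so /v1/users/101/profile and /v1/users/102/profile
    fall into the same endpoint bucket; the query string is dropped."""
    return ID_SEGMENT.sub("/{id}", path.split("?", 1)[0])


def object_ids(path):
    """Numeric path segments, i.e. the object identifiers a request is addressing."""
    return re.findall(r"/(\d+)(?=/|$)", path.split("?", 1)[0])


def sequence_findings(entries, window_s=60, max_distinct=5):
    """Sequence-aware check: for each (token, method, endpoint template), find the largest
    number of distinct object ids touched within any window_s-second window. Reaching
    max_distinct is reported as enumeration. Unauthenticated traffic is skipped here;
    a real deployment would key it by client address instead."""
    by_key = defaultdict(list)
    for e in entries:
        ids = object_ids(e["path"])
        if e["token"] is None or not ids:
            continue
        by_key[(e["token"], e["method"], template(e["path"]))].append((e["ts"], ids[-1]))

    findings = []
    for (token, method, tmpl), events in by_key.items():
        events.sort()
        peak = 0
        for i, (ts_i, _) in enumerate(events):
            in_window = {oid for ts, oid in events[: i + 1]
                         if (ts_i - ts).total_seconds() <= window_s}
            peak = max(peak, len(in_window))
        if peak >= max_distinct:
            findings.append({"token": token, "endpoint": f"{method} {tmpl}",
                             "distinct_ids": peak, "window_s": window_s})
    return findings


def analyze(lines, window_s=60, max_distinct=5):
    """Run both checks over raw log lines and return their results side by side."""
    entries = [parse(line) for line in lines]
    return {"signature_hits": signature_hits(entries),
            "sequence_findings": sequence_findings(entries, window_s, max_distinct)}


if __name__ == "__main__":
    report = analyze(LOG)
    print("per-request signature hits:", report["signature_hits"])
    print("sequence findings:", report["sequence_findings"])
```

The signature check does its job on the one request that carries an injection payload and says nothing about the six profile reads, because each of them is a valid, authenticated request for a real resource. The sequence check flags `tok-eve` on `GET /v1/users/{id}/profile` with six distinct ids in five seconds, which is the kind of context a per-transaction filter never assembles. The threshold and window are deliberately low for a toy log; in production they would be tuned per endpoint from observed baselines.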


Salt Security is taking a big data and automation approach to this monumental challenge, Isbitski told me. The platform gets a copy of an enterprise’s API traffic and applies ML and AI to discover and inventory all APIs, assess where APIs might be exposing sensitive systems, detect and stop API attacks, and provide remediation insights. “To detect indicators of API attacks, you need to gather large amounts of API telemetry,” he says. “And to produce signals useful to security teams, you need to analyze this data, in real time.”

Deriving the specialized algorithms required for this heavy lifting is a tall order and couldn’t happen without the evolution of big data; today it is technically possible and economically feasible to store this extensive amount of data and apply the processing power needed to extract security intelligence from it.

“Creating, training and maintaining algorithms specific to API security requires a great deal of data science expertise,” Isbitski says.

“Traditional approaches just aren’t working or can’t scale. Runtime security, paired with behavior analysis, is the ideal approach, which brings us back to Big Data.”

It’s terrific that API security is formally out of the gate and on an upward trajectory. So too are major advancements in security frameworks, data encryption and identity management. All of these developments must progress and converge in order for privacy and data security to get where it needs to be. I’ll keep watch and keep reporting.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(LW provides consulting services to the vendors we cover.)

