ABI-based apps are significantly different than a traditional application. Thus, they require a different security approach. To dive deeper into API-based application security and how companies can adequately protect their API-based applications, we sat down with API and AppSec expert Erez Yalon, head of security research at Checkmarx. In addition to his day job, Erez is one of the project leaders for the OWASP API Security Top 10 and co-founder of AppSec Village at DEF CON and RSA Conference.
Q: What is an API-based application?
Although it may look the same from a user’s perspective, an API-based app is significantly different than a traditional application. In the past, users would access a web server via a browser, for example, and most of the “data processing” was performed on the server itself. As client devices became more varied (browsers, different smartphones, IoT and smart devices, bots, b2b service), and increasingly powerful with faster CPUs, extensive memory, more bandwidth etc., much of the logic moved away from being performed on back-end servers to the front-end (i.e. on the client device itself). In the modern application, the downstream server acts more like a proxy for the data consumed by the API-based app. The rendering component in this instance is the client who consumes the raw data, not the server itself.
A good example to illustrate this concept is an airline mobile app. The app is interacting with the user, allowing them to specify travel dates, departure and arrival cities, seat selection, and purchase options. In turn, The app uses a series of API calls that are interacting with back-end servers primarily to retrieve data about flight schedules, availability, pricing, seats, etc. In this case, the smartphone’s app is performing the rendering of the data into an easily readable screen. A different client like a tablet app, a browser, or a software of a travel agent, would use similar API calls to retrieve similar data, but it will be rendered differently to fit the use and the client.
Q: Why are API-based applications vulnerable?
While the concept of API security is somewhat new, the attacks that can be performed through APIs are not. The difference is that relying on APIs, the many components that make up a modern application, and the communication between them, increases the attack surface. Attackers now have many more “ways in” to try and take over an application, and more “ways out” where they can try and find information leaks.
In addition, several reasons make modern API-based applications more prone to attacks: APIs expose the underlying implementation of an app, more data is sent in each HTTP request (object IDs, filters, etc.), and the bookkeeping of new and deprecated APIs is sometimes complex.
Q: Why should organizations be paying attention to API security?
As APIs increasingly become the beating heart of every modern application, the attack surface is also shifting in their direction. Many companies have felt this trend first-hand recently.
In fact, recent reports suggest that by 2022, API abuses will be the vector most responsible for data breaches within enterprise web applications. This is primarily due to the extensive growth of API implementations world-wide, providing a relatively new target that malicious actors have only scratched the surface in targeting. With this, protecting APIs is becoming more important than ever.
Q: What can companies do to protect against API security issues?
Before changing even one line of code, organizations must conduct proper API housekeeping and documentation. Not knowing exactly which APIs are open, what they do, and what they expose is a recipe for disaster, and the frequency in which we see these issues means that there is still much work to be done.
Another major challenge revolves around authorization processes. In API ecosystems, we see not only the need for different levels of authorization – object level (which objects is a user allowed to access?) and function level (what is a user allowed to do with an object?) – but also very complex users and roles hierarchies.
To make things even more difficult, there are different ways and places to control authorization: the code itself, configuration files, and API-gateways. Creating a very clear process is essential to prevent broken authorization processes and is a very good first step of protection.
Q: How can organizations and developers stay up-to-date on secure API implementation best practices?
Oftentimes the main issue with security is awareness. The different ways to protect APIs require an understanding of the new threats facing modern applications. There is a knowledge gap between the traditional ways to protect applications from attacks and what needs to be done to protect modern applications.
In order to bridge this gap, I, along with Inon Shkedy, Head of Security Research at Traceable.ai, have been spearheading the OWASP API Security Top 10 Project. The Project is designed to help organizations, developers and AppSec teams become more aware of the risks they face daily in the context of APIs. Developers and security professionals can refer to the OWASP API Security project's API Security Top 10 list. This is an awareness document that aims to help developers and security professionals focus on the issues that exist in API-based applications.