Safely connected solutions: Top tips for securing APIs throughout the enterprise
- 28 June, 2019 09:00
Modern IT shops would struggle to operate without APIs, the digital gateways or intermediaries that enable software systems and applications to connect and exchange information seamlessly.
They make it possible for businesses to roll out new applications and link them to existing ones quickly and economically; a boon in the competitive and fast-moving digital era.
APIs are the glue that holds solutions together, but they can also be the fault lines that compromise cybersecurity. To avoid the latter, organisations should implement robust measures to prevent API attacks.
Publicly-listed Australian property valuation firm Landmark White learnt this lesson the hard way earlier this year. It suffered losses of $7 million after one of its valuation platforms was hacked due to an API vulnerability.
Almost 140,000 records and documents containing client information were exposed. As a result, the company saw its shares suspended from trade – and its share price plummet once relisted – after the firm lost the custom of a string of large clients from the financial services sector.
Further afield, global digital behemoths, including Facebook and Snapchat, have fallen victim to similar attacks in recent years.
Expanding the attack surface – and increasing the risk
Unless appropriate security measures are implemented, every newly-adopted or deployed API expands the attack surface and increases risk.
The danger is compounded by the fact recent API attacks appear to have bypassed the traditional tools intended to detect and neutralise them. Determining whether API connections are instigated by bad actors or legitimate systems and users has also proved problematic for businesses.
So, how can Australian enterprises strengthen their security measures and reduce the likelihood of their falling victim to a Landmark White style attack? Here are some tips.
Dedicate resources to the issue
Security can take a backseat when developers are rolling out new applications, particularly if the time frame is tight. Appointing an individual or team to oversee API protection can ensure it’s implemented at the outset, rather than overlooked or bolted on as an afterthought.
Stay on the job
Cybersecurity shouldn’t be a one-off or occasional activity. In the best protected enterprises, it’s an ongoing process that spans the software development lifecycle, from conception and design to decommissioning and replacement.
Continuous security methodologies include tracking and securing APIs as they’re deployed, and using tools to automatically locate and log any APIs that have been rolled out unofficially.
Test and retest – automatically
Secure solutions don’t always remain secure. A regular API testing program can help the security team identify vulnerabilities before hackers and cyber-criminals beat them to the punch.
Scanning, testing and monitoring APIs for vulnerabilities manually can be an activity akin to searching for the proverbial needle in a haystack. It’s an arduous task for humans but one that’s well suited to automated scanning software, which can harness the power of artificial intelligence to pinpoint and neutralise attacks.
Monitor API usage
Detecting suspicious network behaviour is tricky if normal behaviour is unknown. Using API gateway audit trails and system and application logs to profile the activity of valid users and accounts makes it easier to identify anomalous activity (such as data exfiltration, credential stuffing and fuzzing) for investigation before critical systems and data are compromised.
Utilise a range of preventative technologies
There’s no single measure that can be used to protect APIs across the enterprise. Improving security posture is likely to call for a range of tactics and technologies. Typically, they will include multi-factor or continuous authentication, flow control and TLS encryption, which prevents data from being intercepted or stolen while in transmission.
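Of the measures listed, flow control is the one that is easiest to show in code. The following token-bucket limiter is an added example, not code from the article or any Ping Identity product: the per-client rate and burst capacity, the client identifiers and the timestamps in the usage section are constructed. Each authenticated client may burst up to `capacity` requests and is then held to `rate` requests per second on average; requests that exceed the allowance are refused with HTTP 429 rather than forwarded to the backend.

```python
import time
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Bucket:
    tokens: float    # requests currently available to this client
    updated: float   # monotonic time of the last refill


class TokenBucketLimiter:
    """Per-client token bucket for API flow control."""

    def __init__(self, rate: float, capacity: int) -> None:
        self.rate = rate              # tokens refilled per second
        self.capacity = capacity      # maximum burst size
        self._buckets: Dict[str, Bucket] = {}

    def allow(self, client_id: str, now: Optional[float] = None) -> bool:
        """Consume one token for client_id if available; return whether the
        request may proceed. `now` is injectable for deterministic testing."""
        now = time.monotonic() if now is None else now
        bucket = self._buckets.get(client_id)
        if bucket is None:
            # New clients start with a full bucket.
            bucket = Bucket(tokens=float(self.capacity), updated=now)
            self._buckets[client_id] = bucket
        # Credit the tokens earned since the last request, capped at capacity.
        bucket.tokens = min(self.capacity, bucket.tokens + (now - bucket.updated) * self.rate)
        bucket.updated = now
        if bucket.tokens >= 1.0:
            bucket.tokens -= 1.0
            return True
        return False


def gateway_status(limiter: TokenBucketLimiter, client_id: str, now: float) -> int:
    """Status a gateway would return before forwarding: 200 if allowed, 429 if throttled."""
    return 200 if limiter.allow(client_id, now) else 429


def simulate(limiter: TokenBucketLimiter, client_id: str, timestamps: List[float]) -> List[int]:
    """Replay a sequence of request times for one client and record each outcome."""
    return [gateway_status(limiter, client_id, t) for t in timestamps]


if __name__ == "__main__":
    limiter = TokenBucketLimiter(rate=1.0, capacity=3)
    # Constructed burst: four requests at t=0, then one at t=1 and one at t=1.5.
    print(simulate(limiter, "key-A", [0.0, 0.0, 0.0, 0.0, 1.0, 1.5]))
```

The key design choice is what `client_id` is: keying the bucket on the authenticated identity (API key, OAuth client or user) rather than only on source address stops a single credential from being used to flood the API from many addresses, and pairs naturally with the multi-factor or continuous authentication the article recommends.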
Ensuring the tools and technologies deployed are up to date makes it easier to stay a step ahead of hackers and cyber-criminals, who are nothing if not innovative and adaptable.
Broadcasting the details of the APIs in use is rarely a good idea. Keeping internal API names private and keeping the APIs themselves off public DNS servers is prudent. Additionally, from a security perspective, enterprises should treat all APIs as if they were externally facing.
Securing the benefits
Adopting an API-centric IT infrastructure model is no longer optional for Australian businesses that want to use digital technology to cut costs and improve efficiencies. Implementing appropriate cyber-protection measures concurrently with API use makes it possible to capitalise on the benefits without laying the enterprise open to additional risk.
Mark Perry is APAC chief technology officer at Ping Identity.