Securing an organization’s web presence is vital to customer experience. For this reason, most organizations focus plenty of website security effort on protecting their sites. Best practices such as choosing a secure host that can provide technical expertise when needed, or backing up data regularly so it can be restored if lost, deservedly get attention. But Application Programming Interfaces (APIs) are too often overlooked as a potential point of vulnerability.
An API is a software intermediary that lets two applications talk with one another, and APIs are a frequently used part of modern websites. They are, in essence, plug-and-play web services that let you add functionality to a website by embedding a sort of mini-app that sits on the page and automatically fetches data or features from another application, without you having to code any of it from scratch.
Think of them a bit like a wall power outlet. You don’t have to know anything about power generation or, in all likelihood, wiring a house to know that you can go to the store and buy an electrical appliance that will plug into your standardized wall socket. As long as the product supports the correct voltage, the appliance will work. The same is true of APIs.
APIs add functionality
Instead of just including a static image of a map on a hotel’s website, you could embed Google Maps, complete with real-time traffic data. Similarly, instead of uploading videos to an organization’s own server, it might be considerably easier to embed them through the API of a popular video-sharing service like YouTube. Other APIs can do everything from on-page translation to web analytics to user commenting services to… well, pretty much anything else you can imagine.
With more and more APIs becoming available, organizations can easily build a set of unique features as required for their website — all without worrying about building or maintaining those features.
But because of how seamlessly APIs do their work, it’s easy to overlook them as a potential source of vulnerability for websites. After all, we’re trusting them to pull in information or features and present them on our website. Why wouldn’t we also trust them to be properly secured and safe? In reality, APIs are vulnerable. One of the biggest potential weaknesses of APIs, ironically, comes from the same thing that makes them so useful: their ease of use. APIs are designed to make it easy for developers to get things done, so their creators may lean more toward being easy to use than toward keeping endpoints locked down and secure. In some cases, APIs may also not be properly maintained by their creators, meaning that security issues won’t be properly addressed.
Insecure APIs are under Attack
Increasingly, insecure APIs are attacked by bad actors. Such attacks are becoming more common, and APIs are one of the big new attack vectors for cybercriminals. One of the security issues APIs face may relate to a shift from SOAP (Simple Object Access Protocol) APIs, accessed via VPNs or two-way encrypted connections, to REST (Representational State Transfer) APIs, which are designed to be accessed via mobile apps and web browsers.
There are several potential API security threats that attackers can exploit. Weak authentication, lack of encryption, and insecure endpoints contribute to many of the vulnerabilities APIs face. Attacks include the man-in-the-middle (MITM) attack, in which an attacker intercepts and potentially alters communications, possibly capturing session tokens that let them steal sensitive data. Meanwhile, code injection attacks let attackers push malicious input into vulnerable APIs, enabling cross-site scripting (XSS) or SQL injection (SQLi).
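To make the “weak authentication” and “SQL injection” points above concrete, here is an added example (not code from the original article) of a tiny API endpoint written two ways: a vulnerable lookup that splices caller input into SQL, and a hardened one that binds the value as a parameter and checks an API key in constant time. The database, the user rows and the `X-API-Key` value are all constructed for the demo; the `API_KEY` constant and `handle_request` helper are hypothetical names, not any real framework’s API.

```python
import hmac
import sqlite3


def build_db():
    """Build an in-memory SQLite table with constructed sample users (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "alice@example.com"),
         (2, "bob", "bob@example.com"),
         (3, "carol", "carol@example.com")],
    )
    return conn


# Hypothetical API key for the demo; a real service loads this from a secret store.
API_KEY = "constructed-demo-key"


def is_authenticated(headers):
    """Compare the presented key in constant time so timing does not leak a partial match."""
    presented = headers.get("X-API-Key", "")
    return hmac.compare_digest(presented.encode(), API_KEY.encode())


def lookup_vulnerable(conn, username):
    """Vulnerable pattern: caller input is spliced into the SQL text and parsed as SQL."""
    sql = "SELECT id, username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Hardened pattern: the value is bound as a parameter and can never alter the query."""
    sql = "SELECT id, username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def handle_request(conn, headers, params, lookup=lookup_safe):
    """Minimal endpoint: authenticate first, bound the input, then run the query."""
    if not is_authenticated(headers):
        return {"status": 401, "body": []}
    username = params.get("username", "")
    if not username or len(username) > 32:
        return {"status": 400, "body": []}
    return {"status": 200, "body": lookup(conn, username)}


if __name__ == "__main__":
    db = build_db()
    payload = "' OR '1'='1"  # classic textbook SQLi string, used here only to show the contrast
    print("vulnerable:", lookup_vulnerable(db, payload))  # every row comes back
    print("safe:      ", lookup_safe(db, payload))        # no row matches that literal name
    print("no key:    ", handle_request(db, {}, {"username": "bob"}))
```

The point of the side-by-side is that the hardened version needs no clever input filtering to be safe from SQLi; parameter binding keeps data and query structure separate, and the key check in front of it means an unauthenticated caller never reaches the database at all.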
In some instances, attacks on a web API could be used to stage a devastating DDoS attack, overloading a target with fraudulent traffic in the form of fake requests for large amounts of information. This can cause a website to crash.
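The overload scenario just described has two ingredients: too many requests, and requests that each ask for too much. The following added example (mine, not from the original article or any product) shows the two corresponding server-side controls: a per-client sliding-window rate limiter and a clamp on the caller-supplied page size. The clock is injectable so the behaviour can be checked without sleeping; `SlidingWindowLimiter`, `clamp_page_size` and `handle` are hypothetical names, and the limits chosen are illustrative.

```python
import time
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Admit at most `limit` requests per client in any `window`-second span.

    The clock is injectable so the behaviour can be tested without sleeping.
    """

    def __init__(self, limit, window, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock
        self.history = defaultdict(deque)  # client_id -> timestamps of admitted requests

    def allow(self, client_id):
        now = self.clock()
        stamps = self.history[client_id]
        # Drop timestamps that have aged out of the window.
        while stamps and now - stamps[0] >= self.window:
            stamps.popleft()
        if len(stamps) >= self.limit:
            return False  # over budget: the caller should get 429 Too Many Requests
        stamps.append(now)
        return True


def clamp_page_size(requested, default=20, maximum=100):
    """Bound a caller-supplied page size so one request cannot demand a huge payload."""
    try:
        size = int(requested)
    except (TypeError, ValueError):
        return default
    return max(1, min(size, maximum))


def handle(limiter, client_id, params):
    """Hypothetical endpoint front door: rate-limit first, then bound the requested size."""
    if not limiter.allow(client_id):
        return {"status": 429, "page_size": 0}
    return {"status": 200, "page_size": clamp_page_size(params.get("page_size"))}


if __name__ == "__main__":
    limiter = SlidingWindowLimiter(limit=3, window=10.0)
    # Constructed burst: a single client fires five requests, each asking for 5000 rows.
    for i in range(5):
        print(i, handle(limiter, "203.0.113.9", {"page_size": "5000"}))
```

In production the per-client history would live in a shared store such as Redis rather than process memory, and the client identity would come from the authenticated API key rather than a raw IP; the logic of aging out old timestamps and refusing once the budget is spent stays the same.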
Protecting insecure APIs
Protecting insecure APIs is essential. When organizations choose to use an API they should do their due diligence to ensure that it is a reputable API from a trusted source. (Think of it a bit like the way you would view handing out a spare key to your house.)
But you can also call in cybersecurity experts to help. Tools such as Web Application Firewalls (WAF) and Runtime Application Self-Protection (RASP) will detect and block attempted exploits of insecure APIs. This means that users will benefit from the API without worrying about potential security weaknesses.
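A WAF’s first line of defence is pattern-matching requests before they reach the application. The following added example (mine, not the article’s and not any vendor’s product) shows the idea in miniature: it parses constructed access-log lines, URL-decodes the query string, and raises an alert when a request matches a simple SQLi or XSS signature. The log lines, IP addresses and signatures are all constructed for the demo; a real WAF carries far larger rule sets, normalizes more encodings, and tunes out false positives.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines in a common-log-like shape (not from the original page).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /api/users?username=bob HTTP/1.1" 200 512
203.0.113.9 - - [10/Oct/2023:13:55:37 +0000] "GET /api/users?username=%27+OR+%271%27%3D%271 HTTP/1.1" 200 9034
198.51.100.7 - - [10/Oct/2023:13:55:38 +0000] "GET /api/comments?text=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 128
198.51.100.7 - - [10/Oct/2023:13:55:39 +0000] "GET /api/comments?text=hello HTTP/1.1" 200 128
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)'
)

# Deliberately small signature set; real rule sets are much broader and tuned.
RULES = [
    ("sqli", re.compile(r"'\s*or\s*'|union\s+select|;\s*drop\s", re.I)),
    ("xss", re.compile(r"<\s*script|javascript:", re.I)),
]


def parse_line(line):
    """Split one log line into fields; decode the query string the way the app would see it."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    path, _, query = rec["path"].partition("?")
    rec["path"] = path
    rec["query"] = unquote_plus(query)  # %27 -> ', + -> space, etc.
    return rec


def matched_rules(decoded_query):
    """Names of every signature that fires on the decoded query string."""
    return [name for name, rx in RULES if rx.search(decoded_query)]


def scan(log_text):
    """Run the signatures over each parsable line and collect alerts."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["query"]:
            continue
        hits = matched_rules(rec["query"])
        if hits:
            alerts.append({"ip": rec["ip"], "path": rec["path"], "rules": hits})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Decoding before matching matters: the second sample line carries its payload percent-encoded, so a rule applied to the raw URL would miss it. Signature matching like this is a detection layer, not a substitute for the parameterized queries and authentication the application itself should enforce.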
APIs have been a game-changer for the way that websites operate and the functionality they can offer. They do this while making the process incredibly easy. Just make sure that this ease of use doesn’t come at the expense of your website’s safety. Using the right tools means you don’t have to.