Cool APIs: Top Tips To Secure Valuable APIs Against Growing Security Threats
IDN continues its ‘Cool APIs’ series with a focus on API Security. As APIs become more and more popular, they are also the target of a growing number of cyberthreats. Experts from Axway, Built.io, CA, MuleSoft, Red Hat and SmartBear discuss top API threats, how to fight them, effective API Security technologies -- and what’s next.
IDN continues its ‘Cool APIs’ series with a focus on API Security. APIs are no doubt becoming one of the most popular ingredients in how companies achieve digital transformation and deliver innovation. That said, APIs have also become a more popular target of cyber threats.
For this edition of ‘Cool APIs,’ IDN asked many of the leading API technology firms to share what they are seeing and doing about API Security.
APIs are proving every day to offer more benefits to business – agility, faster time-to-deploy and simpler ways for developers to deliver apps to IT operations. But the dark side is that APIs also offer the ‘bad guys’ easier and more numerous ways to get into critical systems. Companies need to keep the yin-yang of APIs in balance.
Our experts will guide us through how API Security is a necessary ally to achieving benefit while maintaining protection. In these insightful interviews with top API Security experts we’ll learn about:
- Today’s top API Security threats
- How users combat API Security threats (common use cases)
- Trends in API Security technologies and partnerships
- What’s coming for API Security in 2017 and beyond
Top API Security Threats: “Beneficial to hackers, APIs pose as new attack vectors that scale beautifully for those looking to achieve widespread damage,” says Aaron Landgraf, senior product marketing manager at MuleSoft. “It’s vital organizations today understand the lengths that hackers will go to discover and exploit weaknesses in their security, as well as that of the surrounding technologies that could provide a back door."
Use Case Strategies for API Security: The new demands of fast-paced business are big drivers for MuleSoft’s customers’ use of APIs, Landgraf said. So, it’s no surprise that API Security is getting attention to avoid any slowdown in how APIs can provide competitive advantage.
"To keep up with the demands of the digital era and outpace fast-moving competitors, MuleSoft’s customers are building application networks and applying the API-led connectivity approach to create reuse and agility across the entire organization,” he told IDN. “This shift is not just about technology; the organizational mindset also shifts to align with this distributed way of discovering existing assets, reusing them and building security patterns into the way people develop assets day-to-day and governing it at that level."
API Security Technology: The balance of move fast / stay secure is the key to MuleSoft’s API Security technology approach. "To help customers move faster while staying secure, MuleSoft’s approach is to weave security principles into the design of applications, data access points and integration,” Landgraf said.
MuleSoft’s Anypoint Platform “provides the functionality required for full API lifecycle management, connectivity to any application or data source and visibility, security and governance from design through API registration and policy management,” he said. MuleSoft offers customers a focus on treating APIs as what he called “consumable products.”
“This perspective opens up the value of APIs to multiple IT and business stakeholders,” Landgraf added. “The broader organization–including developers–can discover and reuse [APIs] without starting every project that requires secure access to backend systems from scratch."
Partnerships: By nature, APIs are designed to promote connectivity with other assets. MuleSoft approaches its API Security partnerships in that vein.
"Creating a network of applications, data and devices connected with APIs requires a wide array of technologies with out-of-the-box solutions,” Landgraf said. “To amplify the value of our customers’ application networks and ensure they stay secure, MuleSoft recently announced a partnership with leading identity provider Okta.”
Through Okta API Access Management, joint MuleSoft-Okta customers can control and manage access to critical systems with granularity and even reject access should expected thresholds be surpassed by a malicious bot. “Working in concert, MuleSoft and Okta make it easier to securely extend APIs to employees, partners and customers,” he said.
API Security - The Future: In the future, APIs will open a whole new dimension of agility, and API Security will be one of the keys that unlocks such power, according to Landgraf.
“API security is paramount as organizations increasingly ‘lego-ify’ their business by creating and adapting building blocks to match changing consumer tastes,” he told IDN. “Once an organization establishes an internal API economy and unlocks its core, it then opens the door for the organization to participate in the external API economy where it can tap into new revenue streams and deliver digital products and services to customers, partners and employees in innovative ways."
Top API Security Threats: Tom Donahoe, director for secure software engineering at Axway, says there are many security threats posed to APIs, but a few stand out. “SQL injection (SQLi) remains the number one threat, even if it’s hard to believe that it is still so prevalent,” Donahoe told IDN, adding that other ‘crucial security threats’ to watch include cross-site scripting (XSS), cross-site request forgery (CSRF) and session fixation.
Customer Strategies for API Security: “Axway works daily with many organizations across industries (financial services, automotive, healthcare and government/federal) to execute their digital business strategies,” Donahoe said, and shared some examples:
An energy and utility company uses Axway’s API Management solution to unlock all of their internal web services (which are part of their SOA), while securely making them available to the outside world. “For this organization, it’s critical to manage external communications across different user groups. They call API management their first line of defense,” Donahoe said.
When Axway first started working with this energy / utility firm, Donahoe said Axway implemented four security patterns -- one for each type of user -- public, customer, partner and employee. “This enabled the company to secure access to web services across platforms, reuse web services in different applications, automate the web services opening process and increase overall agility,” he said.
Another customer is a European paint manufacturing company, which is subject to many safety regulations. It uses Axway’s API Gateway to ensure its products are purchased only by qualified customers. “[F]or safety reasons, only qualified professionals may purchase these products,” Donahoe said. Axway’s API Gateway lets the company receive prospective customers’ credentials, and in turn forward them to the back-end system for verification. “That way, only validated customers are given access to the site,” he added.
Axway also has an eye to the future for APIs, helping an automaker secure its API-enabled connectivity between cars and drivers with Axway’s API Management.
API Security Technology: While Donahoe says there are many components to securing an API, he simplified the technology discussion into three generalized areas:
#1. Ensuring an API is designed effectively – This means the [API] creator understands the tenets of RESTful design and the concept of application resources. “The creator also needs to understand HTTP verb usage and the meaning (e.g. proper mapping and behavioral controls) of HTTP error codes,” Donahoe said. “The API creator also needs to balance the needs for security and change. API creators need to plan for ‘secure-by-default,’ while allowing for configuration flexibility – often competing technical concerns,” he said. Finally, the API creator needs to understand why leaking information in error scenarios is not good security practice.
#2. Effectively using authentication (AuthN) and authorization (AuthZ) techniques. Generally, an independent Identity Broker or Identity Provider (IdP) provides AuthN. In almost all usage scenarios, some form of a trusted identity broker/provider for proper AuthN exists. For AuthZ, a common service used today is OAuth. Once there is an authenticated identity, OAuth services can be used to determine the access controls that an application may provide to the specific identity (or role), Donahoe explained.
“While some commercial IdPs support AuthZ, others do not. How this works in one’s environment can vary wildly,” he said, adding insight into some options.
“Integrating the AuthN and AuthZ services has proven beneficial for token generation and performance. It is imperative to understand the differences between the AuthN and AuthZ concepts and what this means in the application behavior using the REST API. It is commonplace to use security tokens generated by an IdP. Ideally the token also holds role information for AuthZ, as is provided using JWTs, for example.
“Security information may also be passed in cookies. An important consideration is the cryptographic strength of the tokens generated (whether JWT or in cookies). If the tokens are captured, they should be able to withstand cryptographic attack,” he said.
#3. Effectively using the transport protocol. “Using HTTPS is strongly advised in today’s world for cross trust-boundary communications,” Donahoe said. “Using the available HTTP header semantics, like HSTS, HTTPOnly, CORS and creating CSPs are critical for securing the transport and trying to limit the attack surface as much as possible.”
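The three areas Donahoe lists (secure-by-default design with non-leaking errors, separate AuthN and AuthZ decisions on an IdP-issued token, and transport hardening headers) can be seen together in one small handler. The following is an added example written for this article, not Axway's code; it builds and verifies an HS256 JWT with the standard library only (a real deployment would obtain the key and tokens from its IdP), and the signing key, resource path and role names are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key. In production the key comes from the IdP / a secret store.
SIGNING_KEY = b"demo-signing-key-not-for-production"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject, roles, ttl=300, now=None):
    """Mint an HS256 JWT carrying role claims (what an IdP would do for us)."""
    now = time.time() if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": subject, "roles": roles, "exp": int(now + ttl)}).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def authenticate(token, now=None):
    """AuthN only: verify signature and expiry; return the claims or None."""
    try:
        header, payload, sig = token.split(".")
        hdr = json.loads(_b64url_decode(header))
        if not isinstance(hdr, dict) or hdr.get("alg") != "HS256":
            return None  # never let the token choose its own algorithm
        expected = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None  # constant-time compare against the recomputed MAC
        claims = json.loads(_b64url_decode(payload))
    except ValueError:  # covers bad base64, bad UTF-8, bad JSON, wrong part count
        return None
    if not isinstance(claims, dict):
        return None
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        return None
    return claims


def authorize(claims, required_role):
    """AuthZ: a separate decision taken on already-verified claims."""
    roles = claims.get("roles")
    return isinstance(roles, list) and required_role in roles


# Transport hardening headers attached to every response.
SECURITY_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'none'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Cache-Control": "no-store",
}


def handle_request(method, path, headers, now=None):
    """Resource handler for a constructed /accounts resource: verbs and status
    codes used as designed, client-facing errors kept generic, detail kept
    in the server-side log that the response carries only for this demo."""
    server_log = []

    def reply(status, body):
        return {"status": status, "headers": dict(SECURITY_HEADERS), "body": body, "log": server_log}

    if path != "/accounts":
        return reply(404, {"error": "not found"})
    if method not in ("GET", "POST"):
        return reply(405, {"error": "method not allowed"})
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return reply(401, {"error": "authentication required"})
    claims = authenticate(auth[len("Bearer "):], now=now)
    if claims is None:
        server_log.append("token rejected: bad signature or expired")
        return reply(401, {"error": "authentication required"})  # same message: no hint which check failed
    needed = "accounts:write" if method == "POST" else "accounts:read"
    if not authorize(claims, needed):
        server_log.append(f"{claims.get('sub')} lacks role {needed}")
        return reply(403, {"error": "forbidden"})
    return reply(200, {"accounts": ["demo-account"]})


if __name__ == "__main__":
    token = issue_token("alice", ["accounts:read"])
    print(handle_request("GET", "/accounts", {"Authorization": "Bearer " + token}))
    print(handle_request("POST", "/accounts", {"Authorization": "Bearer " + token}))
```

Note that the client sees the same 401 whether the signature or the expiry failed; the reason goes only to the server log, which is the "no information leak in error scenarios" point from area #1. The `Set-Cookie` attributes Donahoe mentions (HttpOnly, Secure) would be added the same way if the handler issued cookies.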
Partnerships: Axway has many vendors that support the company’s internal Secure Software Development Lifecycle (SSDL), which includes securing APIs and API endpoints. “We have strong relationships with industry leading vendors for static analysis, dynamic analysis, fuzzing, attack surface, and cloud security,” Donahoe said. Further, Axway sponsors third-party API penetration testing and design review. “If you look at the top five vendors in these technical areas, Axway either has strong relationships with them, or we currently use their products,” he said.
API Security - The Future: “Security is an important element in APIs and digital business, unfortunately, it isn’t as easy as some practitioners and vendors may tout,” Donahoe said. Among the issues he cites are the multiple architectural layers of security solutions, especially in API build and deployment. “An oversight or error in one layer may perpetuate attacks across other layers,” he added.
In the future, an oversight or error with API Security could impact many of API’s most exciting upsides. Donahoe sees a world where, thanks to API power, “applications become fuzzy” and . . .
- Mashable APIs are woven together to create new user experiences. A version of an application may have a lifetime of weeks, not years.
- Testing and verification are completed when the API is created. Integration and performance testing are done in real time with simulated loads. This results in cuts to production happening much faster than today.
- We will see the application runtime results in real time. Patches and updates are done daily for behavioral changes. User experience will change dramatically.
“The DevOps revolution may be partially responsible for the API enablement, but not solely responsible. The application development technology, the transport protocols, and the security infrastructures deployed are also key contributors to the phenomena,” Donahoe said.
“At Axway we are excited about digital technology, but also cautious to ensure current and future customers are secure. Our customers’ business and our business depend on it,” he said.
Top API Security Threats: “The majority of high profile breaches are still due to poor security implementation, poor procedures around key management and issuance,” says Steven Willmott, senior director and head of API Infrastructure at Red Hat, and former CEO of 3scale, which was acquired by Red Hat in June. “The openAuth protocol, for example, requires complex implementation and we often see custom implementations with issues,” Willmott added.
Use Case Strategies for API Security: “Red Hat focuses on making server side APIs more secure rather than client applications,” Willmott said. Specifically, enforcement points can be inserted in the API traffic flow. Customers can then use them to help secure both the perimeter (operating a dedicated set of gateway nodes in a DMZ on the edge of their network) and internal services (up to and including enforcement at each internal service instance). The latter is particularly common in microservices environments with a lot of internal traffic flow, he added.
API Security Technology: The Red Hat 3scale API Management Platform solution is designed to “help make API traffic more secure in a customer’s infrastructure,” offering access control and rate-limit policies that can be administered centrally and enforced at gateway nodes, Willmott said. These nodes can be deployed anywhere. The Red Hat 3scale API gateways are lightweight and flexible so the customer can deploy as many as they like. Functionality includes traffic filtering and restrictions by service, application, method and end-user.
Partnerships: Red Hat 3scale API Management Platform works tightly with the NGINX open source application delivery solution. (NGINX provides the reverse proxy engine that executes the 3scale-defined API policies for API traffic.)
Willmott detailed the depth of this Red Hat 3scale / NGINX partnership, and how it gives adopters a wide range of choice when it comes to assembling their own API Security ecosystem.
“There are numerous security plugins and filters available in the product. The open source nature of NGINX also means that core system vulnerabilities are quickly detected and patched via the large user base. We see this as an advantage over closed source gateway products from other vendors,” Willmott said. “The solution also works well together with Red Hat’s server side application and integration technologies such as Red Hat JBoss Enterprise Application Platform and Red Hat JBoss Fuse. These products have security modules and patterns which can be implemented to help increase application-level security.”
On top of all this, the Red Hat 3scale API Management Platform also integrates tightly with Red Hat’s Single Sign-On (SSO) identity solution, he added.
API Security - The Future: Like other experts, Willmott says attention to API Security is paramount to the success of just about any digital business initiative. In that context, he has some definite views on the future of how API Security will get smarter and more responsive.
“APIs are now part of the lifeblood of many enterprises and security is of paramount importance. The biggest upcoming innovations we anticipate in API security have to do with tracing traffic flows between internal and external services,” he said.
Willmott also underscored that the advent of microservices will make attention to API Security even more critical. “As microservices proliferate, enterprise architects have an opportunity to document the APIs being used and manage them proactively. The resulting usage patterns can give a more detailed map of traffic flows, permissions and real-usage than ever before. We expect security solutions to increase their ability to analyze these patterns for unusual usage and changes to detect bad actors and compromised systems,” Willmott added.
Top API Security Threats: “The single most dangerous security threat when it comes to APIs is negligence – simply ignoring or failing to secure your APIs,” said Rahim Bhatia, general manager, API Management, CA Technologies. “Teams take the attitude that security gets in the way of getting a product out the door and that is a risk and threat. Think of Snapchat, Nissan, Samsung – these are just a few of the recent headlines of unsecured APIs.”
As dangerous as negligence is to securing an API, Bhatia shared another danger -- “assuming that security-by-obscurity is an adequate security model.” He explained this hazard in terms many IT practitioners will relate to – thanks to a recent headline-grabbing incident.
“Developers sometimes believe that by making an API private, they have ‘good enough’ security. The Pokemon debacle is a great example of fallacy in action; failing to properly secure APIs has a significant and negative effect on uptime and customer experience,” Bhatia said. There are many other API threats that deserve attention, he added, but on Bhatia’s short list are: buffer overflows, SQL/Code injection, man-in-the-middle and parser attacks.
Bhatia also shared ways to approach API Security solutions: “These [threats] can be easily protected with policies that ensure that transmission channels are secure, users are properly identified and authorized, and all data is validated to ensure it fits the model the application expects,” he said.
Use Case Strategies for API Security: Bhatia shared several examples of customers using CA’s API security technology to protect their applications and data.
- Retailers, such as L’Oréal, pursuing omni-channel digital delivery models, are using CA’s API security model to protect personally identifiable information and payment information.
- Orlando Utilities Commission uses CA’s API Gateway for their trust partner model.
- Amerigroup, (The Advisory Board, Patient Engagement Advisors), and several other healthcare vendors use CA’s API security model to address HIPAA mandates.
- The four major credit card vendors in the U.S., as well as other financial services companies, use CA’s API Security model to securely integrate legacy technology.
Bhatia also recommended other steps customers can take to increase API Security, including:
- reduce the attack surface by consolidating APIs that are too granular,
- always use secure transport (TLS/SSL),
- explicitly control access (OAuth, SAML, etc.),
- enforce strict interfaces (validating protocol, resource, method, parameters, and schema before access), rate limiting, and
- ongoing monitoring (log/audit).
“We believe that implementing even basic levels of API security (TLS+OAuth), coupled with these simple policies to protect against threats will thwart the most common attacks,” Bhatia said.
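Bhatia's list (strict interface enforcement before access, rate limiting, and logging for audit) is the kind of policy an API gateway evaluates on every call. The following is an added example written for this article, not CA's policy language or gateway; it implements those three checks as a small front-end in front of a constructed `/v1/orders` resource, with the contract, limits and sample requests all made up for the demo. Transport security (TLS) and access control (OAuth) are assumed to be handled upstream.

```python
import json
import re
from collections import deque

# Constructed interface contract: allowed resource, verbs, query parameters
# (with value patterns) and body schema as (type, min, max) where the range
# is a length for strings and a value range for integers. Anything outside
# the contract is rejected before backend code sees it.
CONTRACT = {
    "/v1/orders": {
        "GET": {"params": {"limit": re.compile(r"^[1-9][0-9]?$")}, "schema": None},
        "POST": {"params": {}, "schema": {"sku": (str, 1, 32), "qty": (int, 1, 100)}},
    }
}


class RateLimiter:
    """Sliding-window limiter: at most `limit` requests per `window` seconds per client key."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.hits = {}

    def allow(self, key, now):
        q = self.hits.setdefault(key, deque())
        while q and now - q[0] >= self.window:
            q.popleft()  # drop hits that have aged out of the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def validate_body(body, schema):
    """Strict schema check: exact key set, exact types, bounded sizes. Returns an error string or None."""
    if set(body) != set(schema):
        return "body keys must be exactly " + ",".join(sorted(schema))
    for key, (typ, lo, hi) in schema.items():
        val = body[key]
        if type(val) is not typ:  # exact type: bool is an int subclass and must not pass as int
            return f"{key}: wrong type"
        size = len(val) if typ is str else val
        if not lo <= size <= hi:
            return f"{key}: out of range"
    return None


class ApiFront:
    """Policy front-end: rate limit, then enforce the interface, and audit every decision."""

    def __init__(self, limit=5, window=60):
        self.limiter = RateLimiter(limit, window)
        self.audit = []  # in a real gateway this is the log/audit feed

    def handle(self, client, method, path, params, raw_body, now):
        if not self.limiter.allow(client, now):
            status, reason = 429, "rate limit exceeded"  # cheap check first, counts rejected calls too
        else:
            status, reason = self._check(method, path, params, raw_body) or (200, "ok")
        self.audit.append({"ts": now, "client": client, "method": method,
                           "path": path, "status": status, "reason": reason})
        return status

    def _check(self, method, path, params, raw_body):
        resource = CONTRACT.get(path)
        if resource is None:
            return (404, "unknown resource")
        spec = resource.get(method)
        if spec is None:
            return (405, "method not allowed")
        for name, value in params.items():
            pattern = spec["params"].get(name)
            if pattern is None or not pattern.match(value):
                return (400, f"bad parameter {name}")  # unknown or malformed parameter
        if spec["schema"] is None:
            return None if raw_body in (None, "", b"") else (400, "body not allowed")
        try:
            body = json.loads(raw_body)
        except (TypeError, ValueError):
            return (400, "malformed JSON")
        if not isinstance(body, dict):
            return (400, "body must be an object")
        err = validate_body(body, spec["schema"])
        return (400, err) if err else None


if __name__ == "__main__":
    api = ApiFront(limit=3, window=60)
    print(api.handle("partner-a", "POST", "/v1/orders", {}, '{"sku": "ABC-1", "qty": 2}', 0))
    print(api.handle("partner-a", "POST", "/v1/orders", {}, '{"sku": "ABC-1", "qty": 2, "admin": true}', 1))
    for entry in api.audit:
        print(entry)
```

The rate limiter runs before parsing so that a noisy client cannot make the gateway spend parser CPU on every probe, and rejected requests are still counted and logged, which is what makes the audit trail useful for the monitoring step in the same list.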
API Security Technology: CA provides a holistic solution for API Lifecycle Management (of which API Security is a foundation) and provides API Management integration with its portfolio of IT management solutions. Many components of CA API Management integrate API Security capabilities with traditional enterprise assets.
Components of CA’s API portfolio with a security capability include:
- CA API Gateway, a main line of API Security defense, deployed in front of API servers;
- CA Single Sign-On (SSO), an integrated access control solution across web, mobile, and APIs;
- CA Service Virtualization, to accelerate the development of API-based applications;
- CA Application Performance Management, to identify API issues and ensure SLAs are met;
- CA App Experience Analytics, to provide insight into mobile app performance, allowing developers to improve both speed and quality of apps.
“The [API] gateway assumes responsibility for all aspects of API security including confidentiality, integrity, authentication, authorization, audit, key management, threat detection and even availability,” Bhatia said. “The security model is implemented using our rich policy language, which provides a perfect balance between ease of use and sophistication to address a continuously changing threat landscape.”
Because API Security should also involve an end-to-end perspective, developers and IT operations both need to play a role in API Security, Bhatia noted, adding that CA’s approach promotes such engagement.
“At design time, developers simply integrate predesigned policies (as APIs) into the CA API Gateway. At runtime, the Gateway will then execute those policies to ensure that an API is secure. CA further integrates API security with existing identity and access management systems,” Bhatia said.
Also, because many mobile (and new-gen IoT) apps are powered by APIs, CA has also optimized an API Security solution for this use case. “The CA Mobile API Gateway greatly simplifies the development of secure mobile apps through mobile SDKs. This lets developers focus on building great customer experiences instead of sweating the details of security.
“Finally, with the addition of CA Mobile App Services, CA provides the ability to extend this security model to the IoT. It provides mobile and IoT developers a rich library of SDKs that protect data at rest and in motion, and offers simple interfaces to create and maintain user accounts, authenticate and authorize users, and to facilitate secure, device-to-device communication,” Bhatia said.
Partnerships: Beyond its own holistic portfolio approach to API Security, CA also works with Thales (to ensure secure integration between Thales’ nShield Network Attached HSM and the CA API Gateway). This provides the highest levels of protection for vital key material and addresses PCI-DSS compliance requirements.
CA also works with multiple system integrators in the healthcare and financial services sectors. They use CA API Management as a key component in their security framework for their customers.
API Security - The Future: Bhatia makes a compelling case for why API Security must get more attention earlier – even though it’s the APIs, apps and functionality that often take center stage for any new project.
“Security must be a core component of any digital initiative for the enterprise – not just for the obvious factor of protecting IP in the enterprise, but actually protecting both workers and consumers from nefarious actions,” Bhatia said. “But security is too often neglected in the rush to ship new apps and functionality.”
That said, Bhatia recognizes API Security must get easier for all API stakeholders. “CA believes that good API security must be effortless for developers, allowing them to focus on delivering great apps. We are working hard to make API security fit seamlessly into modern Continuous Integration/Continuous Delivery workflows, so that API security is ‘on-by-default,’” he said.
Longer-term, Bhatia says better API Security can be a boon to the Internet of Things. “IoT will flourish when devices can share information using APIs. We are working hard to make secure APIs available to a wide range of devices [across] automotive, home automation, logistics, predictive analytics, sensor monitoring (think farming, wineries, etc.) and even warehousing,” he said.
Top API Security Threats: API Security isn’t just a one-time thing. Unless you can prove an API is always secure, assume it isn’t. That’s the to-the-point advice from Harsh Upreti, Product Marketing Manager, API at SmartBear Software.
“To start with, an API needs continuous monitoring and observation to find any deviations from normal,” he told IDN. Also, unless an API has been completely vetted for security, it should be considered insecure. The implication is that “everything (data, backend, scripts etc.) could be a threat,” Upreti added.
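Both Upreti's "deviations from normal" and Willmott's earlier point about analysing usage patterns for unusual behaviour come down to comparing recent API traffic with a per-client baseline. The following is an added example written for this article, not SmartBear's or Red Hat's code; the access-log format, the client names and every log line are constructed for the demo, and the thresholds (3x the baseline peak rate, 50% error ratio, any never-seen route) are illustrative assumptions rather than recommended values.

```python
import re
import statistics
from collections import Counter, defaultdict

# Constructed access-log format: "<unix ts> <client> <METHOD> <path> <status>".
LOG_RE = re.compile(r"^(?P<ts>\d+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")

# Constructed "normal" period: partner-a reads orders twice a minute, mobile-b reads its profile once a minute.
BASELINE_LOG = (
    [f"{60 * m + 10 * i} partner-a GET /v1/orders 200" for m in range(3) for i in range(2)]
    + [f"{60 * m + 5} mobile-b GET /v1/profile 200" for m in range(3)]
)

# Constructed recent period: partner-a's key is suddenly used very differently, a new client appears.
RECENT_LOG = [
    "600 partner-a GET /v1/orders 200",
    "603 partner-a POST /v1/orders 401",
    "605 partner-a GET /v1/orders/9999 404",
    "607 partner-a GET /v1/orders/9998 404",
    "609 partner-a POST /v1/orders 401",
    "611 partner-a GET /v1/admin/users 403",
    "613 partner-a GET /v1/orders 200",
    "615 partner-a GET /v1/orders/9997 404",
    "610 mobile-b GET /v1/profile 200",
    "620 scanner-z GET /v1/orders 401",
]


def parse_log(lines):
    """Parse log lines into event dicts; malformed lines are skipped rather than guessed at."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            events.append({"ts": int(m["ts"]), "client": m["client"], "method": m["method"],
                           "path": m["path"], "status": int(m["status"])})
    return events


def build_profile(events, bucket=60):
    """Per client: request counts per time bucket, error ratio and the set of (method, path) routes used."""
    per_client = defaultdict(lambda: {"buckets": Counter(), "errors": 0, "total": 0, "routes": set()})
    for e in events:
        c = per_client[e["client"]]
        c["buckets"][e["ts"] // bucket] += 1
        c["total"] += 1
        c["errors"] += e["status"] >= 400
        c["routes"].add((e["method"], e["path"]))
    profile = {}
    for client, c in per_client.items():
        counts = list(c["buckets"].values())
        profile[client] = {"rate_mean": statistics.mean(counts), "rate_max": max(counts),
                           "error_ratio": c["errors"] / c["total"], "routes": c["routes"]}
    return profile


def find_deviations(baseline, events, bucket=60, rate_factor=3.0, error_ratio=0.5):
    """Flag clients whose recent profile departs from their own baseline; returns (client, reason) pairs."""
    findings = []
    recent = build_profile(events, bucket)
    for client, now in recent.items():
        base = baseline.get(client)
        if base is None:
            findings.append((client, "unknown client with no baseline"))
            continue
        if now["rate_max"] > rate_factor * base["rate_max"]:
            findings.append((client, f"request rate {now['rate_max']}/bucket vs baseline max {base['rate_max']}"))
        if now["error_ratio"] >= error_ratio and now["error_ratio"] > base["error_ratio"]:
            findings.append((client, f"error ratio {now['error_ratio']:.2f} vs baseline {base['error_ratio']:.2f}"))
        new_routes = now["routes"] - base["routes"]
        if new_routes:
            findings.append((client, "never-seen routes: " + ", ".join(f"{m} {p}" for m, p in sorted(new_routes))))
    return findings


def run_demo():
    baseline = build_profile(parse_log(BASELINE_LOG))
    return find_deviations(baseline, parse_log(RECENT_LOG))


if __name__ == "__main__":
    for client, reason in run_demo():
        print(f"{client}: {reason}")
```

Comparing each client against its own history, rather than against one global threshold, is what lets a low-volume client's sudden burst of 404s stand out even when the gateway as a whole is far from its capacity; the same profile can be rebuilt after every deploy so that the baseline tracks the "change" Upreti describes.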
He also addressed API Security in broader terms. “If you look at the bigger picture, we believe that a big and continuous threat to API security is change, and by change I mean the change in code, infrastructure, technology and even personnel. That is why we built [Secure Pro] to work with APIs from [the] ground up.”
Use Case Strategies for API Security: “We recommend that API security checks should be a part of the testing (or even build) process from day one, and after any change the test process should seamlessly test for security along with the functionality of the API,” Upreti said. “This is often why customers buy SmartBear’s Secure Pro solution in conjunction with the broader testing infrastructure for API,” he added.
Secure Pro is also designed to let customers “create these sophisticated API scans with ease through [the] front end, and then integrate these in their existing processes with minimal effort,” Upreti added. SmartBear “eliminates any mental and economical barriers that our customers may have for implementation of API security testing. Thus, there is an assurance amongst our customers that there is a place in their process where security is being taken care of,” Upreti said.
API Security Technology: He emphasized that attention to ease-of-use, without mountains of training, is a key part of SmartBear’s Secure Pro technology design.
“We firmly believe that API testing should be easy and accessible for every member of the team. We wish to ensure that complexity of a tool doesn’t come in the way of API quality. On those lines, our products make API security testing so easy and accessible to teams that developers and testers do not hesitate in using our Secure Pro tool every time they make or observe a change to code,” Upreti said.
Specifically, the Secure Pro tool allows easy creation of API scans such as SQL injection, cross-site scripting and JSON boundary scans. “These scans are prebuilt and a user has to just create these for an API through some clicks on wizards. This enables easy access to sophisticated API scans to everyone in the team without the need of a security expert,” Upreti said. “Often security testing is considered boring and for many developers and testers it’s an afterthought. Easy to use tools break these notions and encourage teams to embrace security practices upfront,” he added.
SmartBear also says API threats can crop up throughout an API’s entire lifespan, and that’s why its offering, Secure Pro, pays special attention to the API lifecycle. Upreti explained it this way: “The moment code is committed, infrastructure is added (or reduced) or technology is changed, our tools enable continuous scanning of the API to find any threats that may have been introduced.”
API Security - The Future: For all his cautions, Upreti is optimistic for the future of API Security. When ease-of-use becomes more important to more vendors, it will create a more level playing field between the largest Internet companies and smaller SMBs and start-ups. That will mean more API-powered innovation across all industries.
“Easy-to-use [API Security] solutions are a precursor to stronger and reliable security systems. It’s [also] important to dispel the notion that you need a security expert,” Upreti said. “A lot of small businesses still do not know how to securely store their customers’ credit card information for recurring payments. Hence, they often lose ground to big businesses (like Amazon) who can make investments in ensuring security of assets,” he said.
“With better and more reliable security, hackers will be discouraged and more opportunities will be created for small and very small businesses to adopt competitive business practices,” Upreti added.
Top API Security Threats: “The biggest security threat to APIs is the exposure by IoT devices that are in every home now,” according to Kurt Collins, Director of Technology Evangelism and Partnership at Built.io. “Not just the exposure, but the widespread distribution of IoT devices. Remember the giant DNS crash of 2016? IoT is a major vulnerability point because each device utilizes APIs to communicate back to essential servers.”
API Technology & Partnerships: Built.io offers a cloud-based, API-first enterprise suite to accelerate digital transformation for data integration, content and apps. The suite includes: (1) a cloud-based integration Platform-as-a-Service (iPaaS); (2) a content management system that shares content across multiple channels and (3) an MBaaS (mobile backend as a service) to support mobile, web and IoT.
Built.io’s biggest API Security partners are cloud giants Amazon Web Services and Microsoft Azure, Collins said.
API Security - The Future: As APIs power more B2B communications (commerce, data integration and sharing), Collins suggested businesses need to pay attention to how those links are secured.
“Businesses can’t do business with each other without having secure methods to exchange information and data,” Collins said. “In the future, information will be exchanged at the best of each organization’s AIs. As such, the exchange of information is going to occur at a more rapid pace than it is today. Instead of two humans exchanging information, it will be done by bots. In order to support that kind of infrastructure, we will need API-driven security.”
IDN will continue to report on how Cool APIs are becoming the new foundation for digital business, digital transformation and innovation. So keep checking in. It should be exciting!