Why and How to Protect Your API Endpoints


An attacker is the only one who knows more about your API endpoints than you do. By some indications, they know a lot more. Gartner predicted that APIs would become the number one attack vector in 2022, and per one 2022 report, API attacks had increased by 681% in the past twelve months alone.

A lot of this comes down to securing API endpoints. Those are often an attacker’s initial point of contact and can be a system’s weakest link. As such, controlling access to API endpoints needs to become a growing focus of enterprise security strategies. Here’s why and how.

Why protecting your API endpoints is so important now

First of all, let’s clarify the definition of an API endpoint. APIs are popularly referred to as hubs: API endpoints are where the spoke hits the wheel. An API endpoint is the “specific digital location where requests for information are sent by one program to retrieve the digital resource that exists there,” as aptly described by TechTarget. An API’s success depends on its ability to communicate with its endpoints: and so does its failure.

Criminal hackers go after the endpoints because this is where the rubber hits the road. As OWASP states, “APIs tend to expose endpoints that handle object identifiers, creating a wide attack surface Level Access Control issue. Object-level authorization checks should be considered in every function that accesses a data source using an input from the user.”

An API endpoint is like a key to the kingdom. Because it enables access to an entire object, compromising it drastically widens the attack area.

On the other hand, shutting down an API endpoint also does its fair share of damage. For example, a DDoS attack can make an API endpoint unreachable, meaning the objects connected to it are also unreachable. This is especially problematic for e-commerce systems, where an unreachable endpoint can lead to an inventory denial attack (IDA).

Because APIs tend to expose more endpoints than traditional web applications, it’s important to ensure that decommissioned APIs (test endpoints, for example) are removed from the production environment. Leave one there, and it’s like a piece of gauze left in a wound – an infection waiting to happen.

Consider the API threat landscape

Knowing just how valuable API endpoints are, API security has to be top of mind. According to Salt Security’s State of API Security Report Q1 2023, it’s already top of mind for attackers. Consider the following statistics from the report:

  • Malicious API traffic increased 400% from just a few months prior
  • 94% of respondents experienced security problems in production APIs
  • Almost 60% had to delay a product rollout due to API security concerns
  • 31% of participants experienced sensitive data exposure or a privacy incident with their production APIs
  • 30% lack an API security strategy entirely

The odds aren’t looking good, and simply leaving APIs to chance or not having a strong enough security strategy isn’t doing the job. Bad actors are cashing in on a gold mine of API activity while most businesses find themselves uncommitted at the wheel. Less than 10 percent of those involved in the Salt survey had an advanced API security solution, complete with API testing and protection.

In the hope of raising that number, it’s worth reviewing how API protections are put in place.

How exactly do you lock down API endpoints?

There are several ways to prevent unauthorized access to your API endpoints – and, therefore, to what lies beyond. Here are a few:

  1. Inventory your APIs. This prevents orphaned or out-of-date APIs from languishing on the network and becoming liabilities. It reduces the attack surface and is the first step to strategizing an API security play: After all, you can’t defend what you can’t see.
  2. Apply Authorization and Authentication. Authorizing with API keys controls access to public REST services. To authenticate a single person, use OAuth2 to integrate with SSO (Single Sign-On) providers. And all web APIs should employ TLS when sending or receiving information, ensuring all messages in transit are properly encrypted.
  3. Validate Input. Although this may seem obvious, many APIs are subject to code injection attacks because they fail to sanitize their inputs. Remove any characters that could be part of a malicious script, and don’t neglect to lock the door because you think nobody’s checking – as the API attack statistics show, they are.
  4. Perform Client Filtering. This falls under basic API hygiene, but it cannot be overlooked. Practice the principle of least privilege and only allow the minimum number of clients to access the API as necessary. The best attacks arise from within, so don’t trust – verify.
  5. Apply Rate Limiting. Similar in principle to the above, rate limiting prevents DoS attacks by limiting the volume of requests accepted by your API. Additionally, limit how much information can be retrieved (or how many requests can be made) within a legitimate operation.
  6. Invest in Dedicated API Security. The existing toolset – WAFs and API gateways – simply cannot detect the low-and-slow behavior of today’s API attacks. Rate limiting only works for volumetric attacks – today’s hackers slow down their attacks to avoid that detection. You need API security systems that can track API behavior over time and identify the signs of a malicious actor at work.
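The following is an added example, not code from the original article: a minimal handler for a `GET /orders/{id}` endpoint that strings together the controls above (API-key authentication, per-client rate limiting, input validation) and the object-level authorization check the OWASP quote calls for. The orders, API keys, limits and the `get_order` / `allowed_by_rate_limit` names are all constructed for illustration.

```python
import re
import time
from collections import defaultdict, deque

# Constructed sample data: which user owns which order, and which API keys map to which user.
ORDERS = {101: {"owner": "alice", "total": 42.0}, 102: {"owner": "bob", "total": 9.5}}
API_KEYS = {"key-alice-xyz": "alice", "key-bob-xyz": "bob"}

RATE_LIMIT = 5        # max requests per client ...
RATE_WINDOW = 60.0    # ... per this many seconds (constructed values)
_requests = defaultdict(deque)   # client -> timestamps of recent requests

ORDER_ID_RE = re.compile(r"\d{1,9}")   # allowlist: an order id is 1-9 digits, nothing else


def allowed_by_rate_limit(client, now=None):
    """Sliding-window limiter: at most RATE_LIMIT requests per RATE_WINDOW per client."""
    now = time.monotonic() if now is None else now
    q = _requests[client]
    while q and now - q[0] > RATE_WINDOW:   # drop timestamps that fell out of the window
        q.popleft()
    if len(q) >= RATE_LIMIT:
        return False
    q.append(now)
    return True


def get_order(api_key, raw_order_id, now=None):
    """Handle GET /orders/{id}; returns (http_status, body)."""
    user = API_KEYS.get(api_key)          # authentication: unknown key, no further processing
    if user is None:
        return 401, {"error": "invalid API key"}
    if not allowed_by_rate_limit(user, now):
        return 429, {"error": "rate limit exceeded"}
    if not ORDER_ID_RE.fullmatch(raw_order_id):   # input validation before the id touches storage
        return 400, {"error": "order id must be numeric"}
    order = ORDERS.get(int(raw_order_id))
    # Object-level authorization: the caller may only read orders they own.
    # Missing and foreign orders both return 404 so the API does not reveal which ids exist.
    if order is None or order["owner"] != user:
        return 404, {"error": "not found"}
    return 200, {"order_id": int(raw_order_id), "total": order["total"]}


if __name__ == "__main__":
    print(get_order("key-alice-xyz", "101"))   # own order: 200
    print(get_order("key-alice-xyz", "102"))   # someone else's order: 404
```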

Conclusion

There are many ways to get in trouble with unguarded APIs, and bad actors make a living out of finding them. API endpoints are tantalizing options as they are often overlooked in the overwhelm of day-to-day security operations. Because there are so many, it’s easy to give up on vigilantly securing them all. It’s understandable to think that cybercriminals won’t notice if you don’t, and security fatigue can hit hard when every digital operation relies on an API in some way.

However, this doesn’t change the fact that the key importance of APIs will only increase. Attackers show no sign of slowing down, so it’s time we, as security practitioners, learned why – and how – to keep pace.

Katrina Thompson: An ardent believer in personal data privacy and the technology behind it, Katrina Thompson is a freelance writer leaning into encryption, data privacy legislation and the intersection of information technology and human rights. She has written for Bora, Venafi, Tripwire and many other sites.