Unsecured APIs – Underlying threat waiting to be realized
APIs and web services are essential building blocks for today's applications. They are not only the connective tissue between applications, systems and data, but also the mechanism that lets developers leverage and reuse these digital assets for new purposes. Developers can use these building blocks to integrate advanced functionality and features into their software without having to design them from scratch.
Businesses can also integrate in-house and third-party software through reusable APIs to meet partner and customer requirements, improve performance, optimize usage, and so on. The economic benefits and flexibility that APIs offer have encouraged SMEs to adopt both the use and the development of APIs. For example, if a hospital intends to consolidate patient history from all clinicians, it can do so simply by using the readily available APIs offered by the various providers; the developer does not need to understand how each API functions internally.
These utilities can be used to access sensitive information or perform sensitive transactions. An adversary who knows a valid request format and holds a key could access the same data, leading to data leakage. The security risk in an API therefore extends beyond the risks associated with the protocol (HTTP) or the applications themselves. Most developers also rely on frameworks, so framework-specific flaws creep into the mix as well.
More than half of the traffic on the internet now involves an API sending information to, or retrieving it from, an application. APIs are therefore the new attack surface: one that could be incapacitated, or leveraged to gather information from many applications at once. A successful attack campaign could lead to loss of reputation and revenue, fines, compliance failures and even a spike in infrastructure costs.
It is critical that developers follow secure coding guidelines to eliminate commonly found vulnerabilities. The cause of a vulnerability can be anything from insecure coding practices, such as hard-coding secrets, to the use of unpatched libraries. It is therefore critical that all software/applications and their corresponding APIs be tested against all plausible threats. While assessing APIs we have also noticed significant growth in authorization-related vulnerabilities. It is important to understand that API endpoints are mostly exposed on the internet, which makes them easier for attackers to reach. A lack of authorization checks lets attackers guess or brute-force relevant object IDs and retrieve information from the server. According to recent attack reports, this is also the most commonly observed weakness in APIs.
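The missing-authorization pattern described above, shown as an added example that is not part of the original article or of any particular framework: a record-lookup handler that only checks that the caller is authenticated, beside a hardened version that also checks that the caller owns the requested object. The in-memory RECORDS store, the account names and the identifier range are constructed sample data, and the handler signature (authenticated user, requested record id) is an assumption made for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable, List


@dataclass(frozen=True)
class Record:
    record_id: int
    owner_id: str
    body: str


# Constructed sample data (not real records): each record belongs to one account.
RECORDS = {
    1001: Record(1001, "alice", "visit summary"),
    1002: Record(1002, "bob", "lab results"),
    1003: Record(1003, "alice", "prescription refill"),
}


class NotFound(Exception):
    """Raised for both 'no such record' and 'not your record', so the
    response does not confirm which identifiers exist."""


def get_record_vulnerable(user: str, record_id: int) -> Record:
    """Authenticated but not authorized: the caller's identity is never
    compared with the record's owner, so any valid session can read any
    record whose identifier it names."""
    record = RECORDS.get(record_id)
    if record is None:
        raise NotFound(record_id)
    return record


def get_record_hardened(user: str, record_id: int) -> Record:
    """Object-level authorization: fetch the record, then check ownership
    on the object itself before returning it."""
    record = RECORDS.get(record_id)
    if record is None or record.owner_id != user:
        raise NotFound(record_id)
    return record


def readable_ids(handler: Callable[[str, int], Record], user: str, ids: range) -> List[int]:
    """Authorization test for the service's own test suite: which identifiers
    in a range can this account read through the given handler? For a
    correctly authorized handler the answer is exactly the account's own records."""
    found = []
    for rid in ids:
        try:
            handler(user, rid)
        except NotFound:
            continue
        found.append(rid)
    return found


if __name__ == "__main__":
    print("vulnerable:", readable_ids(get_record_vulnerable, "bob", range(1000, 1010)))
    print("hardened:  ", readable_ids(get_record_hardened, "bob", range(1000, 1010)))
```

The hardened handler returns the same error for a missing record and for a record the caller does not own; if the service needs to distinguish the two for monitoring, log the distinction server-side rather than exposing it in the response. A readable_ids-style check over a range of identifiers belongs in the API's regression tests, because the vulnerable and hardened versions look identical to a caller who only requests their own records.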
APIs are also known to be vulnerable to traditional weaknesses such as injection, broken authentication, sensitive data exposure and security misconfiguration. It is also critical to limit resource usage to defend against denial-of-service attacks: the API, or the software behind it, can become unresponsive if no limits are set on the number of requests and the size of input parameters.
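One way to enforce the request and parameter limits mentioned above, as an added example that is not from the original article: a per-client token-bucket rate limiter in front of a handler that bounds its pagination and free-text parameters before they reach the data layer. The limits (a burst of 3 requests refilling at 1 per second, a maximum page size of 100, a 256-character query) and the client identifiers are constructed values chosen for illustration; a real deployment would tune them to the service.

```python
import time
from typing import Dict, Optional

# Constructed limits chosen for illustration; tune to the real service.
BURST_REQUESTS = 3          # bucket capacity
REQUESTS_PER_SECOND = 1.0   # sustained refill rate
MAX_PAGE_SIZE = 100
MAX_QUERY_LEN = 256
DEFAULT_PAGE_SIZE = 20


class TokenBucket:
    """One bucket per client: each request spends a token, tokens refill
    at a fixed rate, and the bucket never holds more than its capacity."""

    def __init__(self, capacity: float, refill_per_second: float, now: float):
        self.capacity = capacity
        self.refill_per_second = refill_per_second
        self.tokens = capacity
        self.last = now

    def allow(self, now: float) -> bool:
        elapsed = max(0.0, now - self.last)
        self.last = now
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_per_second)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class RateLimiter:
    """Keeps one TokenBucket per client identifier (for example an API key)."""

    def __init__(self, capacity: float, refill_per_second: float):
        self.capacity = capacity
        self.refill_per_second = refill_per_second
        self.buckets: Dict[str, TokenBucket] = {}

    def allow(self, client_id: str, now: float) -> bool:
        bucket = self.buckets.get(client_id)
        if bucket is None:
            bucket = TokenBucket(self.capacity, self.refill_per_second, now)
            self.buckets[client_id] = bucket
        return bucket.allow(now)


class RequestRejected(Exception):
    def __init__(self, status: int, reason: str):
        super().__init__(reason)
        self.status = status
        self.reason = reason


def validate_list_params(params: dict) -> dict:
    """Bound pagination and free-text parameters; oversized or malformed
    values are rejected rather than silently accepted or clamped."""
    raw = params.get("page_size", DEFAULT_PAGE_SIZE)
    try:
        page_size = int(raw)
    except (TypeError, ValueError):
        raise RequestRejected(400, "page_size must be an integer")
    if not 1 <= page_size <= MAX_PAGE_SIZE:
        raise RequestRejected(400, f"page_size must be between 1 and {MAX_PAGE_SIZE}")
    query = params.get("q", "")
    if not isinstance(query, str) or len(query) > MAX_QUERY_LEN:
        raise RequestRejected(400, f"q must be a string of at most {MAX_QUERY_LEN} characters")
    return {"page_size": page_size, "q": query}


def handle_list_request(limiter: RateLimiter, client_id: str, params: dict,
                        now: Optional[float] = None) -> dict:
    """Rate limit first (the cheapest check), then validate parameters.
    The status code is returned in the result so callers can inspect it."""
    now = time.monotonic() if now is None else now
    if not limiter.allow(client_id, now):
        return {"status": 429, "error": "rate limit exceeded"}
    try:
        clean = validate_list_params(params)
    except RequestRejected as exc:
        return {"status": exc.status, "error": exc.reason}
    return {"status": 200, **clean}


if __name__ == "__main__":
    limiter = RateLimiter(BURST_REQUESTS, REQUESTS_PER_SECOND)
    for _ in range(BURST_REQUESTS + 1):
        print(handle_list_request(limiter, "key-123", {"page_size": 10}, now=0.0))
    print(handle_list_request(limiter, "key-123", {"page_size": 5000}, now=2.0))
```

The rate-limit check runs before any parameter parsing so that a flood of requests is rejected at the cheapest point, and the clock is injected so the behaviour can be tested deterministically. Request body size and upstream timeouts are the other two limits a practitioner would set alongside these, typically at the gateway or web server rather than in handler code.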
In the healthcare sector, an API that transmits PHI must be secured both in transit and at rest. End-user consent is mandatory before sensitive PHI/PII is shared, and the end user should be able to grant and revoke an API's permission to access or share this data. These privacy considerations must be taken into account while drafting policies, developing APIs and using third-party APIs. It is also critical to understand the flow of data through third-party APIs. Ensuring that APIs are secured and free of vulnerabilities that could lead to the compromise of the API or its data in turn ensures that the API meets the requirements set by HIPAA and HITRUST, which helps the organisation as a whole achieve and maintain health data security compliance.
To help organizations that leverage APIs and web services understand their current security posture and protect their information, OWASP has released the API Security Top 10. It also gives organizations a baseline against which to measure their readiness to protect themselves from known vulnerabilities. We would recommend an annual penetration test across all APIs and web services to understand the vulnerabilities currently present in these externally exposed assets. This ensures that all issues, whether introduced by changes or recently discovered, are identified and mitigated in a timely manner before an adversary can exploit them.
Accorian is a full-service cybersecurity partner. We can help protect your data, monitor your networks, conduct penetration tests and provide anti-phishing training for your employees. We have extensive experience in conducting penetration tests and vulnerability scanning for applications (web and mobile), APIs and networks, as well as social engineering assessments.