What data center managers can do to protect the API

  APIs make application features richer and more dynamic, but they also increase the attack surface.

  An API, or application programming interface, is a way for multiple computer programs to communicate with each other. For example, a website can use APIs to request information from a database or pass information to a third-party service. Mobile applications often use APIs to send data back and forth to a central server. Traditional websites are rapidly being replaced by highly interactive API-based websites. APIs are also central to enterprise applications, where they have replaced older information exchange mechanisms.

  According to a report released by Akamai earlier this year, API calls now account for 83% of all web traffic. This means providing more powerful and feature-rich applications, but it also means greater security risks. According to a survey by research firm Gartner, by 2021, 90% of Web-enabled applications will have a greater attack surface in the form of exposed APIs rather than user interfaces, compared with 40% in 2019. By 2022, API abuse will become the most common attack.

  For example, McDonald's API exposed the personal data of users of its mobile delivery application. Other companies that have suffered data breaches due to APIs include Facebook, Twitter, Panera Bread, T-Mobile, Instagram, Salesforce and Snapchat. Even the Internal Revenue Service suffered an API data leak.

  Israel Barak, chief information security officer at Boston-based security company Cybereason, said, "In the past five or six years, APIs have become a growing problem. The increased interconnectivity between businesses, systems and applications has accelerated the adoption of public-facing APIs. Then came the use of services such as microservices and containers." Take a web application for booking flights as an example. In a traditional monolithic application, the user would select a flight, get a quote, pay and book, completing all these steps in order. Barak said, "The transaction process ensures that the first step occurs before the second step."

  Now, the same application on the web may be a set of independent functions, each of which calls a separate API. One passenger request may go to the payment system; another may go to the airline to book the flight. Using public APIs, attackers can skip the payment step and go directly to the booking step. An attacker may also abuse the API that confirms user information to obtain the names, addresses and payment details of other customers.

  Sometimes even a completely harmless API can cause damage, Barak said. For example, after the user selects a country, a web form usually provides a list of its cities. If the list of cities is served via an API, an attacker can send enough fake requests to shut down that particular service, and with it the entire web form. Barak said, "And the verification code cannot be used because there is no one on the other side."

  Ido Safruti, co-founder and chief technology officer of PerimeterX, a San Mateo-based cybersecurity company, said that another common API abuse occurs when APIs are used to verify credit cards and access is not properly locked down. He said: "I can directly use the API and try to verify the stolen credit card or gift card, which is easier, because the user's name or zip code is not needed." He added, "The use of this third-party API is very difficult to lock down. As a data center operator, if its application calls an API outside the data center, it may not know anything about it."

  From the back end to the front end

  In the past, enterprise applications communicated with each other within the internal network and could be safely hidden behind a firewall. This meant that access and authentication were not a major concern for developers; implementing a large number of security checks is cumbersome, slows down development and interferes with functionality. Today, with hybrid data centers and everything moving to the cloud, APIs no longer have the enterprise firewall's protection, but developers often forget this and accidentally expose them.

  Humberto Gauna, a consultant at Bumber Security, said, "Protecting the API is not difficult. But it requires a certain amount of resources, which will increase the company's cost." He suggested that companies involve security professionals in the early stages when building a new API.

  Typically, data center security managers have no say in how developers write their APIs. But they can ensure that internal databases and servers are properly protected and that cloud-based services are properly configured. They can also set up API gateways for on-premises environments and cloud computing deployments.

  The advantages and disadvantages of API gateways

  Not all experts believe that API gateways are a good idea.

  When enterprises aggregate all API traffic through one or more API gateways, they can ensure that basic security policies (such as encryption, authentication, and access control) are fully implemented. The gateway can also perform other operations, such as load balancing and DDoS protection.

  API gateways can be set up for on-premises data centers, and most major cloud computing providers offer them as services for systems hosted on their infrastructure. Barak of Cybereason says the process starts with creating a catalog of all APIs exposed by the data center. He said, "It's a core component of a good security platform, but many people don't adopt it. Keeping the catalog up to date is difficult, especially when developing new microservices and launching them in days or even hours." Next, companies must use their own tokens (such as API keys or OpenID identifiers) to identify each API, and control access to data and services based on these tokens. Barak said, "Without an authorization token, enterprise developers cannot expose new APIs, but must register the APIs."

  Finally, the data center can set up a gateway for API traffic. He said that by implementing secure channels, including encryption and signatures, data centers can have a huge impact on API security. But some experts say that it can be difficult to get all developers in the enterprise on board.
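  The gateway checks described in the steps above (a catalog of registered APIs, a token on every protected call) together with the two earlier examples, the flight-booking flow where payment must precede booking and the unauthenticated city-list lookup that needs throttling, as an added Python example; this is not code from the article or from any vendor it quotes, and the routes, API key, window and limits are constructed assumptions:

```python
import time
from collections import defaultdict, deque

# Constructed API catalog: only registered routes are forwarded, which is the
# "register the API" step; unregistered routes are rejected outright.
API_CATALOG = {
    "GET /cities": {"auth": False, "rate_limit": 5},  # public lookup, throttled
    "POST /quote": {"auth": True},
    "POST /pay": {"auth": True},
    "POST /book": {"auth": True, "requires": "paid"},  # booking needs a payment first
}
# Constructed token store (stand-in for API keys / OpenID identifiers).
API_KEYS = {"key-alice-123": "alice"}

class Gateway:
    def __init__(self, window=60):
        self.window = window            # rate-limit window in seconds
        self.hits = defaultdict(deque)  # route -> timestamps of recent calls
        self.state = {}                 # (client, quote_id) -> workflow stage reached

    def handle(self, method, path, headers, body, now=None):
        """Return (status, reason) for one API call, enforcing catalog,
        token, rate limit and step ordering before it would be forwarded."""
        now = time.time() if now is None else now
        route = f"{method} {path}"
        spec = API_CATALOG.get(route)
        if spec is None:
            return 404, "unregistered API"
        client = None
        if spec.get("auth"):
            client = API_KEYS.get(headers.get("X-API-Key", ""))
            if client is None:
                return 401, "missing or unknown token"
        limit = spec.get("rate_limit")
        if limit:  # sliding window: drop stale hits, then count the rest
            q = self.hits[route]
            while q and now - q[0] > self.window:
                q.popleft()
            if len(q) >= limit:
                return 429, "rate limited"
            q.append(now)
        qid = body.get("quote_id")
        if route == "POST /pay":
            self.state[(client, qid)] = "paid"  # record that payment happened
        if spec.get("requires") and self.state.get((client, qid)) != spec["requires"]:
            return 409, "workflow step out of order"  # e.g. booking before paying
        return 200, "ok"
```

  A real gateway would also log each rejection (status, route, token) so the security team can see bypass attempts and floods as they happen.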

  Adam Kujawa, director of San Jose-based security vendor Malwarebytes Labs, said, "This would be an ideal choice. But data center operators cannot force their customers to do so. However, what they can do is offer an API gateway as a service to their customers or enterprise users. If they don't use the service, they need to make sure they are isolated to avoid infecting other parts of the data center." Another challenge is that API gateways cannot always be deployed on all platforms, and there are differences between providers, which complicates management.

  In addition, the API gateway may be a single point of failure, adding complexity and management overhead. Doug Dooley, COO of Palo Alto-based application security vendor Data Theorem, said, "Our customers are building microservices. One of them is of incredible scale and is deployed in dozens of data centers worldwide; there are different discrete pieces of code, they all communicate through APIs, and there are thousands of APIs in the enterprise."

  He said, "In this case, it is meaningless to try to enforce all operations through the API gateway. It is not scalable or cost-effective, and it is simple to bypass this bottleneck."

  Tim Woods, vice president of technology alliances at FireMon, proposed a distributed approach to API security. This approach may be more dynamic and flexible, and for edge computing applications it is also faster. He said: "Whenever a company has to go to a central clearinghouse or a central gateway, it must worry about latency."

  Nitzan Miron, vice president of application security product management at Barracuda Networks, said that companies also have trouble finding all the APIs active in their infrastructure, especially when that infrastructure includes public clouds. He said, "Traditional network inventory (scanning IP ranges) is of no value when IPs are dynamically allocated by public cloud providers, or even multiple providers."

  But he added that API gateway tools have matured and have recently started adding features to properly audit and control API access. He said: "As these tools mature and become easier to use, the challenge of finding the right tools and installing them on all company APIs and applications without disrupting the business will become smaller and smaller."

Source: www.cnblogs.com/jinsexiaomifeng/p/12685160.html