Ruishu Information releases the "2023 API Security Trend Report": API attacks keep rising and Bot weapons get smarter

Today, APIs, as the main channel for connecting services and transmitting data, have become a new kind of infrastructure in the digital age, but the security problems that come with them have grown just as prominent. To help industries cope better with API security threats, Ruishu Information, one of the first vendors in China to obtain the "cloud native API security capability" certification, has published its views on API security for several years and has provided a reference guide to API protection for government and enterprise users.

Today, Ruishu Information officially released the "2023 API Security Trend Report" (hereinafter the "Report"), which analyzes the API threat landscape, attack methods and API security development trends in depth, examines typical API attack cases, and, in light of these trends, offers protection suggestions.

The Report points out that, with the growing number of API calls and the rise of automated tools, API attacks continue to increase, and risks such as poor API asset management, automated attacks, business fraud and data leakage pose new challenges to enterprise business security. At the same time, with remote work and the migration of enterprise applications to the cloud, API threats are becoming more complex. As artificial intelligence, machine learning and related technologies develop, automated Bot attack methods are becoming more intelligent: they can quickly and accurately scan for API vulnerabilities or launch attacks against APIs, posing a serious threat to the system.

1. Analysis of API Threat Situation
With the development of digital technology and the explosive growth in the number of Web APIs, the share of security attacks aimed at APIs has exceeded that of traditional web vulnerability attacks. APIs and mini-programs have gradually become the traffic entry points of many enterprises and organizations and are drawing more and more attacks: attackers break into web applications through API interfaces and use them as a springboard into the target network.

The Report points out that more and more attackers are using APIs to carry out automated "high-efficiency attacks". Data security incidents caused by exploited API vulnerabilities or weak security management have seriously damaged the rights and interests of the affected companies and users, and are gradually drawing attention from all sides. Among the web attacks detected in 2022, the proportion of attacks against APIs exceeded 70%.

According to the relevant statistics, API attacks increased by about 60% in 2022 compared with 2021. Although most organizations worked from home in 2022 because of the pandemic, attacks by black- and gray-market groups did not stop; they increased.

2. Difficulties in API security protection
Unlike traditional web protection, API security protection has broader requirements, including asset management, defect identification, attack detection, Bot detection, parameter inspection, behavior identification and access control. Any capability that is missing or weak affects the overall protection effect:

01 Multiple channels and boundaries make comprehensive protection difficult

The diversification of access entry points has brought with it a diversification of deployment boundaries for business applications: Web, mobile app, mini-program, third-party platform and other business access channels. This expands the exposed attack surface and increases the complexity of risk management and control. Bringing the protection of multiple service access channels under one protection system is therefore one of the difficulties of API protection.

02 Scattered interfaces and diverse transmission formats make interfaces hard to discover

Comprehensive and accurate API discovery is the basis of API protection, so automatically identifying and classifying API interfaces is especially important. Unlike traditional web applications, whose structure provides a single entry point, APIs mostly exist as scattered, independent endpoints accessed point-to-point, so they cannot easily be discovered by following links between interfaces. At the same time, the diversity of transmission formats (JSON, XML, GraphQL, etc.) makes API identification harder still.

03 Tight coupling to business logic makes protection strategies hard to generalize

APIs are tightly coupled to the business, and protection strategies for APIs are usually business-specific, which makes it hard for an API protection strategy to be reused across businesses. The rapid iteration of applications under microservice architectures and DevOps further magnifies this difficulty. Solving it is a key challenge for the rapid deployment and adoption of API protection products.

04 Abuse under legitimate authorization is hard to identify

At present, API access control after authorization is relatively weak. According to the "State of API Security" published by the overseas security vendor Salt Security, 95% of API attacks occur after authentication. API protection therefore needs to focus on attacks, abuse and excessive data exposure carried out under legitimate authorization. How to identify abnormal access among requests that hold legitimate authorization is a problem API protection must solve.

3. Analysis of API attack characteristics

In the confrontation between attack and defense, the attacker usually holds the initiative. Understanding the attacker's intrusion methods and means, discovering the potential weaknesses of the information system, and using this as the basis for prevention will therefore greatly improve the protective effect. In the face of ever more serious API security threats, the Report analyzes the characteristics of API attacks from several angles: industry distribution, defect analysis, type analysis and API attack methods.

1 Industry distribution
Differences in applications and business forms across industries lead to different patterns of API usage. The Internet sector accounts for the highest share of API request traffic, followed by finance and telecom operators.

2 Defect analysis
The OWASP reference defines a variety of API defects, but they are often hard to map one-to-one onto a user's production environment. To present these defects more intuitively, Ruishu Information has regrouped them. The most common API defect is excessive data exposure, followed by parameter traversal, unauthorized access, parameter tampering, plaintext password transmission and interface error exposure.

3 Type analysis
Different types of API functions face different levels of attack. Interfaces that lend themselves to automated Bot attacks, such as public data query, login and order placement interfaces, are the most heavily attacked.

4 Attack methods
Because an API combines application and business logic, it faces a double threat. In addition to traditional attacks such as SQL injection, SSRF and malicious file upload, it also faces business-level attacks such as unauthorized access and information traversal.
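The risk described in 04 above (abuse by a caller that already holds legitimate authorization) and the parameter-traversal defect from the defect analysis can both be checked against API access logs. The following is an added example, not code from the Report or from Ruishu Information: the log format, the tokens `tok_A`/`tok_B`, the `/api/v1/orders/{id}` endpoint and the thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample access log (not real data): time, caller token, method, path, status.
SAMPLE_LOG = """\
12:00:01 tok_A GET /api/v1/orders/1001 200
12:00:02 tok_A GET /api/v1/orders/1002 200
12:00:02 tok_A GET /api/v1/orders/1003 403
12:00:03 tok_A GET /api/v1/orders/1004 200
12:00:03 tok_A GET /api/v1/orders/1005 403
12:00:04 tok_A GET /api/v1/orders/1006 200
12:00:05 tok_B GET /api/v1/orders/2201 200
12:00:09 tok_B GET /api/v1/orders/2201 200
12:00:15 tok_B GET /api/v1/orders/2207 200
"""

# Assumed line layout: <time> <token> <method> <endpoint>/<numeric object id> <status>
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+?)/(\d+) (\d{3})$")

def parse_log(text):
    """Yield (token, endpoint, object_id, status) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            _, token, _, endpoint, obj_id, status = m.groups()
            yield token, endpoint, int(obj_id), int(status)

def detect_traversal(text, min_ids=5, max_gap=1):
    """Flag authenticated callers that walk object IDs on one endpoint.

    A caller is flagged when it requests at least `min_ids` distinct IDs on the
    same endpoint and those IDs step by at most `max_gap` (sequential enumeration).
    Denied responses (401/403/404) are counted as supporting evidence, but a caller
    that only receives 200s is still flagged, since excessive data exposure means
    the traversal may succeed without any access-control error.
    """
    per_caller = defaultdict(lambda: {"ids": set(), "denied": 0})
    for token, endpoint, obj_id, status in parse_log(text):
        rec = per_caller[(token, endpoint)]
        rec["ids"].add(obj_id)
        if status in (401, 403, 404):
            rec["denied"] += 1
    findings = {}
    for (token, endpoint), rec in per_caller.items():
        ids = sorted(rec["ids"])
        steps = sum(1 for a, b in zip(ids, ids[1:]) if b - a <= max_gap)
        if len(ids) >= min_ids and steps >= min_ids - 1:
            findings[token] = {"endpoint": endpoint, "distinct_ids": len(ids),
                               "sequential_steps": steps, "denied": rec["denied"]}
    return findings
```

On the sample above only `tok_A` is flagged: it walks six consecutive order IDs while authenticated, two of which were denied, whereas `tok_B` repeats one ID and reads one other.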

4. API Security Development Trends and Protection Suggestions

With the explosive growth in the number of APIs, API security risks are further exacerbated. Combining the analysis of the API threat landscape with the attack characteristics, the Report predicts four major trends in API security: automated Bot attacks intensify API security risks; API security management becomes more intelligent; API security becomes an important component of cloud application security; and compliance requirements become an element of API security.

Based on this, the Report states that the main idea for building defenses against these new API risks can be summed up as "one foundation, four perceptions".

The one foundation is API asset management, which underpins all security protection: it ensures that every API that has gone live is within the scope of control, so that no API slips through the net and breaks the defense line.

The four perceptions are: environment awareness, which strengthens awareness of the environment from which an API is called and improves the ability to assess the security of the caller's environment; risk awareness, which detects the API's own defects and external attack risks; data awareness, which identifies sensitive data and, in combination with industry classification and grading standards, applies the corresponding security policies and controls, comprehensively improving the monitoring of sensitive information; and business awareness, which formulates an API security strategy suited to the business and improves understanding of business behavior.

5. Conclusion
In the digital age, APIs bring many benefits to developers, but they also greatly increase the new risks facing application systems. According to Gartner's forecast, "By 2022, API misuse will become the most common attack vector leading to enterprise web application data breaches. By 2024, API misuse and related data breaches will almost double." How to view API security risks correctly and protect API security effectively will become a compulsory course for every enterprise.

Source: blog.csdn.net/weixin_43634380/article/details/132225160