Principles of API attacks, and how to identify and prevent them


Attackers know how to evade WAFs and API gateways when targeting APIs. Here are some examples of companies dealing with the rapid growth of API attacks.

In early May, Pen Test Partners security researcher Jan Masters discovered that he could query Peloton's official API and obtain other users' private data without any authentication, and that protection of that data on the user's local device and on the cloud server was inconsistent.

The data included the user's age, gender, city, weight and exercise statistics, and even revealed information such as birthdays that users had set to private in their profile settings.

Application programming interfaces (APIs) allow for easy machine-to-machine communication. Today, the use of APIs in application development has become a new standard of practice. By integrating the functions of third-party services, developers no longer need to build all the functions from scratch, which can speed up the development process of new products and services.

The use of APIs has exploded in recent years. According to Akamai, API communications now account for over 83% of all internet traffic.

While APIs underpin the interactive digital experiences users are accustomed to and are the foundation of a company's digital transformation, they also provide malicious hackers with multiple ways to access company data, and are the root of many security problems.

In addition to Peloton, companies involved in API-related cybersecurity issues that have recently been exposed in the news include Equifax, Instagram, Facebook, Amazon, and Paypal.

API application and rising attack trend

According to a Salt Security report released in February this year, 91% of companies had API-related security issues in the last year. The most common were vulnerabilities, affecting 54% of organizations surveyed, closely followed by authentication issues (46%), bots (20%), and denial of service (19%).

80% of organizations believe their security tools are not effective at preventing API attacks. Additionally, the Salt Security survey found that two-thirds of organizations are slowing the rollout of new applications into production because of API security concerns. Salt's customers all have web application firewalls (WAFs) and API gateways in place, yet they still experience multiple API attacks per month, which means these tools alone can no longer prevent API attacks.

In fact, according to Salt, WAFs and API gateways cannot stop 90% of the OWASP API Security Top 10 threats.

The sad reality is that more than a quarter of organizations run critical applications on critical APIs without any security policy. Peloton, for example, initially exposed an API through which anyone, anywhere could access user data without any authentication.

It's not uncommon for APIs to have bugs. According to a Salt Security report, 82% of organizations lack confidence in knowing API details, such as whether an API carries personally identifiable information (PII) like customer proprietary network information, protected health information, or cardholder data, while 22% of organizations say they have no way of knowing which APIs expose sensitive data.

Roshan Piyush, a security research engineer at Traceable, said that Peloton's mistake was exposing an unauthenticated API; other companies that have run into the same problem include Panera, Fiserv, LifeLock and Kay Jewelers. Such cases are too numerous to list. In short, authentication and authorization protection for APIs is ignored during development.
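The Peloton case above comes down to an endpoint that serves any user's profile to any caller. The following is an added example, not Peloton's code: a toy profile handler first written the way the article describes, then hardened so that it demands a bearer token, lets users see only their own full profile, and honours the privacy settings of other users. The user store, tokens and field names are constructed for the demo.

```python
# Constructed demo (not Peloton's code): a toy user-profile API handler,
# first as the kind of endpoint described above, then a hardened version.

# Constructed sample data; "private" lists the fields a user hid in their
# profile settings (the article notes birthdays were leaked despite this).
USERS = {
    "u1": {"name": "Ann", "age": 34, "city": "Berlin", "weight": 61,
           "birthday": "1990-02-14", "private": ["birthday", "weight"]},
    "u2": {"name": "Bob", "age": 41, "city": "Austin", "weight": 88,
           "birthday": "1983-07-09", "private": []},
}
# Bearer token -> user id (constructed; a real service verifies signed tokens).
TOKENS = {"tok-ann": "u1", "tok-bob": "u2"}
PROFILE_FIELDS = ("name", "age", "city", "weight", "birthday")


def vulnerable_profile(user_id, headers):
    """No authentication, no authorization, no field filtering:
    anyone can read anyone's full profile, privacy settings ignored."""
    user = USERS.get(user_id)
    if user is None:
        return 404, {"error": "not found"}
    return 200, {k: user[k] for k in PROFILE_FIELDS}


def hardened_profile(user_id, headers):
    """Require a valid token, then return only what the caller may see."""
    auth = headers.get("Authorization", "")
    caller = None
    if auth.startswith("Bearer "):
        caller = TOKENS.get(auth[len("Bearer "):].strip())
    # Reject before the lookup so unauthenticated callers cannot even
    # learn which user ids exist.
    if caller is None:
        return 401, {"error": "authentication required"}
    user = USERS.get(user_id)
    if user is None:
        return 404, {"error": "not found"}
    if caller == user_id:
        return 200, {k: user[k] for k in PROFILE_FIELDS}
    # Another user's profile: drop the fields they marked private, and never
    # echo the privacy list itself.
    visible = {k: user[k] for k in PROFILE_FIELDS if k not in user["private"]}
    return 200, visible
```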

A Bank's API Application Growth Story

Jeff Serota, a cybersecurity technology manager at a midsize financial institution, said his company's use of APIs has grown dramatically over the past few months. Today, APIs connect about 3,000 endpoints, including internal applications, applications belonging to business partners, and customer-facing websites and mobile devices.

But this is just the beginning. According to the company's development plan, API applications will increase rapidly in the next three years. Their goal is to eliminate all on-premises data centers and move to web services and APIs for everything.

According to Serota, the company's API calls go through four main URLs, and different services include different parameters in their API calls. This approach creates a protective layer. "Because there's a lot of risk in using the API, we're actually obfuscating some of the API endpoint names to make it harder to be laterally attacked or detected and used for malicious purposes," he said.

The agency has also been consolidating multiple API gateways into one main gateway for the past six months. And for the API gateway, the company chose Apigee, an API security vendor that Google acquired in 2016.

Some companies have had problems trying to have a single gateway for all developers, or worried about potential bottlenecks, single points of failure, or DDoS attacks. But Serota said that is not the case at his company. On the contrary, their developers prefer the API gateway approach because, as a SaaS-based, multi-region service, the gateway actually offers them better availability and lower latency.

For example, one API was expected to have 10 million transactions per month, but 200 million transactions occurred within the first two weeks after launch. And they didn't experience any lag or performance degradation. Currently, in their production environment, there are about 2 billion API calls per month, up from about 800 million two years ago, Serota said.

For authentication, the company's mobile and web-based applications use older Java technology, but they are using a software development kit to move it all over to API-based authentication. And for external partners, the company is also working to establish a zero-trust model for its API calls.

Previously, consumers accessing the institution through its own web or mobile applications had session persistence, so they did not need to go through the authentication process multiple times. Under the company's zero-trust model, session persistence of any kind is no longer allowed, nor are cookies of any kind: users must re-authenticate each time. Of the three requirements of security, convenience and speed, you can have two at once, but there is no way to have all three.

For APIs inside the corporate security perimeter there is another approach. Serota said that internally the company prefers something lighter than full zero trust: it currently uses IP Security (IPsec), and depending on what a service does, the service authenticates with more Active Directory-based methods.

Behavioral analytics can also be used to detect suspicious behavior in internal and external traffic and automatically filter out obviously bad requests. "We use everything from IP reputation to behavioral analysis to user and account patterns to analyze any suspicious behavior," Serota said. For example, we have a user who deposited $200 every other Friday and now deposits $800 every Wednesday. That's when it gets our attention. This is not only to protect our assets, but also to ensure that we proactively report possible instances of money laundering or human trafficking.

Serota also said that by using automation, the company was able to reduce the number of issues reaching its network operations center and cybersecurity incident response teams by 35 percent, with fewer false positives appearing on them.

Bot Attacks on APIs

API traffic is growing, but malicious API traffic is growing even faster. The data shows that Salt Security customers saw a 51 percent increase in monthly API calls, while malicious traffic increased by 211 percent.

An Akamai analysis of one month of API data from 100 enterprise customers in the financial services, retail, and media and entertainment industries found that of a total of 744 billion API calls, 12 percent came from known malicious actors, and 25 percent came from end clients that were neither web browsers nor mobile devices or applications, which means they may come from malicious actors rather than legitimate users.

Rishi Pande, managing director of cybersecurity at Ernst & Young, said traditional front-end applications (websites and mobile apps) have protections against attackers, including defenses against DDoS, credential stuffing and other automated attacks. However, even if the front end is protected, if the API gateway is not protected, the front end's security will also be compromised.

APIs are evolving rapidly, and some enterprises believe their technology can provide adequate protection, when in fact the tools themselves are not ready for the challenge.

In fact, attacks targeting the API layer are becoming more popular with hackers because it's more anonymous, and APIs are often less protected than websites and mobile apps. It could even be argued that API security today is what application security was in 2009.

Once an attacker has disassembled a mobile app and figured out how it communicates, they can use the same API channel to send requests. Artificial intelligence and machine learning can help defend against this, because API requests made by bots look different than those made by real humans using legitimate applications.

It's Time to Solve the Island Problem

Postman's 2020 State of the API Report, which surveyed more than 13,500 developers, found that only 36% of companies conduct security testing on their APIs. This compares to 70% of companies doing functional testing and 67% doing integration testing.

According to SmartBear's "2020 API Status Report", usability is developers' biggest concern for APIs, followed by functionality, and then security.

Part of the problem is that development teams and security teams, and security teams and network and infrastructure teams are working in silos with insufficient communication and collaboration. The solution to the silo problem is DevSecOps. Now we can integrate the tests and give control of the tests to the application developers. We want to make everyone a member of the security team.

Building security into the application development process from the start is more important than trying to secure things with technologies like API gateways. Companies should focus on better architecture, better security, and better API calls. Doing this can take a long time, but better protection requires the development of more secure applications. As long as the application is strong enough to resist attacks, we don't need other elements to provide additional security.

Today, developers are starting to understand more about security through DevSec teamwork. However, there are still many problems when it comes to API security. The first is the question of business logic, which is one of the key aspects of application security. The challenge of finding and mitigating logic issues is magnified as monolithic applications are decomposed into small services connected through APIs. The application can function exactly as it was designed, the authentication mechanism can be completely secure, it can be completely free from vulnerabilities, but if there is a problem in the coding, a breach can still occur.

Then there's the standard set of vulnerabilities to watch out for. The fact that the 2019 OWASP API Top 10 Threats have not changed over the past two years shows that we are experiencing the same problems over and over again.

Finally, with insufficient personnel manually monitoring API security, organizations need to investigate tools, automation, scanning techniques, and telemetry monitoring to determine how APIs are being called and look for anomalous behavior that could indicate malicious misuse.
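As an added example of the telemetry-driven anomaly detection described above (not code from the article or from any vendor it names), the following scores constructed API gateway log lines per client, flagging the signals the text discusses: walking through many distinct user profiles, unauthenticated requests, and clients that are neither a browser nor the known mobile app. The log format, the legitimate user-agent prefixes and the threshold are assumptions.

```python
# Constructed example: scoring API gateway access logs for anomalous clients.
# Log format, user-agent allow-list and threshold are assumptions for the demo.
import re
from collections import defaultdict

LOG_RE = re.compile(r'^(?P<ts>\S+) client=(?P<client>\S+) ua="(?P<ua>[^"]*)" '
                    r'auth=(?P<auth>yes|no) (?P<method>[A-Z]+) (?P<path>\S+)$')
USER_PATH_RE = re.compile(r"^/api/user/(\d+)")
# Assumed legitimate agents: browsers and the organisation's own mobile app.
KNOWN_UA_PREFIXES = ("Mozilla/", "ExampleApp/")

# Constructed sample lines: one app user reading their own profile, and one
# scripted client enumerating consecutive user ids without authenticating.
SAMPLE_LOGS = """\
2021-05-03T10:00:01Z client=198.51.100.7 ua="ExampleApp/2.1 iOS" auth=yes GET /api/user/1001
2021-05-03T10:00:04Z client=198.51.100.7 ua="ExampleApp/2.1 iOS" auth=yes GET /api/user/1001/workouts
2021-05-03T10:00:05Z client=203.0.113.5 ua="python-requests/2.25" auth=no GET /api/user/1001
2021-05-03T10:00:05Z client=203.0.113.5 ua="python-requests/2.25" auth=no GET /api/user/1002
2021-05-03T10:00:06Z client=203.0.113.5 ua="python-requests/2.25" auth=no GET /api/user/1003
2021-05-03T10:00:06Z client=203.0.113.5 ua="python-requests/2.25" auth=no GET /api/user/1004
""".splitlines()


def parse(lines):
    """Yield parsed records, silently skipping lines in an unexpected format."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def score_clients(lines, max_distinct_users=3):
    """Return {client: [reasons]} for every client whose traffic looks anomalous."""
    users_seen = defaultdict(set)   # client -> distinct user ids touched
    unauth = defaultdict(int)       # client -> count of unauthenticated calls
    odd_ua = defaultdict(bool)      # client -> any non-browser, non-app agent
    for r in parse(lines):
        m = USER_PATH_RE.match(r["path"])
        if m:
            users_seen[r["client"]].add(m.group(1))
        if r["auth"] == "no":
            unauth[r["client"]] += 1
        if not r["ua"].startswith(KNOWN_UA_PREFIXES):
            odd_ua[r["client"]] = True
    findings = {}
    for c in set(users_seen) | set(unauth) | set(odd_ua):
        reasons = []
        if len(users_seen[c]) > max_distinct_users:
            reasons.append(f"accessed {len(users_seen[c])} distinct user profiles")
        if unauth[c]:
            reasons.append(f"{unauth[c]} unauthenticated requests")
        if odd_ua[c]:
            reasons.append("client is neither a browser nor the known mobile app")
        if reasons:
            findings[c] = reasons
    return findings
```

In a real deployment the same counters would be kept per time window and fed to the alerting path, so the threshold becomes "distinct profiles per minute" rather than per log file.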

Warehousing and logistics companies gain API security visibility

It's easier than ever for developers to launch web services and set up APIs. Still, like any other new technology, security often lags.

While developers are using new security controls, legacy systems may still exist. These outdated zombie APIs pose a huge security risk. In addition, those APIs that were originally planned for short-term use but not retired in time will also bring great risks.

We can't protect what we don't know! We must be clear about what we have in order to protect it, which is the first priority.

Today, Prologis has nearly 1 billion square feet of space and approximately 5,000 warehouses in 19 countries around the world. When people hear that Prologis is a warehouse company, they tend to ask, "How can you be developing high technology?" However, Prologis executives clearly understand that technology is a business enabler, not a cost center. So, as early as four years ago, the company started developing customer-facing systems.

Now, with the cloud-based Prologis Essentials platform, customers can submit a service ticket or check a ticket's status at any time, and, more importantly, when someone moves into a new warehouse the platform can put them in touch with local providers of pest control, forklifts, lighting and other required services.

According to Warren, Prologis Essentials is almost entirely serverless and relies mainly on AWS Lambda functions, so there are no legacy system issues to deal with. The platform uses AWS API Gateway and has about 15 APIs serving 500 endpoints, including internal connections as well as integrations with external business partners. Last month, the system handled 529,000 API requests.

But Warren found that AWS doesn't provide much visibility into the APIs. To solve this, Warren's team tried many approaches, none of them satisfactory. They wanted a technology that was easy to deploy without getting in the development team's way. Ultimately, Prologis chose the Salt Security solution.

They had originally planned to integrate the Essentials system with Salt Security in 2021, but moved the schedule forward: API attack surfaces were attracting more and more attention, malicious actors had already discovered many of them, and they could not afford to take the risk.

In the end, integrating the Essentials system with Salt Security took about a month, because many aspects had to be tested repeatedly until the developers were satisfied with the results and performance was not compromised.

The tool sits in the AWS environment and listens to traffic at the API gateway, collects logs and metadata, and sends them to Salt's SaaS dashboard for alerting and reporting, which gives Prologis good API security visibility.

The system has been up and running since last fall. It can connect to a WAF and trigger actions automatically, send reports for security personnel to review manually, and look for potential PII leaks. It also catches situations such as an API returning far more information than necessary, a problem many enterprises must watch for when exposing APIs. Remember: if you don't have to return it, don't!



Origin blog.csdn.net/qq_53225741/article/details/131968432