Common security mechanisms for API interface data flow

01 What is an API?

Baidu Encyclopedia gives the following definition of API:

API (Application Programming Interface) is a set of predefined functions, or a convention for connecting the different components of a software system. Its purpose is to give applications and developers access to a set of routines based on a piece of software or hardware, without having to access the source code or understand the details of its inner workings.

Put simply, an API is a way of providing services to customers. When an enterprise or data center provides an API to customers, it has established a set of dedicated URL channels, and the service returns pure data in response.

In many cases, the API itself can be packaged as a service model. For example, Weather Underground sells access to its weather data API, and Huawei also has a service model for its APIs that charges for requests beyond a free quota.

API interfaces are the basis for data sharing and openness. As digitalization advances, more and more enterprises and data centers are encapsulating services as data interfaces and opening them for third parties to use.

Generally speaking, API interfaces fall into three categories: open APIs, partner-oriented APIs and internal APIs, as shown in Table 1.

API type             | Introduction
Open API             | An application programming interface that is open to the public network and allows public calls; the caller does not need to establish a cooperative relationship with the API provider.
Partner-oriented API | An application programming interface for data interaction, communication and system integration between an organization and its external partners and users.
Internal API         | An application programming interface used only within the organization, to coordinate the calling relationships between different internal systems and applications.

Table 1: API classification

Open API (OpenAPI) is the category most used by developers. Thanks to advantages such as standardization and versatility, it is increasingly used in scenarios that demand fast service delivery. In the era of open data sharing, almost no one can build information systems and apps without APIs.

API is the basis for sharing and openness. As shown in Figure 1, the main value of APIs can be summarized in three points:

  • Open data sharing lets us reach customers more accurately and provide richer services.

  • Aggregating API interfaces transforms application scenarios and business models.

  • Quick access to massive data through API interfaces increases the value of that data.

Figure 1: API is the basis for sharing and openness

02 Main risks faced by API interfaces

The following eight API security risks deserve our attention (Figure 2):

Figure 2: Main risks faced by API interfaces

In the past, applications could hide safely behind firewalls. Today, APIs have become the key to enterprise applications, making their features richer and more dynamic. With digital transformation, data is constantly being connected, and APIs have become an important link in the circulation of data. This is a good thing, but at the same time APIs enlarge the attack surface, sit outside firewall protection, and are often exposed by accident.

The data types transmitted by API interfaces are complex and changeable, and some interfaces carry sensitive business data and personal privacy data. Once such data is leaked or stolen, enterprises face major compliance risk and the risk of confidential data exposure. Behind many major data breaches is an API that was compromised, leaked or attacked.

03 Common solutions for API security

In 2019, OWASP released its API Security Top 10. However, because the scope of API security is so broad, many common security issues were not covered by it.

The API security market is at a relatively early stage, and few domestic vendors specialize in API security. From a market perspective, there are two main categories of solution: API gateway solutions and API security solutions based on data flow analysis.

1. API gateway solution:

The usual approach is to set up API gateways for both on-premises and cloud deployments, with the data center offering them as a hosted service.

Unfortunately, not every API gateway is a good idea. Most of the API proxies and gateways currently on the market address only a few of these risks and cannot provide comprehensive protection against them.

API gateways do have advantages: by funneling all API traffic through a gateway, you can ensure that basic security policies (such as encryption, authentication and access control) are fully enforced, and you can also implement policies such as load balancing and DDoS protection.

This seems like the ideal choice, but reality falls short.

First, the whole process must start with building an API catalog that covers every API the data center exposes. But keeping the catalog up to date is difficult, especially in today's era of rapid iteration, where new services roll out within days or even hours.

Second, tokens are used to identify each API and control access to data and services; developers without an authorization token cannot expose new APIs. But the experience of some companies shows that getting every developer on board can be harder than expected.

Third, offering the API gateway as a managed service is a fine idea, but the data center cannot, and has no way to, force customers to use it.

Fourth, a single point of failure and latency at the central gateway are hidden dangers that API gateways cannot avoid, and they add to data center complexity and management overhead. With an enterprise's thousands of APIs communicating through the gateway, a single point of failure and added latency are a nightmare.

2. API security solution based on data flow analysis

This approach uses AI and small-sample deep learning to analyze API access behavior and traffic in order to discover abnormal API access. Such data-flow-analysis-based API security solutions can achieve dynamic protection across all scenarios and comprise four main categories, as shown in Figure 3.

Figure 3: API full-scenario dynamic protection

Illegal call protection: mainly includes preventing unauthorized API calls, checking API security verification mechanisms, identifying unauthorized API access, traversal detection, etc.

Malicious access protection: mainly includes continuous monitoring of API interface access behavior, identification of attack access against API interfaces, etc.

Data leakage prevention: mainly includes monitoring API interfaces that transmit sensitive data, preventing sensitive data from being obtained beyond its intended scope, etc.

Abuse prevention: mainly includes monitoring high-frequency access to API interfaces, identifying API data crawling behavior, detecting abnormal source addresses for high-privilege accounts, identifying API data aggregation and analysis behavior, etc.
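As an added illustration (not code from the original article or any vendor product), the following Python sketch runs three of the checks listed above over a few constructed API access-log lines: high-frequency access (abuse prevention), sequential ID traversal (illegal call protection) and bulk retrieval of sensitive fields (data leakage prevention). The log format, the thresholds and the phone-number pattern are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (not from the article):
# "HH:MM:SS client method path status response-body"
LOG_LINES = [
    '10:00:00 app GET /api/v1/users/1001 200 {"name":"Li","phone":"13800000001"}',
    '10:00:05 app GET /api/v1/orders/77 200 {"total":42}',
] + [
    # a scraper walking user IDs in order: six requests within ten seconds
    f'10:01:{i:02d} bot GET /api/v1/users/{2000 + i} 200 {{"name":"U{i}","phone":"1390000000{i}"}}'
    for i in range(6)
]

USER_PATH = re.compile(r"^/api/v1/users/(\d+)$")   # assumed resource-by-ID path
PHONE = re.compile(r"\b1[3-9]\d{9}\b")              # assumed mobile-number pattern

def _seconds(hms):
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s

def analyze(lines, window=60, rate_limit=5, enum_len=4):
    """Return {client: [alert, ...]} for clients whose access pattern trips a check."""
    times, ids, sensitive = defaultdict(list), defaultdict(list), defaultdict(int)
    for line in lines:
        ts, client, _method, path, _status, body = line.split(" ", 5)
        times[client].append(_seconds(ts))
        m = USER_PATH.match(path)
        if m:
            ids[client].append(int(m.group(1)))
        if PHONE.search(body):          # sensitive field present in the response
            sensitive[client] += 1
    alerts = {}
    for client, ts in times.items():
        found = []
        ts.sort()
        # sliding window: more than rate_limit requests inside any `window` seconds
        if any(ts[j] - ts[i] < window and j - i + 1 > rate_limit
               for i in range(len(ts)) for j in range(i, len(ts))):
            found.append("high_frequency")
        seq = ids[client]               # strictly consecutive IDs suggest traversal
        if len(seq) >= enum_len and all(b - a == 1 for a, b in zip(seq, seq[1:])):
            found.append("id_enumeration")
        if sensitive[client] >= enum_len:
            found.append("sensitive_data_scraping")
        if found:
            alerts[client] = found
    return alerts

if __name__ == "__main__":
    print(analyze(LOG_LINES))
```

In a real deployment the same counters would be kept per client per window in a stream processor rather than recomputed over a list, and the thresholds tuned to each interface's normal traffic.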


Origin blog.csdn.net/Jernnifer_mao/article/details/133456726