API Security is one of the top concerns for most organizations. The headlines are full of news of cybersecurity attacks and APIs are becoming a bigger target every day. Recently, I had the opportunity to join Keith Casey and Matthias Biehl where we looked a little deeper into the API attacks that have been in the news and discussed how these could have been prevented. Keith Casey has authored a book on API design and has had an interesting career in security while working at organizations like Twilio, Okta, and now, ngrok. Matthias Biehl joined us from Software AG where he is an API strategist, and he is also the author of several books on APIs.
One notable story that highlights the importance of having a good strategy for API security was the incident with Twitter. For developers to use the Twitter API in mobile and web applications, it is necessary to get a generated API key from Twitter. Over 3,200 of these developers embedded these keys in their mobile apps and left them there when these apps went into production. While this is not an issue that Twitter had direct control over, it goes to show how users of your APIs can make mistakes that can affect your company. It is important to provide additional limits and restrictions on the use of API keys and combine this with other forms of API security like OAuth 2.0.
There are a few other API Security best practices that can be used in combination with API Keys such as placing short expiration windows on keys and rotating keys used, in case of accidental leaks. Another best practice is to limit the permissions that API keys have by default. Malicious attackers are going to look for the weakest link in your API security strategy. It is essential to combine proven best practices for API security alongside a properly implemented and configured API gateway, which is the core to your API security strategy.
In the past couple of years, Uber was also the target of an API incident that involved attackers being able to steal valuable data, including personally identifiable information (PII) records and authentication tokens of riders and drivers. One of the vulnerabilities that Uber suffered from was “Broken Object Level Authorization” or BOLA. Unfortunately, this is a common API vulnerability that involves the API verifying an authenticated user but not verifying that this user has permissions to be able to perform the actions that they are trying to take. APIs that have this vulnerability might have low-level users authenticate with the API and then try to access data that should require administrator access permissions. All resources need to run authorization checks before providing access. Using an API gateway can provide a highly granular level-of-access control necessary to prevent access control issues.
Peloton also made the headlines with its API vulnerabilities in 2021. Although Peloton’s case had some of the same vulnerabilities as other companies, they received an extra share of attention as President Biden made plans to bring his Peloton bike into the White House. The API vulnerabilities that Peloton’s API experienced were Broken Object Level Authorization, Broken User Authentication, and Excessive Data Exposure. Take a look at our API Resources to learn more about The OWASP Top Ten list for API Security and how you can properly protect and shield your APIs from attacks.
API Security can often feel like an overwhelming challenge but with the proper resources, you can secure your APIs by applying security policies, using rate limiting, and much more. webMethods API Management Platform was selected a Leader by Gartner for 5 consecutive years and is the highest current offering in the latest Forrester Wave. Its API Gateway has a comprehensive set of policies for threat protection, access control, and mediation. All types of APIs, API-mashups, and asynchronous APIs for event driven architectures are supported, both on premises and in multi-cloud deployments.
Software AG’s partnership with specialized API security vendors such as Cequence, NoName, and Salt enables businesses to complement the API Gateway with enhanced defenses for zero-trust cloud environments. Take a look at Software AG webMethods API Gateway solution today and protect your APIs, your data, your company, and your reputation.
About Brenton House
Brenton House is an ex-hacker, developer, API cybersecurity strategist, and VP of Digital Evangelism at Software AG. He is probably best known for his popular and creative YouTube channel where he talks about APIs and Cybersecurity.
In his 25+ years of experience, he’s worked across many industries including broadcasting, advertising, retail, financial services, supply chain, transportation, technology, and publishing — gaining a breadth of knowledge on all things APIs and Integrations. His diverse experience and unique creative skill sets have enabled him to equip organizations in creating innovative products that captivate and delight.