"Dangerous 'API'" is born in this way: Concerns about API security [Part 3]


Behind the scenes of applications and Internet of Things (IoT) devices, APIs (application programming interfaces) have become the commonplace way to interact with cloud services. Along with that, the risk of companies being attacked through their APIs is also increasing.

"The APIs used by cloud services are diversifying, and opportunities to use APIs are skyrocketing," said Karl Matson, chief information security officer (CISO) of API security vendor Noname Gate, who regards this as the most important issue in terms of security. "It's extremely difficult for both IT and security departments to keep up with the diversification and growth of these APIs," Matson said.

"It's difficult just to compose an intricately intertwined API," said Matson. "A large number of APIs have become extremely complex and diversified, making them 'moving targets'."


In August 2021, Arabind Bishwakarma, a researcher at security vendor Rapid7, found multiple vulnerabilities in the "S03 WiFi Security System", a home wireless LAN security product from home security equipment vendor Fortress Security Store. According to Bishwakarma's blog post, one of these vulnerabilities, "CVE-2021-39276", could allow unauthorized API access.

Why is a "dangerous API" born?


Dror Ally, a cloud solution engineer at cloud security vendor Global Dots, discovered a vulnerability that could reveal the vaccination status of individuals against the new coronavirus infection (COVID-19) in Israel. Ally found it on an Israeli ministry website while filling out his own health report form. The API endpoint (the unique address used to access the API) that the website called accepted an ID as its only input. He noticed that anyone who had a person's ID would be able to learn the vaccination status of the owner of that ID.

To make matters worse, these IDs are not tied only to vaccination status. In Israel, the government issues IDs to its citizens, and they are used everywhere, from payment services to point-of-sale (POS) systems.
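The flaw described above is a missing object-level authorization check: the endpoint trusts the ID in the request and returns whoever's record it names. The following is an added illustration, not the ministry's code and not Ally's write-up; the sample records, the request and response types, and the "health_officer" role name are all constructed for the example. It places the unprotected handler beside a hardened one that first authenticates the caller and then only serves the record the caller is entitled to read.

```python
"""Object-level authorization on an ID-keyed lookup endpoint (added example).

Constructed in-memory data; the Request/Response classes stand in for an
HTTP framework so the logic runs offline.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample store: national ID -> record. Values are hypothetical.
RECORDS = {
    "123456789": {"name": "A. Example", "doses": 2},
    "987654321": {"name": "B. Example", "doses": 0},
}


@dataclass
class Request:
    """Minimal request: the ID from the URL, plus the caller's identity as
    verified from a session or token (None when no valid credential was sent)."""
    id_param: str
    caller_id: Optional[str] = None
    caller_roles: Tuple[str, ...] = ()


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


def vaccination_status_vulnerable(req: Request) -> Response:
    """The pattern in the article: the only input consulted is the ID in the
    request, so knowing someone's ID is enough to read their record."""
    record = RECORDS.get(req.id_param)
    if record is None:
        return Response(404)
    return Response(200, record)


def vaccination_status_hardened(req: Request) -> Response:
    """Same lookup with authentication and object-level authorization."""
    # 1. Authentication: anonymous calls are refused outright.
    if req.caller_id is None:
        return Response(401)
    # 2. Authorization on the object: a caller may read only their own record,
    #    unless they hold an explicitly granted role (assumed name "health_officer").
    #    Returning 404 rather than 403 avoids confirming that the ID exists.
    if req.id_param != req.caller_id and "health_officer" not in req.caller_roles:
        return Response(404)
    record = RECORDS.get(req.id_param)
    if record is None:
        return Response(404)
    return Response(200, record)
```

The important design point is that the authorization decision compares the requested object against an identity the server itself verified, never against anything the client supplied in the URL or body.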

APIs for which vulnerability countermeasures are difficult

Insufficient security tools make API vulnerabilities even more dangerous. According to Sandy Calieri, principal analyst at research firm Forrester Research, one of the biggest challenges in ensuring API security is that "there's no single tool for it." In other words, finding and evaluating API vulnerabilities requires a combination of different tools, a multi-faceted approach. "We have to research all the API security tools out there and ask our colleagues and vendors, 'Is this the API we're dealing with?'"

Eliyaf thinks the biggest challenge for API security is ensuring the security of an API while the application is running. He believes the difficulty stems from attacks that are becoming increasingly sophisticated and unique.

There are also vulnerabilities created by design problems and misconfigurations in the API itself. These arise when someone modifies the source code of an API, whether for a web conferencing tool, a bank's web service, or a SaaS (Software as a Service) product. Since such vulnerabilities are not shared across products or services, they are generally not assigned Common Vulnerabilities and Exposures (CVE) identifiers. "The biggest challenge in APIs is that, in the absence of design and configuration standards, developers can learn their own development methods," Eliyaf speculates.

On the other hand, API security is also advancing. As an example of efforts to improve understanding of API vulnerabilities, Calieri cites the activities of OWASP (Open Web Application Security Project), a community that promotes the security enhancement of web applications. In 2019, the group created a category to classify the types of API vulnerabilities. It also published a list of the top 10 risks that threaten API security, the "API Security Top 10 2019".

Patrick Sullivan, CTO of Security Strategy at Akamai Technologies, singles out "lack of API rate limits" among the risks addressed by the API Security Top 10 2019. Rate limiting is a technique that limits the number of requests a client can make to an API in a given period. "APIs are less mature in security measures than web applications. This issue is more serious than any vulnerability with a CVE," Sullivan said.
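To make the rate-limiting control concrete, here is an added example of a per-client token-bucket limiter in front of an API handler. It is not Akamai's or OWASP's code; the refill rate, burst size, and the injected clock are assumptions chosen so the behaviour is deterministic and testable offline. Each client key (ideally the authenticated principal, falling back to the source address for anonymous traffic) gets a bucket that refills continuously; a request is served only if a token is available, otherwise the handler answers 429 with a Retry-After hint.

```python
"""Per-client token-bucket rate limiting for an API endpoint (added example)."""
import time
from dataclasses import dataclass
from typing import Callable, Dict


@dataclass
class Bucket:
    tokens: float   # currently available requests
    last: float     # clock reading at the last refill


class RateLimiter:
    def __init__(self, rate_per_sec: float, burst: int,
                 clock: Callable[[], float] = time.monotonic):
        self.rate = rate_per_sec        # tokens added per second
        self.burst = burst              # bucket capacity, i.e. the largest burst allowed
        self.clock = clock              # injected so tests can control time
        self.buckets: Dict[str, Bucket] = {}

    def _refill(self, key: str) -> Bucket:
        """Bring the client's bucket up to date with the elapsed time."""
        now = self.clock()
        b = self.buckets.get(key)
        if b is None:
            b = Bucket(tokens=float(self.burst), last=now)
            self.buckets[key] = b
        elapsed = max(0.0, now - b.last)
        b.tokens = min(float(self.burst), b.tokens + elapsed * self.rate)
        b.last = now
        return b

    def allow(self, key: str) -> bool:
        """Consume one token for this client if available."""
        b = self._refill(key)
        if b.tokens >= 1.0:
            b.tokens -= 1.0
            return True
        return False

    def retry_after(self, key: str) -> float:
        """Seconds until the client will have a whole token again (0 if it already does)."""
        b = self._refill(key)
        if b.tokens >= 1.0:
            return 0.0
        return (1.0 - b.tokens) / self.rate


def handle_request(limiter: RateLimiter, client_key: str) -> dict:
    """Gate a request on the limiter before doing any real work.

    Returns a constructed response dict: status 200 on success, or 429 with a
    Retry-After value when the client has exhausted its bucket.
    """
    if not limiter.allow(client_key):
        return {"status": 429, "retry_after": limiter.retry_after(client_key)}
    return {"status": 200}
```

Keying the bucket by the authenticated identity rather than only by IP address matters for the cases in this article: a single client cycling through candidate IDs against an endpoint like the vaccination-status lookup should exhaust its own quota regardless of how it distributes requests across addresses.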
