API - Security Software Glossary

What is an API?

An API (application programming interface) is a set of rules and protocols that allows software applications to communicate with one another. APIs define how requests are made and how responses are received, enabling integration between different systems and services. They are essential in modern web, mobile, and cloud applications, facilitating the exchange of data and functionality between components.

Summary

APIs are intermediaries that help different software systems to communicate and exchange data by defining how requests are made and responses are received. They facilitate data sharing and functionality across platforms, cloud services, and devices, like helping mobile apps to communicate with remote servers for fetching information. They come in various forms like RESTful APIs or GraphQL APIs, and are used across cloud services, social media platforms, and e-commerce apps.

But APIs are also prone to security risks like API abuse, attacks, and scraping. To secure your APIs, you can use API key management, secure storage of credentials, and follow an industry security checklist like the OWASP API Security Top Ten to safeguard against potential vulnerabilities. Ensuring the security of APIs, especially in cloud environments, helps prevent unauthorized access and data breaches.

Deep dive

API keys

API keys are tokens used to authenticate requests to an API. While they are easy to implement, they can be compromised if they are not stored securely. API keys must be managed carefully, with limited privileges and regularly rotated to prevent abuse. To secure API keys, developers should avoid hardcoding them in the source code because it leaves the keys exposed to potential attackers.

For example, the weather app you might use connects to a weather service's API to get the latest data, like current temperature and forecast. To access the weather data, the app sends a request to the service, which includes a unique key, or "API key," that proves it is authorized to use the service. It could look like:

"GET current weather data for Oslo using API key: 12345-ABCDE-67890."

In this example, "12345-ABCDE-67890" is the API key. It authenticates the app's request to access the weather data. If this key were exposed in a public space (like via a public GitHub repository), anyone could use it to access the same service without permission, leading to unauthorized use and potential security risks.

Hardcoded API keys also make it difficult to rotate or revoke keys without changing the source code, leading to security and maintenance challenges for you.

API attacks

APIs are frequent targets of cyberattacks due to their accessibility and the vital roles they play in connecting applications and services. Attackers exploit vulnerabilities like weak authentication, poor access controls, and unvalidated inputs to steal sensitive data, gain unauthorized access, or disrupt operations.

Common types of API attacks include:

Injection attacks: Attackers inject malicious code—like SQL or command injections—into APIs to gain unauthorized access to backend systems.
Broken authentication: APIs with weak or misconfigured authentication mechanisms allow attackers to bypass security controls.
Cross-site scripting (XSS): Malicious actors inject malicious scripts into vulnerable APIs, executing them in the user’s browser to steal data and hijack sessions.
Cross-site request forgery (CSRF): Attackers trick users into making unwanted requests to APIs, causing unintended actions on behalf of authenticated users.
Credential stuffing: Attackers use stolen credentials to hijack user accounts.
API scraping: Cybercriminals extract large amounts of data, leading to data breaches or intellectual property theft.

API abuse

Attackers abuse APIs by exceeding rate limits, extracting excessive data, exploiting functionalities to degrade performance and bypass security controls, and manipulating exposed endpoints to access unsecured sensitive functions. This abuse often involves brute-force attacks or bot-driven scraping, where automated scripts continuously send API requests to overwhelm servers and steal valuable data.

These actions can lead to data breaches, denial of service (DoS), intellectual property theft and system slowdowns, compromising user trust and privacy.

API scraping

API scraping involves extracting large volumes of data from an API, often violating the provider’s terms of service. While scraping can help with legitimate purposes like gathering public data for research or improving business processes, malicious actors exploit it for intellectual property theft or data mining.

API scraping techniques include:

Bot-driven scraping: Automated scripts or botnets continuously send requests to an API, overwhelming the system to extract data. These bots mimic legitimate users to avoid detection and bypass security measures.
IP rotation: Attackers use IP rotation techniques to evade rate-limiting policies, making it harder for API owners to detect or block scraping activities.
Credential stuffing: Attackers use stolen credentials to log into APIs that require authentication and scrape sensitive data while staying under the radar, as they appear to be authorized users.
Reverse engineering: Attackers often reverse-engineer apps to find API endpoints to figure out how the app communicates with its backend and use that information to scrape sensitive data directly from the API.

API security testing

Security testing for APIs ensures that you can identify and mitigate vulnerabilities before attackers can exploit them. It is vital to maintaining robust API security and preventing data breaches or unauthorized access.

Static application security testing (SAST): SAST analyzes the API's source code before the app is executed to detect vulnerabilities within the codebase itself, like coding errors, insecure data handling, and logic flaws.
Dynamic application security testing (DAST): DAST inspects APIs in real-time during execution, simulating real-world attacks on the API to identify vulnerabilities that only appear during runtime like misconfigured endpoints, improper authentication mechanisms, and insecure communication channels.
Interactive application security testing (IAST): IAST blends the strengths of both SAST and DAST by analyzing the API during its execution, while also providing insights into the code structure.

API security testing helps to catch vulnerabilities before the API is deployed, saving time and resources by addressing issues early in the software development lifecycle. It also identifies runtime vulnerabilities that static testing might miss, making it valuable for modern DevSecOps environments where continuous integration and deployment (CI/CD) pipelines require constant security testing.

Cloud API security

Cloud-based APIs are vulnerable because they are accessible over the public internet, exposing them to a wider range of potential threats. Protecting these APIs requires implementing multiple layers of security to safeguard against external attacks, data breaches, and misuse. The dynamic and distributed nature of cloud environments makes it harder to monitor all API endpoints.

Attackers scan them for improperly secured endpoints, making these APIs a prime target for attacks. Cloud APIs often exist in shared environments, with multiple organizations sharing the same infrastructure. This increases the risk of cross-tenant attacks, where vulnerabilities in one tenant's API could potentially expose another tenant's data.

Key security measures for protecting cloud-based APIs include:

Securing endpoints with strong access controls (like OAuth 2.0).
Encrypting data both in transit and at rest.
Implementing strict authentication protocols, like multi-factor authentication (MFA).
Applying role-based access control so only authorized users access sensitive API functions.
Monitoring API usage through logging and anomaly detection tools to identify suspicious behavior.
Regular security assessments and following best practices from cloud providers like AWS, Azure, and Google Cloud.

How to secure REST API

REST (Representational State Transfer) is an architectural style used to design networked apps, particularly web services. RESTful services use HTTP requests to perform standard operations—like GET, POST, PUT, and DELETE—to create, read, update, or delete data. Securing a REST API requires a multi-layered approach to protect data and functionality:

Implement HTTPS: Ensure all communications between the client and server are encrypted to protect data in transit.
Use token-based authentication: Leverage protocols like OAuth 2.0 to authenticate users and restrict access to authorized parties.
Enforce rate limiting: Limit the number of requests per user or IP address to prevent abuse and potential denial-of-service (DoS) attacks.
Input validation: Validate all inputs to prevent injection attacks like SQL injection or XSS which can exploit vulnerabilities.
Log requests for auditing: Track all API requests to detect and investigate suspicious activity and create an audit trail for compliance.

How to store API keys securely

Storing API keys securely is critical to preventing unauthorized access. Incorporating these best practices strengthens API key security, reducing the risk of unauthorized access to your systems:

Avoid hardcoding API keys: Hardcoding keys into the app or code repositories exposes them to attackers if the source code is compromised. Embedding keys in publicly accessible places like GitHub repositories makes them an easy target as attackers can easily search for exposed keys.
Use key management tools: Use environment variables or secret management tools like AWS Secrets Manager, Azure Key Vault, or HashiCorp Vault to protect keys.
Rotate API keys regularly: Regularly change API keys to minimize the risk of exposure, especially after a breach or when key-sharing occurs.
Limit scope and permissions: By limiting the scope of each key, you reduce the potential damage if it is compromised.
Use multi-factor authentication (MFA): Enable MFA where applicable to provide an extra layer of security when accessing key management systems.
Monitor and audit API key usage: Implement logging and monitoring to track the use of API keys, alerting you to any unusual or unauthorized activity.

OWASP API Security Top Ten

The OWASP API Security Top Ten outlines the most common and critical vulnerabilities found in APIs, providing a structured approach to API security. Key items include:

Broken object-level authorization (BOLA): APIs must enforce strict access controls to ensure users can only access the data they are authorized to view or modify. This is one of the most dangerous vulnerabilities because improper authorization checks can lead to data leakage or unauthorized data manipulation.
Mass assignment: APIs should avoid automatically binding incoming data to application objects without proper validation. Attackers can manipulate this feature to submit unexpected parameters, allowing them to modify or access data fields that should be restricted. Proper input validation and parameter whitelisting are essential to mitigate this risk.
Security misconfigurations: Improperly configured APIs can unintentionally expose sensitive data or critical functionalities. Misconfigurations may include overly permissive Cross-Origin Resource Sharing (CORS) settings, which control which external domains can access your API, incomplete or weak authentication setups, and unsecured endpoints. Following OWASP’s recommendations ensures these configurations are regularly audited and secured.
Excessive data exposure: APIs often return more data than necessary in their responses, such as personal identifiers or internal database information, without proper filtering. This can lead to sensitive data exposure, which can be exploited in attacks. Using data minimization practices by limiting responses to only essential data helps reduce exposure risks.
Injection flaws: APIs that fail to validate or sanitize inputs are vulnerable to injection attacks, such as SQL injection or command injection, where malicious input is used to manipulate backend servers. Strict input validation and parameterized queries can help mitigate these attacks.
Insufficient logging and monitoring: APIs that lack sufficient logging and monitoring may fail to detect and respond to attacks in a timely manner. Implementing real-time logging and monitoring tools helps identify anomalies or suspicious activities and enhances incident response.
Improper asset management: Organizations may fail to track all their API endpoints, especially older or deprecated ones, leaving them vulnerable to attacks. Regular auditing and mapping of all API assets ensures that outdated or unused APIs are secured or decommissioned.

API security checklist

An effective API security checklist should include:

Implement strong authentication and authorization mechanisms to ensure only authorized users can access the API with token-based systems like OAuth 2.0.
Encrypt data in transit and at rest to protect sensitive information from being intercepted or exposed during storage or transmission.
Validate all inputs rigorously to prevent injection attacks like SQL injection or XSS, which can exploit vulnerabilities in the API.
Enforce rate limiting to control the number of requests from users or apps, reducing the risk of abuse and denial-of-service (DoS) attacks.
Monitor and log API activity to track usage patterns and detect any abnormal or suspicious behavior that could signal an attack.
Conduct regular security testing using tools like SAST, DAST, and IAST to identify vulnerabilities early in the development lifecycle.
Follow OWASP API Security Top Ten guidelines to ensure compliance with industry best practices and address common vulnerabilities like broken authentication, excessive data exposure, and security misconfigurations.

Examples

NHS patient data exposure: In 2024, a ransomware attack on the UK's NHS exposed the personal medical data of nearly one million patients, including cancer diagnoses and other highly sensitive health information. The breach occurred through an API vulnerability in the NHS’s patient record system. After the NHS refused to pay the ransom, attackers released the data online, impacting patient trust and subjecting the NHS to legal scrutiny.
T-Mobile API breach: In early 2023, T-Mobile experienced a major API breach that exposed the personal data of 37 million customers. The attackers exploited an API vulnerability that lacked proper authentication, allowing them to siphon sensitive information like names, addresses, and phone numbers. This breach underscored the critical importance of securing API endpoints with robust access controls.
Twitter data scraping incident: In mid-2023, Twitter faced a massive data scraping incident where attackers bypassed the platform’s rate-limiting controls through API abuse. This allowed them to gather data on millions of users, including email addresses and phone numbers, which were then sold on the dark web. This highlights the need for stronger rate limiting and monitoring of API usage to prevent abuse.

History

APIs have been in use since the early days of computing, originally enabling software components on the same system to communicate. Before REST, Remote Procedure Calls (RPC) and Simple Object Access Protocol (SOAP) were common. But as web and mobile apps surged in the 2000s, APIs evolved and RESTful APIs became the standard for web communication because they were simple to use and easily scalable.

With the rapid adoption of APIs, security concerns intensified. Notably, Cross-Site Scripting (XSS) vulnerabilities were first identified in 2000, becoming a prevalent security issue in web apps, as attackers exploited client-side code injection. Similarly, SQL injection was flagged as early as the late 1990s, drawing attention to the risks of insecure data handling in apps. These challenges prompted security organizations to develop frameworks like the OWASP API Security Top Ten, which provides guidance on mitigating common API security risks.

Future

As cloud services, IoT, and mobile applications continue to grow, the use of APIs will expand, making API security more critical than ever. Emerging technologies like AI and machine learning will be leveraged to enhance API security by automatically detecting anomalies and potential attacks.

In 2024, Apple’s compliance with the EU’s Digital Markets Act (DMA) required significant changes to its API infrastructure, including allowing third-party app stores and sideloading. These regulatory mandates expand the API surface area, raising concerns about potential security vulnerabilities. With sideloading, users can install apps from outside the App Store, increasing the risk of malware, data theft, and API misuse by unverified apps. Balancing compliance with the DMA while maintaining platform integrity emphasizes stronger API security and permissions management to mitigate data breaches and unauthorized access.

Application programming interface (API)