Being careful about 3rd party APIs

Posted on Monday, August 24, 2020 by AMEYA TALWALKAR

Over the past couple of years, we’ve seen a marked shift in the nature of API traffic from being largely driven by human actions to being increasingly machine-driven. While it used to take a human to click something on a website to trigger an API call and response, there are now sites and apps where upwards of 98% of total traffic is the result of bots -- some legitimate, but the vast majority malicious.

The growing dependence on APIs within applications, together with the rise in malicious machine-driven traffic, needs to be evaluated, because it can have a material impact on your bottom line. Malicious bot traffic can result in losses due to fraud from account takeovers, which in turn puts increased pressure on your support teams, who need to respond to customers whose accounts have been locked or breached. Bot attacks can also significantly increase your cloud resource expenditures, and they cost you revenue when customer experience is negatively affected by unexpectedly high loads or when content is scraped by competitors.

Fortunately (or unfortunately), a great number of these fraud incidents could have been avoided with better API hygiene and security. Too often, developers moving fast deploy APIs that have not gone through security review, with gaps that make breaches and fraud easier. For example, a deployed API may no longer conform to its published OpenAPI specification (returning fields or accepting parameters the spec never declared), or its error responses may be so verbose that they tell an attacker what to try next. Such APIs, often running without the security team even knowing they exist (shadow APIs), can create some real headaches.

Fast-forward to 2020, where COVID-19 quickly changed how we work, shop, dine, learn, entertain, and seek medical attention—really all parts of our lives. We’ve all encountered some new app or feature that didn’t exist in February, from new food or shopping apps to contact tracing apps and unemployment assistance apps to new apps just for the purpose of entertaining ourselves (and our families) while stuck inside for months.

This makes me wonder how many apps, rushed to market to accommodate the reality of shelter-in-place and quarantine, are leaving our data, or the businesses themselves, exposed. Even before COVID, were you and your teams taking the necessary steps to review, assess and secure the APIs used in your web and mobile apps?

Most apps these days leverage easy-to-build and easy-to-consume APIs to speed development further. When secured, APIs are a smart way to deliver critical features and functionality and to pass data between systems (both internally and to third parties). But when left unprotected or misconfigured, they make it easier for attackers to wreak havoc and commit fraud with speed and at scale. Targeting the API directly, instead of scripting a form fill in the UI, gives a bad actor the same ease of use, efficiency, and flexibility that APIs bring to the development community.

Many enterprises are rapidly consolidating all their business logic behind APIs, where the web and mobile applications are just user-interface shims around those APIs. This shift means organizations should turn their attention to APIs to validate that they are being coded and deployed with security and privacy in mind. You can start by asking some simple questions that many organizations find difficult to answer, such as:

  • Do you know all the APIs in use across your organization, including shadow APIs?
     
  • Can the security team assess API risk across both cloud and on-premises environments?
     
  • Can you protect your APIs from automated attacks and malicious activity?
     
  • Have the APIs drifted from their original specification and has that increased your risk?
     
  • Are the APIs accidentally, even in the form of error responses, leaking sensitive information?
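The last two questions, spec drift and leaky error responses, are the ones a team can check mechanically against captured traffic. The following is an added example (not code from the original post, and not any vendor's product): a small Python checker run over constructed sample responses. The schema fragment for a hypothetical `GET /v1/users/{id}`, the sample bodies, and the list of leak patterns are all assumptions made for the example; a real deployment would load the team's own OpenAPI document and feed in responses captured from a test suite or an intercepting proxy.

```python
"""Two checks for the API hygiene problems raised above: responses that have
drifted from the published spec (undeclared, missing or retyped fields) and
error responses that leak internals. Added example, not the post's own code."""
import json
import re
from typing import Any, Dict, List

# Constructed OpenAPI-style schema fragment for a hypothetical GET /v1/users/{id}.
# A real check would load the YAML/JSON spec the team actually publishes.
SPEC_200_USER: Dict[str, Any] = {
    "type": "object",
    "required": ["id", "username"],
    "properties": {
        "id": {"type": "integer"},
        "username": {"type": "string"},
        "created_at": {"type": "string"},
    },
    "additionalProperties": False,
}

# JSON Schema primitive types -> Python types accepted for them.
JSON_TYPES = {
    "integer": int, "number": (int, float), "string": str,
    "boolean": bool, "object": dict, "array": list,
}


def find_drift(schema: Dict[str, Any], body: Dict[str, Any]) -> List[str]:
    """Compare an actual response body with the declared schema and report
    missing required fields, undeclared fields (how a new field such as an
    e-mail address or a hash quietly starts leaving the service) and fields
    whose type no longer matches what clients were promised."""
    findings: List[str] = []
    props = schema.get("properties", {})
    for name in schema.get("required", []):
        if name not in body:
            findings.append(f"missing required field: {name}")
    for name, value in body.items():
        if name not in props:
            if not schema.get("additionalProperties", True):
                findings.append(f"undeclared field: {name}")
            continue
        declared = props[name]["type"]
        expected = JSON_TYPES[declared]
        # bool is a subclass of int in Python; do not let True pass as an integer.
        wrong_bool = isinstance(value, bool) and expected is not bool
        if wrong_bool or not isinstance(value, expected):
            findings.append(
                f"type mismatch: {name} is {type(value).__name__}, spec says {declared}"
            )
    return findings


# Illustrative (not exhaustive) markers of content that should never reach a client.
LEAK_PATTERNS = {
    "stack trace": re.compile(r"Traceback \(most recent call last\)|\bat [\w.$]+\(\w+\.java:\d+\)"),
    "sql error": re.compile(
        r"\b(?:syntax error at or near|ORA-\d{5}|You have an error in your SQL syntax"
        r"|psycopg2|sqlite3\.OperationalError)\b", re.I),
    "file path": re.compile(r"/(?:usr|home|var|opt|srv)/[\w./-]+|[A-Z]:\\[\w\\.-]+"),
    "internal address": re.compile(
        r"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}"
        r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})\b"),
    "server version": re.compile(r"\b(?:Werkzeug|Apache Tomcat|nginx|Express|Django)/[\d.]+"),
}


def find_leaks(body_text: str) -> List[str]:
    """Return the labels of every leak pattern present in a response body."""
    return [label for label, rx in LEAK_PATTERNS.items() if rx.search(body_text)]


GENERIC_MESSAGES = {400: "bad request", 401: "unauthorized", 403: "forbidden",
                    404: "not found", 500: "internal error"}


def safe_error(status: int, request_id: str) -> Dict[str, Any]:
    """What the client should receive instead of a verbose error: a fixed
    message per status plus an opaque correlation id. The exception text,
    query and host name are logged server-side under that id, never returned."""
    return {"error": GENERIC_MESSAGES.get(status, "request failed"),
            "request_id": request_id}


# Constructed sample responses, as a test suite or proxy might capture them.
RESPONSE_OK = {"id": 42, "username": "alice", "created_at": "2020-08-24T10:00:00Z"}
RESPONSE_DRIFTED = {**RESPONSE_OK, "email": "alice@example.com",
                    "password_hash": "$2b$12$constructedexamplehashvalue"}
RESPONSE_RETYPED = {"id": "42", "username": "alice"}
VERBOSE_ERROR = (
    "Traceback (most recent call last):\n"
    '  File "/srv/api/app/handlers.py", line 88, in get_user\n'
    'psycopg2.errors.UndefinedTable: relation "users_v2" does not exist\n'
    "Served by Werkzeug/1.0.1 on db-primary.internal 10.20.3.7"
)

if __name__ == "__main__":
    for label, body in [("ok", RESPONSE_OK), ("drifted", RESPONSE_DRIFTED),
                        ("retyped", RESPONSE_RETYPED)]:
        print(label, find_drift(SPEC_200_USER, body))
    print("verbose error leaks:", find_leaks(VERBOSE_ERROR))
    print("safe error leaks:", find_leaks(json.dumps(safe_error(500, "req-8c1f"))))
```

Run as part of an API test suite, `find_drift` turns the "has the API drifted from its spec" question into a failing build the moment a handler starts returning a field the spec does not declare, and `find_leaks` catches the verbose error path before it reaches production. The pattern list is the part to extend with whatever your own stack emits (ORM names, internal host naming scheme, framework banners).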

While I applaud all the companies that are able to respond to market needs and deploy apps and functionality quickly, I worry about the effect it has on the security and privacy of our data. If your organization hasn’t already done so, it’s important to review your API landscape (including all those shadow APIs) and your API security policies to make sure you’re not making it unnecessarily easy for the bad actors. With the right guardrails in place, you can take advantage of the benefits of APIs while improving your protection against malicious bots.
