The pandemic has been an eye-opener for many cybersecurity professionals. With an unprecedented rise in cyberattacks and data breaches, the fragility of traditional enterprise technology has come into the spotlight. It’s not surprising then that the Global Risks Report 2021 by the World Economic Forum (WEF) identifies cybersecurity failure as the 4th most critical threat in the world.
Evolving security threats in the digital landscape
The pandemic radically transformed the nature of cybersecurity challenges by activating new variables, such as the shift to remote work and an exponential rise in connectivity. As a result, a wide range of business activities, services, and processes became dependent on remote access and connected devices.
To support this shift, application programming interfaces (APIs) rose in prominence, becoming a crucial part of any future technological transformation. In fact, according to recent industry estimates, about 900 applications support an average business organization, and they talk to each other largely through APIs. As we have seen over the past year, the vulnerabilities of the digital economy threaten every aspect of a modern enterprise, and APIs are no exception.
Major API attack vectors and solution approaches
Gartner predicted that by 2022, API abuse would become the most frequent attack vector seen by security teams. As the API landscape has evolved, so have concerns about the threats that target it: an API exposes application logic and data directly to any caller, which gives attackers numerous attack vectors to work with.
- API key theft: Most APIs are protected by an API key or a JWT (JSON Web Token). The key identifies the caller, so API security tools can track usage per key, detect abnormal behavior and block that key immediately. Attackers try to outsmart these mechanisms by stealing keys (from client-side code, public repositories or logs) or by generating a large pool of keys so that abusive traffic is spread across many identities, each staying below the per-key threshold that DDoS and rate-limit protection rely on. Keys should therefore be treated as secrets, rotated and revoked on exposure, and limits should be enforced per source as well as per key.
- Reverse engineering to access private APIs: Private APIs are usually intended only for developers internal to the service or product, but an attacker who reverse engineers a mobile app or web front end can discover and call them directly. Obscurity is not a control: private APIs need the same authentication and authorization as public ones, which is why most services now bind every call to a JWT session token that the backend verifies on each request, so a discovered endpoint cannot be used without a valid session.
- DDoS: Most DDoS protection relies on fingerprinting HTTP requests to separate bot traffic from human traffic. This is much harder for API products, because all API traffic looks like bot traffic. However, almost every API call requires an API key, so a request without one can be rejected immediately and cheaply, and the remaining traffic can be rate limited per key and per source address.
- Cross-site scripting: Also known as XSS, cross-site scripting is a client-side injection attack in which the attacker injects malicious script into a website. The website then becomes the vehicle that delivers the script to users when they open the web page or application; an API that returns user-supplied content to a browser client without encoding it can be the source. XSS is prevented by consistently applying secure coding practices: encoding output for the context it is rendered in, validating input, and setting a Content-Security-Policy header.
- Session replay using bots: Session replay tooling records customers' interactions with a web app and can modernize a digital experience monitoring (DEM) strategy, but it runs in the browser, so fraudulent access by bots, website scrapers and attackers that never execute the client-side script is not recorded, and replayed requests or tokens are invisible to it. Tracking the same sessions on the server side as well, in a hybrid approach, closes that gap and also helps with regulatory compliance.
- Identity proofing and validation: Identity verification, combined with authentication procedures and identity proofing, helps establish the true identity of the user behind an API credential. Each organization needs to decide its level of risk tolerance, its match-rate tolerance, and the standard of technology it will adopt.
- XML/JSON attack: Attackers craft malformed or malicious XML or JSON requests to manipulate the parser or the service logic behind it, for example XML external entity (XXE) payloads that read server files, or oversized and deeply nested documents that exhaust the parser. Requests should be parsed with external entities disabled, bounded in size and nesting depth, and validated against a schema before any field reaches business logic.
- Phishing: Phishing is a type of social engineering attack in which an attacker sends fraudulent messages to steal user data, including login credentials and credit card information; the stolen credentials are then used against the API. To limit the damage, issue API access through a token server rather than accepting raw passwords on every call, authenticate end users with multi-factor authentication where possible, and define and enforce access control rules so that a phished credential grants only what that user was allowed.
- Brute force: A brute force attack guesses passwords or keys by trying many candidates, and it succeeds often against weak or reused credentials. Locking accounts after repeated failures stops it, although it may not prove to be the best solution, since an attacker can use it to lock legitimate users out. Other countermeasures include rate limiting and progressively longer delays on failed attempts, allowing login only from certain IP addresses, assigning unique login URLs, using a CAPTCHA, or placing the user in a restricted mode with limited capability until they re-verify.
- Token harvesting: Token harvesting is an attack in which the attacker takes control of a user's account by obtaining that user's access token, without ever knowing the password. The 2018 Facebook access-token breach, which exposed tokens for tens of millions of accounts, shows how catastrophic such a breach can be. Tokens should be short-lived and revocable, and never logged or placed in URLs; the best way to contain a breach is to integrate alerting that detects unusual token use early.
- Injection: APIs are prone to injection, and third-party developer applications built on them are not safe either. Injected SQL, commands or scripts may erase data or harvest valuable private records. Such attacks are prevented by always fronting services with an API gateway, validating every input against an expected type and format, passing values to databases only through parameterized queries, and never accepting raw SQL or other untrusted code as an input format. Unusual behavior from trusted parties should also be monitored, and accounts that make strange requests can be suspended temporarily.
- Auto-disabling API due to multiple attempts: Attackers often take advantage of incorrectly applied authentication mechanisms. They may compromise an authentication token or exploit implementation flaws to pose as another user. If the system's ability to identify the client or user is compromised, the entire API gateway system, and every control built on top of that identity, is compromised as well.
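The API key theft and DDoS items above both come down to one control: reject keyless calls before doing any work, then budget the rest per key and per source address so that a pool of freshly generated keys from one machine still trips a limit. The following Python gate is an added example written for this page, not HCLTech code; the limits, key names, header name and addresses are constructed for illustration.

```python
import time
from collections import defaultdict, deque

# Constructed policy values for this example (not from the article).
WINDOW_SECONDS = 60.0
KEY_LIMIT = 60       # requests per window per API key
SOURCE_LIMIT = 300   # requests per window per source IP, across all keys


class ApiGate:
    """Rejects keyless calls outright, then rate limits per key and per source.

    The per-source budget is what defeats a pool of freshly minted keys:
    each key may stay under KEY_LIMIT, but the source driving them cannot.
    """

    def __init__(self, valid_keys, now=time.monotonic):
        self.valid_keys = set(valid_keys)
        self.now = now                      # injectable clock so tests can advance time
        self.by_key = defaultdict(deque)
        self.by_source = defaultdict(deque)

    def _hits_in_window(self, bucket, ident, t):
        """Record one hit for ident and return how many hits fall in the window."""
        q = bucket[ident]
        while q and q[0] <= t - WINDOW_SECONDS:
            q.popleft()                     # drop timestamps older than the window
        q.append(t)
        return len(q)

    def check(self, headers, source_ip):
        """Return (HTTP status, reason) for one incoming request."""
        key = headers.get("X-API-Key")
        if not key:
            return 401, "missing API key"   # cheapest possible rejection, no state touched
        t = self.now()
        # Count the source before validating the key, so floods of bogus or
        # rejected keys still burn the source budget.
        if self._hits_in_window(self.by_source, source_ip, t) > SOURCE_LIMIT:
            return 429, "source rate limit exceeded"
        if key not in self.valid_keys:
            return 403, "unknown API key"
        if self._hits_in_window(self.by_key, key, t) > KEY_LIMIT:
            return 429, "key rate limit exceeded"
        return 200, "ok"


def key_pool_abuse(gate, keys, source_ip, rounds):
    """Simulate one source spreading traffic over many keys; return rejections."""
    rejected = 0
    for _ in range(rounds):
        for k in keys:
            if gate.check({"X-API-Key": k}, source_ip)[0] == 429:
                rejected += 1
    return rejected


if __name__ == "__main__":
    pool = [f"key-{i}" for i in range(100)]   # constructed pool of 100 valid keys
    gate = ApiGate(pool)
    print("keyless:", gate.check({}, "203.0.113.5"))
    # 100 keys x 4 rounds = 400 calls from one address; each key stays at 4,
    # well under KEY_LIMIT, but the source budget of 300 rejects the last 100.
    print("rejected by source limit:", key_pool_abuse(gate, pool, "203.0.113.5", 4))
```

In production the deques would live in a shared store such as Redis rather than process memory, and the source identity would be taken from the connection or a trusted proxy header, never from a client-settable one.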
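The injection item above says to validate input and never accept raw SQL; the contrast below shows why. It is an added example for this page, not HCLTech code: a constructed in-memory SQLite table, a hypothetical lookup handler, and a constructed payload that turns a string-built query into a dump of every row while the parameterized version returns nothing.

```python
import re
import sqlite3

USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")   # constructed allowlist for this API


def make_db():
    """Constructed in-memory sample table standing in for the real user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Untrusted input is spliced into the SQL text: the classic injection bug."""
    sql = "SELECT username, email FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Parameterized query: the driver sends the value separately from the SQL."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def handle_lookup(conn, params):
    """Hypothetical API handler: validate the field first, then use the safe query."""
    username = params.get("username", "")
    if not USERNAME_RE.fullmatch(username):
        return 400, []            # reject anything outside the expected format
    return 200, lookup_safe(conn, username)


# Constructed payload: closes the string literal and appends an always-true clause.
PAYLOAD = "nobody' OR '1'='1"

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable:", lookup_vulnerable(conn, PAYLOAD))   # leaks every row
    print("parameterized:", lookup_safe(conn, PAYLOAD))      # no such user: []
    print("handler:", handle_lookup(conn, {"username": PAYLOAD}))
    print("handler:", handle_lookup(conn, {"username": "alice"}))
```

The allowlist and the parameterized query are independent layers: the regex stops the request at the gateway or handler, and the parameterized query means a field that legitimately contains quotes (a free-text comment, say) is still safe.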
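The XML/JSON item above asks for bodies to be bounded in size and depth and checked against the expected fields before they reach service logic. The Python below, added here as an example rather than anything from the page or from HCLTech, does that for JSON: a single linear pass measures nesting depth before the real parser runs, so a nesting bomb is refused without ever recursing, and an unexpected field such as "role" is rejected rather than silently bound to the user record. The limits and field names are constructed for the example.

```python
import json

MAX_BODY_BYTES = 64 * 1024                 # constructed limits for this example
MAX_DEPTH = 20
ALLOWED_FIELDS = {"username", "email"}     # the only fields this endpoint accepts


def json_nesting_depth(text):
    """Deepest bracket nesting in a JSON text, ignoring brackets inside strings.

    One linear pass that runs before the real parser, so a nesting bomb is
    rejected without building the object tree or recursing.
    """
    depth = deepest = 0
    in_string = escaped = False
    for ch in text:
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch in "[{":
            depth += 1
            deepest = max(deepest, depth)
        elif ch in "]}":
            depth -= 1
    return deepest


def parse_body(text, allowed_fields=ALLOWED_FIELDS,
               max_depth=MAX_DEPTH, max_bytes=MAX_BODY_BYTES):
    """Return (HTTP status, object or None) for one request body.

    Size and depth are bounded before parsing; after parsing the object must be
    a flat record carrying only the expected fields, which blocks mass
    assignment of fields the client was never meant to set.
    """
    if len(text.encode("utf-8")) > max_bytes:
        return 413, None
    if json_nesting_depth(text) > max_depth:
        return 400, None
    try:
        obj = json.loads(text)
    except ValueError:                      # json.JSONDecodeError is a ValueError
        return 400, None
    if not isinstance(obj, dict):
        return 400, None
    if set(obj) - set(allowed_fields):
        return 400, None                    # unexpected field: reject, do not strip
    return 200, obj


if __name__ == "__main__":
    print(parse_body('{"username": "alice", "email": "alice@example.test"}'))
    print(parse_body('{"username": "alice", "role": "admin"}'))   # mass assignment attempt
    bomb = "[" * 5000 + "]" * 5000                                # constructed nesting bomb
    print(parse_body(bomb))                                       # refused before json.loads
```

The same three checks apply to XML, where the parser must additionally be configured with external entity resolution disabled; the depth pre-scan is what keeps a recursive parser from being the first thing to fall over.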
Enabling enterprise resilience with HCLTech's cybersecurity
Faced with this myriad of attack vectors and systemic vulnerabilities, it is critical that organizations adopt a holistic security solution for their APIs. This is where HCLTech's layered approach can prove instrumental: it not only secures the API backend but also covers the UI layer, the business layer, and the transaction layer for 360-degree coverage.
HCLTech applies its identity and access management expertise across the entire API security landscape, from authentication to authorization. Combined with our API security consulting approach, this gives organizations a high-level solutions roadmap that includes best practices, vulnerability analysis, implementation planning, use cases and user stories, and optimized investment and effort estimates for business-aligned outcomes.
At HCLTech, we have witnessed decades of paradigm shifts and continued to work with our customers to secure their future ambitions. As we look to the future, one thing is clear: the digital landscape has undergone an irreversible change that is reshaping industry boundaries and business models. These changes will continue to create unpredictable disruptions in and across business environments, and our expertise and experience make us the ideal partner to help digital enterprises prepare for that uncertainty.