2025-02-27 update. From: SLTechnology News&Howtos > Network Security
Shulou (Shulou.com) 05/31 report
This article introduces the security threats faced by APIs. Many people have questions about this topic, so the editor has consulted a range of material and organized it into a concise, practical overview. Read on to find out what security threats APIs face and how to defend against them.
I. Preface
APIs power most of today's digital experiences, and API security remains a top concern for CxOs. Digital transformation keeps pushing APIs into every industry, and malicious actors now target APIs more than ever before. There is a wide gap between the current security posture of most APIs and what organizations need: organizations are often saddled with an attack surface they do not fully understand and lack a coherent strategy for defending it.
II. Challenges to API Security
APIs sit at the center of the digital experience. The core functions of mobile apps, websites and web applications, microservice architectures, and regulatory reporting all depend on APIs. According to Akamai, API requests already account for 83% of all application requests, and the number of API requests is expected to reach 42 trillion in 2024. At the same time, APIs have become the preferred target of attackers: compared with a traditional web form, an API is faster to call in bulk and cheaper to attack. Gartner predicted that API abuse would become the most frequent attack vector by 2022. API security is in such a poor state mainly because it faces the following challenges:
(1) applications and logic migrate to the cloud to expose more attack surfaces
With the widespread adoption of cloud computing, more and more SaaS offerings are moving to the cloud. This serves more users, but it also exposes their APIs on the cloud. Where a traditional data center had a single point of entry to defend, both east-west (service-to-service) and north-south (client-to-service) traffic can now become the API attack surface.
(2) Innovation emphasizes speed and flexibility, ignoring the construction of API security.
Agile development is today's mainstream development model. It emphasizes individuals and interactions, working software, customer collaboration and responding to change. Although this improves the speed and flexibility of innovation, there is no established method for building API security into the process, so security is easily left out while the software is being built.
(3) the API interface is invisible to the outside world, giving rise to a variety of potential attacks
Because APIs are written by programmers, few people other than the programmers who wrote the code know that a given API exists, and unmaintained APIs are easily forgotten. Attackers, however, can discover undefended APIs by observing network traffic, reverse engineering client code, or probing for vulnerabilities, and then attack them.
(4) organizations often underestimate API risks, resulting in omissions of security measures
People usually assume the program will follow the intended flow, so the likelihood and impact of an API attack are seriously underestimated and adequate protections are not put in place. In addition, the APIs of third-party partner systems are easily overlooked by organizations.
III. Security threats faced by API
According to industry reports, attacks targeting APIs are three times as common as attacks targeting HTML applications, and some of them cause serious business disruption. Attackers still commonly exploit weak authentication, weak authorization and injection flaws, while parser-based attacks (against JSON and XML parsers) and attacks through third-party API integrations are on the rise. Taken together, API attacks fall into the following types:
(1) credential attack
According to statistics, there were 100 billion credential stuffing attacks between 2018 and 2020, and both their volume and sophistication grow every year. The cost of credential stuffing is as high as $22.8 million, with a new credential stuffing victim on average every 30 seconds. Attackers obtain API login credentials by buying them, by phishing, or by exploiting vulnerabilities, and then use botnets to replay them against customer-facing APIs to steal customer data and personal information.
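Credential stuffing has a distinctive shape in authentication logs: a legitimate user who mistypes a password fails against their own account, whereas a stuffing bot fails against many different accounts from one source in a short time, and any success that follows is a likely account takeover. The detector below is an added example written for this article, not code from the original page. The log format ("timestamp ip account http_status"), the thresholds and the sample lines are all constructed assumptions.

```python
# Added example (not from the original article): credential-stuffing detection
# over API login logs. The log format "timestamp ip account http_status" and
# the thresholds are assumptions; the log lines below are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one botnet node sprays many accounts within seconds and
# finally succeeds on one of them; a legitimate user mistypes once, then logs in.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.7 alice@example.com 401
2024-05-01T10:00:03Z 203.0.113.7 bob@example.com 401
2024-05-01T10:00:04Z 203.0.113.7 carol@example.com 401
2024-05-01T10:00:06Z 203.0.113.7 dave@example.com 401
2024-05-01T10:00:08Z 203.0.113.7 erin@example.com 401
2024-05-01T10:00:09Z 203.0.113.7 frank@example.com 200
2024-05-01T10:00:15Z 198.51.100.2 alice@example.com 401
2024-05-01T10:00:20Z 198.51.100.2 alice@example.com 200
"""


def parse_line(line):
    """Parse 'ts ip account status' into (datetime, ip, account, int)."""
    ts, ip, account, status = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account, int(status)


def detect_stuffing(log_text, window=timedelta(minutes=5),
                    min_failures=5, min_distinct_accounts=4):
    """Return {source_ip: set(accounts)} for sources whose failed logins inside
    any sliding `window` reach `min_failures` across `min_distinct_accounts`
    different accounts. A real user fails against their own account; a stuffing
    bot fails across many accounts, which is the signal used here."""
    events = sorted(parse_line(ln) for ln in log_text.splitlines() if ln.strip())
    failures = defaultdict(list)  # ip -> [(ts, account)], time-ordered
    for ts, ip, account, status in events:
        if status == 401:
            failures[ip].append((ts, account))
    flagged = {}
    for ip, fails in failures.items():
        start = 0
        for end in range(len(fails)):
            # shrink the window from the left until it spans at most `window`
            while fails[end][0] - fails[start][0] > window:
                start += 1
            span = fails[start:end + 1]
            accounts = {a for _, a in span}
            if len(span) >= min_failures and len(accounts) >= min_distinct_accounts:
                flagged[ip] = accounts
                break
    return flagged


def takeovers(log_text, flagged):
    """(ip, account) pairs where a flagged source later logged in successfully:
    these are the sessions to revoke and the users to notify."""
    hits = set()
    for _ts, ip, account, status in (parse_line(ln) for ln in log_text.splitlines() if ln.strip()):
        if status == 200 and ip in flagged:
            hits.add((ip, account))
    return hits


if __name__ == "__main__":
    found = detect_stuffing(SAMPLE_LOG)
    for ip, accounts in found.items():
        print(f"{ip}: {len(accounts)} accounts sprayed")
    print("possible takeovers:", takeovers(SAMPLE_LOG, found))
```

Per-IP thresholds alone miss distributed botnets that spread the spray across thousands of sources; in production the same distinct-account logic should also be applied per account (many sources hitting one account) and per user-agent fingerprint.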
(2) availability attack
When API endpoints are exposed, attackers can use DDoS or attack the API's parsers so that the API can no longer provide service. Against DDoS, in addition to deploying the usual anti-DDoS equipment, pay attention to how well partner APIs tolerate DDoS: if you rely only on the partner's security measures, your own API that depends on it is not protected. Attacks on API parsers are more targeted; they may trigger hash collisions or deserialization errors, causing the API to reject or choke on requests.
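One parser-exhaustion case that is easy to reproduce offline is nesting depth: a JSON body of a few tens of kilobytes made of nothing but nested arrays makes a recursive parser run out of stack, so one cheap request takes down the worker. The guard below is an added example for this article, not code from the original page; it checks size and depth in a single linear pass before the real parser is allowed to run. The limits and the attack payload are constructed assumptions.

```python
# Added example (not from the original article): bounding JSON parsing so a
# crafted payload cannot exhaust the API's parser. The size and depth limits are
# assumed values; the attack payload is constructed.
import json

MAX_BODY_BYTES = 64 * 1024   # assumed limit for this endpoint
MAX_DEPTH = 32               # far deeper than any legitimate document here


def nesting_depth(body):
    """Deepest bracket nesting in `body`, computed in one linear pass with no
    recursion. Brackets inside string literals are skipped (honouring
    backslash escapes) so a string like "]]]" cannot fool the count."""
    depth = deepest = 0
    in_string = escape = False
    for ch in body:
        if in_string:
            if escape:
                escape = False
            elif ch == "\\":
                escape = True
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch in "[{":
            depth += 1
            deepest = max(deepest, depth)
        elif ch in "]}":
            depth -= 1
    return deepest


def rejection_reason(body):
    """Why `body` must not reach the parser, or None if it may."""
    if len(body.encode("utf-8")) > MAX_BODY_BYTES:
        return "body too large"
    if nesting_depth(body) > MAX_DEPTH:
        return "nesting too deep"
    return None


def parse_bounded(body):
    """Parse `body` only after the cheap size and depth checks pass."""
    reason = rejection_reason(body)
    if reason is not None:
        raise ValueError(reason)
    return json.loads(body)


# Constructed attack payload: 20,000 nested arrays in about 40 KB. json.loads on
# its own recurses once per level and dies with RecursionError.
DEEP_PAYLOAD = "[" * 20000 + "]" * 20000


def unguarded_parser_fails(body=DEEP_PAYLOAD):
    """True if the stock parser cannot survive `body` (the availability bug)."""
    try:
        json.loads(body)
        return False
    except RecursionError:
        return True


if __name__ == "__main__":
    print("stock json.loads survives deep payload:", not unguarded_parser_fails())
    print("guarded verdict:", rejection_reason(DEEP_PAYLOAD))
    print("normal body:", parse_bounded('{"order_id": 7, "items": [1, 2, 3]}'))
```

Hash-collision flooding and deserialization gadget chains need parser-specific defenses (randomized hashing, allowlisted types) that this pre-check does not replace; its job is to make the cheapest class of parser attack cost the attacker more than it costs you.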
(3) exploit attack
Vulnerability exploitation is a threat to every application, and APIs are no exception. By embedding malicious input in API function parameters or in JSON, XML and other payloads, attackers carry out common API attacks such as directory traversal, command injection, SQL injection, XSS, and authentication or authorization bypass, stealing sensitive data or damaging the system. API attacks have also been tooled: attackers use one set of tools to collect a target's domain names and API inventory, and another to locate and exfiltrate or delete sensitive data.
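Two of the attacks listed above, SQL injection and directory traversal through an API parameter, are shown below as the vulnerable handler beside its hardened form. This is an added example for this article, not code from the original page; the user table, the rows, the file root `/srv/api/files` and the request bodies are constructed assumptions.

```python
# Added example (not from the original article): a SQL injection and a directory
# traversal through API parameters, each shown as the vulnerable handler beside
# its hardened form. The table, rows, file root and payloads are constructed.
import json
import posixpath
import sqlite3

FILES_ROOT = "/srv/api/files"  # assumed storage root for a download endpoint


def make_db():
    """In-memory table standing in for the API's user store."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, email TEXT, api_key TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (1, "alice@example.com", "key-alice"),
        (2, "bob@example.com", "key-bob"),
    ])
    return db


def lookup_vulnerable(db, body):
    """Interpolates the JSON 'email' field straight into SQL: the attacker
    controls the query text."""
    email = json.loads(body)["email"]
    sql = f"SELECT email, api_key FROM users WHERE email = '{email}'"
    return [tuple(r) for r in db.execute(sql)]


def lookup_hardened(db, body):
    """Validates the parameter's type and length, then binds it as data so it
    can never change the query structure."""
    email = json.loads(body).get("email")
    if not isinstance(email, str) or not 3 <= len(email) <= 254 or "@" not in email:
        raise ValueError("invalid email parameter")
    return [tuple(r) for r in db.execute(
        "SELECT email, api_key FROM users WHERE email = ?", (email,))]


# Constructed attacker body: passes the shallow shape check, but the tautology
# makes the WHERE clause of the vulnerable query match every row.
INJECTION_BODY = json.dumps({"email": "a@b' OR '1'='1"})
NORMAL_BODY = json.dumps({"email": "bob@example.com"})


def file_path_vulnerable(name):
    """Joins the user-supplied name under FILES_ROOT without normalising it."""
    return posixpath.join(FILES_ROOT, name)


def file_path_hardened(name):
    """Normalises the joined path and insists it still lies under FILES_ROOT.
    An absolute name or a '../' escape is rejected. (On a real filesystem you
    would additionally resolve symlinks before the containment check.)"""
    full = posixpath.normpath(posixpath.join(FILES_ROOT, name))
    if full != FILES_ROOT and not full.startswith(FILES_ROOT + "/"):
        raise PermissionError(f"{name!r} escapes the files root")
    return full


def file_path_allowed(name):
    """True if the hardened resolver accepts `name`."""
    try:
        file_path_hardened(name)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, INJECTION_BODY))  # leaks every key
    print("hardened:", lookup_hardened(db, INJECTION_BODY))      # no row matches
    print("traversal:", file_path_vulnerable("../../etc/passwd"))
    print("allowed?", file_path_allowed("../../etc/passwd"))
```

The point of the injection pair is that the hardened handler does not need to recognise the attack string: once the value is bound as a parameter it can only ever be compared as data, so even input that slips past validation returns nothing.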
IV. Best practices for API security defense
API security defense is a systematic effort. Traditional defense focused on specific technical controls such as access control, request signing, rate limiting and encryption; the newer practice puts more emphasis on API governance, new protective solutions, and systematic, continuous API security inspection.
(1) API governance
First, document every API in full. To keep up with frequent API changes, use open source automation to add descriptive annotations when an API changes, regenerate up-to-date API documentation automatically, and automatically inspect traffic to find and analyze unknown or changed APIs, so that API-based attacks can be answered quickly. Second, map the call chains and call relationships between APIs and identify zombie APIs (documented or deployed but no longer used or maintained) so that no endpoint is left without security controls; this too can be done with tooling. Finally, run contract tests and white-box tests against the APIs to reduce the likelihood of vulnerabilities.
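The traffic check described in this step reduces to a set comparison between the documented inventory and what the gateway actually sees: requests that match no documented endpoint are shadow APIs, and documented endpoints that no request ever matches are zombie candidates. The script below is an added example for this article, not the tooling the text refers to; the OpenAPI-style inventory, the access-log lines and their "method path status" format are constructed assumptions.

```python
# Added example (not from the original article): comparing the documented API
# inventory with observed gateway traffic to surface shadow endpoints (called
# but undocumented) and zombie endpoints (documented but never called). The
# inventory and the access-log lines are constructed; the log format
# "method path status" is an assumption.
import re
from collections import Counter

# Constructed inventory in OpenAPI style: (method, path template)
DOCUMENTED = {
    ("GET", "/v2/users/{id}"),
    ("POST", "/v2/users"),
    ("GET", "/v2/orders/{id}"),
    ("DELETE", "/v2/orders/{id}"),
}

# Constructed gateway access log: an old v1 route and a debug endpoint are
# still answering requests although neither appears in the inventory.
TRAFFIC = """\
GET /v2/users/1042 200
GET /v2/users/77 200
POST /v2/users 201
GET /v2/orders/9 200
GET /v1/users/1042 200
GET /internal/debug/config 200
"""


def template_regex(template):
    """'/v2/users/{id}' -> regex matching exactly one concrete path segment
    per placeholder, with the literal parts escaped."""
    literal_parts = re.split(r"\{[^/}]+\}", template)
    return re.compile("^" + "[^/]+".join(re.escape(p) for p in literal_parts) + "$")


def inventory_gap(documented, traffic_text):
    """Return (shadow, zombie, hits):
    shadow - Counter of (method, concrete path) matching no documented template
    zombie - set of documented (method, template) that no request matched
    hits   - Counter of requests per documented endpoint
    Note: if templates overlap (e.g. '/users/me' and '/users/{id}'), try the
    literal ones first in real use; the constructed inventory has no overlap."""
    compiled = {endpoint: template_regex(endpoint[1]) for endpoint in documented}
    hits, shadow = Counter(), Counter()
    for line in traffic_text.splitlines():
        if not line.strip():
            continue
        method, path, _status = line.split()
        for (doc_method, template), rx in compiled.items():
            if doc_method == method and rx.match(path):
                hits[(doc_method, template)] += 1
                break
        else:
            shadow[(method, path)] += 1
    zombie = {endpoint for endpoint in documented if hits[endpoint] == 0}
    return shadow, zombie, hits


if __name__ == "__main__":
    shadow, zombie, hits = inventory_gap(DOCUMENTED, TRAFFIC)
    print("shadow endpoints:", dict(shadow))
    print("zombie endpoints:", zombie)
    print("traffic per documented endpoint:", dict(hits))
```

Shadow endpoints are the ones to put behind the gateway's authentication and rate limits first; zombie endpoints should be confirmed against the call-chain map before removal, since an endpoint that is unused in one week of traffic may still be called by a partner's batch job.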
(2) New solution
New solutions can protect against the threats described above. They include advanced bot detection, pre-login verification, blocking unauthorized API access, deploying an API gateway to authenticate, authorize and enforce access control on API requests, using positive and negative security models to validate API parameters, discovering API traffic behavior, and providing tooling for rapid integration with WAF and DDoS protection. A positive security model allowlists the exact type, range and shape of every parameter and rejects anything else; a negative security model blocks requests that match known attack signatures. The two complement each other: the positive model stops attacks nobody has written a signature for, while the negative model gives clear, triageable alerts for known ones.
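To make the positive and negative models concrete, the validator below checks the parameters of one hypothetical "update order" operation with both. It is an added example for this article, not code from any product the text mentions; the schema, the required set, the signature list and the request bodies are illustrative assumptions.

```python
# Added example (not from the original article): a positive (allowlist schema)
# and a negative (attack-signature) validator for the parameters of one API
# operation. The schema, the required set and the signature list are
# illustrative assumptions; the request bodies are constructed.
import re

# Positive model: the only parameters this operation accepts, with type,
# bounds and shape. Anything not described here is rejected.
ORDER_SCHEMA = {
    "order_id": {"type": int, "min": 1, "max": 10**9},
    "status": {"type": str, "enum": {"open", "shipped", "closed"}},
    "note": {"type": str, "max_len": 200, "pattern": re.compile(r"^[\w .,!?'-]*$")},
}
REQUIRED = {"order_id", "status"}

# Negative model: a few well-known injection signatures. Never exhaustive,
# which is why it complements rather than replaces the positive model.
SIGNATURES = [
    ("sqli", re.compile(r"(\bor\b|\band\b)\s+['\"\d]+\s*=\s*['\"\d]+|--\s|;\s*drop\b", re.I)),
    ("traversal", re.compile(r"\.\./|%2e%2e%2f", re.I)),
    ("xss", re.compile(r"<\s*script|javascript:", re.I)),
    ("cmd", re.compile(r"[;&|`]\s*(cat|ls|id|whoami|wget|curl)\b", re.I)),
]


def positive_check(params, schema=ORDER_SCHEMA, required=REQUIRED):
    """List every way `params` departs from the schema (empty list = accepted)."""
    errors = []
    for key in sorted(params.keys() - schema.keys()):
        errors.append(f"{key}: unexpected parameter")
    for key in sorted(required - params.keys()):
        errors.append(f"{key}: missing")
    for key, rule in schema.items():
        if key not in params:
            continue
        val = params[key]
        if type(val) is not rule["type"]:  # exact type: bool is a subclass of int
            errors.append(f"{key}: expected {rule['type'].__name__}")
            continue
        if "min" in rule and val < rule["min"]:
            errors.append(f"{key}: below minimum")
        if "max" in rule and val > rule["max"]:
            errors.append(f"{key}: above maximum")
        if "enum" in rule and val not in rule["enum"]:
            errors.append(f"{key}: not an allowed value")
        if "max_len" in rule and len(val) > rule["max_len"]:
            errors.append(f"{key}: too long")
        if "pattern" in rule and not rule["pattern"].match(val):
            errors.append(f"{key}: contains disallowed characters")
    return errors


def negative_check(params):
    """List (parameter, signature) pairs for string values matching a known attack pattern."""
    hits = []
    for key, val in params.items():
        if isinstance(val, str):
            for name, rx in SIGNATURES:
                if rx.search(val):
                    hits.append((key, name))
    return hits


def validate(params):
    """Run both models; a request is accepted only when both lists are empty."""
    return {"positive": positive_check(params), "negative": negative_check(params)}


if __name__ == "__main__":
    # Constructed request bodies: one legitimate, one carrying two injection attempts.
    print(validate({"order_id": 42, "status": "open", "note": "Leave at door, please."}))
    print(validate({"order_id": 42, "status": "open' OR '1'='1", "note": "../../etc/passwd"}))
```

Note how the positive model already rejects both malicious values (wrong enum value, disallowed characters) without knowing what the attack is, while the negative model adds the label ("sqli", "traversal") that tells the SOC what they are looking at.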
(3) continuous API security inspection
Build an API security inspection checklist along three dimensions (discovery, protection and analysis) and inspect the APIs continuously to find hidden risks, set policy and implement protection. In the discovery dimension, check whether the security measures for API development, testing and deployment are comprehensive. In the protection dimension, check whether user identity controls, DDoS protection and data validation blacklists and whitelists are complete. In the analysis dimension, check whether API risk assessment and API audit logging are adequate.
© 2024 shulou.com SLNews company. All rights reserved.