What are APIs and API Security?

Application Programming Interfaces, also known as APIs, can be described as software intermediaries allowing applications to communicate. APIs have become a critical part of modern technology as they are found in modern SaaS, mobile, and web applications, including internal, customer-facing, and partner-facing applications. 

API security can be described as the strategies and solutions created to mitigate the risks that APIs create. Much of this risk can be attributed to the nature of APIs that expose sensitive data, specifically Personally Identifiable Information (PII).

Common API Security Risks

The Open Web Application Security Project (OWASP), a widely trusted non-profit best known for its yearly list of top web application vulnerabilities, has named the list below the most common API security vulnerabilities.

1. Broken Object-Level Authorization (BOLA)
A type of Insecure Direct Object Reference (IDOR) vulnerability where a hacker can use a user input functionality to gain direct access to sensitive information. 

2. Broken Function-Level Authorization
Another Insecure Direct Object Reference (IDOR) vulnerability, where the user permissions system is broken, allowing unauthorized access. More complex user hierarchical permissions systems are more prone to have vulnerabilities. 

3. Broken User Authentication
According to OWASP, because authentication mechanisms are often implemented incorrectly,  attackers can compromise authentication tokens or exploit implementation flaws to assume other users’ identities to gain access. 

4. Excessive Data Exposure
Inadvertently,  API requests may display and return more data than is necessary. Developers at times, will expose object properties without considering their individual sensitivity. 

5. Improper Asset Management
APIs will frequently expose more endpoints compared to traditional web applications, making proper documentation of assets critical. These documents are often skipped over in a rush to update or release newer APIs, leaving these endpoints exposed.

6. Lack of Resources and Rate Limiting
API endpoints are often left open to the internet. If there are no restrictions on the size or number of the requests made by the user, then these endpoints are open to the threat of a Denial of Service (DoS) attack or brute force attacks. 

7. Injection Flaws
With injection flaws, if data is not parsed or validated correctly, this can leave the door open for SQL injection attacks where hackers can access and/or execute unauthorized commands. 

8. Mass Assignment
A body of data can be inserted into a database with just one line of code, removing the need for endless lines of code. Although efficient, if a mass assignment is performed without specifying which data is acceptable, it can lead to many possible vulnerabilities. 

The Importance of API Security

As businesses continue to give access to their services through APIs, the number of attractive targets for cybercriminals looking to exploit API vulnerabilities also naturally grows. Unsecure APIs pose a great risk to the safety of a business’s sensitive data. For hackers, APIs are an easy way to access company data and can be an easier route to bypass security solutions, compared to other methods. 

According to a report by NoName Security, where they surveyed over 3,000 employees across 350 different countries’ businesses, the average organization leverages 15,546 APIs. To make matters worse, in the same report by NoName Security, it was found that 76% of the surveyed companies experienced an API-related security breach between September 2021 and September 2022.