We are living in the era of APIs. Companies use them to make their assets accessible for business purposes, the main one being, of course, monetization. Sounds great. But wherever everything seems fine, a ‘bad guy’ will eventually appear, wanting either to spoil the show or to use it for easy money. That is why the risk of intrusion, data theft and denial-of-service (DoS) attacks never goes away.
Despite the danger of being hacked, most development teams pay little attention to testing their APIs for security vulnerabilities, and the topic is just as often ignored by vendors, API providers and API consumers. There are a few possible reasons for that:
Ignorance. People tend to believe that bad things will never happen to them: to anybody else, but not to them. Unfortunately, the conviction that one is invulnerable, or that nobody would bother attacking one's particular app or API, is simply wrong. Automated scanners do not care how interesting a target is.
New features first. As already mentioned, developers very often do not spend much effort assessing their own code for security weaknesses. This applies just as much to teams working with new components and frameworks; in fact the risk is even higher there, because they concentrate on adding features rather than on making sure that, for example, their error messages do not give away the weak points of the API. A raw database error echoed back to the client tells an attacker that input reaches a query unescaped, and typically reveals the query shape and table names as well, which is exactly the information an injection attack needs.
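The following is an added example, not code from the original article, illustrating the point about error messages. It uses an in-memory SQLite table of users with API keys (constructed sample data) and two framework-free handlers that return a hypothetical `{"status", "body"}` dict: a leaky one that concatenates the caller's input into SQL and echoes the database error, and a hardened one that validates and binds the input, logs the real error server-side under a reference id, and returns only a generic message. The attacker inputs `PROBE` and `INJECTION` are constructed to show how the leaked error leads straight to a working injection.

```python
import logging
import sqlite3
import uuid

log = logging.getLogger("api")


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a users table holding an API key per user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, api_key TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'alice@example.com', 'key-alice-1')")
    conn.commit()
    return conn


def empty_db() -> sqlite3.Connection:
    """Constructed failure case: a connection whose schema is missing entirely."""
    return sqlite3.connect(":memory:")


def lookup_leaky(conn: sqlite3.Connection, user_id: str) -> dict:
    """Vulnerable handler: concatenates untrusted input into SQL and echoes the
    database error (and the query itself) back to the caller."""
    sql = "SELECT email FROM users WHERE id = " + user_id
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error as exc:
        # The caller now learns the query shape, the table name, and that the
        # input is not escaped: everything needed to craft an injection.
        return {"status": 500, "body": {"error": str(exc), "query": sql}}
    if row is None:
        return {"status": 404, "body": {"error": "not found"}}
    return {"status": 200, "body": {"email": row[0]}}


def lookup_hardened(conn: sqlite3.Connection, user_id: str) -> dict:
    """Hardened handler: validates the input, binds it as a query parameter,
    keeps the real error in server-side logs under a reference id, and returns
    only a generic message to the caller."""
    if not user_id.isdigit():
        return {"status": 400, "body": {"error": "invalid id"}}
    try:
        row = conn.execute(
            "SELECT email FROM users WHERE id = ?", (int(user_id),)
        ).fetchone()
    except sqlite3.Error as exc:
        ref = uuid.uuid4().hex[:8]
        log.error("ref=%s database error: %s", ref, exc)  # detail stays server-side
        return {"status": 500, "body": {"error": "internal error", "ref": ref}}
    if row is None:
        return {"status": 404, "body": {"error": "not found"}}
    return {"status": 200, "body": {"email": row[0]}}


# Constructed attacker inputs: a probe that deliberately breaks the query, and
# the UNION payload that the leaked error message tells the attacker will work.
PROBE = "1 AND nosuchcolumn"
INJECTION = "0 UNION SELECT api_key FROM users"

if __name__ == "__main__":
    db = make_db()
    print("leaky probe     :", lookup_leaky(db, PROBE))
    print("leaky injection :", lookup_leaky(db, INJECTION))
    print("hardened probe  :", lookup_hardened(db, PROBE))
    print("hardened valid  :", lookup_hardened(db, "1"))
    print("hardened failure:", lookup_hardened(empty_db(), "1"))
```

Run against the probe, the leaky handler answers with "no such column: nosuchcolumn" plus the full query, and the follow-up injection returns the stored API key in the `email` field. The hardened handler rejects both payloads with a 400, and when the database really is broken it returns only "internal error" with a reference id that an operator can match against the server log.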
Ambiguity. Security does not mean the same thing to different people. Some think of authentication and authorization, others of TLS/SSL, encryption and signatures, VPNs, firewalls or BYOD policies, and that is before we get to standards and acronyms such as WS-Security, SAML and OAuth. The abundance of things to consider makes it likely that only some of these areas will be addressed during a project, and nobody will own the rest.
One should also remember that, fashionable as it is, cloud data storage makes information more reachable from the outside than it would be in a private data center. The same goes for NoSQL databases, which concentrate large volumes of data in one place, so that a single misconfiguration exposes a great deal at once. Plus, assets and processes exposed via APIs can be used by potential business partners and by attackers alike.
Here are some recommendations for those who are building a new application or API:
- Invest in security expertise and testing. Make sure that your engineers are aware of common security pitfalls (injection, broken authentication and authorization, verbose error handling) and know how to avoid them.
- Test and assess security at early stages; do not put it off until right before production.
- Keep monitoring your apps for security vulnerabilities, especially when continuous deployment, new components or other changes are involved. The free tools available from OWASP (for example ZAP for scanning a running API, and Dependency-Check for known-vulnerable libraries) can help you find and fix weaknesses.
To sum up, API security is important and should not be neglected. Of course, it takes time to master the ins and outs of making your Application Programming Interface resistant to attack, but it will save you far more time and money than you lose if some ‘bad guy’ decides to cash in on your assets.