Application Programming Interfaces (APIs)

Enabling the business securely

Dimitri Gavriilopoulos

Dimitri Gavriilopoulos

Manager Advisory, Cyber Security Services, KPMG US

+1 312-665-8544

Caleb Queern

Caleb Queern

Director, Cyber Security, KPMG US

+1 571-228-8011

An API (Application Programming Interface) is software that allows communication between two systems. APIs are increasingly popular building blocks of modern applications due to the flexibility they offer to businesses. Unfortunately, many organizations are still learning how to secure their portfolio of APIs, cyber criminals have noticed the opportunity to steal data made available by APIs, and more breaches appear in the headlines.

A common problem is the lack of visibility into active API deployments and their existence within a company’s ecosystem. Too often, development teams deploy APIs into production on the internet without the API being registered in their organization’s registry of hardware and software assets, commonly referred to as a “CMDB” or Configuration Management Database. When APIs aren’t visible to the broader organization, security controls may not be applied to protect the API from attackers.

Recognizing APIs’ growing importance, the application security industry’s thinktank OWASP recently produced its “Top 10” API vulnerabilities to describe how cyber criminals take advantage of vulnerable APIs. Two stand out:

  1. Broken Authentication lets attackers who have assumed the identity of other legitimate users use an API
  2. Object Level Authorization gives an attacker access to specific data meant for other users by poorly checking a user’s permissions

Organizations can, of course, reduce significant risk of APIs and take advantage of the innovation and speed they offer by performing a few foundational, preventative behaviors. The risk presented by putting APIs into production that are largely unknown by the broader organization and security teams can be overcome by hard coding a requirement in development teams’ backlogs to register their software into the CMDB early in the project. Use of classic static and dynamic application security testing early in the development process can be effective; however, more recent technologies offer the efficient approach of providing a thorough understanding of the inner workings of an API definition file, which provides a description of the API, its structure, data elements and limitations. Intimate understanding of such design early in the development process can prevent future attacks that might happen when the API is live. This focus on security earlier in the development process is often described as “shifting left” in Secure DevOps parlance.

Of course, once an API is in production the right monitoring at the network and webserver level goes a long way and bug bounty programs can provide visibility into vulnerabilities in your APIs you might have missed.

While APIs do present challenges – some novel, some not – to an organization’s security, there’s no denying their value in delivering innovation rapidly. Accelerating business outcomes using modern software patterns and staying secure is possible with forethought and a balance of security controls, behaviors, and capabilities.