APIs present a growing risk to data security, according to David Moss, API security specialist – UK, Ireland and southern Africa at Akamai, and Ntando Mngomezulu, cloud security manager at Old Mutual.
Addressing attendees at the ITWeb Security Summit in Sandton last week, Moss and Mngomezulu highlighted the risks associated with APIs and approaches to mitigating them.
Moss noted: “APIs are now the single biggest attack vector facing an organisation. Simply put, they are the front door to data.”
Said Mngomezulu: “If data is the new oil, APIs are the pipeline. In traditional attacks, once the attacker breached the perimeter, they almost always set their sights on either the domain controller or the database – and the data is how they profit from their misdeeds. With modern-day APIs, you’ve got the data sitting right at the perimeter. You’re cutting out all the extra steps attackers have to take.
“From a developer’s perspective, if you think about the modern rapid release software culture, there’s an entire ecosystem of supporting infrastructures and frameworks geared to making this possible – like microservices. These expose their functionality using APIs. And the containerisation microservices run on – like Kubernetes – have their control planes exposed via APIs. The entire stack is riddled with APIs.”
Mngomezulu said API attacks differ from many other attacks in that they exploit logic flaws, and that malicious API traffic is harder to detect. Vulnerabilities also take longer to address, he said.
Mngomezulu recommended that organisations mitigate the risk across the design, development, deployment and decommission phases.
“In the design phase, you want to classify data as soon as possible to focus your attention on the most sensitive data. You also need to define and implement strong authentication and authorisation, and also define your API contract. In the develop and deploy phase, training should be taken seriously, and active and passive API testing should take place. In the decommissioning phase, it’s extremely important that you decommission outdated APIs.
“Companies need scale and visibility to manage the risks, so you can try to gain your visibility by using agents either upstream or downstream,” he said.