The hacker's backdoor

Is your application programming interface the backdoor through which hackers can break in?

I don't think anybody would disagree with me when I say mobility and the Internet of things (IOT) are two of the trends that will define business and the economy over the next three to five years.

I would even go further, and say both of them are on the verge of creating distinct types of economy. Both of them are premised on leveraging the power of the Internet to allow apps to connect with various devices. Both the mobile and IOT economies rely heavily on application programming interfaces (APIs) to provide the rapid, seamless connection with devices, and herein lies the challenge - particularly as the mobile economy connects with the IOT.

In the mobile economy, customers, employees and business partners need to be given rapid and intuitive access to the backend corporate systems - all in the name of a better customer experience and competitive advantage. Apps are used to achieve this by connecting to smart mobile devices. The name of the game is speed and ease of connection in order to allow data and/or services to be exchanged, and APIs are the most commonly used protocol to allow this to occur.

With the IOT, the primary types of devices connected are much less smart, from sensors and SCADA systems to refrigerators and security systems. Mobile devices are also increasingly used. Again, the name of the game is to make the connection and transfer of information quick and easy - APIs are typically also used.

Early birds

An important characteristic of both the mobile and IOT economies is that they are developing extremely rapidly, and companies wanting to gain an early advantage across these widening ecosystems are driven by the imperative to be first to market. This means existing APIs are being re-used, and API development generally is not receiving the attention it needs to keep up with the risks. That is the flipside, of course: the more activity there is in an area and the greater the pressure, the more attractive it is to hackers, and the more vulnerable it is likely to be.

In fact, APIs are typically programmed using representational state transfer (REST), the basic software architectural style of the whole Web. RESTful programming concentrates on enabling the smooth transaction between devices, not on authenticating who is using the device in question. Also, most devices in the IOT do not have specific users anyway, which means authentication is not possible in traditional terms. Developers try to get around this by building some sort of identity authentication into the API, but because so many of the devices do not have users, as noted, they publish to developers the identity and password for the API.

Of course, hackers know this and subscribe to the appropriate services to receive this information. And because APIs are re-used in the name of speed, a compromised API multiplies the pain.

Bringing APIs under control

Until developers are able to devote the time to rethinking how APIs work, they constitute a major security vulnerability. Unsurprisingly, the solution requires the same sort of systematic, strategic approach that characterises security in the open, connected world of today. A comprehensive API security strategy needs to be developed and implemented, sooner rather than later.

Here are three key steps:

* Manage the whole API life cycle, including the developer and business partner community. The company needs to monitor and manage how the API is used, and monitor traffic using the API. A key element will be to develop a community portal where business partners and developers can be engaged. It will also help the company to understand how the API is used, and how it affects its business and systems.

* Develop and implement an API security policy. The policy should be used to ensure apps that use the API follow the appropriate security and regulatory policies. Compliance should be built into the policy.

* Set up an API gateway. This will provide the only way for developers to access the API, and will enable the company to dictate the authentication schemes, encryption standards and security token types to validate legitimate users and applications. The gateway will also enable the company to use analytics to monitor API performance on a variety of criteria, creating a virtuous cycle of continuous improvement.
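The third step, the gateway as the single entry point that dictates the token type and validates it, can be made concrete. The following is an added example, not code from the article or from IndigoCube: it contrasts the pattern the article criticises (one published API identity/password that every device and developer shares) with a gateway that issues short-lived, per-client HMAC-signed tokens, checks them on every call, and counts accepted calls per client and rejections per reason so that usage can be monitored as step one asks. The client names, secrets, endpoints and timestamps are constructed values, and the token format is a hypothetical one chosen for illustration.

```python
"""Added example (not from the article): a minimal API-gateway check that
replaces a published static API identity/password with short-lived,
per-client HMAC tokens, and records per-client usage for monitoring.
All client names, secrets and endpoints below are constructed."""
import base64
import hashlib
import hmac
import json
import secrets
from collections import Counter

# The pattern the article criticises: one identity/password for the API,
# published to all developers and baked into devices that have no real user.
PUBLISHED_API_PASSWORD = "demo-api-password"   # constructed value


def weak_check(presented_password):
    """Anyone who has read the published developer docs passes this check."""
    return presented_password == PUBLISHED_API_PASSWORD


def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(client_id, secret, now, ttl_seconds=300):
    """Gateway-side issuance: a signed, expiring token bound to one client.
    Hypothetical format: base64url(JSON payload) '.' base64url(HMAC-SHA256)."""
    payload = {"sub": client_id, "exp": int(now) + ttl_seconds,
               "nonce": secrets.token_hex(8)}
    body = _b64e(json.dumps(payload, sort_keys=True).encode())
    sig = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64e(sig)}"


class Gateway:
    """Single entry point: validates the token, then counts calls per
    (client, endpoint) and rejections per reason for monitoring."""

    def __init__(self, client_secrets):
        self.client_secrets = client_secrets   # client_id -> bytes, kept server-side
        self.calls = Counter()                 # accepted calls per (client, endpoint)
        self.rejections = Counter()            # rejected calls per reason

    def verify(self, token, now):
        """Return (client_id, None) on success or (None, reason) on failure."""
        parts = token.split(".")
        if len(parts) != 2:
            return None, "malformed"
        body, sig = parts
        try:
            payload = json.loads(_b64d(body))
            presented = _b64d(sig)
        except ValueError:                     # covers binascii, JSON and UTF-8 errors
            return None, "malformed"
        if not isinstance(payload, dict):
            return None, "malformed"
        secret = self.client_secrets.get(payload.get("sub"))
        if secret is None:
            return None, "unknown-client"
        expected = hmac.new(secret, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, presented):   # constant-time compare
            return None, "bad-signature"
        exp = payload.get("exp")
        if not isinstance(exp, int) or exp <= now:
            return None, "expired"
        return payload["sub"], None

    def handle(self, token, endpoint, now):
        """Gate one request: 401 with a reason, or 200 with the client id."""
        client_id, reason = self.verify(token, now)
        if client_id is None:
            self.rejections[reason] += 1
            return 401, reason
        self.calls[(client_id, endpoint)] += 1
        return 200, client_id


def demo():
    """Run a constructed set of requests through the gateway."""
    now = 1_700_000_000
    gw = Gateway({"sensor-fleet-a": b"constructed-secret-a",
                  "partner-app-1": b"constructed-secret-b"})
    good = issue_token("sensor-fleet-a", b"constructed-secret-a", now)
    body, sig = good.split(".")
    forged = body + "." + ("B" if sig[0] == "A" else "A") + sig[1:]
    results = [
        gw.handle(good, "/telemetry", now),                           # accepted
        gw.handle(good, "/telemetry", now + 600),                     # past TTL
        gw.handle(forged, "/telemetry", now),                         # tampered
        gw.handle(issue_token("ghost", b"x", now), "/telemetry", now),  # no such client
        gw.handle("not-a-token", "/telemetry", now),                  # garbage
    ]
    return results, gw


if __name__ == "__main__":
    for status, detail in demo()[0]:
        print(status, detail)
```

The point of the contrast is in `weak_check`: a password that has to be published to developers cannot distinguish a legitimate device from anyone who has read the docs, whereas the gateway's per-client secret never leaves the server and a token is only good for one client for a few minutes. The counters are the start of the traffic monitoring the first step calls for; in a real deployment they would feed the analytics the gateway exposes rather than sit in memory.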

These are common sense, practical ways to ensure a company can continue to benefit from the API's ability to link apps into the mobile and IOT economies - without putting its data at risk.

Godfrey Kutumela, leader of the cyber crime and security division at IndigoCube.

Godfrey Kutumela has over 16 years' experience in security consulting and engineering, having conducted high-end security consulting engagements, and designed and delivered technical solutions on three continents. Driven by his passion for securing online and mobile applications in this new era of the Internet of things, he made a strategic move to join the newly formed IBM Security Systems Division in 2012. His role at IBM was as leader and evangelist of IBM's application security, security and threat intelligence portfolio for the Middle East and Africa market. Kutumela joined IndigoCube in June 2015 as the leader of the cyber crime and security division. His responsibilities include bringing application security integration practices to the local market and helping organisations protect their critical applications and generated data. He has also served as membership chair for the (ISC)² Gauteng Chapter since May 2015.