Cybersecurity, Privacy, and APIs
Mitigating Security Risks of APIs for Business Organizations
Our personally identifiable information matters and cybersecurity is not a joke.

Introduction
APIs are fantastic, critical, and innovative tools for service providers, consumers, and partners. They are a vital part of mobile, Cloud, IoT, and web applications, enriching internal applications as well as consumer-facing and partner-facing services. Without APIs, we cannot produce and scale innovative solutions rapidly.
However, according to a recent investigation, 44% of enterprises face security risks related to their use of APIs (Application Programming Interfaces). This is a significant issue, because APIs are critical for digital transformation, for participating in digital ecosystems, and for the global economy.
In this post, I introduce APIs and what we can do to reduce security risks without compromising functionality. Performance and security go hand in hand. We need both to survive and thrive in our businesses. The key issue with APIs relates to the concept of Personally Identifiable Information (PII). This type of information is the bread and butter of hackers.
The State of API Economy 2021 report (in a downloadable e-book format) by Google “explains why APIs are central to organizations’ needs and digital transformation efforts. This report is based on Google Cloud’s Apigee API Management Platform usage data, customer case studies, and analysis of several third-party surveys conducted with technology leaders from enterprises with 1,500 or more employees across the United States, United Kingdom, Germany, France, South Korea, Indonesia, Australia, and New Zealand.”
According to this Google report, 58% of global enterprise IT decision-makers found APIs expedited new application development. Additionally, 53% of respondents found APIs vital to building more effective products and creating digital experiences.
Common Security Concerns Related to APIs
There is much disappointing news related to the misuse of APIs and its consequences for consumers. You probably read the news piece published last April titled Experian API Exposed Credit Scores of Most Americans.
As mentioned in the report, “Big-three consumer credit bureau Experian just fixed a weakness with a partner website that let anyone look up the credit score of tens of millions of Americans just by supplying their name and mailing address, KrebsOnSecurity has learned. Experian says it has plugged the data leak, but the researcher who reported the finding says he fears the same weakness may be present at countless other lending websites that work with the credit bureau.”
As the report titled “Experian’s Credit Freeze Security is Still a Joke” mentions, “Dune Thomas is a software engineer from Sacramento, who put a freeze on his credit files last year at Experian, Equifax and TransUnion after thieves tried to open multiple new payment accounts in his name using an address in Washington state that was tied to a vacant home for sale.”
Another example that we heard in the news earlier this year was related to Facebook APIs. The headline read “Bot Lets Hackers Easily Look Up Facebook Users’ Phone Numbers: The person selling access to the service claims it has data on 500 million Facebook users.” This breach involved the use of an API in a way the developers did not intend: the vulnerability was exploited by hackers feeding phone numbers into the API.
This news item in Security Magazine informed us that “Peloton’s leaky API has allowed any hacker to obtain any user’s account data — even if that user had set their profile to private. The vulnerability, which security research firm Pen Test Partners discovered, allowed requests to go through for Peloton user account data without checking to make sure the request was authenticated. As a result, the exposed API could let anyone access any Peloton user’s age, gender, city, weight, workout stats, and birthday.”
Several platforms have been affected by web scraping carried out through their APIs. For example, this article on CPO Magazine pointed out that “Hot on the heels of high-profile data scraping incidents at Facebook and LinkedIn that compromised hundreds of millions of accounts, the personal information of about 1.3 million users of social media darling Clubhouse has been found posted to a hacker forum.”
According to this report on Vice, a security researcher found two bugs that allowed him to find customers who had purchased John Deere tractors or equipment. There was no evidence that hackers exploited these flaws, but the bugs could have doxed John Deere tractor owners.
There are many more eye-opening examples in the security news. I assume you understand the magnitude of the issue at the global scale. What can we do? Understanding the risks, vulnerabilities, and issues is the critical first step.
Understanding API Risks and Vulnerabilities
The Open Web Application Security Project® (OWASP) “is a nonprofit foundation that works to improve software security. Through community-led open-source software projects, hundreds of local chapters worldwide, tens of thousands of members, and leading educational and training conferences, the OWASP Foundation is the source for developers and technologists to secure the web.”
Here are the top 10 API risks identified by the OWASP Foundation in its API Security Top 10.
Broken Object Level Authorization
Broken User Authentication
Excessive Data Exposure
Lack of Resources and Rate Limiting
Broken Function Level Authorization
Mass Assignment
Security Misconfiguration
Injection
Improper Assets Management
Insufficient Logging and Monitoring
You can download this comprehensive and valuable document at this link free of charge. I also highly recommend a review of this resource related to API security by the Australian Government. This resource points out that “applying the right level of security will allow your APIs to perform well without compromising on the security risk.”
In a nutshell, let’s keep in mind that APIs expose not only critical user information but also application data and logic, and, more importantly, they enlarge the attack surface available to hackers.
So, in addition to using the vulnerability scanning tools pointed out by OWASP (which check for cross-site scripting, SQL injection, command injection, path traversal, and insecure server configuration), we can also leverage API security gateways. These gateways allow us to restrict access to APIs by establishing rules on how each data request must be handled before it reaches the application.
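The following example, added here and not code from the original post or from OWASP, shows what the OWASP list above and the gateway rules just described look like in practice on a single “GET /api/users/{id}” endpoint. It places a naive handler of the kind described in the Peloton story (no authentication check, whole record returned) beside a hardened handler that applies four of the Top 10 controls in order: rate limiting, user authentication, object level authorization, and an allow-list against excessive data exposure. The user records, bearer tokens, and the Request/Response/RateLimiter classes are all constructed for this illustration and stand in for a real framework and identity store.

```python
"""
Toy API gateway illustrating four OWASP API Security Top 10 controls on a
single "GET /api/users/{id}" endpoint. All data, tokens, and handlers are
constructed for this example; none of it comes from a real framework.
"""
import time
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Optional

# Constructed backend records: the full profile a naive handler hands back
# wholesale (compare the Peloton description: age, city, weight, birthday).
USERS = {
    "u1": {"id": "u1", "name": "Alice", "city": "Sacramento",
           "birthday": "1990-01-01", "weight_kg": 60, "password_hash": "$2b$..."},
    "u2": {"id": "u2", "name": "Bob", "city": "Denver",
           "birthday": "1985-06-15", "weight_kg": 82, "password_hash": "$2b$..."},
}

# Constructed bearer tokens standing in for a real session/identity store.
TOKENS = {"tok-alice": "u1", "tok-bob": "u2"}

# Allow-list of what a caller who is NOT the profile owner may see.
PUBLIC_FIELDS = ("id", "name")
# Never returned to anyone, owner included.
SECRET_FIELDS = ("password_hash",)


@dataclass
class Request:
    path: str
    headers: dict = field(default_factory=dict)
    client_ip: str = "0.0.0.0"


@dataclass
class Response:
    status: int
    body: object


class RateLimiter:
    """Sliding-window limiter: at most `limit` hits per key per `window_s`."""

    def __init__(self, limit: int, window_s: float):
        self.limit = limit
        self.window_s = window_s
        self._hits = defaultdict(deque)

    def allow(self, key: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        hits = self._hits[key]
        while hits and now - hits[0] >= self.window_s:  # drop expired hits
            hits.popleft()
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


def _user_id_from_path(path: str) -> str:
    return path.rstrip("/").rsplit("/", 1)[-1]


def vulnerable_get_user(req: Request) -> Response:
    """The 'before': no auth, no ownership check, the whole record returned."""
    user = USERS.get(_user_id_from_path(req.path))
    if user is None:
        return Response(404, {"error": "not found"})
    return Response(200, dict(user))


def hardened_get_user(req: Request, limiter: RateLimiter,
                      now: Optional[float] = None) -> Response:
    """The 'after': gateway rules applied in order, cheapest check first."""
    # 1. Lack of Resources & Rate Limiting: throttle before doing any work.
    if not limiter.allow(req.client_ip, now):
        return Response(429, {"error": "rate limit exceeded"})
    # 2. Broken User Authentication: require a known bearer token.
    auth = req.headers.get("Authorization", "")
    caller = TOKENS.get(auth[len("Bearer "):]) if auth.startswith("Bearer ") else None
    if caller is None:
        return Response(401, {"error": "authentication required"})
    # 3. Broken Object Level Authorization: decide, per object, what THIS
    #    caller may see rather than trusting the id in the URL.
    target_id = _user_id_from_path(req.path)
    user = USERS.get(target_id)
    if user is None:
        return Response(404, {"error": "not found"})
    # 4. Excessive Data Exposure: filter by allow-list, not by "strip a few".
    if caller == target_id:
        body = {k: v for k, v in user.items() if k not in SECRET_FIELDS}
    else:
        body = {k: user[k] for k in PUBLIC_FIELDS}
    return Response(200, body)


if __name__ == "__main__":
    lim = RateLimiter(limit=5, window_s=60)
    anon = Request("/api/users/u1", client_ip="203.0.113.7")
    print("vulnerable, anonymous:", vulnerable_get_user(anon).body)
    print("hardened, anonymous:", hardened_get_user(anon, lim).status)
    bob = Request("/api/users/u1", {"Authorization": "Bearer tok-bob"}, "203.0.113.7")
    print("hardened, other user:", hardened_get_user(bob, lim).body)
```

The order of the checks matters: the rate limiter runs first so that unauthenticated traffic cannot exhaust the backend, and the response is built from an allow-list so that a new sensitive column added to the record later is not exposed by default. Logging each 401, 404 and 429 with the client IP and target id would address the tenth item on the list, insufficient logging and monitoring.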
Conclusions
APIs are critical and innovative tools for service providers, consumers, and partners. Without APIs, we cannot enjoy and benefit from the richness of online information. In addition, business organizations depend on APIs to disseminate information timely to their consumers. They also need to use APIs to collaborate with partners.
However, our personally identifiable information is critical for safety, security, and privacy. This type of information is sought after by hackers for various purposes. The key goal is to protect this information with rigor. Technology is a double-edged sword.
Technical precautions are only one aspect of the essential measures. In addition, policies, processes, and procedures set by business decision-makers are critical. Cybersecurity is not a joke. I shared my insights about the implications of ransomware for our economy and well-being in this article.
For example, privacy governance schemes such as GDPR in Europe, the Cybersecurity 202 in the US, and the Australia Privacy Act are essential for businesses to follow in practice. You can find other countries with GDPR-like data privacy laws at this link.
With the emergence of artificial super-intelligence systems, we must consider the risk factors posed by APIs when protecting our personally identifiable information. Misuse of deep fake technologies was a wake-up call for society. These eleven emerging technologies make it paramount to consider APIs and protect our private information.
Thank you for reading my perspectives.
Here is a valuable and short video shedding light on API security. The video provides insights from Stan Wisseman, Chief Security Strategist at Micro Focus Fortify.