Get ready to boost your API security! Did you know that every API you publish is like punching a hole in your company’s security blanket? With all that sensitive data now exposed to the internet, it’s more important than ever to nail down data flows, authenticate users, control access, and keep an audit trail.
This article with insights from 42Crunch co-founder and CTO Isabelle Mauny, explains to developers today’s API security woes and how to tackle them during development. Let’s level up your API game!
Common API cybersecurity issues
Data breaches through APIs are an increasingly serious problem, as evidenced by a recent report from apisecurity.io. The report highlights just how quickly this form of security breach is rising and how devastating the effect can be.
Furthermore, apisecurity.io notes that API breaches are both more frequent and potentially more damaging than website security breaches, since they are often hidden from view in plain sight.
Companies at risk of API-related data breaches must remain vigilant and have plan in place to mitigate any potential risks posed by the internet-connected systems utilized by their businesses.
These are the most frequent causes of API security breaches:
- Input validation issues
- Bad security configuration
- Data exception/leakage
Tips for improving API security
Here are some recommendations based on Isabelle Mauni’s talk (you can also watch the full video at the end of the article).
- Secure architecture: when designing an API architecture, it’s important to make sure that data is not exposed to any kind of user. Instead, add a controller layer for those who need it only. This will help ensure that only authorized users can access the data they need.
- Use tools: OWASP API Security can help expose your API’s problems. This tool helps you identify common vulnerabilities in your API and provides guidance on how to fix them.
- Control access tokens: avoid access token misuse by using short-lived access tokens, authenticating apps, and restricting token usage as much as possible. This will help prevent unauthorized users from accessing sensitive data or making changes without permission.
- Block unauthorized calls: block un-authorized calls by detecting non-specified verbs in the API contract and rejecting paths that are not described in the API contract. Additionally, validate users’ proper access rights before allowing them to make requests or changes.
- Avoid security misconfiguration: remember the famous Equifax breach of 2017? Make sure all configurations are up-to-date and secure before deploying an application or service with an API component.
By following these five points about API security, developers working on their company’s cybersecurity strategies can ensure their APIs are secure and protected against malicious actors trying to gain access to sensitive information or make unauthorized changes.
Watch the full video below!
The Equifax Breach: lessons learned
In 2017, Equifax, one of the three major credit reporting bureaus in the United States, suffered a data breach that exposed the personal information of 147 million people. This was one of the largest data breaches in history and it exposed a massive security flaw in Equifax’s systems.
The Equifax data breach happened on July 29th, 2017 and was not discovered until September 7th. During that time, attackers were able to gain access to personal information such as names, addresses, Social Security numbers, birth dates, driver’s license numbers and more.
The attack was made possible by an Apache Struts vulnerability which allowed attackers to exploit a flaw in Equifax’s systems.
What did we learn from Equifax
The most important lesson from this breach is that security vulnerabilities must be taken seriously. These can exist for years without being detected or addressed. Companies must make sure their systems are regularly monitored for any potential risks and that any discovered vulnerabilities are patched as soon as possible.
In addition to keeping systems updated with security patches, companies should also focus on developing robust authentication processes. Strong passwords and two-factor authentication can go a long way towards protecting sensitive data. Additionally, companies should consider using encryption to further secure their data from potential attackers.
Finally, it’s important for companies to have a comprehensive plan for responding to any potential breaches that may occur in the future. Such plans should include steps for quickly containing any breaches and notifying affected customers as soon as possible.
The Equifax data breach was one of the largest ever recorded and serves as an important reminder of how important it is for companies to keep their systems secure at all times.
More about Isabelle Mauny
Isabelle is the co-founder and CTO of 42Crunch, a company on a mission to make API security as easy as possible for developers and security teams. She has more than 25 years of experience in the development of large scale applications. After 15 years at IBM in various technical roles including product management, pre-sales, services and R&D, Isabelle joined a startup and decided in 2016 it was about time to start her own. At 42Crunch, Isabelle oversees product engineering and product marketing. Isabelle is a frequent speaker at technical conferences around the world.