Understanding your API attack surface: How to get started

We live in a world of cloud computing, mobile devices and microservices. Nearly every application we interact with is powered by APIs, often many, especially when dealing with the leading cloud service providers (CSPs), mobile applications and microservice environments. This makes APIs a critical part of an organization’s attack surface.

Akamai estimates that roughly 83% of internet traffic is API-based. Other studies such as those from Salt Security state that API attacks increased over 600% from 2021 to 2022, and Gartner predicts that 90% of web-enabled applications will have broader attack surfaces due to exposed API’s. The latest study from Imperva claims that vulnerable APIs are costing organizations between $40 and $70 billion annually.

Another critical part of the expanding API attack surface is the adoption of Kubernetes and microservices. A study recently found over 380,000 exposed Kubernetes API servers, which is concerning given that the Kubernetes API server is a core control plane component to container deployments. That said, very little attention is placed on API security, despite the reality that APIs act as the glue that powers the modern digital ecosystem.

APIs are used to access and query data as well as perform activities such as enrichment and data modifications as part of processes. This means the APIs themselves must be secured as well as the data that is flowing through them.

This reality emphasizes the need for both application and data security best practices when working with APIs. As with many other areas of technology, most organizations struggle with the simple task of making an inventory of their APIs. This means most lack visibility of what APIs they have, interact with, and are relevant to their attack surface.

Organizations such as Resurface Labs and Traceable AI have begun targeting this problem, but much more work needs to be done. Here’s where organizations should begin to understand their API attack surface and its potential vulnerabilities.

How to begin assessing the API attack surface

API security can be a daunting task for organizations just beginning, particularly for large enterprises with sprawling API inventories. That said, sound practices and methodologies can be taken to get a handle on this largely unaddressed attack vector. The approach requires a combination of governance, infrastructure security, and application-level best practices to drive down organizational risk.

A great place to start, aside from taking inventory of existing organizational APIs, is to identify and understand the most common API security concerns. Luckily, the always valuable OWASP community has produced an API Security Top 10 list. This includes items such as broken object and user authorization/authentication, excessive data exposure, and a lack of rate limiting.

Broken object level authorization is a code-level construct that ensures users have access only to objects that they are authorized to access. This comes back to the ever-present concept of least-privileged access control, which is also prevalent in the push for zero trust.

Broken user authentication manifests in various forms including weak authentication mechanisms, the presence of sensitive authentication information in URLs, and credential stuffing, where malicious actors used obtained authentication information to repeatedly try and exploit authentication interfaces. Addressing these vulnerabilities involves understanding authentication flows, mechanisms and using industry-based standards for authentication.

Excessive data exposure is an all-too-common problem. When it comes to APIs, this vulnerability generally occurs when an API returns sensitive data in response to user activities that it shouldn’t have exposed. Organizations can address these vulnerabilities by validating the data that API responses contain and ensuring sensitive data isn’t contained inadvertently. Organizations should also implement response validation mechanisms to ensure that sensitive data isn’t being exposed.

A lack of rate limiting controls is more tied to impacting the availability of systems rather than a compromise of confidentiality or integrity as mentioned with some of the other leading common vulnerabilities. Given that APIs are often functioning as the glue that binds modern microservices, clouds and mobile applications, all used to ultimately deliver value to customers and drive revenue, impacting availability is a significant concern. Business interruption can mean loss of revenue or customer trust. If you’re in the public sector or national security, it could have an impact on critical civic services and national security.

These problems may seem obvious to the seasoned security practitioner given authentication, authorization and denial of service (DoS) attacks are commonplace. That said, when you account for some of the metrics provided earlier regarding both the prevalence of APIs in organizations and on the internet, coupled with the rapidly increasing rate of attacks against APIs from malicious actors, the potential risk becomes compounded.

APIs enable lateral movement 

Given that APIs often serve as a front door to applications and digital environments, attacks against APIs are often used to move laterally across systems. APIs can serve an initial attack vector and then be used to access underlying systems, workloads and data. This makes securing them exponentially important. The primary attack vectors for APIs include object and user-level authentication and authorization. So, malicious actors aren’t after the APIs per se, but the data they have access to and transport as well as the underlying systems they often sit in front of.

More focus on API security

While many of the attack vectors may not seem unique to APIs, they become very concerning when you couple them with the pervasive presence of APIs in the modern digital ecosystem. Luckily, several trends are emerging including increased investment in API security startups and products, more guidance around API security, and an increased industry awareness of just how problematic insecure APIs can be.

If APIs have become the ties that bind the modern digital ecosystem, it’s imperative as an industry we ensure those ties are sound and we don’t have an ecosystem bound by bubblegum and shoestrings. While the legacy model of perimeter-based security may have fallen to the wayside, APIs still serve as a critical entry and pivot point for modern systems. This includes not just externally facing systems, but internally communicating systems as well.

We’re also seeing efforts to secure the software supply chain. That chain is bound together via APIs as the primary method of communication between software driven systems. This points API security as a core component of the broader software supply chain ecosystem that warrants security and rigor as well.

Related: 9 API security tools on the frontlines of cybersecurity