Browse Library
Sign In Start Free Trial
Close icon Search icon
Account
Browse Library Advanced Search Sign In Start Free Trial

Add to playlist

Create a Playlist

Modal Close icon
You need to login to use this feature.
  • Book Overview & Buying Defending APIs
  • Table Of Contents Toc
  • Feedback & Rating feedback
Defending APIs

Defending APIs

By : Colin Domoney
4.3 (10)
Buy this Book
close
close
Defending APIs

Defending APIs

4.3 (10)
By: Colin Domoney
Buy this Book

Overview of this book

Along with the exponential growth of API adoption comes a rise in security concerns about their implementation and inherent vulnerabilities. For those seeking comprehensive insights into building, deploying, and managing APIs as the first line of cyber defense, this book offers invaluable guidance. Written by a seasoned DevSecOps expert, Defending APIs addresses the imperative task of API security with innovative approaches and techniques designed to combat API-specific safety challenges. The initial chapters are dedicated to API building blocks, hacking APIs by exploiting vulnerabilities, and case studies of recent breaches, while the subsequent sections of the book focus on building the skills necessary for securing APIs in real-world scenarios. Guided by clear step-by-step instructions, you’ll explore offensive techniques for testing vulnerabilities, attacking, and exploiting APIs. Transitioning to defensive techniques, the book equips you with effective methods to guard against common attacks. There are plenty of case studies peppered throughout the book to help you apply the techniques you’re learning in practice, complemented by in-depth insights and a wealth of best practices for building better APIs from the ground up. By the end of this book, you’ll have the expertise to develop secure APIs and test them against various cyber threats targeting APIs.
Table of Contents (19 chapters)
close
close
close
Preface
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the example code files
Conventions used
Get in touch
Share Your Thoughts
Download a free PDF copy of this book
1
Part 1: Foundations of API Security
Part 1: Foundations of API Security
Free Chapter
2
Chapter 1: What Is API Security?
chevron up
Chapter 1: What Is API Security?
Why API security is important
Exploring API building blocks
Examining API data formats
Understanding the elements of API security
Setting API security goals
Summary
Further reading
3
Chapter 2: Understanding APIs
Chapter 2: Understanding APIs
Understanding HTTP fundamentals
Exploring the types of APIs
Access control
Using JWTs for claims and identity
Summary
Further reading
4
Chapter 3: Understanding Common API Vulnerabilities
Chapter 3: Understanding Common API Vulnerabilities
The importance of vulnerability classification
Exploring the Open Worldwide Application Security Project API Security Top 10
Vulnerabilities versus abuse cases
Business logic vulnerabilities
Preview of the Open Worldwide Application Security Project API Security Top 10 2023
Summary
Further reading
5
Chapter 4: Investigating Recent Breaches
Chapter 4: Investigating Recent Breaches
The importance of learning from mistakes
Examining 10 high-profile API breaches from 2022
Key takeaways and learning
Summary
Further reading
6
Part 2: Attacking APIs
Part 2: Attacking APIs
7
Chapter 5: Foundations of Attacking APIs
Chapter 5: Foundations of Attacking APIs
Technical requirements
Understanding API attackers and their methods
Mastering the tools of the trade
Learning the key skills of API attacking
Summary
Further reading
8
Chapter 6: Discovering APIs
Chapter 6: Discovering APIs
Technical requirements
Passive discovery
Active discovery
Implementation analysis
Summary
Further reading
9
Chapter 7: Attacking APIs
Chapter 7: Attacking APIs
Technical requirements
Authentication attacks
Authorization attacks
Data attacks
Injection attack
Other API attacks
Summary
Further reading
10
Part 3: Defending APIs
Part 3: Defending APIs
11
Chapter 8: Shift-Left for API Security
Chapter 8: Shift-Left for API Security
Technical requirements
Using the OpenAPI Specification
Leveraging the positive security model
Conducting threat modeling of APIs
Automating API security
Thinking like an attacker
Summary
Further reading
12
Chapter 9: Defending against Common Vulnerabilities
Chapter 9: Defending against Common Vulnerabilities
Technical requirements
Authentication vulnerabilities
Authorization vulnerabilities
Data vulnerabilities
Implementation vulnerabilities
Protecting against unrestricted resource consumption
Defending against API business-level attacks
Summary
Further reading
13
Chapter 10: Securing Your Frameworks and Languages
Chapter 10: Securing Your Frameworks and Languages
Technical requirements
Managing the design-first process in the real world
Using code-generation tools
Summary
Further reading
14
Chapter 11: Shield Right for APIs with Runtime Protection
Chapter 11: Shield Right for APIs with Runtime Protection
Technical requirements
Securing and hardening environments
Using WAFs
Using API gateways and API management
API monitoring and alerting
Selecting the correct protections for your APIs
Summary
Further reading
15
Chapter 12: Securing Microservices
Chapter 12: Securing Microservices
Technical requirements
Summary
Further reading
16
Chapter 13: Implementing an API Security Strategy
Chapter 13: Implementing an API Security Strategy
Ownership of API security
The 42Crunch maturity model
Planning your program
Running your program
Your personal API security journey
Summary
Further reading
17
Index
Index
Why subscribe?
18
Other Books You May Enjoy
Other Books You May Enjoy
Packt is searching for authors like you
Share Your Thoughts
Download a free PDF copy of this book

Why API security is important

The Open Web Application Security Project (OWASP) published its first OWASP API Security Top 10 list in December 2019, and since then, the API security community has grown rapidly, with API security start-ups attracting significant investment and increasing interest from developers and security practitioners alike to learn resources on the topic. Unfortunately, during this period, there has also been a marked rise in the number of security incidents relating to insecure APIs. Recent analysis suggests a 681% rise in API attacks and that nearly one in two organizations has experienced a security incident related to APIs.

In a way, APIs are a victim of their own success – because of their rapid proliferation and the high economic value of the data they protect, they are now the most popular target for attackers.

We’ll now have a look at the so-called API economy and how the near-exponential growth in the number of APIs creates challenges for organizations as they become the favorite vector for attackers.

The growth of the API economy

To fully appreciate the importance of API security, let us first consider the growth of the so-called API economy. Let’s understand a bit more about what is meant by this term – Forbes defines an API economy as “an enabler for turning a business or organization into a platform.” A platform can leverage APIs to do the following:

  • Provide services and data to consumers for a price
  • Consume services and data from other providers to enhance your business

What is the API economy?

The API revolution has led to the emergence of API-first businesses such as Twilio and has allowed other organizations to expose their core offerings via APIs (Google Maps is a good example). The disruptive nature of the API economy is best seen in the financial services industry – typically, this has been an industry resistant to innovation due to regulatory and compliance requirements. By using APIs to expose selected core services, banks can embrace new models without disrupting their core IT systems. By adopting open standards that can be certified – such as the Open Banking API – banks can achieve interoperability while ensuring transactional integrity. The online money transfer service Wise uses APIs to provide B2B and B2C services and offers banking-as-a-service (BaaS) to third parties by renting out their APIs.

Advantages of an API economy

There are several key benefits to an API economy:

  • Reduced time-to-market: Organizations can use APIs to consume services from third parties rather than having to create those services themselves, resulting in faster development life cycles.
  • Drive value: Organizations can expose new and innovative services using APIs and open new markets.
  • Competitive advantage: By getting to market faster and using APIs to drive innovation, adopters can increase their competitive advantage.
  • Improved efficiency: APIs allow IT teams to deliver immediate value by exposing APIs, rather than having to build and deploy mobile or web applications.
  • Security: Mobile and web applications expose a vast attack surface to adversaries. By focusing development on APIs, this attack surface can be reduced and focus given to the hardening and security of these APIs.

API adoption allows organizations to deliver more value and functionality while simultaneously reducing cost and time to market.

The scale of the API economy

It is difficult to provide an accurate estimation of the scale of an API economy, and even if it was possible, this estimate would soon be invalidated due to the nearly exponential growth of the space. The API community at Nordic APIs (https://nordicapis.com/20-impressive-api-economy-statistics/) has produced a survey on the scale of the API economy; the following are some headline figures:

  • Over 90% of developers use APIs
  • The popular API test platform Postman has over 46 million API collections
  • 83% of all internet traffic belongs to APIs
  • There are over 2 million API GitHub repositories
  • The API management market is valued at $5.1 billion in 2023
  • 93% of communication service providers use OpenAPI specifications
  • 91% of organizations have had an API security incident

On the back of a growing API economy, major capital investment has poured into the market for API tool vendors, management platforms, and security tools.

Challenges to an API economy

The rapid adoption of APIs brings with it several challenges in addition to the benefits. The first challenge is that of inventory — because APIs can be easily built and deployed and have a finite lifetime, organizations are struggling to keep track of their API inventory, resulting in shadow (hidden) and zombie (outdated) APIs.

The second challenge is that of governance — as APIs proliferate, organizations face challenges with governing the development and deployment process, ensuring that data and privacy requirements are met and that the API life cycle is managed from cradle to grave.

The biggest challenge, however, is that of security. As noted earlier in this section, APIs can reduce an organization’s overall attack surface; however, this comes at the cost of a new security paradigm – APIs are a new attack surface, and the threats are different. In the next section, we’ll explore these security challenges in more detail.

APIs are popular with developers

Developers love APIs — nearly all developers work with APIs and nearly all modern architectures are API-centric. While containerization has driven the breakdown of the monolith and the emergence of microservices, it is APIs that form the connecting tissue between these services.

The benefit of APIs to developers are numerous, including the following:

  • They form an abstraction between services and allow encapsulation of functionality.
  • They define a clear interface via an OpenAPI specification that serves as a contract for the API.
  • They allow a truly polyglot environment where different APIs can be implemented in the most suitable programming language for the task at hand.
  • They simplify data exchange as APIs generally use JSON, XML, or YAML.
  • They facilitate ease of testing, using tools such as Postman or tools that can validate API functionality against the OpenAPI Specification.
  • They propel ease of development. The API development ecosystem is rich with powerful tooling for the development and testing of APIs. Moreover, fully featured API frameworks exist for most modern programming languages.

These factors have fueled the API-first paradigm where applications are built in a bottom-up approach, starting with the APIs, then the business logic, and the user interface (UI) last.

APIs are increasingly popular with attackers

While APIs are undoubtedly popular with developers, they are even more popular with attackers. Gartner reports that APIs are the number one attack vector for cybercriminals in 2022, and barely a week goes by without an API breach or vulnerability being disclosed.

There are several key reasons why APIs are a favored attack target:

  • APIs are likely to be publicly accessible: By their nature, APIs are intended to be interconnected with other systems, requiring them to be exposed on public networks. This facilitates easy discovery and attack by adversaries.
  • APIs are often well documented: To aid easy adoption and integration, good APIs should be documented using tools such as the Swagger UI. Unfortunately, such documentation can also be invaluable to attackers in understanding how the APIs work.
  • API attacks can be automated: API interaction is headless (not requiring a UI or human interaction) and can easily be automated with scripts or dedicated attack tools. APIs are, in many cases, easier to attack than mobile or web applications.
  • APIs expose valuable data: Most importantly, APIs are designed to allow access to key data assets (PII, financial, or market data), which are likely to be the highest prize for an attacker. Attackers increasingly attack APIs that inadvertently expose excessive data or allow mass exfiltration, which might not be the case with a well-crafted UI.

Your existing tools do not work well for APIs

The relatively recent emergence of APIs as the de facto conduit for application connectivity poses significant challenges to security teams and testers. Much of the existing application security (AppSec) tooling that exists was designed in an era when web applications were the primary asset to be protected. Common security tools such as static application security testing (SAST), dynamic application security testing (DAST), and software composition analysis (SCA) are far less effective in assessing APIs than they are with web or mobile applications.

Traditional perimeter protections such as network firewalls or web application firewalls (WAFs) are ineffective in protecting APIs, since they lack the context of the API interface and the expected request and response traffic. Such tools tend to be high in both false positives and false negatives.

More modern API technologies, such as API management portals (APIMs) and gateways, are essential for the operation of APIs at scale, but while they do provide security features, they do not address all attack vectors.

The key takeaway is that while tools are important as part of a defense strategy, they need to be augmented by solid defensive design and coding techniques — this is the focus of the final section of this book.

Developers often lack an understanding of API security

It is important to understand why insecure code exists in the first place if we want to address the problem.

Developers are, by nature, creative problem solvers who thrive on a challenge – unfortunately, this leads them to be over-optimistic, which can lead them to take shortcuts and optimizations, or perhaps work to unrealistic delivery schedules. This is so-called happy path coding, where developers do not fully appreciate how their code could fail or be misused by an attacker, sometimes with dire consequences.

Coupled with over-optimism is a sense of over-confidence – developers will assume they fully understand a problem but may be unaware that they are missing some crucial detail or subtlety, which again can have adverse effects. An example is the adoption of a new API framework and not carefully considering the default settings and deploying a vulnerable product.

Developers will often have a misplaced sense that bad things only happen to other people and not them. Despite witnessing examples of well-known breaches, many developers believe they will never fall victim to a similar misfortune. This general phenomenon is known as the schadenfreude effect.

The development process can be stressful with constant pressure to deliver to schedule, and this can result in compromising full implementation in favor of meeting deadlines. For example, this can include the omission of error handling code or data validation with the intent of coming back to implement them in later releases. With time pressures, this rarely happens, and code is often left in an incomplete state.

Often, developers inherit a code base to maintain that may contain significant technical debt or legacy code. Without a full understanding of the system and its complexities and foibles, developers may be disinclined to make changes to the code base in case they break functionality.

End of Section 2
Next Section
bookmark search playlist download
font-size

Change the font size

margin-width

Change margin width

day-mode

Change background colour

Close icon Search
Country selected
Close icon Your notes and bookmarks

Delete Bookmark

Modal Close icon
Are you sure you want to delete it?
Cancel
Yes, Delete

Confirmation

Modal Close icon
claim successful
Order Page Read Now

Buy this book with your credits?

Modal Close icon
Are you sure you want to buy this book with one of your credits?
Close
YES, BUY