Opinion: Gaping Holes in Security of APIs

APIs are a business accelerator. But, poorly designed, they can also empower cyber criminals and malicious actors, says Neeraj Khandelwal of Barracuda Networks.
APIs are a business accelerator. But, poorly designed, they can also empower cyber criminals and malicious actors, says Neeraj Khandelwal of Barracuda Networks.

In-brief: In this, the first in a three-part series on REST API, Neeraj Khandelwal of Barracuda Networks discusses the growing importance of application program interfaces to business success, and how API insecurity poses a significant and under-appreciated risk to businesses.

For a while now, application program interfaces (APIs) have been considered a tactical tool in driving a broader business strategy. Articles on popular websites like Forbes hail the advent of the “API Economy,” while influential consulting firms like McKinsey note the ways in which forward-looking firms like Salesforce.com have turned APIs into a reliable business driver and revenue generator. In the evolving digital landscape, APIs are increasingly considered a lynchpin of core business strategy in both the enterprise or consumer spaces. Today, everyone from hospitality, travel, content, media, health to finance and manufacturing is dabbling in APIs.

Neeraj Khandelwal is a  Senior Product Manager at Barracuda Networks
Neeraj Khandelwal is a
Senior Product Manager at Barracuda Networks

There are many factors that contributed to the growth of the “API economy.” First was a technology shift, as JavaScript Object Notation (JSON) supplanted earlier technologies like Extensible Markup Language (XML), Rich Site Summary (RSS), and Atom. At the same time Representational State Transfer (REST) eclipsed legacy service-oriented architecture (SOA).

While not complete, evidence for this shift is everywhere. Twitter abandoned their XML based API in favor of JSON and REST. Oracle, a traditional SOA player, has espoused REST for their big data, Non-structured Query Language (NoSQL), and relational database offerings. For example, the Netflix API has been optimized to overcome shortcomings in their RESTful APIs.

Traditional, website-only businesses are also jumping on the API bandwagon exploring new ways of doing business, engaging internal and external developers, driving business through affiliate partners and streamlining their own business processes. APIs, especially JSON/REST are also considered to increase business agility. Modern web application programming frameworks such as node.js and Angular JS have further spurred the adoption of JSON/REST with the developer community.

While “API strategy” is becoming an important business mantra, there is a gaping hole in API security. Just as an API can boost business, an API breach can bring it crashing down. Relaxed security in legacy internal-facing SOA services is ill-equipped to face the hostile environment that is the Internet. Even if security was built into the internal services it is often made obsolete by new threats. Furthermore, most enterprise backend systems comprise a dizzying array of incompatible legacy- and acquired technologies. Re-architecting or retro-fitting security in such systems is often not possible, especially given time-to-market pressures.

Irrespective of your goals, motivations, and technology or architectural preferences, APIs are just another front end to your core backend services. A majority of your users may already be reaching you through myriad apps exercising your APIs, rather than through browsers. However, the backend services and their security requirements remain the same.

The evolution of APIs has ushered new paradigms of interactions over Hypertext Transfer Protocol (HTTP), which traditional security technologies like SOA gateways, Intrusion Prevention Systems (IPS) and Intrusion Detection Systems (IDS) and web application scanners struggle to deal with. As an example, the use of JSON in HTTP requests presents new conduits through which untrusted data can reach backend services or an end user’s browser, where it is consumed. Similarly, would-be attackers can pass user inputs within the URL path (rather than URL query) with REST, breaking legacy security tools.

Another challenge with APIs is service availability. APIs are exercised programmatically and can be extremely chatty. Unanticipated use, verbose applications or abusive partners can wreak havoc upon the API SLAs (Service Level Agreements), or even bring down the backend services, with severe financial implications.

This post has provided you with a bird’s-eye view of the security challenges facing REST APIs. In our next post we will get down to a worm’s-eye view to inspect some delicious details regarding API security.