APIs in the Current World
With the spread of SOA and other new technologies, the Internet of Things now touches our everyday lives, from the Apple Watch and Fitbit to apps built into automobiles, banking, the retail industry, and more.
I recently read somewhere that eCommerce for JC Penny is gaining popularity, reducing the in-store presence of their customer base as they leverage online and mobile channels to better promote their products.
Risks Exposed by APIs
We all know that hacking has grown in frequency and seriousness. Just a few of the recent hacking attempts and attacks on customer-sensitive data are:
- 6 million Snapchat customer credentials were published
- Yahoo experienced a breach of data over the internet
- API vulnerability exposed accounts of Delmarva power customers
- Nissan also came under scrutiny for a potential hack
There are different kinds of vulnerabilities and risks that lead to these hacks:
- Client Impersonation
A hacker impersonates a legitimate client application and thereby gains access to that client's information.
One form of this is phishing through the redirection-based handshake in OAuth 2.0: the hacker supplies their own URL as the callback and receives the token from the OAuth server. This vulnerability lets hackers into systems that are not supposed to be accessible to them.
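The redirect-based handshake above is only abusable when the authorization server accepts whatever callback the request names. The defence is to compare the requested redirect_uri exactly against the callbacks the client registered in advance, and to refuse to redirect at all when it does not match (RFC 6749 section 3.1.2.4). The following is an added example written for this article, not code from any OAuth server or from the original page; the client registry, client id, and header-free request shape are constructed assumptions.

```python
"""Added example: exact-match validation of an OAuth 2.0 redirect_uri.

REGISTERED_REDIRECTS is a constructed registry standing in for the
authorization server's client database.
"""
from urllib.parse import urlsplit

# Constructed registry: client_id -> set of callback URLs registered up front.
REGISTERED_REDIRECTS = {
    "mobile-app": {"https://app.example.com/oauth/callback"},
}


def redirect_uri_allowed(client_id: str, redirect_uri: str) -> bool:
    """Return True only if redirect_uri exactly equals a registered callback.

    Exact string comparison is deliberate. Prefix or substring matching would
    let a lookalike host, a path traversal suffix, or an open redirect on the
    legitimate host receive the authorization code.
    """
    allowed = REGISTERED_REDIRECTS.get(client_id, set())
    parts = urlsplit(redirect_uri)
    # Reject anything that is not absolute https, has no host, or carries a
    # fragment (fragments are never registered and never sent by browsers).
    if parts.scheme != "https" or not parts.netloc or parts.fragment:
        return False
    return redirect_uri in allowed


def handle_authorization_request(client_id: str, redirect_uri: str, code: str) -> dict:
    """Decide how the authorization server answers an /authorize request.

    When the redirect_uri is missing, unregistered or mismatching, the server
    must show the resource owner an error and MUST NOT redirect the user agent
    to the supplied URL (RFC 6749 section 3.1.2.4).
    """
    if not redirect_uri_allowed(client_id, redirect_uri):
        return {"action": "render_error", "error": "invalid_redirect_uri"}
    return {"action": "redirect", "location": f"{redirect_uri}?code={code}"}


if __name__ == "__main__":
    print(handle_authorization_request("mobile-app", "https://app.example.com/oauth/callback", "abc"))
    print(handle_authorization_request("mobile-app", "https://other-host.test/oauth/callback", "abc"))
```

The "render_error" branch is the part most implementations get wrong: redirecting to the unvalidated URL with an error parameter still hands the user agent to an arbitrary site.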
- Brute Force
Here the hacker makes an "exhaustive effort" to get into the system by trying inputs that follow certain patterns; if it succeeds, it can open entry into the DMZ and internal systems. This is a very common kind of attack, often tried by malicious users.
- Code Injection
Hackers inject code snippets into the client call and thereby gain access. This can happen in the form of SQL, LDAP, XPath, XQuery, and other code injections. For example:
SELECT * FROM Table WHERE id='12312' OR '1'='1'. Here the second condition always evaluates to true, so the injected input returns every record in the table.
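To show the difference between the query above and one that cannot be altered by its input, here is an added example (not from the original article) in Python against an in-memory SQLite table with constructed rows. The table name, columns and ids are assumptions; the injected value is the article's own.

```python
"""Added example: the article's SQL injection beside its parameterized fix.

The accounts table and its three rows are constructed sample data.
"""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Create an in-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id TEXT PRIMARY KEY, owner TEXT)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?)",
        [("12312", "alice"), ("55501", "bob"), ("77702", "carol")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, account_id: str) -> list:
    """String concatenation: the caller's input becomes part of the SQL text,
    so quote characters in the input change the query's structure."""
    sql = "SELECT id, owner FROM accounts WHERE id='" + account_id + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, account_id: str) -> list:
    """Bound parameter: the driver sends the input as a value, never as SQL,
    so the same string simply matches no row."""
    return conn.execute(
        "SELECT id, owner FROM accounts WHERE id=?", (account_id,)
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    injected = "12312' or '1'='1"
    print("vulnerable:", lookup_vulnerable(db, injected))
    print("parameterized:", lookup_parameterized(db, injected))
```

The parameterized version is the one the system layer should run; the gateway's pattern matching described later is a second line of defence in front of it, not a replacement for it.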
- Denial of Service
This is one of the most common forms of attack on network systems. In APIs, a client's contract typically grants a predetermined number of calls (a rate limit) for certain APIs. If a hacker keeps calling these APIs and maxes out that number, the legitimate client can be prevented from making those calls again, since the APIs are monetized.
How to Mitigate Those Risks
APIs integrate data across multiple platforms by maintaining a common channel for data to move across mobile, portals, wearables, and other devices, and they require proper authentication for the user to log in and gain access to information via API gateways.
- The system layer keeps core data and access behind system-level APIs in a secured zone. These core APIs sit in the secured zone and hence can ONLY be accessed by a call from the demilitarized zone (DMZ) layer.
- A gateway in the DMZ hosts the process layer, which is responsible for:
- Authentication of all users trying to access the system level information, including core data and backend systems
- Prevention of most code-injection techniques through request pattern matching, schema validation, etc., thereby mitigating further risks on the trusted system layer
- Access-control features, such as the number of calls per API during a specified time, restriction of certain sub-domains and IP addresses from a core API, availability of certain services only at specified times, etc.
- In addition to the system layer in the secured zone and the process layer in the DMZ, API management solutions can also provide an “experience layer”, which is used to expose APIs, market them to third-party application developers, and monetize them.
This layer serves more as an “explorer” layer: it handles interaction with the outside world and with businesses, and it can generate reports with advanced analytics of API traffic.
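The process-layer responsibilities listed above (authentication, schema validation and pattern matching, per-API call quotas, IP restriction) and the quota-exhaustion form of denial of service described earlier can be seen together in one small gateway. The following is an added example written for this article, not code from any API management product or from the original page; the client contracts, header names, request schema, quota and network ranges are all constructed assumptions.

```python
"""Added example: a minimal DMZ gateway in front of one core API.

Client contracts, header names, the request schema and the quota are all
constructed for this example and are not taken from any real product.
"""
import hmac
import ipaddress
import re
import time
from dataclasses import dataclass, field
from typing import Callable, Optional

# Constructed client contracts: shared API key, allowed source networks, and
# the per-minute call quota agreed in the contract.
CLIENTS = {
    "client-a": {
        "api_key": "key-a-constructed",
        "allowed_networks": (ipaddress.ip_network("10.0.0.0/16"),),
        "quota_per_minute": 3,
    },
}

# Request schema per API: field -> (type, pattern the whole value must match).
# Full-pattern matching on the value is what stops "12312' or '1'='1" at the edge.
SCHEMAS = {
    "account_lookup": {"account_id": (str, re.compile(r"[0-9]{5}"))},
}

WINDOW_SECONDS = 60


@dataclass
class Gateway:
    # Injectable clock so the rate-limit window can be tested deterministically.
    clock: Callable[[], float] = time.time
    # (client_id, api) -> [window_start, calls_in_window]
    _windows: dict = field(default_factory=dict)

    def authenticate(self, headers: dict) -> Optional[str]:
        """Return the client id if X-Client-Id / X-Api-Key match a contract."""
        client_id = headers.get("X-Client-Id", "")
        client = CLIENTS.get(client_id)
        presented = headers.get("X-Api-Key", "")
        if client is None:
            return None
        # Constant-time comparison: a plain == would reveal through response
        # timing how much of the key matched.
        if not hmac.compare_digest(presented.encode(), client["api_key"].encode()):
            return None
        return client_id

    def source_allowed(self, client_id: str, source_ip: str) -> bool:
        """IP restriction. source_ip must be taken from the TCP connection,
        never from a client-supplied header such as X-Forwarded-For."""
        addr = ipaddress.ip_address(source_ip)
        return any(addr in net for net in CLIENTS[client_id]["allowed_networks"])

    def within_quota(self, client_id: str, api: str) -> bool:
        """Fixed-window counter per (client, API). Every authenticated request
        counts, valid or not, so a flood of malformed calls still hits the cap."""
        now = self.clock()
        window = self._windows.setdefault((client_id, api), [now, 0])
        if now - window[0] >= WINDOW_SECONDS:
            window[0], window[1] = now, 0
        if window[1] >= CLIENTS[client_id]["quota_per_minute"]:
            return False
        window[1] += 1
        return True

    @staticmethod
    def validate_body(body: dict, schema: dict) -> bool:
        """Schema validation: exact field set, correct type, full pattern match."""
        if set(body) != set(schema):  # rejects missing and unexpected fields
            return False
        for name, (typ, pattern) in schema.items():
            value = body[name]
            if not isinstance(value, typ) or not pattern.fullmatch(value):
                return False
        return True

    def handle(self, api: str, headers: dict, source_ip: str, body: dict) -> int:
        """Return an HTTP-style status; only 200 is forwarded to the secured zone."""
        client_id = self.authenticate(headers)
        if client_id is None:
            return 401
        if api not in SCHEMAS:
            return 404
        if not self.source_allowed(client_id, source_ip):
            return 403
        if not self.within_quota(client_id, api):
            return 429
        if not self.validate_body(body, SCHEMAS[api]):
            return 400
        return 200


if __name__ == "__main__":
    gw = Gateway()
    hdrs = {"X-Client-Id": "client-a", "X-Api-Key": "key-a-constructed"}
    for _ in range(4):  # the fourth call exceeds the constructed quota of 3
        print(gw.handle("account_lookup", hdrs, "10.0.0.5", {"account_id": "12312"}))
```

Because the quota is keyed by client and API, one consumer exhausting its own allocation returns 429 to that consumer only; other clients' contracts are unaffected, which is the point of enforcing the limit at the gateway rather than in the shared core API.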
In conclusion, API management solves most of the security threats potentially faced by organizations, businesses, and groups looking to leverage APIs for increased profits and future growth. Even though it is not a sufficient condition for security and success, it is definitely a necessary step for any business whose technology implementation goes beyond a monolithic architecture and has external consumers, which is the case for most organizations.