Pierluigi Paganini November 21, 2023

Organizations need to govern and control the API ecosystem, this governance is the role of API management.

Uber uses APIs (Application Programming Interfaces) to connect with third-party services such as Google Maps and Twilio, which helps to improve the user experience; Salesforce provides APIs that allow developers to build custom applications on top of their platform, which has helped to drive innovation and collaboration; and Stripe provides APIs that enable businesses to accept payments online, which has helped to drive revenue growth.

Because APIs are pieces of software that allow different software applications to communicate, interact, and share data with each other, companies everywhere can take advantage of them to quickly prototype and create new products (increasing productivity), enable companies to introduce new products and technologies with fewer resources and less time (driving innovation), and allow companies to extract their data from software, web pages, and cloud storage (improving business intelligence).

While the entire API environment is complex, here’s a simplified explanation of how an API works:

– Request to API endpoint: A client sends a request to a server’s API endpoint, a specific resource exposed for client requests.

– Processing: The server processes the request, which may involve data retrieval or operations.

– Response and Status Code: The server generates a response with requested data or operation outcomes, and the response includes an HTTP status code indicating success or error.

– Delivery to Client for Processing: The server sends the response back to the client, and the client receives and processes the response.

– Error Handling: Error messages are provided in the response for issue resolution.

– Authentication and Security: APIs may require authentication for access control.

The Importance of API management

In the midst of all the technologies present (sometimes, it can be a chaotic array!), organizations need to govern and control the API ecosystem. APIs – like any other technical resource – won’t manage themselves. This governance is the role of API management.

What happens if APIs are not managed and maintained? A litany of issues and problems occur, actually. Here are a few:

• Security Vulnerabilities: Unmanaged APIs may have security vulnerabilities that can be exploited by malicious actors. Without proper authentication, authorization, and security measures, sensitive data can be exposed, leading to data breaches and privacy violations.
  • Check out the OWASP Top Ten APIs for a good overview of the primary identified risks to APIs.

• Downtime and Unreliability: Unmaintained APIs will likely experience downtime and instability, causing inconvenience to users and potential revenue loss for businesses.
• Performance Issues: Without optimization and monitoring, APIs may suffer from poor performance, slow response times, and bottlenecks.
• Increased Technical Debt: Neglected APIs accumulate tech debt, making it more difficult and costly to address issues or implement necessary changes in the future.
• Lack of Scalability: As usage of an API grows, it may not be able to handle increased traffic and demand if it is not properly managed and scaled.
• Compliance and Legal Risks: In regulated industries, failure to maintain APIs in compliance with industry standards and legal requirements can result in legal and regulatory risks, including fines and legal actions.
• Cost Inefficiencies: Inefficient APIs that are not optimized can lead to increased operational costs, especially when it comes to server infrastructure and bandwidth.

Many of these are just like any other technology vulnerabilities and dangers, such as web apps, business risks, virtual environments. But APIs are in rather a different class.

API security – why it’s different

A typical view of attacking web apps is a quick, one-time attack that exploits known vulns. But many API attacks are logic-based and not always susceptible to the usual attacks. Because each API endpoint is different, “each attack rarely stems from a single API call, every API attack is essentially a zero-day attack, with traditional tools being unable to detect them via their rule-based and signature approaches.” This unique vulnerability makes detection hard because the attack can very much appear as usual traffic.

Here are some other key differences that make API security distinct from web application security:

1. Attack Surface:
   • APIs typically have a hidden or non-user-facing attack surface, as they are designed for machine-to-machine communication. APIs have endpoints that may not be as readily visible to users but are accessible to authorized clients, making them a target for attackers.
2. Authentication and Authorization:
   • APIs frequently employ token-based authentication (e.g., OAuth tokens or API keys) to grant access to clients. Fine-grained authorization mechanisms are crucial for specifying what actions each client can perform.
3. Rate Limiting and Throttling:
   • APIs commonly implement rate limiting and throttling mechanisms to prevent abuse and protect against denial-of-service attacks. Web applications may not have the same level of rate limiting requirements.
4. Discovery and Documentation:
   • Inadequate documentation can lead to security issues because developers may not fully understand the intended usage and security considerations of the API.
5. Versioning:
   • Versioning can impact security, as deprecated versions may have vulnerabilities that need mitigation.

API management platform

To keep it all together and manageable, one needs an API management platform. These offer several benefits to organizations that use APIs. Here are 5 top reasons to use an API management platform:

1. Increased agility: API management platforms allow organizations to create, share, and adjust APIs more easily, without unnecessary costs or loss of productivity. This increased agility enables organizations to respond to changing market conditions and customer needs more quickly.

2. Workflow automation and customization: API management platforms enable organizations to create custom workflows and integrate with other business ventures, promoting innovation and collaboration.

3. Strategic decision-making: API management platforms provide organizations with data and analytics on API usage, enabling them to make informed decisions about their API strategy. This data can help organizations identify areas for improvement and optimize their API usage.

4. Security: API management platforms provide security features such as authentication, authorization, and encryption to protect APIs and the data they transmit. This security is crucial for protecting sensitive data and preventing unauthorized access.

5. Cost savings: API management platforms can help organizations save costs by reducing the time and resources required to manage APIs. They can also help organizations avoid costly mistakes such as overloading APIs or exposing sensitive data.

API management platforms provide a centralized and unified way to a) wrangle all of the moving parts involved in APIs, and b) deploy, reuse, and manage APIs, enabling organizations to share documentation, keep their services safe, and analyze API usage.

About the author Ross Moore: Moore is the Cyber Security Support Analyst with Passageways. He has experience with ISO 27001 and SOC 2 Type 2 implementation and maintenance. Over the course of his 20+ years of IT and Security, Ross has served in a variety of operations and infosec roles for companies in the manufacturing, healthcare, real estate, business insurance, and technology sectors. He holds (ISC)2’s SSCP along with CompTIA’s Pentest+ and Security+ certifications, a B.S. in Cyber Security and Information Assurance from WGU, and a B.A. in Bible/Counseling from Johnson University. He is also a regular writer at Bora. 

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, API management)