Beyond Vulnerabilities: Why API Abuse Is a Critical Challenge
As application programming interfaces (APIs) grow in strategic importance, many organizations are gradually maturing their API security posture. These initiatives generally start with three primary activities:
- Implementing API discovery to create a complete and accurate inventory of all sanctioned and unsanctioned APIs
- Eliminating unsanctioned APIs
- Identifying and remediating software and implementation vulnerabilities that leave sanctioned APIs exposed to attacks
These are all essential practices, and there are some excellent resources — such as the OWASP API Security Top 10 — that provide a high-level roadmap for finding and eliminating API vulnerabilities. But discovering APIs and addressing API vulnerabilities is just the beginning of a robust API security strategy.
Even if you do a perfect job at cataloging your APIs and eliminating vulnerabilities, they may still be highly susceptible to abuse. And the business impact of API abuse can be just as devastating as vulnerability exploits.
API abuse is a different kind of problem
Early efforts at formal API security were concerned with protecting against attacks that exploit any vulnerabilities in how APIs are coded or configured.
API abuse, however, is a different kind of problem. Attackers are not exploiting any type of technical vulnerability. Instead, they are using APIs in ways not intended by the organization that created them.
Devastating and difficult to detect
The effects of API abuse can be devastating. After all, many organizations expose their core business logic and data through APIs. The only thing a threat actor needs to steal this intellectual property is the right API with the right credentials.
Further complicating matters is the fact that API abuse is very difficult to detect. Because threat actors are using valid credentials and interacting with APIs in ways that look similar to legitimate usage, many first-generation API security products aren’t able to detect them.
Every API has the potential to be abused
Every organization that exposes APIs should assume that every API has potential abuse case scenarios. For example, consider the online banking, budgeting, and financial planning applications and services that many of us now use every day. APIs are the key to making these types of conveniences work.
A threat actor with credentials in hand could easily take advantage of the inherent business logic and data accessible through these APIs to turn this intellectual property against the financial institution’s business interests and the account holder’s personal interests.
How to defend against the growing threat of API abuse
Don’t take your eyes off API vulnerabilities. It’s as important as ever to build an API security foundation that includes discovery, vulnerability assessment, and remediation.
But extending your API security posture across the complete array of API threats, including API abuse, will require three additional important strategies:
- Expand your thinking about API attacks
- Analyze significantly more data about APIs
- Harness AI to spot abuse
Expand your thinking about what constitutes an API attack
The OWASP API Security Top 10 is a good place to start to find and eliminate API vulnerabilities. But it doesn’t help us understand API abuse. Until industry frameworks for API abuse emerge, it’s important for your team to think more broadly about the nature of API attacks.
Analyze significantly more data about APIs and activity
Other API security solutions monitor individual API calls or, at best, short-term sessions. The problem is that, in addition to looking like legitimate activity, API abuse may unfold over minutes, hours, or days. Adopting an approach based on software as a service (SaaS) is the only way to capture and analyze datasets that are large enough to truly understand API usage in context — and to spot low-and-slow API abuse and anomalies from baseline behavior.
Harness AI to spot instances of abuse
The speed and volume of API activity are too great for humans to monitor and understand actively. At the same time, many traditional API security techniques cannot understand the business impact of what they are observing.
This is an excellent application for machine learning (ML) and artificial intelligence (AI) techniques. If you follow the advice in this blog post and shift to SaaS, you will not only have more data to analyze but also access to the computing power necessary to perform big data analytics.
We will never be able to predict the future and completely anticipate the next novel way that threat actors will abuse an API. However, we can use AI to determine a baseline of behavior, understand the business entities involved, and spot anomalies that indicate possible abuse.
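As an added example (not the page's or Akamai's code) of the contrast drawn above between per-call inspection and baselining activity over a longer window: a constructed day of access-log lines in which one valid credential reads a new account every 15 minutes. Every individual call passes a per-request credential check; only aggregating distinct accounts per credential and comparing against a robust baseline exposes the low-and-slow pattern. The log format, credential names and account ids are assumptions.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log line format for this example: "<iso-timestamp> <credential> GET /accounts/<id>/balance"
LINE_RE = re.compile(r"^(\S+) (\S+) GET /accounts/(\d+)/balance$")
VALID_CREDENTIALS = {"tok_A", "tok_B", "tok_C"}  # every caller holds a real, unexpired token

def make_sample_log():
    """Constructed day of traffic: tok_A/tok_C behave like account holders, tok_B reads a new account every 15 min."""
    t0 = datetime(2024, 1, 1, 8, 0, 0)
    lines = [f"{(t0 + timedelta(minutes=30 * i)).isoformat()} tok_A GET /accounts/{1001 + i % 2}/balance" for i in range(10)]
    lines += [f"{(t0 + timedelta(hours=i)).isoformat()} tok_C GET /accounts/{2001 + i % 3}/balance" for i in range(6)]
    lines += [f"{(t0 + timedelta(minutes=15 * i)).isoformat()} tok_B GET /accounts/{3000 + i}/balance" for i in range(48)]
    return lines

def parse(lines):
    """Return (timestamp, credential, account_id) for each well-formed line."""
    matches = (LINE_RE.match(line) for line in lines)
    return [(datetime.fromisoformat(m.group(1)), m.group(2), int(m.group(3))) for m in matches if m]

def per_call_check(event):
    """What a single-request filter can see: is the credential valid? Passes for every line in the sample."""
    return event[1] in VALID_CREDENTIALS

def distinct_accounts_per_credential(events):
    """Aggregate over the whole observation window: how many distinct accounts did each credential touch?"""
    seen = defaultdict(set)
    for _, cred, acct in events:
        seen[cred].add(acct)
    return {cred: len(accts) for cred, accts in seen.items()}

def baseline_threshold(counts, k=5):
    """Robust baseline: median + k * median absolute deviation, so one abusive outlier barely moves it."""
    values = list(counts.values())
    med = statistics.median(values)
    mad = statistics.median(abs(v - med) for v in values)
    return med + k * max(mad, 1)  # floor MAD at 1 so a flat baseline still leaves a usable margin

def flag_low_and_slow(lines):
    """Credentials whose distinct-account fan-out exceeds the learned baseline."""
    events = parse(lines)
    counts = distinct_accounts_per_credential(events)
    limit = baseline_threshold(counts)
    return sorted(cred for cred, n in counts.items() if n > limit)
```

In production the baseline would be learned per business entity from historical traffic rather than from the same window being scored, and the window would slide rather than cover a single day.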
Sophisticated controls for today’s risks
Even perfect APIs can be abused. Identifying and mitigating API security risks requires security controls that are sophisticated enough to address this complex and fast-evolving threat landscape. Check out the Akamai API Security solution to make your APIs more secure.