source link: https://devm.io/api/api-security-interview-jeff-williams

Interview with Jeff Williams, Chief Technology Officer at Contrast Security

"Most organisations are not prepared for the scale of security breaches to come"


The API ecosystem is evolving rapidly, allowing for faster innovation but also exposing many businesses to security risks. We talked about APIs and API-related vulnerabilities with Jeff Williams, the co-founder of and Chief Technology Officer at Contrast Security and a founding member and major contributor to OWASP, a nonprofit foundation dedicated to improving software security.

devmio: Why are we seeing such a fast, widespread adoption of APIs and an increase in API traffic?

Jeff Williams: APIs have grown so rapidly because they allow enterprises to innovate and interconnect more rapidly. When browsers became able to get data from APIs using Ajax, it kicked off an unstoppable market shift that is still playing out. Today, almost all websites use JavaScript in the browser to call APIs that populate the pages you see with data.

APIs often have direct access to sensitive data in backend systems.

devmio: A report from Gartner predicts that APIs will potentially cause the biggest security vulnerability in history. Do you think that is an overestimation, or are people simply not prepared for the scale of security breaches to come?

Jeff Williams: This is accurate. Most organisations are not prepared for the scale of security breaches to come because they include APIs in their regular security scans of software, relying on legacy web application security (AppSec) testing tools to scan lines of code for known vulnerabilities. However, traditional security tools don’t work on APIs: They were designed for web apps, not to test the security of an API. This leads to a false sense of security, and pride before a breach.

devmio: How do most API attacks occur? What is the most common weak point?

Jeff Williams: APIs are not only the connective tissue that holds together the different parts of a piece of software, they are also often exposed directly to the internet and are easy for attackers to target. Further, APIs often have direct access to sensitive data in backend systems. This makes successful exploits more serious, as there aren't multiple layers of code between attackers and sensitive data.

devmio: What is API sprawl, and what problems can this cause?

Jeff Williams: APIs are relatively small compared to traditional web apps. So, you need a lot of them. Pretty soon you have version control problems, rogue APIs being stood up, several different API platforms… and you have a sprawling mess. This leads to difficulty ensuring that all of your APIs are getting the right security attention.

Threat modeling can help identify architectural weaknesses in API deployments

devmio: Where should teams begin when creating a security-focused API strategy? What should they focus on?

Jeff Williams: Ensure they deploy a modern, integrated API security platform that manages what traditional API or application security can’t do: namely, to secure APIs from the inside out.

    1. API inventory: You can’t secure what you don’t know. You need an inventory process.
    2. API security testing: You’ve got to write secure code, and that means finding unknown vulnerabilities in APIs, microservices and functions. After all, the OWASP Top 10 vulnerabilities are just as applicable with APIs as they are in traditional web apps.
    3. Components: You have to secure your supply chain, including finding known vulnerabilities in active third-party libraries, frameworks and services.
    4. API protection: In order to protect production, you’ve got to identify probes and attacks on both known and unknown vulnerabilities and prevent exploits.
    5. API access: Strong authentication and authorization on functions at the API level as well as at the data layer are crucial.
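The last point, authorization at the function level and at the data layer, is the one most often missed in API code, so here is an added example of what the two checks look like side by side. This is illustrative code written for this page, not code from the interview or from Contrast Security. It assumes that an authentication layer has already produced a `Principal` (subject, tenant, role); the invoice records, the role table and the `InvoiceApi` class are all constructed for the example.

```python
"""Function-level and data-level authorization for a small invoice API.

Added example: the store, roles and API shape are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def sample_store() -> Dict[str, dict]:
    # Constructed sample data: records owned by two different tenants.
    return {
        "inv-1001": {"owner": "acme", "amount": 250.0, "voided": False},
        "inv-1002": {"owner": "globex", "amount": 99.0, "voided": False},
    }


# Constructed role table: which API functions each role may call.
ROLE_PERMISSIONS = {
    "reader": {"get_invoice"},
    "billing_admin": {"get_invoice", "void_invoice"},
}


@dataclass(frozen=True)
class Principal:
    """The caller, as established by an authentication layer assumed to exist."""
    subject: str
    tenant: str
    role: str


@dataclass
class Denial:
    """One refused call, kept so denials can feed monitoring and alerting."""
    subject: str
    function: str
    layer: str   # "function" (role lacks the operation) or "data" (record not owned)
    detail: str


class InvoiceApi:
    def __init__(self, store: Dict[str, dict]) -> None:
        self._store = store
        self.denials: List[Denial] = []

    def _function_allowed(self, p: Principal, fn: str) -> bool:
        # Function-level check: does this role get to call this operation at all?
        if fn in ROLE_PERMISSIONS.get(p.role, set()):
            return True
        self.denials.append(Denial(p.subject, fn, "function", f"role={p.role}"))
        return False

    def _owned_record(self, p: Principal, fn: str, invoice_id: str) -> Optional[dict]:
        # Data-level check: the record must belong to the caller's tenant.
        record = self._store.get(invoice_id)
        if record is not None and record["owner"] == p.tenant:
            return record
        if record is not None:
            # Exists but is another tenant's: record the denial for detection.
            self.denials.append(
                Denial(p.subject, fn, "data", f"invoice={invoice_id} owner={record['owner']}")
            )
        return None

    def get_invoice(self, p: Principal, invoice_id: str) -> Tuple[int, dict]:
        if not self._function_allowed(p, "get_invoice"):
            return 403, {"error": "forbidden"}
        record = self._owned_record(p, "get_invoice", invoice_id)
        if record is None:
            # Missing and not-yours look identical to the caller, so a valid
            # identifier cannot be confirmed by probing for a different status.
            return 404, {"error": "not found"}
        return 200, dict(record)

    def void_invoice(self, p: Principal, invoice_id: str) -> Tuple[int, dict]:
        if not self._function_allowed(p, "void_invoice"):
            return 403, {"error": "forbidden"}
        record = self._owned_record(p, "void_invoice", invoice_id)
        if record is None:
            return 404, {"error": "not found"}
        record["voided"] = True
        return 200, dict(record)


if __name__ == "__main__":
    api = InvoiceApi(sample_store())
    reader = Principal("alice", "acme", "reader")
    print(api.get_invoice(reader, "inv-1001"))   # own tenant: 200
    print(api.get_invoice(reader, "inv-1002"))   # other tenant: 404
    print(api.void_invoice(reader, "inv-1001"))  # role lacks the function: 403
    print([(d.layer, d.detail) for d in api.denials])
```

The two checks are deliberately separate: a role check alone lets any reader fetch any tenant's record by guessing an identifier, and an ownership check alone lets a reader call operations reserved for administrators. Keeping the denial list (or writing it to a log) is what turns these refusals into the "who is probing which API" visibility the interview asks for from protection tooling.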

devmio: What are the key steps in properly validating an API and ensuring proper user identity verification?

Jeff Williams: Authentication is straightforward. You should definitely use a product instead of implementing yourself. There are many subtle and tricky ways that you can implement authentication. Just like encryption, your mantra should be “don't build it yourself”.

devmio: How can threat modeling help teams improve their API security?

Jeff Williams: Threat modeling can help identify architectural weaknesses in API deployments, including APIs that aren’t protected by encryption, authentication, and authorization.

devmio: What tools would you recommend including in every team’s security stack?

Jeff Williams: Teams should look to deploy the following three tools:

  • Interactive application security testing (IAST): Uses instrumentation to continuously monitor and analyze APIs from within as they run in development and test environments. This approach yields real-time analysis as software is being developed and tested. This makes them ideal for Agile, DevOps, and DevSecOps environments, as they enable IT to find and fix security flaws early in the SDLC when they are easiest and cheapest to remediate. IAST provides teams with the full context of what's going on inside the code of an API, enabling them to see API traffic, code, configuration, framework, libraries, backend connections, and much more. Using this context enables users to detect the behavior of vulnerable code and report detailed findings back to developers for remediation.
  • Software Composition Analysis (SCA): Enables businesses to protect their software supply chain by identifying real threats from third-party components across the entire SDLC — from code through test and on through production. SCA uses instrumentation to identify vulnerable libraries and how APIs use them. With this context, developers receive actionable remediation guidance to help them fix and protect against API attacks.
  • Runtime application self-protection (RASP): RASP provides two key API security capabilities: First, it creates visibility into exactly who is attacking you, what attack vectors they are using on your APIs, and which of your APIs is being targeted. Second, RASP prevents most of the major classes of vulnerabilities from being exploited, including both zero days and custom code flaws. RASP uses instrumentation to add lightweight security sensors to your API code and platforms. These sensors can directly measure the security-relevant behavior of your APIs and detect malicious events. Working from inside APIs themselves, RASP security is able to detect, block and mitigate attacks immediately, protecting as they run in real time by analyzing both their behavior and context.

Thank you for taking the time to share your expertise with our readers!
