
Are mis-configured and mis-managed APIs a trouble for the CISOs

Cyber Secure India
APIs are CISOs’ Greatest Threat to Secure Operations.

The concept of the API (Application Programming Interface) has been around in the IT industry for over a decade now. Programmers across the globe and across platforms have used APIs to solve the problems of multi-platform and multi-client integration. Enterprises that run in-house developed applications were, for many reasons, previously unable to let third-party applications, developers or business partners into their environments; APIs now make this possible by allowing controlled sharing of, and access to, their applications, data and functionality. Over the years, the API has come to be described as the generic connectivity interface to an application, covering any form of application and database management while keeping the business flowing.

Recent shifts in the IT landscape, driven by the dramatic escalation of remote work, cloud adoption, BYOD and changing development practices, have put APIs at the heart of almost every solution in use today. The security impact of those changes is a cause of concern to Chief Information Security Officers (CISOs), who have identified the need to strengthen their defences when configuring and managing APIs in their ecosystems. Given the number of vulnerabilities that surround APIs, CISOs now see them as the biggest risk in their technology stack.

What is an API (Application Programming Interface)?

An Application Programming Interface (API) is a software intermediary that lets two applications, an application and a browser, or an application and a query interface talk to each other. In other words, APIs are a set of functions and procedures that allow applications to be built on top of the data and features of other applications, services or operating systems.

When you use an application on your mobile phone, the application connects to the Internet and sends data to a server. The server retrieves that data, interprets it, performs the necessary actions and sends a response back to your phone. The application then interprets that response and presents the information you wanted in a readable form. This exchange is done using an API.

Types of APIs

Designing, implementing and maintaining APIs for the Web is critical to many companies and their business models. No single API fits all the requirements of an enterprise. Four main types of APIs are commonly used (there are, of course, more):

  1. Open APIs (also called Public APIs) are publicly available for everyone to use. (Example: Google Search APIs embedded in other websites)
  2. Partner APIs are custom designed by enterprises to give business partners access to reserve or buy specific items, such as tickets or vouchers. (Example: UdChalo being provided an API for booking on the Vistara Airline server)
  3. Private (or Internal) APIs are not for public consumption but are used for internal processes. (Example: SBI providing an IFSC search in the YONO app)
  4. Composite APIs combine diverse data and service APIs. They speed up implementation by bundling multiple API calls together. (Example: DGCA providing flight status across airlines and across airports)

CISOs’ Risk Forecast for APIs

API technology has provided multi-fold benefits thanks to the shift to the component-based microservices architecture used extensively in modern applications. But API-based access to applications and databases across industries, alongside web-based application users, is also susceptible to a wide variety of attacks. API-based interactions are therefore a concern to CISOs, who in recent statistics rated the threat vectors listed below, with the percentage indicating the need for improvement:

  • First: Data discovery and classification – 38%
  • Second: Data backup and recovery, as well as vulnerability remediation – 36% each
  • Third: Development security operations (DevSecOps) – 35%

What next for CISOs to ensure APIs cause the least interference for enterprises?

When evaluating a methodology for pro-active insight into API security, CISOs should focus on three broad aspects from which the security strategy can be derived, while ensuring the best management of APIs in enterprise solutions: (a) API Visibility, (b) Active API Protection, and (c) Corrective Actions.

API Visibility

If CISOs don’t have visibility into their APIs, they can’t understand their full business exposure or adequately prioritise their risk management. Hence, CISOs have to be aware of the deployment, the test results and the functions of each API in the production environment.

Active API Protection

Security leaders must be able to see their APIs in action in order to spot trouble areas. APIs are not just static code: you need to see APIs being exercised to identify logic flaws. This requires continuous monitoring of APIs to identify patterns and to understand what is normal versus abnormal behaviour.
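As an added example (not code from the original post), the following Python sketches both the visibility and the active-protection points above: it parses constructed API gateway log lines, reports routes seen in live traffic that the documented inventory does not list, and flags clients whose per-minute volume or count of forbidden responses breaks a simple baseline. The log format, client keys, route inventory and thresholds are all assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample of API gateway access log lines (not from the original post).
# Assumed format: ISO timestamp, client key, HTTP method, path, status code.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z key-A GET /v1/orders/1001 200
2024-05-01T10:00:02Z key-A GET /v1/orders/1002 200
2024-05-01T10:00:03Z key-B GET /v1/profile 200
2024-05-01T10:00:04Z key-C GET /v1/orders/1 200
2024-05-01T10:00:04Z key-C GET /v1/orders/2 403
2024-05-01T10:00:05Z key-C GET /v1/orders/3 403
2024-05-01T10:00:06Z key-C GET /v1/orders/4 403
2024-05-01T10:00:07Z key-B GET /internal/debug/config 200
"""

# Assumed published inventory of route templates, standing in for an OpenAPI spec.
DOCUMENTED_ROUTES = {"GET /v1/orders/{id}", "GET /v1/profile", "POST /v1/orders"}
LINE_RE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (\S+) (\d{3})$")

def parse_log(text):
    """Parse lines into (ts, client, method, path, status) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, client, method, path, status = m.groups()
            events.append((ts, client, method, path, int(status)))
    return events

def to_route(method, path):
    """Collapse numeric path segments to {id} so /v1/orders/42 maps to its template."""
    return method + " " + "/".join("{id}" if s.isdigit() else s for s in path.split("/"))

def shadow_routes(events, documented=DOCUMENTED_ROUTES):
    """Visibility: routes seen in traffic that the documented inventory does not list."""
    seen = {to_route(method, path) for _, _, method, path, _ in events}
    return sorted(seen - documented)

def abnormal_clients(events, max_per_minute=3, max_forbidden=3):
    """Protection: flag clients whose per-minute volume or 403 count exceeds the baseline."""
    volume, forbidden = Counter(), Counter()
    for ts, client, _, _, status in events:
        volume[(client, ts[:16])] += 1      # bucket by "YYYY-MM-DDTHH:MM"
        if status == 403:
            forbidden[client] += 1
    flagged = {}
    for (client, minute), n in volume.items():
        if n > max_per_minute:
            flagged.setdefault(client, []).append(f"{n} requests in minute {minute}")
    for client, n in forbidden.items():
        if n >= max_forbidden:
            flagged.setdefault(client, []).append(f"{n} forbidden (403) responses")
    return flagged
```

In production the inventory would come from the published API specification and the thresholds from an observed baseline rather than fixed constants.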

Corrective Actions

APIs are designed to be reviewed ‘on the go’, and the flexibility of code that can be re-written or re-configured supports a quick change-over. Corrective actions also matter for bringing your API security learnings back to the development team, so that they can apply those learnings to harden APIs as they build them.
