APIs change the way we need to think about IT security. Not long ago, an organization’s IT infrastructure would be enclosed, and a security boundary could be built around it. To protect the infrastructure, security would be thought of in zones:
- Untrusted Zone – The internet and the rest of the world
- Demilitarized Zone (DMZ) – The boundary between the rest of the world and a company’s IT
- Trusted Zone – A safe space for the IT infrastructure to exist
Within a Trusted Zone, further Restricted Zones could be created for highly sensitive operations.
Security tools like firewalls and intrusion detection systems would be used to keep untrusted traffic from passing through the DMZ into the Trusted Zone.
[Figure: Traditional Security Zones]
The Rise of APIs
In today’s connected world, there is a trend – driven by the rise of smartphones and IoT – to move processing from the Trusted Zone out to devices that exist in the Untrusted Zone. We call these “clients” and you can see their adoption in many industries, from banking to entertainment and even healthcare:
- By 2021, there will be roughly 7 billion mobile banking users worldwide.
- Video streaming rose 85% in March 2020 as the pandemic confined people to their homes.
- Coronavirus has resulted in large numbers embracing telehealth services.
The clients communicate with backend servers by means of APIs (Application Programming Interfaces). These allow data to be sent back and forth, and through APIs the client can ask the server to do tasks on its behalf.
[Figure: Clients Accessing Backend Servers Through APIs]
Since insecure APIs can be used to interact with corporate networks for reconnaissance, they are an especially attractive target for criminals. In the past few years, API vulnerabilities have exposed massive amounts of information at high-profile companies like Facebook, USPS, and Venmo. According to Imperva, “API vulnerabilities are becoming more widespread as time goes by. The number of new API vulnerabilities in 2019 increased by 18.9%.”
The Need for API Protection
APIs change the structure of the traditional security model. Companies must take steps to adapt and protect their APIs in order to ensure that the data exchange is protected.
With the traditional security zone model, everything coming into the DMZ can be considered hostile by default. Only explicitly allowed traffic can pass through. With APIs, there can be millions of devices that are implicitly allowed to talk to the backend server. This immediately forces a change in the security model.
To illustrate this change, consider the differences between security at a house party (where you personally know all the guests) and security at a nightclub (where the bouncer is making entry decisions based on whether guests have the necessary ticket). At a nightclub, the whole security model is pinned on the bouncer’s ability to validate the authenticity of the entry ticket.
Weak API security can result in painful, damaging consequences. The recent Equifax breach resulted in the resignation of the company’s CEO, CIO and CSO after hackers gained access to the PII of more than 143 million people. Unfortunately, Equifax isn’t alone. Nearly 8 billion records were stolen through breaches in 2019.
API Security Best Practices
- Limit the Exposed Functionality – Developers should carefully consider client use cases and architect the APIs to support only those. Security testing of the APIs is critical to make sure they can’t be abused for unintended purposes. A common attack is to craft incoming data to run commands on a database – this is known as an SQL injection attack.
- Keep Private APIs Private – It is much harder to attack something if you do not understand it. To abuse an API, an attacker will first spend time learning how the API works and how to talk to it. This often involves reverse engineering the client software – typically a mobile app – in order to reveal how the client is communicating with the backend. An attacker can then use this information to craft their own messages. Application Shielding hardens the mobile app against reverse engineering and keeps the API private.
- Secure the Authentication Token – In software terms, the “ticket” is known as the “token”. API security often comes down to validating the authenticity of the token: Is it genuine? Did it come from a trusted client? This can be difficult to determine. The token is an array of bytes, so it is easy to copy, and the API can’t see the client, only the data it is sending.
Tokens can be either static – a fixed identifier – or dynamic. Static tokens are often called API Keys. Dynamic tokens typically involve some form of challenge-response with the server. The advantage of dynamic tokens is that they defend against replay attacks.
By protecting an app against reverse engineering and encrypting static data, App Shielding can keep tokens safe, while Whitebox Cryptography provides a secure environment to generate dynamic responses.
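The difference between static and dynamic tokens described above can be seen in a short sketch. This is an added example, not code from the original article or from Verimatrix; the `Server` class, the HMAC-SHA256 construction, the key values and the sample request are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample values: the keys and request below are illustrative only.
CLIENT_KEY = secrets.token_bytes(32)   # per-client secret shared with the server
STATIC_API_KEY = "constructed-static-api-key"


class Server:
    """Hypothetical backend that accepts either token style."""

    def __init__(self, client_key, api_key):
        self._client_key = client_key
        self._api_key = api_key
        self._pending = set()  # challenges issued but not yet answered

    def check_static(self, presented_key):
        # A static token is valid every time it is presented, copied or not.
        return hmac.compare_digest(presented_key.encode(), self._api_key.encode())

    def issue_challenge(self):
        nonce = secrets.token_bytes(16)
        self._pending.add(nonce)
        return nonce

    def check_dynamic(self, nonce, request, response):
        # Single use: the challenge is consumed whether or not the response verifies.
        if nonce not in self._pending:
            return False
        self._pending.discard(nonce)
        expected = hmac.new(self._client_key, nonce + request, hashlib.sha256).digest()
        return hmac.compare_digest(response, expected)


def client_response(key, nonce, request):
    # The response binds the secret to this challenge and this request body.
    return hmac.new(key, nonce + request, hashlib.sha256).digest()


def demo():
    server = Server(CLIENT_KEY, STATIC_API_KEY)
    request = b"GET /v1/balance"
    nonce = server.issue_challenge()
    response = client_response(CLIENT_KEY, nonce, request)
    return {
        "static_first": server.check_static(STATIC_API_KEY),
        "static_replayed": server.check_static(STATIC_API_KEY),
        "dynamic_first": server.check_dynamic(nonce, request, response),
        "dynamic_replayed": server.check_dynamic(nonce, request, response),
    }
```

A real deployment would also expire unanswered challenges and keep the pending set in shared storage when more than one server instance handles requests.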
How Can Verimatrix Help with API Security?
Verimatrix’s Shielding can protect clients, such as mobile apps, from reverse engineering. This keeps private APIs private and secret data, like API Keys, secret, while Whitebox is the perfect technology for building secure challenge-response implementations.
Request a demo to see how easy it is to apply Verimatrix Shielding to your clients.