After more than 20 years of development, APIs are now used everywhere. In a 2021 survey, 73% of companies reported having published more than 50 APIs, and this number keeps growing.
APIs perform crucial functions in almost every industry today, and their importance keeps increasing as they move to the forefront of commercial strategies. This is because APIs connect disparate applications and devices, providing synergies and commercial efficiencies never seen before.
However, like any other software component, APIs have vulnerabilities. Moreover, if they are not rigorously tested from a security standpoint, they can introduce an entirely new range of attack surfaces and expose organizations to unprecedented risks. Waiting until production to discover API vulnerabilities can cause substantial delays.
Keep in mind that APIs do more than simply connect applications: they change functionality in unpredictable ways. Many of the unique weaknesses APIs can introduce are well known to attackers, who have developed various methods of attacking APIs in order to gain access to the underlying data and functionality.
According to the OWASP API Security Top 10, it is not uncommon for legitimate, authenticated users to exploit an API with calls that look legitimate but are actually intended to manipulate it. This type of attack aims to manipulate the business logic and take advantage of design flaws, which makes APIs attractive to attackers.
Each API is unique and proprietary. As such, its software errors and vulnerabilities are also unique and «unknown». Errors that lead to attacks at the business-logic or business-process level are, in practice, very difficult for a defender to identify.
API security testing
Shift-left security is already widely accepted in many organizations, enabling continuous testing throughout development. However, API security testing generally falls short, or is carried out without sufficient understanding of the risks involved. There are several reasons for this:
- Existing application security testing tools are generic, target the vulnerabilities of traditional web applications, and cannot effectively handle the complexities of an API’s business logic.
- Because APIs have no user interface, companies commonly test the web, the application and mobile devices separately, but not the API itself.
- Testing APIs can be labor-intensive and does not scale when there are hundreds of them.
- Relevant experience and knowledge can be scarce, since API testing is more complicated than other types of testing.
- With legacy APIs, the APIs already deployed, or their documentation, may not even be known.
Therefore, although many organizations already value shift-left security, API security testing generally remains outside the DevSecOps picture.
This is regrettable, since API vulnerabilities take longer to remediate than traditional application vulnerabilities. In a recent survey, 63% of respondents reported that fixing API vulnerabilities takes more time. This number is also likely to rise with the rapid adoption of, and dependence on, API-based applications.
Although most security leaders are aware of the importance of API security testing, fewer than half say they have an API security testing solution fully integrated into their development pipeline.
As a first step toward an integrated approach, it is worth examining the most common approaches to application security testing today: static security testing and dynamic security testing.
Static security testing takes a white-box approach, building tests from the known functionality of the application by reviewing its design, architecture or code, including the many complex paths that data can take as it passes through the application.
Dynamic security testing takes a black-box approach, building tests from the expected behavior of the application for a given set of inputs, without considering internal processing or knowledge of the underlying code.
When it comes to APIs, developers and security teams often argue about which of the two methods is more appropriate, with the main arguments for each being:
- Static testing is the only method that makes sense: because the API has no user interface, you must know what happens inside the business logic.
- Dynamic testing is all that is needed, since unit tests use static models and have already been completed at an earlier stage of the process.
Gray-box API security testing can offer an interesting alternative. Because there is no user interface, knowledge of the application’s internal workings can help you create efficient functional tests that focus on business logic.
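As an added example (not code from the original article), here is what a gray-box business-logic test of the kind described above looks like, covering both the legitimate-looking abusive calls mentioned earlier and the gray-box approach: the in-memory OrderApi and its state machine are assumptions standing in for a real service, and each case chains calls that individually look valid but together try to bend the business rules.

```python
# Added example, not from the original article: a gray-box business-logic
# test for a hypothetical order API. OrderApi stands in for the real service;
# the test uses knowledge of its internal state machine to drive sequences of
# individually valid-looking calls and checks that the API refuses them.

# Legal transitions of the hypothetical order state machine (design knowledge).
TRANSITIONS = {
    "created": {"pay": "paid", "cancel": "cancelled"},
    "paid": {"ship": "shipped", "cancel": "cancelled"},
    "shipped": {"deliver": "delivered"},
}

class OrderApi:
    """Minimal in-memory stand-in for an order service (one order)."""
    def __init__(self):
        self.state = "created"
        self.total = 100.0
        self.coupon_used = False

    def call(self, action):
        """Handle one request; return (status_code, body)."""
        if action == "coupon":
            # Rule: one coupon per order, and only before payment.
            if self.coupon_used or self.state != "created":
                return 409, {"error": "coupon not applicable"}
            self.coupon_used = True
            self.total = round(self.total * 0.9, 2)
            return 200, {"total": self.total}
        nxt = TRANSITIONS.get(self.state, {}).get(action)
        if nxt is None:
            return 409, {"error": f"cannot {action} from {self.state}"}
        self.state = nxt
        return 200, {"state": self.state}

def run_abuse_sequences():
    """Each case: setup calls, then one call that bends the business logic.
    Returns {case_name: True if the API rejected the abusive call}."""
    cases = {
        "cancel_after_ship": (["pay", "ship"], "cancel"),  # refund after shipping
        "coupon_after_pay": (["pay"], "coupon"),           # re-price after paying
        "double_coupon": (["coupon"], "coupon"),           # stack a single-use coupon
        "ship_unpaid": ([], "ship"),                       # skip payment entirely
    }
    results = {}
    for name, (setup, abuse) in cases.items():
        api = OrderApi()
        for step in setup:
            assert api.call(step)[0] == 200, f"setup failed for {name}"
        results[name] = api.call(abuse)[0] == 409
    return results
```

Against a real service, the setup and abuse steps would be HTTP calls, but the case list, which comes from design knowledge rather than from the API surface, is the gray-box part.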
Alongside their growing popularity, APIs also create greater exposure for web applications. Many organizations do not even know the scope of their APIs and their vulnerabilities. Attackers can easily probe known and unknown weaknesses through the available APIs.
A combination of natural language processing and artificial intelligence (AI) offers a viable gray-box option that automates, scales and simplifies the complex API security testing process.