APIs are very attractive to hackers, Paul Fremantle (co-founder of WSO2) said a couple of months ago. And he is right. APIs are the gateway to many of your organization's products and services. They are open and attractive by nature. Because the users of your APIs are often not only found inside the organization, but increasingly also outside.
I would like to state it even more strongly:
“An unsecured API is literally an ‘all you can eat buffet’ for hackers.”
But no one in the right mind would offer an unsecured API to the outside world, right? You might be right. I think most people are aware that you need security when you're offering services. It really doesn’t matter to who you offer to, the outside world or the organization itself. Not to mention that defining an API is easy, doing it right is a form of art.
Security can take many forms
We focus on security from an API perspective. There are also firewalls, virus scanners, malware detection and so on. Our Yenlo business is, among other things, around APIs, hence the focus. You could say that you would like your API users to register and work with a token. That will authorize the user and can be revoked. Without a token you don't have any access. The token can be used in conjunction with username and password by using the OAUTH2 grant type. You then need to supply a client ID and client secret, as well as a user's password and username to generate a token.
If you have to expire the token in a short period of time, it will give you a certain sense of security. But still, the token by itself, for the duration of the validity, is pretty much like the hotel key card. If you have the key card, you will get access to the room. No one will check if you are indeed the rightful occupant of that room. A token works in the same fashion.
But those are the simple things, let’s take a look at why we need security in the first place.
Why do we need security?
But why do we need security. Well, there are a number of reasons:
- Laws and directives
- Public relations
- Business reasons (for example: data integrity)
- Business continuity (DDOS, Ransomware)
GDPR, CCPA and others
The first category is of course the fact that there are data management laws such as the European GDPR to describe what you should and shouldn't do. With regard to data protection. The United States is getting laws to the same extent. The California Consumer Privacy Act being an example. In Europe this could mean a hefty fine when multiple violations occur. This can add up to $20 million (or Euros) or 4% of turnover, whichever is the higher. Multiple violations would mean that you were negligent that you didn't update or take precaution.
APIs are also used to offer services in the area of client data. For instance, the PSD2 directive where banks should allow third party providers to access data. Only of course when the client gives their consent for the use of the data. For instance, data related to their bank account and their transactions.
Shame on you
But don't forget that there is also a strong drive from a public relations perspective. Data breaches are often reported in the media. Online you will find lists of data breaches impacting millions of users at the reputable firms. (I won’t name and shame but when you google you will find them; the internet does not easily forget). This is all due to unsecured APIs? No, probably not. It does show that a data breach, or data leaked from an API, is news that news outlets are happy to cover. But even if people are unable to steal data from you, they might still be able to disrupt or interfere with your business or services.
Imagine an API that is not properly secured. For example, people can manipulate your inventory. Let’s say they set the number of items for sale considerably lower. Has anything been stolen right now? No, it won’t give you a headache. Because what's in the database is the truth. And if you have to challenge the truth it can be a laborious exercise to inventory the number of items in the warehouse.
It could also be that hackers are able to increase number of items in stocks. That doesn’t require a recount only, but also means the people who ordered the item are disappointed because the number of orders exceeds the number of items in stock.
In both cases, this is not something that you want.
You can imagine many more examples, such as changing the price. Or changing an image into something rude. That would be a real headache for the organization. As you can see, data changes are a nightmare.
And even the simple fact that someone gets access to data that he or she shouldn't. It's a PR nightmare. A database of people's height, so people can suddenly see other people’s height. Is this personal identifiable data? I think it would in some cases.
It doesn't seem like a big deal because when you look at a person, you can estimate the approximate height. But the simple fact that these people shouldn't have access to the database, and now have, that is the real problem.
DDOS and ransomware
But enough about this. Let's talk about some other security cases. You can think about the case of DDOS (distributed denial of service) flooding your APIs with requests that, if not managed properly (which is a big thing), will probably render your service unusable. Ransomware attacks twice as much and are a headache for security people. You lose money, you lose face, and some will lose their jobs.
Security is paramount
By now you understand that security is paramount. So, what can you do? The answer is quite simple. What you need is an API management solution in conjunction with an Identity Server that allows you to manage identity and access to your APIs. Preferably as a service, of course, because the benefit is that you then transfer the work and the burden of security / patches / uptime / monitoring to a third party. But what would the name of such a platform be and which products will be part of it? Well the answer is simple: the platform is called Yenlo’s Connext Platform (available as a Platform-as-a-Service concept) and built by Yenlo based on the award winning open source WSO2 API manager, WSO2 Enterprise Integrator and WSO2 Identity Server that allows you to start opening up your APIs securely. Combined with a fully integrated ELK-stack for monitoring and dashboarding, this is the ultimate platform solution for your APIs and Integrations. Including the 42Crunch API investigation done by Yenlo to see if the definition (for example: resources, context, and http verbs) is also secure.
So, you can have a better night’s rest not worrying about APIs. Feel free to contact us if you want to know more.
On Thursday 22 October 2020 at 9:00 a.m. (PDT) / 6:00 p.m. (CET) / 9:30 p.m. (IST), Yenlo organizes a webinar on the security aspects of exposing APIs, why we choose WSO2 API Manager, as well as a general overview of the product and a demo that will take the sample API to assess security level, discover security vulnerabilities and to show you how to improve it.