Networking


APIs: an urgent network security issue


Application programming interfaces (APIs) are essential for businesses to connect with customers and streamline workflows. However, APIs can also be a double-edged sword – they can open organisations’ networks up to a world of risk if not secured properly. By Andy Hornegold, product lead at Intruder.


Some of the biggest recent attacks have been API-related, from Australian telecoms company Optus in 2022, to the recent T-Mobile breach which affected 37 million customers. API abuses have become one of the most common attack vectors resulting in data breaches for enterprise web applications, meaning organisations have been forced to re-evaluate their approach to network security. This is why business owners and IT professionals need to understand the risks associated with their APIs and take steps to prevent threat actors from compromising their systems and having an impact on their business.


Ways for organisations to best secure their APIs

As is always the way with securing your network, there is no magic bullet; however, organisations can implement highly effective preventative measures to reduce the risk of a successful attack against their APIs.

Starting at the beginning, you have to know where your APIs are if you’re going to try and protect them. It’s important to know where APIs are being deployed, where they’re accessed from and how they’re being used. This is because deploying APIs inevitably expands an organisation’s attack surface, and by expanding your attack surface you increase the risk of an attacker finding an asset without the appropriate security controls and gaining access to your environment. Once you know where your APIs are within your environment and how they’re exposed, you can start to include them in your vulnerability management processes. By doing so, organisations can proactively identify any lurking vulnerabilities within their systems and effectively address these imminent threats.

One of the appeals of APIs is how they facilitate the potential for automation, which can boost an organisation’s operational efficiency. However, the very convenience that automation provides can be exploited by malicious actors. If your APIs are internet-facing then it’s essential to implement rate-limiting to control requests and enforce authentication for every API interaction, so that you maintain a level of control over the type and volume of data that your APIs provide access to.

Another measure businesses can take is to consider the cryptographic signing of requests: if you want to limit the number of users/systems that can use your API, then prevent connections, and discard application requests, from everyone that doesn’t have access to a private key that you trust.

Moreover, if businesses expose APIs that were previously limited to internal use and make them accessible to the Internet,

24 | July/August 2023


www.pcr-online.biz
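The three controls described above (authentication on every request, cryptographic signing of requests, and rate limiting) combined into one admission check. This is an added example, not code from the article or from Intruder; the Gate type, the key ID "client-a", the /v1/orders path, the limits and the layout of the signed message are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
	"time"
)

// Gate (hypothetical): trusted signature first, then a per-key budget. Not goroutine-safe.
type Gate struct {
	Trusted map[string]ed25519.PublicKey // key ID -> public key you trust
	Limit   int                          // requests allowed per key per Window
	Window  time.Duration                // fixed window, also the allowed timestamp skew
	start   time.Time
	count   map[string]int
}

// canonical binds method, path, timestamp and body hash into the signed message.
func canonical(method, path string, body []byte, ts time.Time) []byte {
	return []byte(fmt.Sprintf("%s\n%s\n%d\n%x", method, path, ts.Unix(), sha256.Sum256(body)))
}

func (g *Gate) Check(keyID, method, path string, body, sig []byte, ts, now time.Time) string {
	pub, known := g.Trusted[keyID]
	if d := now.Sub(ts); !known || d < -g.Window || d > g.Window || !ed25519.Verify(pub, canonical(method, path, body, ts), sig) {
		return "rejected" // discard: untrusted key, stale timestamp, or signature mismatch
	}
	if g.count == nil || now.Sub(g.start) >= g.Window {
		g.start, g.count = now, map[string]int{} // start a new window
	}
	if g.count[keyID]++; g.count[keyID] > g.Limit {
		return "rate_limited"
	}
	return "ok"
}

func Demo() []string { // constructed requests; returns the verdict for each
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed client key pair
	_, rogue, _ := ed25519.GenerateKey(nil)  // a key the API does not trust
	g := &Gate{Trusted: map[string]ed25519.PublicKey{"client-a": pub}, Limit: 2, Window: time.Minute}
	now, body := time.Unix(1700000000, 0), []byte(`{"id":7}`)
	send := func(k ed25519.PrivateKey, sent []byte, ts time.Time) string {
		sig := ed25519.Sign(k, canonical("POST", "/v1/orders", body, ts))
		return g.Check("client-a", "POST", "/v1/orders", sent, sig, ts, now)
	}
	return []string{send(priv, body, now), send(rogue, body, now), send(priv, []byte(`{"id":8}`), now),
		send(priv, body, now.Add(-time.Hour)), send(priv, body, now), send(priv, body, now)}
}
func main() { fmt.Println(Demo()) }
```

The timestamp check only bounds how long a captured request can be replayed; rejecting repeats inside the window would need a per-key nonce or request-ID cache.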

