Something Wicked This Way Comes: Securing your APIs

Updated: Nov 30, 2020

The average number of Application Programming Interfaces (APIs) a company runs now is 420. According to Akamai, more than 83% of its traffic as a CDN is API traffic. The facts can no longer be ignored, more than half of the traffic on the Internet today is now no longer human to application traffic, but application-to-application traffic. With the rise of 5G becoming a reality and more Internet of Things (IoT) devices come online, this traffic will continue to grow, not ebb. The days of single monolithic apps are also gone as they usher in a new era of micro-services sitting behind APIs and hackers know it.

"If I were to advise a hostile nation state on how to incapacitate the United States, I'd tell them to go after the APIs first." -Anonymous

It isn't just APIs at small businesses getting breached either. Unfortunate members of the breached API club also include Verizon, Samsung, Google, Facebook, Apple, T-Mobile,Marriott, the list goes on and on. So if these multi-billion dollar, large cap companies who can afford to hire floors of developers and security engineers that span their entire campus can't seem to get it right, what chance do you have, right?

I'm here to tell you that you do. You just need to recognize that APIs are the new attack surface and that your Web Application Firewall (WAF) that you're trying to secure your APIs with is like trying to remove a nail with a screwdriver. It just doesn't work.

The problem is often a discrepancy between what the API server (API provider) supports and what the contract with the API client (API consumer) allows. The problem is further compounded by developers who are leaving keys in their source code and publishing it to source code control and repository sites like Gitlab and Github, such was the case just this week with Samsung.

These sorts of problems also extend to developers of mobile apps who are hard-coding API keys, tokens, and credentials into mobile apps not realizing the apps can be decompiled using freely available tools, as was evidenced in my own research report published last month with Arxan Technologies and subsequently released at Aite Group.

The fact is, until developers stop making mistakes lik