How Risky are Your APIs?

The emergence of the Application Economy, where the application becomes the primary point of contact between the business and the customer, is made possible through the use of Application Programming Interfaces (APIs) to link front-end applications to back-end information systems. But many of the security threats that plague the web can be even more of a problem for APIs. This presentation explains the potential risks of APIs and highlights the three most common forms of attack.

The SlideShare is based on a recent eBooklet published by Scott Morrison of CA, Five Simple Strategies for Securing Your APIs, which not only goes into much greater detail on the threats but lays out five simple steps that organizations should be taking today to reduce their risk.

  1. How Risky Are Your APIs?
  2. Application Programming Interface (API) use is exploding! • 12,000 public APIs and growing • Companies are discovering how powerful APIs can be for integrating applications, especially in mobile apps.
  3. APIs are everywhere • It is APIs that enable people to share photos and other social updates between Instagram, Foursquare, Facebook and Twitter.
  4. APIs are good for business • APIs drove $2 billion in business for Expedia by securely exposing valuable content to its affiliate network. • Companies across all industries are rushing to create APIs that leverage their own core applications, data, and content. • web-redefining-software/493a
  5. APIs empower an ecosystem of third-party developers • … who create new apps and revenue streams you might never have thought of.
  6. But there are hidden dangers to using APIs • APIs share many of the same threats that plague the web… but APIs have a unique risk profile that must be managed.
  7. It is a mistake to think we can secure APIs the same way we secure the web.
  8. APIs are like windows into an application • … windows that give legitimate developers and hackers alike a direct view into the core functionality and data residing in the heart of the app.
  9. In the web world … • the website served as a barrier between the outside world and your inside systems. • People had to go through your web application to get what they needed, and they could only get what the website offered them.
  10. With APIs, that barrier doesn’t exist.
  11. Increased visibility isn’t the only risk from APIs • Increasing the number of potential calls also increases the attack surface, meaning that a hacker simply has more to exploit. • Risk increases with opportunity.
  12. There are three major attack vectors to watch for: • Parameter attacks • Identity attacks • Man-in-the-middle attacks
  13. Parameter attacks exploit the data sent into an API • That is: the URL, query parameters, HTTP headers and POST content. • SQL injection is among the most common parameter attacks: an old approach, but one that many systems are still vulnerable to.
  14. Identity attacks exploit flaws in authentication, authorization, and session tracking • These flaws are often the result of migrating bad practices from the web world into API development.
  15. Man-in-the-middle attacks involve an attacker sitting between the sender and receiver • APIs that are not properly configured to use SSL/TLS are highly vulnerable to this form of attack.
  16. Five Simple Strategies to Secure your APIs • Although APIs are susceptible to a broad range of attacks, applying just five simple mitigation strategies will allow you to securely publish APIs. • Download the white paper “Five Simple Strategies to Secure your APIs” for the five steps you should take now. • Download Now
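To make slides 13 to 15 concrete, here is an added example (not from the deck or from CA's white paper) of a small Python API handler that applies one mitigation per attack vector: bound SQL parameters plus an allow-list on the input for parameter attacks, HMAC-signed expiring tokens compared in constant time for identity attacks, and a check that a client TLS context actually verifies the server for man-in-the-middle attacks. The secret, the `orders` table and the function names are all constructed for this example; the weak and strict TLS contexts are built with the standard `ssl` module so they can be inspected offline.

```python
import hashlib
import hmac
import re
import sqlite3
import ssl
import time
from base64 import urlsafe_b64decode, urlsafe_b64encode
from typing import Optional

# ---- Man-in-the-middle: a client context that does not verify the server is not "using TLS" in any useful sense ----

def tls_context_is_safe(ctx: ssl.SSLContext) -> bool:
    """True only if the context verifies the certificate chain, checks the
    hostname and refuses protocol versions below TLS 1.2."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.check_hostname
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)

def weak_tls_context() -> ssl.SSLContext:
    # The "make the certificate error go away" configuration: any host on the path can impersonate the API.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False            # must be cleared before verify_mode may be set to CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def strict_tls_context() -> ssl.SSLContext:
    ctx = ssl.create_default_context()    # CERT_REQUIRED and hostname checking are the defaults
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

# ---- Identity: signed, expiring API tokens verified in constant time ----

SECRET = b"constructed-demo-secret"       # constructed for this example; load from a secret store in practice

def issue_token(subject: str, ttl_seconds: int, now: Optional[float] = None) -> str:
    exp = int((time.time() if now is None else now) + ttl_seconds)
    payload = f"{subject}:{exp}".encode()
    sig = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return urlsafe_b64encode(payload).decode() + "." + urlsafe_b64encode(sig).decode()

def verify_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the token's subject if the signature is valid and it has not expired, else None."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = urlsafe_b64decode(payload_b64)
        sig = urlsafe_b64decode(sig_b64)
    except (ValueError, TypeError):       # malformed token: reject, never guess
        return None
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):   # constant-time compare, so timing reveals nothing
        return None
    subject, _, exp = payload.decode(errors="replace").rpartition(":")
    if not exp.isdigit() or int(exp) < (time.time() if now is None else now):
        return None                       # expired tokens are as bad as forged ones
    return subject

# ---- Parameter attacks: the value stays data, never SQL ----

OWNER_RE = re.compile(r"[a-z0-9_]{1,32}")   # allow-list for the owner parameter

def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")      # constructed sample data
    db.execute("CREATE TABLE orders (id INTEGER, owner TEXT, total REAL)")
    db.executemany("INSERT INTO orders VALUES (?, ?, ?)",
                   [(1, "alice", 10.0), (2, "bob", 25.0), (3, "alice", 7.5)])
    return db

def orders_vulnerable(db: sqlite3.Connection, owner: str):
    # Concatenating the parameter lets the caller rewrite the query (the slide's SQL injection).
    return db.execute(f"SELECT id FROM orders WHERE owner = '{owner}'").fetchall()

def orders_safe(db: sqlite3.Connection, owner: str):
    # Bound parameter: the driver sends the value separately from the statement.
    return db.execute("SELECT id FROM orders WHERE owner = ?", (owner,)).fetchall()

def handle_request(db: sqlite3.Connection, token: str, owner: str, now: Optional[float] = None):
    """Return an (http_status, body) pair for GET /orders?owner=<owner>."""
    subject = verify_token(token, now)
    if subject is None:
        return 401, "invalid or expired token"
    if not OWNER_RE.fullmatch(owner):     # reject bad input before it reaches the database
        return 400, "bad owner parameter"
    if subject != owner:                  # authorization: a caller may only read its own orders
        return 403, "forbidden"
    return 200, [row[0] for row in orders_safe(db, owner)]

if __name__ == "__main__":
    db = make_db()
    tok = issue_token("alice", ttl_seconds=60)
    print(handle_request(db, tok, "alice"))                 # (200, [1, 3])
    print(handle_request(db, tok, "x' OR '1'='1"))          # (400, 'bad owner parameter')
    print(tls_context_is_safe(weak_tls_context()), tls_context_is_safe(strict_tls_context()))
```

The two `orders_*` functions are kept side by side deliberately: the same injected `owner` value returns every row from the concatenated query and nothing from the bound one, which is the behaviour to demonstrate when reviewing an API's data layer. The token check runs before the parameter check so that unauthenticated callers learn nothing about which parameter values are accepted.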