API-based data transfers are so fast that there is very little time to stop bad things from happening
In the rush to integrate, these lightly secured computer-to-computer portals let you quickly move data across systems to enrich and display it across your digital fabric. But that lightly defended part can create a huge data vacuum: an attacker who reverse engineers the API details can simply turn on the siphon. And since an API-based data transfer is very fast, there is very little time to prevent very bad things from happening.
Here at the RSA Conference, several sessions and vendors have tried to convince us that they know how to plug these often ill-protected digital holes.
To protect your APIs, you need to find their vulnerabilities before the bad actors do. Again, the same tools are used by attackers and defenders alike. The difference is that your web app is more likely to have its security issues reported than your public-facing API, although the latter can be at least as damaging.
While there is some overlap with traditional web application testing, APIs work differently and expect a different set of questions and responses, since they are built for the machine-to-machine applications that are so common these days.
For example, APIs expect structured data blocks that fit interoperable standards so that other computer systems can easily digest them. They expect a structured authentication handshake, or sometimes very little authentication at all before letting a computer in.
An afterthought
In a room full of RSA attendees whose organizations run lots of APIs, when asked how many know they have fully protected them, the general answer is that the security team gets a knock on the door and a phone call. That's the way it goes.
Toward the "fix it and check it as soon as you create it" equation, one API vendor recommends baking dynamic testing into the software development cycle before deploying anything. With a nifty Docker container you can roll out, every API iteration your developers produce gets checked as you go; this is a good way to be confident you are not inadvertently creating the next great backdoor.
How do bad actors find insecure APIs? Often they just read the documentation. A file baked into the standard API interface acts as a directory service, outlining all the places where hidden things can be found. With it, scanners can run repeated searches to slurp data automatically.
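As an added example (not code from the post or from any vendor mentioned in it), here is a Python check a team could run in its build pipeline against its own OpenAPI description, the same self-describing file the post says attackers read first, to flag operations that end up with no authentication requirement; the spec embedded below is constructed for illustration.

```python
"""Flag OpenAPI 3.x operations that end up with no authentication requirement.

Added example, not from the original post. Assumes the API is described by an
OpenAPI 3.x document (JSON); the sample spec below is constructed.
"""
import json

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options", "trace"}

# Constructed sample: a global bearer-token requirement, two paths that opt out
# with an empty security list, and one path referencing a scheme never defined.
SAMPLE_SPEC = json.dumps({
    "openapi": "3.0.3",
    "security": [{"bearerAuth": []}],
    "components": {"securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}}},
    "paths": {
        "/buildings/{id}/hvac": {"get": {"summary": "HVAC statistics"}},
        "/export/all": {"get": {"summary": "Bulk export", "security": []}},
        "/health": {"get": {"summary": "Liveness probe", "security": []}},
        "/admin/users": {"post": {"summary": "Create user", "security": [{"bearerAuth": []}]}},
        "/legacy/sync": {"put": {"summary": "Legacy sync", "security": [{"apiKey": []}]}},
    },
})


def unauthenticated_operations(spec_json, allowlist=()):
    """Return sorted "METHOD path" strings for operations with no usable auth.

    Rules applied: an operation-level `security` overrides the global list; an
    empty list explicitly disables auth; no global list means nothing is required
    by default; a requirement naming an undefined scheme is treated as no auth.
    Paths in `allowlist` (for example health probes) are skipped.
    """
    spec = json.loads(spec_json)
    global_sec = spec.get("security", [])
    schemes = spec.get("components", {}).get("securitySchemes", {})
    findings = []
    for path, item in spec.get("paths", {}).items():
        if path in allowlist:
            continue
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue  # skip "parameters", "summary" and similar non-operation keys
            effective = op.get("security", global_sec)
            undefined = any(name not in schemes for req in effective for name in req)
            if not effective or undefined:
                findings.append(f"{method.upper()} {path}")
    return sorted(findings)


if __name__ == "__main__":
    for finding in unauthenticated_operations(SAMPLE_SPEC, allowlist=("/health",)):
        print("no auth:", finding)
```

Failing the build on a non-empty result turns the "check it as soon as you create it" advice into a gate rather than a reminder.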
APIs don't only face public networks. They often sit at the core of a business, silently trading "trusted" information such as HVAC statistics for a building, but also allowing lateral movement once bad actors are inside your network. Vendors understand that their product is one part of an organization's digital landscape and must integrate with the others, so they create an API to communicate nicely with the rest of the technology being installed.
This means internal security teams naturally view this type of traffic with confidence. But that is exactly the kind of access ransomware authors would love to get.
Also, with a swarm of IoT devices scattered around the enterprise these days, those devices open up APIs for things like software updates, data feeds, and reporting functions to other nodes. A foothold can thus be gained through a vulnerability that lets bad actors start hopping from device to device.
The rapid proliferation of API calls from the swarm of enterprise products introduces a whole new way of thinking about what needs to be protected, and a very real, often unnoticed attack surface that carries a large amount of data at risk of being pumped out the back, front, or side door by the truckload, with little time to notice and even less time to respond.