Application Programming Interfaces (APIs) came into existence a few decades ago, driven by the need for two different software systems to interact. They gained wider attention as web applications became popular. Today a growing share of an organization’s business models and channels depends on secure access to functionality and on the exchange of its data. Turning an organization or business into a platform in this way is what is now called the API economy. Companies such as Google, Microsoft, Facebook and Twitter built an interconnected world that produced an explosion of data. In the Internet age, data is everything: whoever owns the data can generate millions of dollars from it by exposing it to consumers through APIs and charging for usage. As a result, APIs need to be protected from unsolicited access.
API security matters because it protects the organization’s data that is exposed to consumers. As APIs have evolved, so has their security. This article traces that evolution: the history of API security, its current state, modern threats to APIs, and the use of Machine Learning techniques for API security.
History of API Security
From early RPC, through CORBA and Java RMI, to today’s APIs, the need for a programmatic interface between systems has been evident. The modern API, the REST API, came into existence with Roy Fielding’s 2000 dissertation, and by the 2010s REST APIs had become the backbone of the world wide web.
Data that used to sit on a disk joined the movement and started flowing over the Internet. On the public web, the confidentiality of API traffic became a concern. In 1994, Netscape Communications created HTTPS for its Netscape Navigator browser, layering HTTP over the SSL protocol; HTTPS was formally specified in RFC 2818 in 2000. HTTPS protects data in transit over the wire. Transport-layer security alone was not enough, however: the identity of the end user also mattered. The layered architectural style in the REST definition lets a separate authentication layer be added, and various mechanisms were implemented, including HTTP Basic authentication (which sends a username and password with every request) and SAML tokens. With the ever-changing nature of technology, these security and identity methods soon proved insufficient on their own.
Current State of API Security
The API economy has grown enormously in the last few years. One catalyst was mobile application development (apps). Growth started in the B2C space, and we now see massive growth in B2B as well. With it comes a need for comprehensive API security. Because the API portfolio is so diverse, security practices also need to evolve and to consider the unique needs of API usage across mobile, voice and other emerging applications. API management plays a crucial role in bringing these diverse APIs onto a single platform.
Traditional API security measures focus on controlling access: authentication, authorization, rate limiting and network security. All of these soon became core features of API management platforms, which started integrating with identity federation tools and enforcing transport-layer security with TLS/SSL certificate verification by default. Today, API management platforms support measures such as JWT signature verification, JWE decryption and OAuth 2.0, alongside older ones including OAuth 1.0, Basic authentication and IP whitelisting. API management tools also standardize API security through API products: you can bundle APIs into an API product and apply a security policy to the product as a whole.
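As an added example (not code from the original article or from any API management product), here is the JWT verification step a gateway policy performs, written against the Python standard library for an HMAC-signed (HS256) token. The shared secret, audience name and claims are constructed for the illustration. The check pins the algorithm so that a token announcing "alg": "none" is rejected, compares the signature in constant time, and enforces the exp and aud claims; only a token that passes every check should reach the backend.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values. In a real gateway the key comes from a vault or a JWKS endpoint (assumption).
SECRET = b"demo-shared-secret-not-for-production"
EXPECTED_AUDIENCE = "orders-api"


def _b64url_decode(s: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def mint_hs256(claims: dict, key: bytes) -> str:
    """Issue an HS256 token (used here only to produce test input; the gateway never mints)."""
    header = {"alg": "HS256", "typ": "JWT"}
    segments = [_b64url_encode(json.dumps(part, separators=(",", ":")).encode())
                for part in (header, claims)]
    signing_input = ".".join(segments)
    signature = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(signature)


def verify_hs256(token: str, key: bytes, audience: str, now=None):
    """Return (ok, reason). Rejects malformed tokens, any alg other than HS256,
    bad signatures, expired tokens and tokens issued for another audience."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    h_b64, p_b64, s_b64 = parts
    try:
        header = json.loads(_b64url_decode(h_b64))
        claims = json.loads(_b64url_decode(p_b64))
        signature = _b64url_decode(s_b64)
    except ValueError:  # covers binascii.Error and json.JSONDecodeError
        return False, "undecodable"
    # Pin the algorithm. Letting the token choose the verifier is how the "alg":"none"
    # and HMAC/RSA key-confusion attacks work.
    if header.get("alg") != "HS256":
        return False, "alg not allowed"
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        return False, "bad signature"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        return False, "expired or missing exp"
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if audience not in audiences:
        return False, "audience mismatch"
    return True, "ok"
```

The order of checks is deliberate: nothing from the payload is trusted until the signature has been verified with a key chosen by the gateway's configuration, not by the token. For RS256/ES256 tokens and JWKS rotation, use a maintained JOSE library rather than extending this sketch.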
Another approach the industry has adopted is to place a Web Application Firewall (WAF) in front of the API gateway. A WAF can filter API traffic before it reaches the gateway, based on configured rules such as IP reputation intelligence, OWASP Top 10 rule sets and malicious bot detection.
API security is all about striking a balance between making valuable data, content, media, algorithms, and other digital assets accessible to authorized users, while preventing unauthorized users from gaining access. It isn’t just a handful of stops across an API Lifecycle.
Currently, at Fresh Gravity, with a strong partnership with Apigee of more than four years, we use Apigee’s robust security policies and have built multiple accelerators that are reusable and extensible per requirement. For our banking clients, we have prebuilt encryption and decryption logic that can be readily integrated into the API flow, and a number of other security frameworks built using Apigee’s shared flows feature.
Modern Threats to APIs
Traditional security mechanisms, including authentication, authorization, rate limiting and network security, are powerful tools but not comprehensive solutions for API-specific denial of service (DoS) attacks or for application, data and login attacks. APIs face a myriad of threats today, and API-driven digital transformation is an attractive target for black hat hackers seeking access to corporate data, sensitive information and business applications.
Broken authentication covers attacks in which an adversary probes the environment and then bypasses or defeats the login system. APIs are frequently built from off-the-shelf proxy templates, and their specifications or proxy bundles are often published publicly, for example on GitHub, as they are. This gives attackers a starting point: they can enumerate likely endpoints and explore the environment. They can also steal tokens and credentials with man-in-the-middle attacks where transport security is missing or misconfigured.
API DDoS attacks differ from volumetric DDoS attacks. They are often executed by many clients that each send traffic at a normal volume, which together overload the API service. Because no single client stands out, these attacks are hard to detect without analyzing the aggregate traffic rate on each unique API service. Sophisticated attackers can even learn the allowed per-client rate and keep each client just within its limit. The aim is typically to make applications unserviceable or to drive up computation cost, especially if the servers run in the cloud on a consumption-based model.
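The detection gap described above is easy to reproduce. The following added example (constructed for this article, not code from any product or from the original author) feeds a constructed minute of traffic through a sliding-window monitor that tracks, per API, both the aggregate request count and each client's count. The per-client quota, the per-API capacity figures and the client names are assumptions. Fifty bots each stay under the 60-requests-per-minute quota, so a per-client rate limiter never fires, yet the aggregate on /payments crosses the API's capacity and the monitor raises a "distributed overload" alert.

```python
from collections import Counter, defaultdict, deque

WINDOW_SECONDS = 60.0
PER_CLIENT_QUOTA = 60                                  # published per-client limit per window (assumed)
API_CAPACITY = {"/payments": 1000, "/catalog": 5000}   # sustainable requests per window per API (assumed)


class AggregateRateMonitor:
    """Sliding-window request counts per API, kept alongside per-client counts."""

    def __init__(self, window=WINDOW_SECONDS):
        self.window = window
        self.events = defaultdict(deque)        # api -> deque of (timestamp, client)
        self.per_client = defaultdict(Counter)  # api -> Counter(client -> in-window count)

    def observe(self, ts, client, api):
        """Record one request (timestamps must be non-decreasing) and return an alert dict or None."""
        q = self.events[api]
        pc = self.per_client[api]
        q.append((ts, client))
        pc[client] += 1
        # Evict requests that have fallen out of the window.
        while q and q[0][0] <= ts - self.window:
            _, old_client = q.popleft()
            pc[old_client] -= 1
            if pc[old_client] == 0:
                del pc[old_client]
        return self._assess(api)

    def _assess(self, api):
        total = len(self.events[api])
        pc = self.per_client[api]
        busiest = max(pc.values(), default=0)
        capacity = API_CAPACITY.get(api, 1000)
        if busiest > PER_CLIENT_QUOTA:
            return {"api": api, "alert": "client over quota", "total": total,
                    "clients": len(pc), "max_per_client": busiest}
        if total > capacity:
            # Every client is under its quota, yet the API as a whole is overloaded:
            # this is the distributed, low-and-slow pattern a per-client limiter misses.
            return {"api": api, "alert": "distributed overload", "total": total,
                    "clients": len(pc), "max_per_client": busiest}
        return None


def constructed_traffic():
    """Constructed sample: 50 bots each send 40 requests in one minute to /payments
    (under the 60/min quota); 5 normal users each send 10 requests to /catalog."""
    events = []
    for bot in range(50):
        for j in range(40):
            events.append((j * 1.5 + bot * 0.01, f"bot-{bot:02d}", "/payments"))
    for user in range(5):
        for j in range(10):
            events.append((j * 6.0 + user * 0.1, f"user-{user}", "/catalog"))
    events.sort()
    return events


def first_alerts(events):
    """Feed events through the monitor and return the first alert raised for each API."""
    monitor = AggregateRateMonitor()
    alerts = {}
    for ts, client, api in events:
        alert = monitor.observe(ts, client, api)
        if alert and api not in alerts:
            alerts[api] = alert
    return alerts
```

Running first_alerts(constructed_traffic()) raises the /payments alert on the 1,001st request, when the busiest bot has sent only 21 requests, and raises nothing for /catalog. In a real deployment the capacity figures would come from load testing, and the alert would feed a dynamic quota or an upstream WAF rule rather than a dictionary.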
Application and data attacks often rely on compromised credentials. With open APIs and digital transformation initiatives, partners are routinely given access to applications and data through APIs using their own corporate credentials. When an employee leaves one of these partner organizations, the API provider rarely learns of it promptly, and the still-valid credentials pose a serious threat to data and applications. Since an attacker holding compromised credentials looks like a valid client, authentication alone gives API management tools no way to separate legitimate requests from rogue ones.
Machine Learning and API Security
As discussed above, tackling these intelligent attacks requires a comprehensive security solution that provides not only the usual security controls but also anomaly detection. Artificial Intelligence and Machine Learning are well suited to building such capabilities and can be used to manage challenging and emerging threats. With the self-learning capabilities of AI and ML, security models can be developed that identify and flag anomalous behavior and malicious data trends, leading to the blocking of API attacks and abnormal behavioral patterns across environments and circumstances. This adds a continuous-learning capability to the APIs: anomalous behavior is flagged without prior knowledge of the attack and without a hand-written policy.
With API management tools in place, each API consumer’s behavior and resource utilization data are readily available, and organizations must derive real-time consumer behavior from existing sources such as platform logging. Machine learning can classify normal against anomalous patterns in that data. Models such as Naïve Bayes, Decision Trees, Random Forests, Support Vector Machines, Deep Learning and Neural Networks are recommended and are being used for API security. Proper tools and services must be in place to build and operate these models, and the models need to be trained on multiple APIs across different service providers.
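The compromised-partner-credential scenario from the threats section and the behavioral baselining described here share one mechanism: a per-consumer profile learned from gateway logs, against which each new window of traffic is scored. The following added example (constructed for this article; it is not the code of any of the platforms named below, nor of the original author) builds that profile with simple statistics rather than one of the listed models, which is the baseline any of them should beat. The consumer name, endpoints, hours and counts are constructed. A partner that for five days called /orders and /invoices during business hours at about 100 requests per hour is then seen at 03:00 pulling 900 requests from /users/export: a valid credential behaving like a stolen one.

```python
import math
from collections import defaultdict


def constructed_history():
    """Constructed baseline logs: partner 'acme-integration' calls /orders and /invoices,
    08:00 to 17:00 UTC, about 100 requests per hour, over five days. Counts carry small,
    deterministic jitter so the standard deviation is non-zero."""
    rows = []
    for day in range(5):
        for hour in range(8, 18):
            rows.append({"consumer": "acme-integration", "day": day, "hour": hour,
                         "endpoint": "/orders", "count": 48 + (2 * day + hour) % 5})
            rows.append({"consumer": "acme-integration", "day": day, "hour": hour,
                         "endpoint": "/invoices", "count": 48 + (3 * day + hour) % 5})
    return rows


def build_baselines(history):
    """Per-consumer profile: endpoints used, active hours, mean and std of hourly request totals.
    Each history row is one (consumer, day, hour, endpoint) aggregate with its request count."""
    profile = defaultdict(lambda: {"endpoints": set(), "hours": set()})
    hourly = defaultdict(lambda: defaultdict(int))  # consumer -> (day, hour) -> total requests
    for r in history:
        p = profile[r["consumer"]]
        p["endpoints"].add(r["endpoint"])
        p["hours"].add(r["hour"])
        hourly[r["consumer"]][(r["day"], r["hour"])] += r["count"]
    baselines = {}
    for consumer, p in profile.items():
        totals = list(hourly[consumer].values())
        mean = sum(totals) / len(totals)
        std = math.sqrt(sum((x - mean) ** 2 for x in totals) / len(totals))
        baselines[consumer] = {"endpoints": p["endpoints"], "hours": p["hours"],
                               "mean": mean, "std": std}
    return baselines


def score_window(baselines, consumer, hour, calls, z_threshold=3.0):
    """Score one hour of a consumer's traffic (calls: endpoint -> count).
    Returns (score in 0..1, list of human-readable reasons)."""
    b = baselines.get(consumer)
    if b is None:
        return 1.0, ["consumer has no baseline"]
    score, reasons = 0.0, []
    new_endpoints = sorted(set(calls) - b["endpoints"])
    if new_endpoints:
        score += 0.4
        reasons.append(f"never-seen endpoints {new_endpoints}")
    if hour not in b["hours"]:
        score += 0.2
        reasons.append(f"outside usual hours ({hour:02d}:00)")
    total = sum(calls.values())
    if b["std"] > 0:
        z = (total - b["mean"]) / b["std"]
    else:
        z = math.inf if total != b["mean"] else 0.0
    if z > z_threshold:
        score += 0.4
        reasons.append(f"hourly volume {total} is {z:.0f} std above mean {b['mean']:.0f}")
    return min(score, 1.0), reasons
```

The score is deliberately additive so that an analyst can see which signal fired; the weights are assumptions to tune. A window scoring above a chosen threshold would be rate-limited or routed to step-up verification rather than blocked outright, since a partner legitimately onboarding a new integration also produces a never-seen endpoint. The same profile answers the "employee left the partner" problem: the credential keeps authenticating, but its behavior no longer matches.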
Platforms and tools that apply machine learning to application security and are currently available include Amazon AI, Wallarm, Google AI Cloud, COMBAT API, Castra and Ping Intelligence. Numerous other players in this domain are striving to present versatile and secure application development models and infrastructure support.
With these tools and technologies, enterprises are leveraging smart learning and cognitive capabilities to transform their business models. Alongside traditional ways of securing APIs, API behavioral security is needed in today’s rapidly changing technology world. We can conclude that API security is among the most important needs of today, and that ML/AI are being used as effective and intelligent tools for achieving it at various layers. However, more research and development is required to tackle compliance and standardization issues.