In programming terms, an application programming interface, or API, is a set of functions and protocols for building software.
APIs allow applications to work together more easily. For instance, suppose I want to build an application that lets my users shop online at the very cheapest price. I would need to identify whatever the user is looking for across all the major supermarkets and compare the prices in something close to real time.
My life would be made a lot simpler if the supermarkets offered an API. This could allow me to search all their products, get prices, or even purchase their products.
I could then use these APIs to interact with all the supermarkets in a well-documented and tested way, comparing costs and showing my user exactly what they are after at the cheapest possible price.

Transportation systems, banks, retail, IoT and even autonomous vehicles all use APIs.
APIs are a critical part of the modern world: mobile phones, SaaS (Software as a Service) and web applications all now use APIs. They are found in customer-facing applications, third-party applications and most businesses' internal applications.
A recent Akamai report (State of the Internet / Security: Retail Attacks and API Traffic) suggests that 83% of all web traffic is now API based.
Our daily lives are only growing more technological; every aspect of our lives is now online. Most of us do our shopping, our browsing, our socialising and even our finances online.
To make use of all this information, systems need to be able to communicate with one another. This is achieved through Web Application Programming Interfaces (APIs). The modern application uses APIs to join systems and share information, ultimately creating a better experience for its users.
“poorly protected application programming interfaces (APIs) are rapidly increasing, and there is not a singular plug-and-play solution to preventing such data breaches from happening,”
Chris Konrad, global director of security strategy, https://www.wwt.com/about/partners
Today's businesses, large and small, are obligated now more than ever to provide a secure and safe online experience for their customers.
Many cybersecurity experts believe that it is not a case of 'if' you get attacked but rather 'when'. In most instances these breaches could have been avoided, and the damage to a brand's reputation from a cyber incident does not bode well for any business.
APIs are vulnerable to most of the same attack vectors as normal web applications, and with the popularity of these services continuing to grow, they are becoming a popular target.
Conducting a security assessment of your organisation's APIs allows you to identify weaknesses that may be present and which could result in exploitation, data loss, brand damage or even regulatory fines.
Laneden can provide a thorough and independent examination of your APIs, identifying security concerns and advising on remediation actions.
A comprehensive report is collated, containing an executive summary which gets right to the point of the associated risks and is consumable by anyone in the organisation regardless of their technical background, along with enough detail to allow you not only to understand the potential attack vectors but also to carry out remediation work, with concise and clear guidance.
CANDACE FLYNN, PING IDENTITY, https://tinyurl.com/api-growth
Using a combination of automated and manual testing, our consultants will conduct a thorough assessment of your infrastructure, identifying vulnerabilities that may be exploitable by both authenticated and unauthenticated users across your network.
The use of automated tools and in-depth knowledge of manual testing allows us to accurately and effectively assess your infrastructure, maximising the time available.
Assessments are conducted in line with the current standards and methodologies used in the industry, such as those outlined in the Penetration Testing Execution Standard (PTES). Using PTES as guidance, Laneden defines its approach in six phases:
- Pre-engagement
- Intelligence Gathering
- Vulnerability Analysis
- Exploitation
- Post Exploitation
- Reporting
Our consultants engage with the client to discuss the scope and make certain all is in order before the assessment begins.
Communications at the beginning and end of each assessment day confirm that the assessment is starting or ending for the day.
Ongoing communications from the engaged engineer highlight any major issues as they are encountered.
A comprehensive report is provided containing an executive summary which gets right to the point of the associated risks and is consumable by anyone in the organisation regardless of their technical background.
Clear and concise information describing each issue to hand.
Technical references will be provided when relevant, allowing you to gather more information on the vulnerability if required.
Each vulnerability will be put into context and given a risk-based score. Using CVSS v3 scoring together with the relevant context, you get a realistic picture of each associated risk.
Simple remediation advice, stating what is required to fix each vulnerability.
FREQUENTLY ASKED QUESTIONS
The Open Web Application Security Project (OWASP) is a nonprofit foundation that works to improve the security of software. Through community-led open source software projects, hundreds of local chapters worldwide, tens of thousands of members, and leading educational and training conferences, the OWASP Foundation is the source for developers and technologists to secure the web.
The OWASP API Security Top 10 is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks associated with APIs.
Businesses are encouraged to adopt this document and start ensuring that their applications minimise these top 10 risks.
Using the OWASP API Security Top 10 guidance is perhaps the most effective first step towards changing the software development culture within your organisation into one that produces more secure code.
The document comprises the 10 most prevalent concerns:
Broken Object Level Authorisation
APIs tend to expose endpoints that handle object identifiers, creating a wide attack surface for object-level access control issues. Object-level authorisation checks should be considered in every function that accesses a data source using input from the user.
Broken User Authentication
Authentication mechanisms are often implemented incorrectly, allowing attackers to compromise authentication tokens or to exploit implementation flaws to assume other users' identities temporarily or permanently. Compromising a system's ability to identify the client/user compromises API security overall.
Excessive Data Exposure
Relying on generic implementations, developers tend to expose all object properties without considering their individual sensitivity, leaving it to clients to filter the data before displaying it to the user.
Lack of Resources & Rate Limiting
Quite often, APIs do not impose any restrictions on the size or number of resources that can be requested by the client/user. Not only can this impact API server performance, leading to Denial of Service (DoS), but it also leaves the door open to authentication attacks such as brute force.
Broken Function Level Authorization
Complex access control policies with different hierarchies, groups, and roles, and an unclear separation between administrative and regular functions, tend to lead to authorization flaws. By exploiting these issues, attackers gain access to other users’ resources and/or administrative functions.
Mass Assignment
Binding client-provided data (e.g., JSON) to data models without filtering properties against an allow-list usually leads to Mass Assignment. By guessing object properties, exploring other API endpoints, reading the documentation, or supplying additional object properties in request payloads, attackers can modify object properties they are not supposed to.
Security Misconfiguration
Security misconfiguration is commonly a result of insecure default configurations, incomplete or ad-hoc configurations, open cloud storage, misconfigured HTTP headers, unnecessary HTTP methods, permissive Cross-Origin resource sharing (CORS), and verbose error messages containing sensitive information.
Injection
Injection flaws, such as SQL, NoSQL, Command Injection, etc., occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s malicious data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
Improper Assets Management
APIs tend to expose more endpoints than traditional web applications, making proper and updated documentation highly important. Proper hosts and deployed API versions inventory also play an important role to mitigate issues such as deprecated API versions and exposed debug endpoints.
Insufficient Logging & Monitoring
Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems to tamper with, extract, or destroy data. Most breach studies demonstrate the time to detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring.
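The Broken Object Level Authorisation, Excessive Data Exposure and Mass Assignment entries above describe the same handler pattern from three angles. The following Python is an added example, not code from the Laneden page or from OWASP: a constructed in-memory profile-update handler written the vulnerable way and then the hardened way (the user records, field names and hash placeholder are all assumed for illustration).

```python
from typing import Any, Dict

Record = Dict[str, Any]


# Constructed sample user store; a fresh copy is returned so each call starts clean.
def fresh_users() -> Dict[int, Record]:
    return {
        1: {"id": 1, "email": "alice@example.test", "display_name": "Alice",
            "role": "user", "password_hash": "<constructed-hash>"},
        2: {"id": 2, "email": "bob@example.test", "display_name": "Bob",
            "role": "user", "password_hash": "<constructed-hash>"},
    }


# Allow-lists: what a client may write on its own profile, and what any caller may read.
WRITABLE_FIELDS = {"email", "display_name"}
PUBLIC_FIELDS = {"id", "display_name"}


class Forbidden(Exception):
    """Raised when the caller is not allowed to act on the requested object."""


def update_profile_vulnerable(users: Dict[int, Record], caller_id: int,
                              target_id: int, payload: Record) -> Record:
    """Binds every JSON key straight onto the record: no ownership check
    (Broken Object Level Authorisation) and no property allow-list (Mass Assignment)."""
    record = users[target_id]
    record.update(payload)          # a "role" or "password_hash" key lands here too
    return record


def update_profile_hardened(users: Dict[int, Record], caller_id: int,
                            target_id: int, payload: Record) -> Record:
    """Object-level authorisation first, then copy only allow-listed properties."""
    record = users[target_id]
    if record["id"] != caller_id:   # the caller may only edit their own profile
        raise Forbidden(f"user {caller_id} may not modify user {target_id}")
    rejected = set(payload) - WRITABLE_FIELDS
    if rejected:                    # reject unexpected keys instead of silently binding them
        raise ValueError(f"read-only or unknown fields: {sorted(rejected)}")
    record.update({k: payload[k] for k in WRITABLE_FIELDS if k in payload})
    return record


def public_view(record: Record) -> Record:
    """Serialise only the fields meant for other clients (avoids Excessive Data Exposure)."""
    return {k: record[k] for k in PUBLIC_FIELDS}
```

Rejecting unknown keys, rather than silently dropping them, also gives the logging layer a clear signal that a client sent properties it should never send.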
Assessment costs are priced on the size of the particular API. To gauge the size of the engagement we use parameters such as how many endpoints the API has and how many methods each endpoint supports.
Our experienced consultants are then able to calculate the number of man-days it would take to complete the assessment and collate the findings into a concise, simple report, covering at the very least the OWASP API Security Top 10.
The statement of work is then compiled, describing the total man-days required to fulfil the engagement, priced per man-day.
Conducting regular penetration tests is a component of a number of standards and compliance frameworks, such as PCI DSS, GDPR, the DPA and ISO 27001.
Security assessments can help a business understand the risks associated with its systems and how they process and store customer data.
They can help avoid the additional costs and reputational damage of a breach, provide evidence to compliance or regulatory bodies, and give assurance to customers and partners.
More and more people are aware of cybersecurity and the risks that come with it; now more than ever they want to trust that businesses are protecting them and their data by following good security practices.
Common vulnerability identification and management
Potentially avoid extra costs and reputation damage due to a breach via a commonly known vulnerability
Provide evidence of compliance with regulatory bodies
To provide assurance to customers and partners, proving you are taking measures to protect their data
Provide insight into potential risks associated with your applications
Provide critical input into your risk management programs
IoT, put simply, is all things connected to the internet.
Yes, we know our phones and computers are on the internet; we have got used to the idea and it makes sense to us.
IoT aims to get everything on the internet to collect and share data: your fridge, your wearable devices, your TV, your toaster, your backpack, your kettle, your dishwasher, yes, even your baby monitor. The list goes on and on. The idea is to collect data and share it, creating better efficiencies and better products in the future.
The idea is a great one and has benefits; the problems start to arise when cybersecurity is not taken into account. These systems tend to use APIs, and often those APIs have not gone through any security testing regime, meaning malicious actors are potentially able to abuse these devices, using them as access points into your home or business network.
Software as a Service, or SaaS, is a cloud-based service model where, instead of downloading software to your computer, installing it and having to update it constantly, you access an application via your browser. The software could be anything from office applications to unified communications, among a wide range of other business solutions that are available.
This model offers a variety of advantages but also has its disadvantages. Key advantages of SaaS include accessibility, operational management and compatibility. Additionally, SaaS models tend to offer lower upfront costs than traditional download-and-install software, making them available to a wider range of businesses and making it easier for smaller businesses to compete in and disrupt existing markets while empowering suppliers.