APIs: Risks, Potential and Security Solutions

Application programming interfaces (APIs) are no longer just a developer tool. They are the foundation of a vast range of business applications and web services. APIs connect applications within companies and share data between organizations. They also help employees to navigate the sometimes labyrinthine depths of corporate IT, through services such as single sign-on.

Such is their business value that the consulting firm McKinsey expects the number of public APIs to triple during 2018.

However, APIs carry risks, too. Last year’s attack on Equifax could be one of the most expensive in corporate history. The data breach has been traced back to CVE-2017-5638, a vulnerability in Apache Struts 2, an open-source web development component.

Researchers have warned that over 3,000 organizations could be vulnerable to the Struts exploit. APIs were also blamed for recent attacks against Instagram: in that case, the target was a REST API used for password resets in the social media site’s mobile app.

Both CISOs and the security industry are starting to take notice of the risks around APIs. Speaking in September at an event sponsored by Forum Systems and hosted by Infosecurity on the topic of API security, Dinis Cruz, CISO of online retailer Photobox, said: “Every API needs to be protected. Are we validating data leakage, and are we doing XML validation? When it comes to APIs, trust no-one.”

Ease of deployment is one reason APIs are useful, and powerful. With more software vendors, web services and data providers publishing APIs, developers can build complex applications quickly.

Developers using APIs can pull together legacy applications and modern interfaces, and share information across supply chains, government departments or whole industries. Users, though, need to be more vigilant.

Look at APIs, suggested Cruz, and CISOs will have a much clearer picture of how data moves across their organizations. “APIs are the epicenter of security,” he added. “The best way to detect attacks is not at the outer edge, but within applications and their APIs.”

Unfortunately for users of the technology, APIs are rarely designed with security in mind. Developers are becoming more security-conscious, but APIs still need to be treated as a potential risk, suggested Jason Macy, chief technology officer at Forum Systems. Forum’s Sentry system, for example, carries out deep content inspection of API data payloads – including every tax return sent in the United States.

In fact, government is a sector that already takes API security extremely seriously. Governments need APIs to connect together their vast numbers of IT systems and data stores, and to provide their workforces with modern user interfaces, and mobile access. Without APIs, the task would be impossibly expensive. Without API security, sharing data and connecting applications would be too risky.

Binding-Up Biometrics

The UK Biometrics Service typifies the type of deep integration possible through APIs.

The Home Office systems hold 120 million biometric records and supply services to over 50 organizations and 45,000 users, in the UK and overseas. Each year the service handles four million visa applications, six million passport applications and six million border checks. That is in addition to providing fingerprint data to police forces.

Home Office Biometrics uses a gateway to connect service users to the ‘legacy’ Home Office biometric systems. “The gateway controls access to the end points and provides a common API to consumers which protects them from changes to the legacy system. The gateway is the first in a series of security controls that ensure access to biometric data is in line with policy and legislation,” said Graham Camm, chief biometric technical architect at Home Office Biometrics, at the Forum Systems event.

The Biometric Services Gateway uses an active-active configuration across two cloud-hosted, redundant installations. A pair of Forum Systems’ Sentry API gateways protects access to each installation. “The Biometric Services Gateway was built as the front door to the biometric services, and Sentry is the front door to the front door,” added Nick Grahame, a technical specialist at Home Office Biometrics who also spoke at the event.

The Biometric Services Gateway is designed to provide system-to-system authentication. At present, the agency does not authenticate end user devices, although this is a function that might be added in the future. For now, though, police forces and other agencies authenticate their users, and the Biometric Services Gateway controls the traffic from end user agencies’ systems.

Sentry simplifies the architecture by consolidating multiple APIs in front of the core application, which exposes a simpler, single, generic interface “to do biometric stuff,” said Grahame.

An example of this approach is mobile fingerprint scanning for police forces. “We had a siloed system with about 400 devices. It was very expensive to run, and police officers often had to carry four separate devices,” explained Camm.

“We now provide an API that integrates with police mobile application services. Most officers have a smartphone that can connect to a mobile fingerprint scanner. It provides a cost saving but also much greater capabilities. West Yorkshire Police [one of the first to switch] found they could have 500 devices rather than 12 for the same price.”

Rewiring Identity at Belden

Whilst the UK Biometrics Service’s approach centers on system-to-system authentication, other organizations are turning to APIs to simplify user access to IT. This is a particular challenge for companies that have grown through acquisition, and have inherited dozens of IT systems in the process.

Belden is a US-based manufacturer that is perhaps best known for its speaker cables – but with business interests extending to transportation and broadcasting.

Belden wanted to streamline access to its business systems, and remove the need for employees to use multiple user names and passwords. Speaking at the Forum Systems event, Chad Matthews, IT manager for sales and marketing solutions, said: “We wanted to simplify user access and bypass the ‘maze’ of systems.” This included Active Directory, Salesforce.com and analytics package Tableau.

Matthews’ team examined a number of options for a single sign-on gateway to bring together the business’ 16 Active Directory instances as well as cloud technologies. Belden installed two instances of Sentry on virtual appliances, with load balancing and failover to the business’ global disaster recovery site.

Sentry acts as the gateway to Belden’s business-to-business portal and was productive from day one, said Matthews. “We created a simplified security model for the B2B portal, and we are now beta testing two factor authentication,” he added.

With the API gateway in place, Belden can install upgrades such as two-factor authentication simply, and without the need to modify the business’ core applications.

With information and data sharing an increasing priority for all organizations, APIs are becoming ever more important, and making sure those APIs stay secure is critical for both the public and commercial sectors.