Issue 244: Threats to enterprises in the cloud, looming threats to APIs, API SDK generation tools

This week, we have articles on the threats to enterprises in the cloud and another on the looming threats to APIs. We also examine the challenges posed by API threats in the utility and energy sectors. We also have technical articles on using AI to hack the crAPI vulnerable API and how to generate SDKs from your API contracts. Finally, we have news on two upcoming events. 

Article: Security threats to enterprises in the cloud

In the first article this week, Forbes discusses the various security risks companies face when moving their operations and data to the cloud. While cloud service providers invest in security measures, businesses should avoid assuming their data is fully protected. The article presents insights from 20 members of the Forbes Technology Council on the top security threats and how to address them.

The article identifies several threats, such as image-based phishing, human error, added risks from homeworking, shadow IT, and insider threats, mostly attributed to human error or shortcomings. The most interesting revelation for me was that for the technical threats, most, if not all, impacted APIs. Firstly, API security itself is identified as a threat, namely:

API vulnerabilities present a growing threat. Regularly assess and secure APIs, implement proper authentication mechanisms, and conduct thorough security testing to identify and rectify potential vulnerabilities.

However, many of the ancillary threats impact the security of APIs, namely:

  • Misconfiguration: Although not specifically mentioned in the context of APIs, misconfigurations in cloud settings can lead to unauthorized access. Misconfigured APIs can expose sensitive data or allow unauthorized actions to be performed.
  • Unsecured Apps and Data in Development: Many cloud platforms also serve as development environments where users can build apps and automation. If these apps and their associated data are not properly secured, it can lead to vulnerabilities. This point implies that unsecured APIs in development environments can pose a risk.
  • Vulnerabilities In Third-Party Software: Supply chain attacks can target vulnerabilities in software and infrastructure, and APIs, as they are externally facing and visible, are particularly vulnerable to such attacks.
  • Secrets sprawl: API keys, encryption keys, and other secrets are often used to authenticate and authorize access to APIs. If these secrets are not managed securely, it can lead to unauthorized access and data breaches.

This is quite an eye-opening read for anyone operating modern infrastructure. 

Article: API security threats looming

We have another illuminating article on the threats to API security courtesy of Infosecurity Magazine. The article describes many of the findings in a recent Fastly survey of 235 key IT professionals, including the following statistics:

  • 79% of surveyed companies place a high importance on API security, as APIs have become crucial assets in multi-cloud environments.
  • 95% of respondents experienced API security problems in the last 12 months and 79% delayed application rollouts due to API security concerns.
  • However, 84% admitted to not having advanced API security in place, mainly due to insufficient budget and lack of expertise.
  • The study suggests that AI-powered cybersecurity systems could help secure APIs on a limited budget, but only 14% currently prioritize using AI for API security.
  • However, 58% anticipate that generative AI will significantly impact API security over the next 2-3 years.

As Fastly commented, too many organizations are doing too little to counter the threats posed to their APIs.

Article: Utilities and energy companies a prime target for API threats

Our third article is another thought-provoking read, this time on the impact of API security incidents on the utilities and energy industries. As companies in this sector strive to digitize and modernize their services using APIs, they face challenges such as aging technology stacks, lack of interoperability, and poor security hygiene, which create vulnerabilities and make them prime targets for cyber attacks.

Recent research surveyed over 100 CIOs, CISOs, and CTOs from the energy and utilities sector. The findings revealed that 78% of businesses were affected by API security incidents, and there are no signs of the issue abating. The impact of API security incidents can be substantial for energy and utility companies, including loss of employee goodwill and productivity and potential penalties and fines due to the sector’s highly regulated nature. Over half (57%) of global respondents in the energy and utilities sector have suffered a loss of employee goodwill, while 53% have cited a loss of productivity due to an API security incident.

Energy and utility companies should be increasingly concerned about the prevalence of API-related incidents, given their legacy infrastructure and systems and adversaries’ increased focus on attacking critical infrastructure.

Guide: Generating SDKs for your APIs

One of the biggest challenges for a design-first approach to API development is how to transition from well-designed and validated API contracts to well-formed and valid code in the form of SDKs or API server stubs that honour the API contract. In the real world (and in my experience), this translation is most often performed by hand, but this has obvious disadvantages, including:

  • Time-consuming: Even for a relatively simple API, getting a working implementation will require a lot of code to be generated, which will be time-consuming. 
  • Wasteful of developer resources: While code generation is time-consuming, it is also wasteful of valuable developer resources that would be better employed to write business functionality.
  • Error-prone: Any manual code translation process is going to be prone to errors being introduced.
  • Non-repeatable: Different developers will implement the same API definition differently, and this can lead to a very fragmented code base. It would be preferable to use a standard implementation pattern that can be easily understood by the entire team.

Most API developers are probably familiar with Swagger Codegen to perform automated client and server stubs for API contracts. Still, it may come as a surprise that Kristopher Sandoval was able to find at least another nine such tools covered in his excellent piece for Nordic APIs. Although I recently researched this space for my book, I was surprised at how many seemingly capable and powerful tools are available in this space — it bodes well for the future of design-first APIs. 

For my money, I’m a fan of OpenAPI Generator, with its open-source model and strong foundations via its roots in Swagger Codegen. I’ve used it with great success for .Net and Python code, and while it’s not always perfect, it can easily be customized to achieve the desired result.

Thanks to Kristopher for the great contribution.

Guide: crAPIs walkthrough using AI

We have previously shared Edward Lichtner’s views on using AI for API security testing, and this week, we again feature Edward discussing how to use AI to assist in a walkthrough of the crAPI vulnerable application.

I’ve seen quite a few write-ups about crAPI and the ever-popular vAPI vulnerable APIs, but I’m always struck by the diligence that Edward shows in capturing every nuance of detail, and this write-up is a great case in point. If you’re relatively new to API security, this would be my go-to recommendation to start your learning journey. If you’re unfamiliar with Postman or Burp Suite, he makes no prior assumptions about the reader’s ability and shows exactly how to use these as he takes you through all fifteen of the exercises.

Thanks for sharing this fantastic resource, Edward!

Event: “Building a rugged API security program”

I have the great pleasure of speaking at the upcoming APISec Conference on 22nd May 2024, where I will discuss “Building a Rugged API Security Program.” While the API security community is increasingly appreciative of and expert in securing their APIs using authorization and authentication or secure coding, they still face challenges in achieving real change at a program level. 

As a veteran of several large-scale AppSec programs at Fortune 500s and currently engaging with some of the world’s largest organizations, I am well-placed to bring my expertise and experience to the topic of securing APIs at scale. In this 20-minute session, I’ll discuss API security ownership (it’s more complex than you think), common anti-patterns, how to define a strategy, and how to take the first steps toward success. Join me on the 22nd of May.

EVENT: API Security Workshop  “DEFENDING APIs” – New York, May 1, 2024

42Crunch and their partner, EPAM Systems, will run a complimentary API security workshop on May 1 at the EPAM offices on 7th Avenue, New York City.

This 2-hour long workshop “Defending APIs” provides a mix of educational sessions on the latest API threats and vulnerabilities with practical hands-on tutorials and drills using the 42Crunch API Security platform testing and runtime protection tooling.

Topics covered include:

  • Introduction to API Security
  • API Security Testing
  • Securing APIs on GitHub
  • API Runtime Protection

Find out more and register

Get API Security news directly in your Inbox.

By clicking Subscribe you agree to our Data Policy