Issue 238: APIs used to target business, cloud-native for APIs, and APIs becoming attractive targets


This week, we have views from Forbes on how APIs are being used to target businesses and articles on the role of cloud-native for APIs and how APIs are becoming attractive targets. We also have a doubleheader from Dana Epp covering his predictions for 2024 and structured format injection attacks. We also have news of upcoming events from 42Crunch.

Article: Attackers are using APIs to target your business

This week’s first article is Forbes coverage on how attackers are using APIs to target businesses. The article cites the findings of the US Securities and Exchange Commission (SEC) into a major breach at a US telecommunications company in which the PII of over 37 million user accounts was leaked. The root cause was found to be an attacker using an API to exfiltrate the data from the company’s systems. The article also reminds us of the accuracy of the 2023 Gartner prediction that APIs would become the top attack vector for cybercriminals. Despite improvements in endpoint and identity security solutions, criminals increasingly find that APIs offer an initial foothold.

The Forbes analysis echoes my predictions for API security in 2024. Firstly, key theft (or key leakage) will become the top attack vector attackers use. Secondly, organizations will face challenges in determining the extent of data breaches when they occur. Customers will increasingly turn to third-party monitoring services to identify when their data has been leaked.

The article concludes with the recommendation that organizations pay careful attention to the security of their API keys, monitor the dark web for leakage, and then revoke and reissue compromised keys before they can be used in attacks.

Article: The role of cloud-native for APIs

Next, we have some top market research from Bill Doerrfeld over at NordicAPIs on the role of cloud-native in APIs. The article focuses on how the continued adoption of both API-first strategies and cloud-native architectures is changing the face of API management solutions. Bill’s research comes from interviews with various industry leaders at KubeCon 2023.

Most experts agree that we are moving from a model of standalone API gateways or management portals (such as the very popular NGINX) toward an architecture where API management is incorporated directly into the Kubernetes fabric and is controlled and configured as part of the deployment. Kong is cited as an example of a product that evolved from a standalone gateway into a solution that can be deployed directly in Kubernetes as an ingress controller.

Idit Levine (founder and CEO of Solo.io) suggests that the main drivers towards this tighter integration are the need for greater ease of use and responsiveness to changing needs and requirements. Building gateways on technologies such as Envoy Proxy makes them much easier to combine with containerized deployments. Dave Sudia (director of Developer Relations at Ambassador Labs) suggests that the main drivers are enablement and speed, pointing to the rise of GitOps as a modern way of operating where infrastructure is deployed via code.

Service mesh continues to promise a lot in terms of tightly coupled API security, but the experts suggest this will mainly dominate for east-west traffic (internal between services) rather than north-south, where the API management portals and gateways will still play a crucial role. 

The topic of how API management, cloud-native, and Backstage intersect raised some interesting points. Most importantly, how are APIs to be managed? As API adoption and rollout grow, organizations will need catalogs or so-called API portals. Opinion is divided, but the general view is that GUI-based management portals will remain necessary and are unlikely ever to be fully replaced by a GitOps approach. Levine suggested that platforms such as Backstage can be integrated with cloud-native tools such as Solo.io to provide this capability.

Finally, Bill covers the GA release of the Kubernetes Gateway API, which provides an interface for networking in Kubernetes and controls HTTP routing into clusters. While many cloud-native providers have already written integrations into Kubernetes, this new API provides a standardized way of controlling ingress traffic and routing.

Thanks to Bill for this great research into a rapidly changing space.

Article: APIs are becoming attractive targets

Help Net Security covers how APIs are becoming attractive targets for attackers in the next article this week. Quoting Matthew Prince (CEO of Cloudflare), APIs offer a “rich, and relatively new, target for hackers.” The article quotes some familiar statistics, such as the dominance of API traffic globally (57% of dynamic traffic according to Cloudflare), with Africa and Asia having the highest share of API traffic in 2023. Correspondingly, there has been a marked increase in attack volume, with HTTP anomaly, injection attacks, and file inclusion being the top three attack types seen by Cloudflare.

Cloudflare’s machine-learning-based discovery found more REST API endpoints than customers had declared in their own identifiers (such as catalogs or inventories), a reminder that shadow APIs are common. The article also notes that 33% of the mitigations applied to API threats came from DDoS protections that were already in place.

In conclusion, the article emphasizes the importance of greater visibility of APIs and careful attention to using secure authentication and authorization techniques.

Article: Exploiting an API with structured format injection

That man Dana Epp is back; this time, he’s discussing how to attack APIs using structured format injection. For decades, web developers have been taught not to trust user input, and whilst that message has begun to resonate, APIs present a new vector for abusing input data. Because APIs accept structured data (JSON, YAML, XML and the like), wily attackers can taint not only the values but the structure itself, producing unexpected outcomes in the API backend.

Dana’s article describes various approaches to tainting input data in JSON and YAML payloads, including how to manipulate parameters to trigger a Broken Object Property Level Authorization vulnerability (the OWASP API3:2023 category that absorbed the former Mass Assignment entry). As Dana concludes: “try to taint all the things”.
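To make the two failure modes concrete, here is an added example (not code from Dana’s article or from 42Crunch) showing a JSON profile-update handler that is vulnerable to mass assignment beside an allow-listed version, plus a backend that builds JSON by string formatting and can be made to emit a second `role` key. The user store, the `PROFILE_ALLOWLIST`, the handler names and the attacker payloads are all constructed for illustration.

```python
"""Structured format injection against a JSON API, in two flavours.

Added example, not code from the article. The user store, the handlers and
the attacker payloads are constructed for illustration only.
"""
import json

# Constructed "database": the attacker authenticates as user 42, a plain user.
USERS = {42: {"id": 42, "name": "alice", "email": "a@example.test", "role": "user"}}

# Properties a user may change about themselves (assumed policy).
PROFILE_ALLOWLIST = {"name", "email"}


def update_profile_vulnerable(user_id: int, body: str) -> dict:
    """Mass assignment (OWASP API3:2023 BOPLA): every key in the JSON body is
    copied onto the stored object, including ones the client must never set."""
    user = dict(USERS[user_id])
    user.update(json.loads(body))
    return user


def update_profile_hardened(user_id: int, body: str) -> dict:
    """Allow-list: only known, writable properties are copied. Unknown keys are
    rejected rather than silently dropped so the tampering shows up in logs."""
    payload = json.loads(body)
    if not isinstance(payload, dict):
        raise ValueError("JSON object expected")
    unexpected = set(payload) - PROFILE_ALLOWLIST
    if unexpected:
        raise ValueError(f"unexpected properties: {sorted(unexpected)}")
    user = dict(USERS[user_id])
    for key in PROFILE_ALLOWLIST & set(payload):
        if not isinstance(payload[key], str):
            raise ValueError(f"{key} must be a string")
        user[key] = payload[key]
    return user


def build_record_vulnerable(name: str) -> dict:
    """Backend that assembles JSON by string formatting. A name containing
    '", "role": "admin' closes the string and appends a second "role" key;
    Python's json module (like most parsers) keeps the LAST duplicate key,
    so the attacker-supplied value replaces the server's default."""
    doc = '{"role": "user", "name": "%s"}' % name
    return json.loads(doc)


def build_record_hardened(name: str) -> dict:
    """Serialise with the library instead: quotes are escaped, so the whole
    tainted value stays inside the single "name" string."""
    return json.loads(json.dumps({"role": "user", "name": name}))


if __name__ == "__main__":
    tainted = json.dumps({"name": "alice2", "role": "admin"})
    print("vulnerable role:", update_profile_vulnerable(42, tainted)["role"])
    try:
        update_profile_hardened(42, tainted)
    except ValueError as exc:
        print("hardened rejected:", exc)

    # Closes the name string, injects role, then reopens a dummy key so the
    # template's trailing '"}' still yields valid JSON.
    injected = 'alice", "role": "admin", "x": "'
    print("templated JSON:", build_record_vulnerable(injected))
    print("serialised role:", build_record_hardened(injected)["role"])
```

The duplicate-key case is worth testing explicitly during an assessment: which key wins is parser-specific, and a gateway that validates the first occurrence while the backend honours the last one is exactly the kind of mismatch that turns a harmless-looking payload into a privilege change.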

Article: Dana Epp’s predictions for 2024

Coming to the game slightly late (but still in January), let us look at Dana’s predictions for API security in 2024. 

In no particular order, here are Dana’s predictions:

  • Automated attacks against APIs will continue.
  • “Secrets Sprawl” will still be a thing – personally, this is likely to be the biggest issue in 2024.
  • AuthN and AuthZ issues will still exist – almost certainly.
  • Generative AI will be leveraged to attack APIs.
  • Security tools still won’t catch critical vulnerabilities.

Come for the predictions, and stay for the memes – thanks Dana for a fun read 🙂

On the topic of predictions, the API Futures project from Matthew Reinbold makes for some fantastic reading and is highly recommended to anyone working with APIs.

Event: 42Crunch at API Summit in Austin

The Austin API Summit 2024 is approaching fast! Don’t miss your chance to join us on March 12-13th in Austin, TX – to meet industry colleagues, get inspired, and gather knowledge about the technology, trends and best practices shaping today’s API economy.

The event includes a fantastic lineup of speakers who will discuss many different aspects and best practices of API design, security, documentation, management, and more.

Webinar: Top Things You Need to Know About API Security

Uncertain about the differences between BOLA, BFLA and BOPLA?  Want to know how to protect your APIs against these and other key threats? Then join our webinar as two of the industry’s leading experts, Philippe De Ryck and Isabelle Mauny, guide you through some real-world cases of API security attacks and also share some best practices for securing your APIs.

They dive into crucial issues highlighted in the OWASP API Security Top 10, such as enforcing authorization, protecting authentication endpoints, and preventing SSRF, a new entry in the 2023 version of the OWASP API Security Top 10. They also bring the threats to life with several demos, providing a practical look at how these vulnerabilities can be exploited, and how they can be prevented through a combination of design-time and run-time protection.

At the end of this session, you will have an actionable set of guidelines to assess and improve the security of your own APIs in the face of a number of identified threats.

