APIs (application programming interfaces) play a crucial role across various industries, spanning social media, finance, healthcare, and telecommunications. They enable effective data exchange between different systems and services.
However, the growing reliance on APIs also attracts attackers who seek to exploit weaknesses in their design and implementation.
Several recent high-profile breaches involved APIs:
- In Dell’s Partner Portal API, vulnerabilities related to inadequate authentication and lack of rate limiting were exploited, resulting in the theft of personal information for 49 million customers.
- A misconfigured Trello API exposed the personal data of over 15 million users.
- Kia’s Web Portal API contained vulnerabilities that allowed attackers to remotely track, unlock and start customers’ vehicles, highlighting serious security issues in the automotive industry.
- In the telecommunications sector, the Optus data breach stemmed from a forgotten, poorly secured API that had remained active for years.
In light of these incidents, the NCSC has issued new guidelines for securing HTTP-based APIs. They are aimed at helping technical teams build secure applications that expose HTTP APIs.
Outdated mechanisms such as HTTP basic authentication, which sends a base64-encoded (not encrypted) username and password with every request, are no longer adequate. The guidance also addresses several bad practices, including:
- Lack of rate limiting or user throttling
- Endpoints that are vulnerable to denial of service or brute-force attacks
- Storing sensitive credentials directly in the code
- Transmitting sensitive information via URLs
- Poor input validation mechanisms
- Neglecting to encrypt API traffic with HTTPS
- Exposing APIs unnecessarily to the internet
- Inadequate logging and monitoring practices
Traditionally, API keys have been a common method for authenticating and authorizing API requests, functioning as shared credentials between clients and servers. However, they pose significant security risks:
- API keys can be stolen through various means such as phishing or exposure in leaked source code.
- Without a built-in expiration feature, compromised keys can be exploited indefinitely until they are manually revoked or rotated.
- API keys often lack granular permissions: a single key typically grants full access rather than scoped rights, which is especially dangerous when combined with the absence of rate limiting.
For these reasons, relying exclusively on API keys is no longer deemed best practice. The guidance now emphasizes more robust authentication frameworks, such as OAuth 2.0 or token-based authentication.
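To make the contrast concrete, here is an added example (not from the NCSC guidance or any real library) of a request gate that addresses the three API-key weaknesses listed above: tokens carry an expiry and a list of scopes, are verified by HMAC (a hypothetical JWT-like format built from standard-library calls only), must arrive in the Authorization header rather than the URL, and are subject to a per-client rate limit. The secret and client identifiers are constructed demo values.

```python
import base64, hashlib, hmac, json

# Constructed demo secret: in practice this comes from a secrets manager, not from source code.
SERVER_SECRET = b"demo-only-secret"

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _sign(body):
    return _b64(hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).digest())

def issue_token(client_id, scopes, ttl_s, now):
    """Mint a short-lived, scoped bearer token (HMAC-signed JSON claims; hypothetical JWT-like format)."""
    claims = {"sub": client_id, "scope": scopes, "exp": int(now) + ttl_s}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    return f"{body}.{_sign(body)}"

def verify_token(token, required_scope, now):
    """Reject tampered, expired or under-privileged tokens. Returns (ok, reason_or_subject)."""
    body, _, sig = token.partition(".")
    if not sig or not hmac.compare_digest(sig.encode(), _sign(body).encode()):
        return False, "bad signature"
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if now >= claims["exp"]:
        return False, "expired"            # unlike a static API key, a leaked token has a time bound
    if required_scope not in claims["scope"]:
        return False, "insufficient scope" # least privilege: a read-only token cannot write
    return True, claims["sub"]

class RateLimiter:
    """Fixed-window limiter: at most `limit` requests per client per `window_s` seconds."""
    def __init__(self, limit, window_s):
        self.limit, self.window_s, self._counts = limit, window_s, {}

    def allow(self, client_id, now):
        key = (client_id, int(now // self.window_s))
        self._counts[key] = self._counts.get(key, 0) + 1
        return self._counts[key] <= self.limit

def authorize(headers, required_scope, limiter, now):
    """Gate one request: bearer token from the Authorization header (never the URL), then throttle."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, "missing bearer token"
    ok, detail = verify_token(auth[len("Bearer "):], required_scope, now)
    if not ok:
        return (403 if detail == "insufficient scope" else 401), detail
    if not limiter.allow(detail, now):
        return 429, "rate limited"
    return 200, detail
```

Each rejection returns a distinct status and reason so that 401, 403 and 429 responses can be logged and monitored separately, which the guidance lists as a basic requirement.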
The ramifications of a compromised API can be severe, resulting in disruptions to operations, damage to your organization’s reputation, and potential fines from regulatory bodies. Strengthening API security should be viewed not only as a defensive strategy but also as a way to enhance agility, simplicity, and overall productivity.
We encourage you to utilize the new guidance to secure your APIs, fostering trust with your customers and partners while reducing the risk of financial and reputational harm.
James H
Telecoms Security Consultant
Based on an article from ncsc.gov.uk: https://www.ncsc.gov.uk/blog-post/new-guidance-on-securing-http-based-apis