Building and securing APIs: the new Shadow IT

By Keith Casey, API Problem Solver, Okta


API adoption is fast accelerating across commercial and public sectors in Australia. Currently, the number of public APIs worldwide far exceeds 50,000 and this is expected to quadruple by 2020, according to an analysis by Forrester. Furthermore, there are at least as many privately managed internal APIs - many without documentation or security. 

With API development and adoption on the rise, it is vital we take the time to consider the impact of this technology on the security of organisations and information.

APIs represent a significant blind spot for the security architects of many organisations. An analysis by Gartner predicted that APIs will become the largest source of data breaches by 2022. APIs are essentially the new Shadow IT: many developers build and expose APIs without involving their IT and security teams. This means unknown risks and potential vulnerabilities are being created faster than security analysts can identify them, let alone resolve them.

To protect the integrity of corporate networks and develop an effective API security strategy, here are some recommendations for organisations and developers:

Put on your Black Hat

When designing the interface of an API, put yourself in the position of an attacker and look for the shortcuts and misuse that could lead to malicious activity. API designers generally understand the design principles; however, in this fast-moving environment, the pressure to churn out a greater volume of applications and features often outweighs security considerations. Developers should invest the same time and care in securely designing the interface of an API as they would for a web interface.

Being selective about the data collected by the API is also an effective way to mitigate security risks. With data now a highly valuable commodity, it is important for security architects to build interfaces with this in mind. If you don’t have the data, it can’t be stolen.

In a data breach scandal, LandMark White Ltd attributed the leak of a dataset that included property valuation details and contact information of employees across the company to an exposed API. It was revealed that approximately 137,500 unique valuation records from January 2011 to January 2019 were compromised. In a statement, the company said the breach occurred because of “an exposed programming interface” on one of the platforms it utilises.

Adopting the mindset of an attacker, and being more careful about elements like interface design and data collection, could help prevent breaches like this in the future.

Limit user access

Many API security vulnerabilities arise from neglecting to control levels of access. Developers need to think about API access in these terms: granting the right level of access to the right users, and checking that access on each individual record a caller asks for, not just at login. By restricting access in this way, organisations limit what an attacker who obtains privileged credentials can reach among sensitive data, applications and IT infrastructure.

Twitter recently revealed that a bug in one of its APIs could have exposed users’ private messages to third-party developers. This mistake may have affected as many as three million active Twitter users. Incidents like this can be avoided by thinking through use cases and vulnerabilities from the beginning.
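The two points above, collecting and returning only the data you need and granting access per user and per record, are easiest to see side by side in code. The following is an added example, not code from the article or from Okta: a message-lookup endpoint that authenticates the bearer token but nothing else, beside a hardened version that checks the token's scope, checks that the caller is actually a party to the requested message, and serialises only an explicit allowlist of fields. The tokens, users, messages and field names are constructed sample data, and the in-memory dictionaries stand in for a real request router and database.

```python
"""Added example (not from the original article): an API handler that
returns any message to any authenticated caller, beside a hardened version
that enforces token scope, object-level ownership and a response field
allowlist. All tokens, users and messages below are constructed sample data."""
from dataclasses import dataclass

# Constructed sample data: bearer tokens issued to apps acting for a user.
# "tok-app-profile" models a third-party app granted profile access only.
TOKENS = {
    "tok-alice-full": {"user_id": 1, "scopes": {"messages:read", "messages:write"}},
    "tok-bob-read": {"user_id": 2, "scopes": {"messages:read"}},
    "tok-app-profile": {"user_id": 1, "scopes": {"profile:read"}},
}

# Constructed message store; the last two fields are server-internal.
MESSAGES = {
    100: {"id": 100, "owner_id": 1, "recipient_id": 2, "body": "lunch?",
          "internal_flags": {"spam_score": 0.01}, "sender_ip": "203.0.113.7"},
    101: {"id": 101, "owner_id": 2, "recipient_id": 1, "body": "sure",
          "internal_flags": {"spam_score": 0.02}, "sender_ip": "198.51.100.9"},
    102: {"id": 102, "owner_id": 3, "recipient_id": 3, "body": "note to self",
          "internal_flags": {"spam_score": 0.00}, "sender_ip": "192.0.2.44"},
}

# Fields a client is allowed to see; everything else never leaves the server.
MESSAGE_PUBLIC_FIELDS = ("id", "owner_id", "recipient_id", "body")


@dataclass
class Response:
    status: int
    body: dict


def get_message_vulnerable(token: str, message_id: int) -> Response:
    """Broken: authenticates the token but never checks WHICH user or scope
    it carries, and returns the whole record including internal fields."""
    if token not in TOKENS:
        return Response(401, {"error": "unauthenticated"})
    msg = MESSAGES.get(message_id)
    if msg is None:
        return Response(404, {"error": "not found"})
    return Response(200, dict(msg))


def get_message_hardened(token: str, message_id: int) -> Response:
    """Hardened: scope check, object-level authorization, allowlisted output."""
    principal = TOKENS.get(token)
    if principal is None:
        return Response(401, {"error": "unauthenticated"})
    # 1. Scope: a token issued for profile access must not read messages.
    if "messages:read" not in principal["scopes"]:
        return Response(403, {"error": "insufficient_scope"})
    msg = MESSAGES.get(message_id)
    # 2. Object-level authorization: only a party to the message may read it.
    #    Answer 404 rather than 403 so callers cannot enumerate message ids.
    if msg is None or principal["user_id"] not in (msg["owner_id"], msg["recipient_id"]):
        return Response(404, {"error": "not found"})
    # 3. Minimise what is exposed: serialise an explicit allowlist of fields.
    return Response(200, {k: msg[k] for k in MESSAGE_PUBLIC_FIELDS})


if __name__ == "__main__":
    # A profile-only third-party app reading a direct message.
    print(get_message_vulnerable("tok-app-profile", 100).status)  # 200: leaks the DM
    print(get_message_hardened("tok-app-profile", 100).status)    # 403: wrong scope
    # Bob reading a message he is not party to.
    print(get_message_hardened("tok-bob-read", 102).status)       # 404: not his
```

The hardened handler answers "not found" for both a missing record and a record the caller does not own, so the status code itself does not tell an attacker which ids exist. The field allowlist is the response-side form of "if you don't have the data, it can't be stolen": internal flags and IP addresses are never serialised, so a future bug in the authorization check cannot leak them either.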

Promote developer security training from the start

There’s an old proverb where one executive says to another: “what happens if we train our people and they leave?” and the response, “what happens if we don’t and they stay?”

API security training for developers from the get-go should be a requirement. It is important for developers to understand that launching an API requires collaborative effort. Often developers will build a great API and move on to the next task. However, the continuous monitoring of each API to track and ensure its security is crucial.

In March 2019, research from North Carolina State University revealed that over 100,000 GitHub repositories contained 85,311 exposed unique Google API tokens – and this from a scan of just 13 percent of GitHub’s public repositories. Ensuring developers are informed, diligent, and proactive about API security from the start will help to ensure common security mistakes like this aren’t made.
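Leaked keys of the kind that study found are cheap to catch before they reach a public repository. The following is an added example, not code from the article or from the North Carolina State University research: a minimal pre-commit style scan that flags credential-shaped strings in staged file content and refuses the commit if any are present. The two patterns are the well-known shapes of Google API keys ("AIza" plus 35 URL-safe characters) and AWS access key IDs ("AKIA" plus 16 uppercase alphanumerics); treating those two shapes as sufficient is an assumption for this example, and real scanners carry many more. The sample config file and the key-shaped strings in it are constructed and match only the pattern shape.

```python
"""Added example (not from the original article or the cited research): a
minimal pre-commit style scan for credential patterns that should never be
committed. The pattern set is assumed sufficient for illustration only; the
sample file content and the key-shaped strings in it are constructed."""
import re
from typing import List, Tuple

# Pattern shapes used by common secret scanners (assumed sufficient here).
# The lookahead stops a match that is merely the prefix of a longer token.
SECRET_PATTERNS = {
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}(?![0-9A-Za-z_-])"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}

Finding = Tuple[int, str, str]  # (line number, pattern name, redacted match)


def redact(secret: str) -> str:
    """Keep just enough of the match to locate it; never log the full value."""
    return secret[:6] + "..." + secret[-2:]


def scan_text(text: str) -> List[Finding]:
    """Return every credential-shaped token found, one entry per match."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append((line_no, name, redact(match.group(0))))
    return findings


def commit_allowed(text: str) -> bool:
    """Gate a commit: block it if the staged content has any finding."""
    return not scan_text(text)


# Constructed sample of a settings file as it might be staged for commit.
# The key-shaped strings are fabricated and match only the pattern shape.
SAMPLE_CONFIG = """\
# settings for the geocoding client
GOOGLE_MAPS_KEY=AIzaSy0123456789abcdefghijklmnopqrstuvw
AWS_ACCESS_KEY_ID = "AKIAEXAMPLE012345678"
# placeholder that should NOT trigger: too short for the key shape
TEST_KEY=AIzaShort123
timeout=30
"""

if __name__ == "__main__":
    for line_no, name, shown in scan_text(SAMPLE_CONFIG):
        print(f"line {line_no}: {name} {shown}")
    print("commit allowed:", commit_allowed(SAMPLE_CONFIG))
```

Wired into a pre-commit hook, `commit_allowed` would be run over `git diff --cached` output; the redaction matters because hook output often ends up in CI logs, which would otherwise become a second place the key is exposed. The scan is a safety net, not a substitute for keeping secrets out of source in the first place (environment variables, a secrets manager, or short-lived tokens), and it will not catch keys that have already been pushed, which must be revoked rather than merely deleted from the history.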

With the rapid progression and advancement of technology, organisations must constantly adapt to changing standards. As API usage surges and developers race to create more and more of them, it is important for IT teams to bring API security out of the shadows.
