Virtualization Technology News and Information
5 Things to Know About API Security and Compliance


By Ross Moore

Those who have worked with security policies have experienced one or both of the following frustrations: creating policies from scratch takes a lot of work, and reworking outdated policies takes a lot of work. One might think either one is easier, but it's not. The former takes intense wordsmithing to design proper documentation, and the latter requires scrutiny to ensure the concepts are updated and match actual practice.

Working with APIs is much the same: whether building new APIs or updating existing ones, it takes a great deal of effort.

Whatever the case, here are 5 recommendations to keep API secure and compliant.

Inventory your APIs

Zombie, Rogue, Shadow. Not only are these the creatures of our nightmares, they're also types of APIs - specifically the kinds we don't know about or have gotten out of date. You want to know about all your APIs! You need this info across both public-facing and internal APIs.

The adage, 'You can't protect what you can't see" applies. API sprawl happens quickly, making it necessary to catalog APIs, update those with security gaps, and decommission outdated ones.

Flashback to the 2014 Marriott Hotel data breach. Marriott had, at the time, recently acquired Starwood. Starwood had insecure technology and was already breached at the time of acquisition. We don't know exactly what caused it. Perhaps a faulty API? Phishing? Both? The fact remains that Marriott was held responsible for not vetting Starwood's security posture and being aware of the risks before acquisition. Knowing one's inventory is always the responsibility of the company acquiring and providing the service.

Inspect the attack surface

Once an inventory system is in place, an API security checklist is a good resource to continue with examining how to protect APIs. Clearing up an inventory is also necessary so that no resources are wasted in securing assets that should be removed.

BrewDog released an app version in early 2020 that contained hard-coded bearer tokens. This vulnerability remained for perhaps up to 18 months before it was discovered by security researchers.

This finding by the security consultants is an example of the first two vulnerabilities on the OWASP API Top 10 list - Broken Object Level Authorization and Broken User Authentication. A hard-coded token invalidates or bypasses authentication, and a lack of adequate randomness in the customer IDs gives too much leeway for attackers to figure out customer information.

BrewDog is both a good and a bad example. The API was known (good), but it was untested for a long time (bad). It was eventually discovered, and no evidence of malfeasance was present (good) but was unknown for long enough that one never knows if someone else found it first (bad).

A typical expectation in security and compliance is to have a penetration test performed after a major change (e.g., platform or infrastructure change). With the low barrier to entry in API development, creating and deploying APIs is easy. Knowing what to test and when is another, and more important, matter.

Identify the regulations

As regulations across the world increase in both number and scope, the need to secure APIs increases. While APIs are not yet always called out in a regulation, what is called out is the need to secure the channels over which PII is transferred. If a company's API in any way transfers PII (and that could be as simple as a person's first and last name, depending on the regulation, internal policies, or contract), then that transmission channel needs to be secured. An example of ensuring API compliance for Twilio APIs is following Twilio Bundles REST API documentation for evaluating regulatory guidelines.

In 2019, Facebook received a fine of $5 billion because Cambridge Analytica abused a Facebook API to collect millions of users' sensitive data. While CA abused the API, Facebook was fined because it demonstrated negligence by failing to monitor the application used. Companies need to approach APIs with an end-to-end perspective, including the legal factor called calculus of negligence, or the Hand rule.

Work with other stakeholders and business units, such as Compliance and Design (who may be considered irrelevant to API architecture), to set proper Targets, Tasks, and Metrics that will align with more than just customer and market desires. The sum of the costs of creating the app and the income generated can be dwarfed by the costs of a breach or regulatory fine.

Innovate the product

Balance risk aversion with innovation. Providing services is not an either/or game - either provide award-winning service or secure it. It's a both/and contest, and that contest involves ensuring that customers both have a positive experience and can rest assured that the company is protecting their identities and data. Innovation can go beyond just what customers see. Seek to impress the security and compliance departments of your customers!

Companies should consider if their approach to pushing the newest features to market in rapid fashion is worth more or less than taking what I call a craftsmanship approach to producing a release candidate that combines fewer features with fewer risks and break-fixes.

Take that step of customer-centricity. Customer-centric thinking focuses on the customer experience with using your service. While this is often viewed as just the UX and design, more customers want privacy and security included. This outside-in strategy of including privacy and security in the usefulness and beauty of a service creates extra complexity for a company, but it's necessary.

Improve the process

What's the next step in making your API implementations and architecture better? You've got options.  Consider deploying API fuzzing tools. Look at inserting SAST/DAST/IAST into your CI/CD pipeline. Perhaps your team needs to learn all of the risk factors in the OWASP API Top 10 list. Every company is different, so there's no one-size-fits-all. But creating a plan to improve API security is the next step. What improvement will you make?




Ross Moore is the Cyber Security Support Analyst with Passageways. He was Co-lead on SOC 2 Type 1 implementation and Lead on SOC 2 Type 2 implementation, facilitated the company's BCP/DR TTX, and is a HIPAA Security Officer. Over the course of his 20 year IT career, Ross has served in a variety of operations and infosec roles for companies in the manufacturing, healthcare, real estate, business insurance, and technology sectors. He holds (ISC)2's SSCP and CompTIA's Security + certifications, a B.S. in Cyber Security and Information Assurance from WGU, and a B.A. in Bible/Counseling from Johnson University.

Published Thursday, March 10, 2022 7:33 AM by David Marshall
Filed under: ,
There are no comments for this post.
To post a comment, you must be a registered user. Registration is free and easy! Sign up now!
<March 2022>