APIs are invaluable tools for integrating applications. They can also be dangerously vulnerable back-door entrances to software containing sensitive information.
“It’s easy to leak data through APIs,” explains Sandy Carielli, principal analyst with Forrester Research. “Poor authentication, poor authorizations—you don’t always see the ways data is going in and coming out.”
For MSPs, keeping customers’ often-changing and highly integrated business systems safe is a challenge requiring vigilance. Identifying risk means knowing all the entry points out there, says Brian Weiss, CEO of San Luis Obispo, Calif.-based ITECH Solutions. “It’s knowing what your landscape looks like and how it’s being accessed,” he says. “Your API integrations need to be on that list.”
Weiss warns his SMB clients against operating with outdated APIs. “I still have clients with API connections out there that don’t support API keys,” he says.
Carielli, for her part, urges MSPs to take a holistic approach. “You need to be looking at APIs the same way you looked at applications 10 years ago,” she says. “There isn’t a single point in the lifecycle that will solve API security.”
Of course, a truly holistic approach starts with the vendor, including API gateways for authentication and authorization as well as pre-release API testing during development.
There are industry-standard API best practices today, Weiss says, “and I do see vendors holding themselves accountable.” When it comes to legacy APIs, however, “we’ve got a lot of catching up to do,” he adds.
On the deployment side, Carielli recommends API-specific security tools to discover and manage data transfers, as well as web application firewalls that analyze traffic. “The thing about APIs is that there is a way to create a positive security model,” she says, pointing to API developer tools like Swagger for the OpenAPI Specification (OAS). “Swagger files, or spec files, can document and create a definition of the API that sets the parameter of each call and how that’s defined.” These specification files, Carielli explains, describe the data types that a given API can request, how it will return responses, and how the requests are authenticated. A well-documented spec file, therefore, can rein in unnecessary data access.
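The positive security model Carielli describes, as an added illustration rather than code from the article or from Swagger/OpenAPI tooling: a constructed, OpenAPI-style spec for a hypothetical /customers endpoint, with a checker that denies any call, parameter, field or unauthenticated request the spec does not declare, and a response filter that strips fields the spec never promised.

```python
# Constructed, minimal spec fragment (hypothetical endpoint, not a real API).
SPEC = {
    "security": ["ApiKeyAuth"],  # every call must present this credential
    "securitySchemes": {"ApiKeyAuth": {"in": "header", "name": "X-API-Key"}},
    "paths": {
        "/customers": {
            "get": {
                "parameters": {"limit": int, "status": str},  # declared query params
                "responseFields": ["id", "name", "status"],  # fields a reply may carry
            },
            "post": {
                "body": {"name": str, "status": str},  # declared body fields
                "responseFields": ["id"],
            },
        }
    },
}

def _field_errors(declared: dict, given: dict, where: str) -> list[str]:
    """Reject undeclared fields and wrong types instead of passing them through."""
    errs = []
    for key, value in given.items():
        if key not in declared:
            errs.append(f"{where}: undeclared field '{key}'")
        elif isinstance(value, bool) or not isinstance(value, declared[key]):
            errs.append(f"{where}: '{key}' must be {declared[key].__name__}")
    return errs

def check_request(method, path, headers, query, body) -> list[str]:
    """Return the spec violations for a request; an empty list means it conforms."""
    op = SPEC["paths"].get(path, {}).get(method.lower())
    if op is None:  # operation not in the spec: deny by default
        return [f"{method} {path} is not defined in the spec"]
    errs = []
    for scheme in SPEC["security"]:
        header = SPEC["securitySchemes"][scheme]["name"]
        if not headers.get(header):
            errs.append(f"missing credential header {header} ({scheme})")
    return errs + _field_errors(op.get("parameters", {}), query, "query") \
                + _field_errors(op.get("body", {}), body, "body")

def filter_response(method, path, record: dict) -> dict:
    """Drop any field the spec does not list for this operation (limits data exposure)."""
    allowed = SPEC["paths"][path][method.lower()]["responseFields"]
    return {k: v for k, v in record.items() if k in allowed}
```

Real gateways and WAFs apply the same idea from a full OpenAPI document; the point is that anything absent from the spec is denied rather than forwarded.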
There are more API security tools appearing all the time, Carielli adds, some of which will even create specification files for you if you don’t have them.
Even so, Carielli doesn’t see API security issues subsiding overnight. “We’re going to continue to see a steady stream of flaws and issues, but also more protection over time.”