Your dev team is probably working on an application right now that relies on at least one API. The interconnected nature of applications and APIs is only becoming more prominent in the new landscape of web app development.

This fundamentally changes how we approach cybersecurity. It’s no longer about external defense for an application. The threat landscape has changed, and we now need to address a dynamic and rapidly evolving landscape of applications interconnected with APIs.

Let’s take a close look at web application security and how it should go hand in hand with API security.

The Old Approach to AppSec

The old-school approach to AppSec involved protecting applications from threats that came from the outside. These applications might have served dynamic content, but they were much more static and monolithic than they are today.

One way to think about this is the difference between securing a fortress versus securing a modern metropolitan city.

Old web apps mainly handled JavaScript, HTML, and CSS content for end-users. This meant that we had a narrow range of security risks and, although the threats were real and often dangerous, they weren’t nearly as fast-moving and rapidly changing as today. Older web apps could be secured with static defenses that targeted a limited range of threats.

Modern web apps are more like today’s big cities. They have constant streams of information entering and exiting through complex networks of distribution. They require much more adaptive and responsive approaches to security that don’t interfere with the rapid transit of information.

Why AppSec and API Security Go Hand in Hand

There are a few important reasons why app security and API security now go hand-in-hand. The landscape of web applications and application development has become fundamentally interconnected with the API.

A single-page web application might utilize an API to consume its content. Also, the rising popularity of hybrid applications, progressive web applications, and applications that require steady API connections to fully function means that your AppSec requires some amount of API security.

Plenty of web apps also rely on dynamic content that interconnects them with other apps, databases, and other software. These points of connection are often facilitated by an API. This means that major points of data entry and egress are maintained and managed by an API.

The threat to an API can quickly become a threat to the app itself. Whether the API is merely a vehicle for the hacker to get at the application or your application is collateral damage in a larger attack, AppSec and API security are fundamentally interwoven.

Approaches to App Security

The OWASP Top 10 represents the current biggest threats to your web app. One of the most interesting aspects of this list of cybersecurity threats is that there is plenty of overlap with API security threats.

Web apps face several serious security risks, and a few of them overlap with API security risks. They are so closely tied together that it is difficult to separate some of their security risks.

These are just a few of the biggest cybersecurity threats that applications face today.

  • Broken Access Control—This is currently the most common security risk for apps. Broken access control occurs when app permissions allow users to act outside their intended roles
  • Injection Attacks—An injection attack involves a hacker inserting malicious code into an application. These attacks exploit areas of an application that accept user-supplied data, like username and password prompts, to insert lines of code
  • Security Misconfiguration—Security Misconfiguration includes everything from failing to harden security across your application to simpler problems like a failure to update software

Securing Your API

The cornerstone of today’s applications is the API. The Application Programming Interface allows two separate pieces of software to communicate with each other. This creates a vital juncture that bridges mutually dependent applications.

This also creates the potential for a considerable security risk. From the perspective of a potential hacker, an API is a threat vector and an attack surface rolled into one.

Just like with applications, you’ll notice that a lot of the threats faced by an API are shared with applications. Many are the same threat and several are different variations on a theme.

  • Broken Authentication—APIs also face similar issues when it comes to access control. Developers need to ensure that users are only authorized to interact at appropriate levels and that strong user authentication measures are taken to prevent common attacks like credential stuffing
  • Security Misconfiguration—The same security misconfigurations that our applications face are also issues for our APIs. APIs need to ensure that appropriate security hardening has taken place, that sensitive data is not exposed to the public, and that unnecessary features—such as unused ports—are disabled by default
  • Injection—Just like with applications, APIs need to ensure that they use proper data validation and sanitization in order to prevent injection attacks
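As an added example (not code from the original article), the sketch below puts the access-control and injection points from the list above into one API data-access function, with the weak form beside the corrected one. The table, function names, roles and sample rows are hypothetical and constructed for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data: three orders owned by two users.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, owner TEXT, item TEXT)")
    db.executemany("INSERT INTO orders (owner, item) VALUES (?, ?)",
                   [("alice", "laptop"), ("bob", "phone"), ("bob", "headset")])
    return db

def list_orders_weak(db, owner):
    # Weak: the request parameter is concatenated into the SQL text, so quote
    # characters in it change the query's structure. No caller check either.
    sql = "SELECT id, owner, item FROM orders WHERE owner = '" + owner + "'"
    return db.execute(sql).fetchall()

def find_orders(db, owner):
    # Corrected query: the value is bound as data and never parsed as SQL.
    sql = "SELECT id, owner, item FROM orders WHERE owner = ?"
    return db.execute(sql, (owner,)).fetchall()

def list_orders(db, caller, role, owner):
    # Access control: callers read only their own orders unless they are admin.
    if role != "admin" and caller != owner:
        raise PermissionError("caller may not read another user's orders")
    # Validation: accept only a short alphanumeric username.
    if not owner.isalnum() or len(owner) > 32:
        raise ValueError("invalid owner parameter")
    return find_orders(db, owner)

if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"  # constructed input containing SQL quote characters
    print("weak:", list_orders_weak(db, crafted))   # every user's rows
    print("bound:", find_orders(db, crafted))       # no rows
    print("own:", list_orders(db, "alice", "user", "alice"))
    try:
        list_orders(db, "alice", "user", "bob")
    except PermissionError as exc:
        print("denied:", exc)
```

The authorization check runs before the query so that a rejected request never reaches the database, and the bound parameter keeps the query safe even if the validation rule is later relaxed.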

Responsive Security Is the Best Security

So, what does all this mean on a practical, material level for application development teams?

This means that you need application and API security that can understand and evaluate this dynamic environment. You need security tools that can tell what’s an API, what’s an application, and how APIs and applications connect with each other and the outside world.

Modern, cloud-native security tools can identify the complex and fast-moving threats faced by both web applications and APIs. This gives you a security option that is much more resilient to attack than traditional, static approaches to AppSec.

The landscape of web application security threats has changed, and that means our responses to AppSec and API security need to change as well.