APIs, application programming interfaces, are everywhere. They are the intermediaries through which applications talk to one another, exchanging the data that enriches user and customer experiences, and in doing so they extend the value of a company's investment in mission-critical applications like Salesforce. According to a study by Imperva, the typical organization manages an average of 363 APIs, and more than two-thirds expose their application APIs to the public so that partners and developers can build on their platforms and apps. That reach makes API security a central part of overall data security.
At the same time, APIs add attack surface that many organizations have not accounted for. A weakness may sit in the endpoint itself (how it authenticates callers and authorizes what they may read or change) or in how data is handled in transit on each API call. The average web application or API has been reported to carry 26.7 serious vulnerabilities, and 50% of security practitioners consider secure API access a top challenge. To further complicate matters, Gartner has predicted that by 2022 API abuse will be the most frequent attack vector causing data breaches in enterprise web applications.
Headline breaches across industries show how prevalent API abuse already is:
- Panera Bread, where an unauthenticated API endpoint leaked the personal data of more than 37 million customers, and stayed open for eight months after the flaw was first reported.
- Venmo, which exposed the details of hundreds of millions of transactions through a poorly secured public API.
- Equifax, where roughly 143 million records were exposed through a vulnerability in the web framework behind its APIs (Apache Struts, CVE-2017-5638) that was left unpatched for months after a fix was available.
Fortunately, there are ways to identify API vulnerabilities, shut down the abuse they invite, and secure data before a breach occurs.
Is that API secure? 6 things to watch for with API security
So how can you use the power of APIs without opening the door to external attackers, insider threats, data breaches, and leaks? First, understand the common API vulnerabilities and how to judge whether any of your third-party APIs is exposed to them. Six of the most common API security vulnerabilities are:
- Injection: An injection flaw occurs when untrusted input sent to the API (a query parameter, header, or JSON field) is passed to a back-end interpreter such as a SQL database, an OS shell, or an LDAP directory without being validated or parameterized, so the attacker's data is executed as part of the query or command. Depending on the interpreter, this can let the attacker read, alter, or delete data belonging to your organization or a partner's.
Ask: Does the API validate and type-check its input and use parameterized queries or prepared statements rather than building queries from strings, and is there a web application firewall or API gateway in front of it as a second layer?
- Poorly authenticated API: An API that authenticates callers weakly, or not at all, leaves sensitive data open to anyone who can reach the endpoint. Attackers also target the login flows themselves: in an analysis of more than 413 million daily API login requests, Akamai found that 30% were fraudulent.
Ask: Does the API authenticate every call with an industry-standard scheme such as OAuth 2.0 tokens or OpenID Connect, and check what each caller is authorized to access, rather than relying on TLS (Transport Layer Security) alone? TLS encrypts the channel but, unless client certificates are used, says nothing about who is calling.
- Denial of Service (DoS) attacks: Attackers flood the API with calls, or with a handful of expensive ones, until the application slows or stops serving legitimate users.
Ask: Does the API enforce rate limits and quotas per client, cap request and payload size, block abusive IPs, and apply anti-scraping policies?
- Unsecured cardholder data or PHI: Sensitive data can leak through channels nobody intended as production paths: debugging endpoints left enabled, verbose error messages, or logs that record full requests and responses.
Ask: Does the API encrypt traffic in transit, tokenize or mask cardholder data and PHI in responses and logs, and disable debug output in production?
- Replay attacks: In a replay, or "transaction replay," the attacker captures a legitimate request, including the credential or signature it carries, and resubmits it so the server performs the same authorized action again (a transfer, a password reset) without the attacker ever learning the credential itself.
Ask: Does the API make each request single-use, with a timestamp and a nonce covered by the request signature and short-lived tokens, and does it throttle requests and monitor for repeated or anomalous traffic patterns?
- Sensitive data in the URI: Some APIs accept the access key or token as part of the Uniform Resource Identifier (URI), typically in the query string. URIs are recorded in browser history, proxy and web-server logs, and Referer headers, so keys, passwords, and other secrets placed there are exposed to anyone who can read those logs.
Ask: Does the API accept credentials only in the Authorization header or in the body of a POST request, never in the URI?
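The injection item above is easiest to see side by side. The following is an added example, not code from the original article or from any vendor it mentions: a hypothetical customer-lookup handler written twice against a constructed in-memory SQLite table, once by pasting the caller's input into the SQL string and once with a bound parameter. The table, the rows and the payload string are all constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for the API's backing store (sample data only)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (id INTEGER, email TEXT, card_last4 TEXT)")
    db.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [(1, "ann@example.com", "4242"), (2, "bob@example.com", "1881")],
    )
    return db


def lookup_customer_vulnerable(db, email):
    """Hypothetical handler for GET /customers?email=...  The caller's input is spliced into the SQL text."""
    sql = "SELECT id, email, card_last4 FROM customers WHERE email = '%s'" % email
    return db.execute(sql).fetchall()


def lookup_customer_safe(db, email):
    """Same handler with a parameterized query: the input is bound as data and never parsed as SQL."""
    sql = "SELECT id, email, card_last4 FROM customers WHERE email = ?"
    return db.execute(sql, (email,)).fetchall()


# Constructed injection string: closes the open quote and makes the WHERE clause always true.
PAYLOAD = "x' OR '1'='1"


def demo():
    """Row counts each handler returns for the payload and for a genuine e-mail address."""
    db = make_db()
    return {
        "vulnerable_with_payload": len(lookup_customer_vulnerable(db, PAYLOAD)),
        "safe_with_payload": len(lookup_customer_safe(db, PAYLOAD)),
        "safe_with_real_email": len(lookup_customer_safe(db, "ann@example.com")),
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable handler hands back every customer record (including card digits) for a single crafted query parameter; the parameterized version treats the same string as an e-mail address that matches nothing. Input validation on top of this is still worthwhile, but parameterization is the control that removes the bug class.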
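The replay, rate-limiting and key-in-URI items above can all be enforced in one place on the server. What follows is an added example, not code from the original article or from Salesforce or any vendor named on the page: a hypothetical client-side signer and a server-side guard that signs each request over the method, path, timestamp, nonce and body hash with a shared HMAC secret, rejects requests outside a clock-skew window or with a nonce already seen, applies a sliding-window rate limit per client, and refuses credentials passed in the query string. The client name, shared secret, header names and limits are all constructed for the example; a real deployment would load the secret from a secrets store and keep the nonce table in shared storage such as Redis rather than in process memory.

```python
import hashlib
import hmac
import secrets
import time
from collections import deque

# Constructed shared secret for one hypothetical integration user (example data only).
CLIENT_SECRETS = {"integration-user": b"example-shared-secret-not-for-production"}
MAX_SKEW = 300       # seconds: a signed request is accepted only this close to server time
RATE_LIMIT = 5       # accepted requests per client per window (deliberately low for the demo)
WINDOW = 60          # seconds
QUERY_SECRET_KEYS = {"api_key", "apikey", "token", "access_token", "password"}


def _canonical(method, path, timestamp, nonce, body):
    """The bytes that get signed: method, path, time, nonce and a hash of the body."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), nonce, body_hash]).encode()


def sign_request(client_id, method, path, body=b"", now=None, nonce=None):
    """Client side: build the headers that accompany one request."""
    timestamp = int(time.time() if now is None else now)
    nonce = nonce or secrets.token_hex(16)
    msg = _canonical(method, path, timestamp, nonce, body)
    sig = hmac.new(CLIENT_SECRETS[client_id], msg, hashlib.sha256).hexdigest()
    return {"X-Client-Id": client_id, "X-Timestamp": str(timestamp),
            "X-Nonce": nonce, "X-Signature": sig}


class ApiGuard:
    """Server side: rejects secrets in URIs, stale or replayed requests, bad signatures and bursts."""

    def __init__(self, now=time.time):
        self.now = now              # injectable clock so the behaviour is testable
        self.seen_nonces = {}       # nonce -> last second at which it could still be presented
        self.calls = {}             # client_id -> deque of accepted request times

    def check(self, method, path, query, headers, body=b""):
        t = self.now()

        # 1. Credentials in the query string end up in browser, proxy and server logs.
        leaked = QUERY_SECRET_KEYS & {k.lower() for k in query}
        if leaked:
            return False, "credential in query string: " + ",".join(sorted(leaked))

        # 2. Known caller?
        client_id = headers.get("X-Client-Id")
        secret = CLIENT_SECRETS.get(client_id)
        if secret is None:
            return False, "unknown client"

        # 3. The timestamp bounds how long a captured request stays usable at all.
        try:
            timestamp = int(headers.get("X-Timestamp", ""))
        except ValueError:
            return False, "bad timestamp"
        if abs(t - timestamp) > MAX_SKEW:
            return False, "stale request"

        # 4. The nonce makes each request single-use inside that window.
        self.seen_nonces = {n: exp for n, exp in self.seen_nonces.items() if exp >= t}
        nonce = headers.get("X-Nonce", "")
        if not nonce or nonce in self.seen_nonces:
            return False, "replayed nonce"

        # 5. The signature ties method, path, time, nonce and body to the shared secret.
        expected = hmac.new(secret, _canonical(method, path, timestamp, nonce, body),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
            return False, "bad signature"

        # 6. Sliding-window rate limit, applied after authentication so that a spoofed
        #    X-Client-Id cannot burn a legitimate caller's quota.
        recent = self.calls.setdefault(client_id, deque())
        while recent and recent[0] <= t - WINDOW:
            recent.popleft()
        if len(recent) >= RATE_LIMIT:
            return False, "rate limited"
        recent.append(t)

        # Remember the nonce only for requests that were actually accepted.
        self.seen_nonces[nonce] = timestamp + MAX_SKEW
        return True, "ok"
```

The order of the checks matters: cheap, stateless rejections (secret in the URI, unknown client, stale timestamp) come before the HMAC computation, and the rate limiter runs only after the signature has verified, so an unauthenticated flood cannot lock out the real integration by borrowing its client id. The nonce is recorded only for accepted requests; a request rejected for rate limiting can be legitimately retried, and the timestamp window still caps how long any captured copy remains valid.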
Top measures for securing API access
In addition to ensuring any partners have done their due diligence with their APIs, there are a number of ways your organization can help prevent API security issues from laying bare your most sensitive data.
Create a dedicated integration user
First and foremost, remember that in Salesforce and other mission-critical cloud applications, an API integration is a user just as much as an employee or a third-party contractor is. When enabling an application's API access to Salesforce, create a dedicated Salesforce user that is used only for that one integration. Give that user the "API Only User" permission so that it can log in only through the API and never through the web UI. And do not grant "Modify All Data" or "View All Data": either would let the integration read every record in the org, and the former would let it edit any editable field. Grant object and field access explicitly instead.
Set controls for the access and activity of an API user
According to Salesforce, organizations might also consider restricting the following for a more secure integration:
- User access: To minimize the data exposed if the integration's credentials are compromised, grant the integration user access only to the objects and fields the integration actually needs.
- IP address: Restrict the integration user's logins to the partner's IP address or range, so that stolen credentials cannot be used from anywhere else. In Salesforce this is done with login IP ranges on the integration user's profile; the partner can do the same on its side by accepting requests only from Salesforce's published IP ranges.
- Passwords: Use strong credentials: at least 20 random characters mixing uppercase and lowercase letters, digits, and symbols, generated rather than chosen by a person, stored in a secrets manager rather than in code or configuration files, and rotated immediately if they are ever exposed.
Salesforce offers additional API integration security best practices to help round out your application data protection measures.
Monitoring API access for robust security
At the SANS Secure DevOps Summit, Elastic Beam CEO Dore Rosenblum shared an overview of the API security landscape. He posited that foundational API security measures like OAuth and throttling, while necessary, are no longer enough to constitute a strong API security posture. Monitoring API access and activity closes that gap: it can reveal abuse and misconfiguration that the preventive controls alone would have let pass undetected.
“A lot of apps — Salesforce itself, even – require access to an API to make a connection,” said Thomson Reuters’ Head of CRM and Business Information Andy Louca. “Unless you have API enabled, some of those even basic connected apps won’t work. You can, however, control and monitor those connected apps with reporting and event logs.”
When selecting a solution to monitor API access to Salesforce and similar cloud applications, make sure the vendor follows the best practices listed above for its own API access, since the monitoring tool is itself an integration user. Also favor a partner that provides user behavior analytics to detect anomalous patterns in API activity, such as calls from unexpected IP ranges or geographic locations, unusual request volumes, or access to objects an integration has never touched before.
Treat each API integration like any other user in your cloud environment and apply the principle of least privilege so that it cannot access more than it needs. By improving your API security, you take a real step toward improving your overall security posture and keeping sensitive data out of the wrong hands.