Leaky Secrets Place API Security at Risk

An API is a black box to the average person. If you’re not particularly invested in understanding the intricacies and minutiae of how exactly your Google account, for example, accesses your accounts on various websites, you may not know exactly what happens to your data. Alternatively, if you work in the security space, you may know what happens to the data, but you’re not completely sure where exactly those data are stored. Either way, you probably assume the developers of the APIs you use have you covered.

In fairness, APIs typically include functionality for monitoring suspicious events and guarding against their own security flaws. Unfortunately, you can’t rely on the API to keep all of your data safe. Many businesses are finding that they use more APIs than their security team can comfortably manage, which creates potential weak points an attacker can exploit. Many of the vectors an attacker might use are under your control, particularly credentials and other secrets, but you may not be managing and securing those secrets well enough to keep your business safe.

So, you should be securing APIs. There are steps you can take that will vastly improve your security and decrease your risk of attack, and the most important one is to track down your secrets and clean out your environment before an attacker does.

API Security Depends on Secrets

Suppose that you want to browse your favorite news website. Typically, you need to log in to be able to view the articles and other content, and there is almost always an option to log in with your Google or Facebook account. Many people find that a quick click on one of these is more convenient than remembering and typing in a password, and it may seem more secure than saving a password to the browser.

The API needs to store and secure your credentials so that it can efficiently authenticate your login. Ideally, those credentials will be well-secured and stored somewhere safe, but secrets management has proven difficult. Intricate code and loose protocols in private messaging can create security holes, and developers don’t always monitor security as well as perhaps they should. More than 42% of security teams do not differentiate access privileges, so in many cases if a user can access one part of the environment, that user can access anything in the environment. This creates a major problem in the event of a breach.

One of the primary security risks of APIs is leaked credentials. Source code leaks and superuser impersonation enable attackers to access user credentials, and sometimes, as happened in the LastPass breach last year, those credentials are found in plaintext. Put another way, credentials that haven’t been properly isolated and secured are sitting ducks. When users have wide access to the environment, an impersonator can easily find those plaintext credentials.

Do You Know Where Your Secrets Are?

To grant access to an application or website, the API must access your secrets, so API security is not a simple matter of locking down your environment. The better solution is to ensure that secrets are in a place that the API has permission to access, and that the secret repository is the only place where secrets are kept. Because secrets are often placed in insecure locations, any time an attacker accesses the environment, those secrets are exposed. So, it’s advisable to find those secrets and hide them before an attacker has the opportunity.

If you’re not sure where to start looking, here are some suggestions:

  • Source code: Many APIs are built on open-source code, so attackers may be familiar with flaws long before they invade your environment. It’s not difficult, much of the time, for an attacker to analyze your code and find credentials that may be floating around inside.
  • Employee devices and accounts: Employees are at risk of social engineering attacks, making it essential to adopt zero-trust and minimize the amount of information any employee may access. A need-to-know mentality can reduce the number of secrets that find their way to an employee’s device. In the meantime, it’s worth taking a look at any machine that accesses your network and scrubbing any saved credentials.
  • The cloud: APIs are heavily integrated with your cloud data, so check the cloud for files with credentials stored in plaintext (there’s probably at least one person who has at some point stored passwords in Excel). You might have documentation on password conventions or a database of employee information that isn’t secured well enough, for example.
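
One way to start the source-code sweep described in the list above, as an added example that is not part of the original article: a small Python scanner that combines known credential formats with an entropy check on values assigned to credential-like names. The rules, the entropy threshold and the sample files are assumptions constructed for illustration.

```python
import math
import re
from collections import Counter

# Illustrative rules only (assumption): a real ruleset is far larger.
RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private-key-block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
]
# name = "value" or name: 'value' where the name suggests a credential.
ASSIGNMENT = re.compile(
    r"(password|passwd|secret|api[_-]?key|token)\w*\s*[:=]\s*[\"']([^\"']{8,})[\"']",
    re.IGNORECASE)
# Values that are references or obvious dummies rather than real secrets.
PLACEHOLDER = re.compile(r"^(\$\{.*\}|<.*>|changeme|example.*)$", re.IGNORECASE)
MIN_ENTROPY = 3.0  # bits per character; tuning value chosen for this example

def entropy(value):
    """Shannon entropy of a string, in bits per character."""
    counts = Counter(value)
    return -sum(n / len(value) * math.log2(n / len(value)) for n in counts.values())

def redact(value):
    """Keep a short prefix so the report itself does not leak the secret."""
    return value[:4] + "*" * (len(value) - 4)

def scan_text(path, text):
    """Return (path, line number, rule, redacted match) for each finding."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, pattern in RULES:
            match = pattern.search(line)
            if match:
                findings.append((path, lineno, rule, redact(match.group(0))))
        match = ASSIGNMENT.search(line)
        if match:
            name, value = match.group(1).lower(), match.group(2)
            if not PLACEHOLDER.match(value) and entropy(value) >= MIN_ENTROPY:
                findings.append((path, lineno, "hardcoded-" + name, redact(value)))
    return findings

def scan_files(files):
    """Scan a {path: text} mapping and return all findings in file order."""
    return [f for path, text in files.items() for f in scan_text(path, text)]

SAMPLE_FILES = {  # constructed input; the AWS key is AWS's documented dummy value
    "app/settings.py": 'DEBUG = False\nDB_PASSWORD = "q7Rk2pX9vLm4Zt8w"\n'
                       'API_KEY = os.environ["API_KEY"]\n',
    "deploy/config.yml": 'aws_key: AKIAIOSFODNN7EXAMPLE\ntoken: "${CI_TOKEN}"\n'
                         'password: "changeme"\n',
}
```

Calling `scan_files(SAMPLE_FILES)` reports the hardcoded password and the access key ID while skipping the environment lookup, the `${CI_TOKEN}` reference and the `changeme` placeholder. Any real credential found this way should be rotated as well as moved into the secret repository, since it may already have been copied.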

Protecting APIs Against Compromised Credentials

Tracking down all of your secrets is no small task, but it’s only part of your defense strategy. You should also protect the APIs you use in case your credentials are compromised. Never store credentials in plaintext or send them in an unencrypted message. Implement comprehensive API discovery to identify and limit leaks. An automated classification solution can help developers maintain security while coding.

As API use becomes more prevalent, developers will struggle to keep up with the additional security needs. Secrets are likely to leak; however, improved credential hygiene and automated data classification can help you find the leaks and keep your credentials more secure.