How Akamai can help mitigate the API security vulnerabilities

There has been significant advancements in the field of Application Programming Interfaces (APIs) over the past few years, resulting in enormous economic growth in the digital sector. With many advantages, such as allowing an application’s client to interact with its server, APIs can also provide a way for two applications to communicate with each other, such as machine-to-machine communication.

However, there is one downside to unprotected APIs: the risk of cyberattacks. Therefore, it is imperative to put in place strategies and procedures to mitigate vulnerabilities and security threats associated with it to ensure a robust security framework.

What is an API?
A clear understanding of what APIs are is crucial for preventing its vulnerabilities. In simple terms, APIs are used to enable communication between two applications. For example, you have probably used an API every time you booked an air ticket through travel platforms, checked the weather on your mobile phone or even used a social media app.

Rising attacks on APIs
With the growth of Internet usage and the surge in digital transformation, the number and nature of cyberattacks have increased over the last few years as cybercriminals have continued to exploit weak technology and systems in their attacks beyond traditional targets. The bad guys are now concentrating their operations on APIs because it can provide access to microservices and the cloud in addition to external applications.

Meanwhile, an integral part of API security is the implementation of strategies and practices to reduce vulnerabilities and security threats. Security APIs are developed to help manage various issues, such as access control, content validation and monitoring, among others.

The Future Market Insights report estimates that the API security market will grow at a compound annual growth rate of 26.3 per cent between 2022 and 2032. This will reach a valuation of $10,185.4bn by the end of 2032. A rise in cyberattacks and the adoption of APIs across diverse industries are some of the key factors underpinning this demand.

Addressing the concern
It is critical to properly secure APIs, whether they are a simple internal flow in a microservice application or a major B2B transaction worth millions. Managing API-related risks requires a thorough understanding of the programme and the role of leading security vendors in the field, such as Akamai.

With its edge security solutions, managed services, and intelligent edge platform, Akamai can contribute to the efforts of businesses in several areas in order to help them enhance their capabilities and actions.

Here are some of the critical areas where Akamai can help:

Broken object level authorisation – This vulnerability is present when a client’s authorisation is not adequately validated to access the object IDs. “Organisations can reduce this risk by not relying solely on object IDs passed in the request by a client or using a non-guessable random ID for objects. The objective is to validate authorisation for all accessed objects or mask the true ID of objects when appropriate to mitigate risk further. This is because attackers may try to request resources directly and not through the expected application flow. Akamai’s web application and API protection solution – App and API Protector — can partially identify these requests through the referer header validation.”

Broken user authentication – While organisations must fix their broken user authentication process to address this vulnerability fully, Akamai can help to detect and protect against many of the attack vectors that attempt to exploit it. Akamai’s API gateway capabilities support JSON Web Token validation for authentication on individual resources – with keys that check claims inside tokens and compute RSA digital signatures – to ensure tokens were not tampered with. Meanwhile, the company’s bot management solution can detect and manage the automation used in credential stuffing and brute-force authentication attacks.

Excessive data exposure – Looking forward to generic implementations, developers tend to expose all object properties without considering their sensitivity, relying on clients to perform data filtering before displaying it to the user. Without control over a client’s state, servers perform more filtering, which can be abused to gain access to sensitive data. While organisations reduce the unnecessary exposure of object properties and review them for sensitivity, various Akamai solutions can help address some aspects of this vulnerability. The company’s App and API Protector allows custom response actions so customers can define and serve HTML, XML, JSON-based, or other types of responses to mislead attackers.

Broken function level authorisation – Complex access control policies with different hierarchies, groups and roles and an unclear separation between administrative and regular functions tend to lead to authorisation flaws. By exploiting these issues, attackers gain access to users’ resources and administrative functions. While organisations must work to fix their access control models to address this vulnerability fully, Akamai can help detect and protect against some of the attack vectors that attempt to exploit broken function-level authorisation. The Akamai Enterprise Application Access enables a least-privilege access model for enterprise users, allowing only visibility and access to authorised applications by authenticated users. This helps create separation between administrative and regular user functions and mitigates the risk of authorisation flaws with a zero-trust security model.

Overview
Organisations and security vendors must collaborate to establish a solid defence against emerging security threats through processes, people and technology alignment. Akamai offers security solutions, experienced experts and an intelligent edge platform. The web application and API security solutions offered by Akamai assist in securing organisations against the most-advanced forms of web application, distributed denial-of-service and API-based attacks.

Read: How loyalty programmes can safeguard against sophisticated cyberattacks