What do smartphone apps, cloud services and today's newest automobiles have in common? They all utilize application programming interfaces to share data with other Internet-connected devices, a trend that has led to the creation of thousands of new APIs in recent years.
However, application programming interface (API) security experts warn that security is often an afterthought for API developers, meaning those APIs may be likely to leak sensitive data or serve as a tempting target for attackers. To that end, some believe API gateway security appliances are increasingly a must-have proposition for enterprises.
API growth creates opportunities, vulnerabilities
To get a grasp on the runaway growth of APIs, one needs only to look at statistics from ProgrammableWeb, which has been tracking publicly exposed APIs since 2005. At that time, there were only around 100 APIs listed; today, there are more than 10,000 publicly known APIs.
That growth is increasingly underpinning an economy that is reliant on treasure troves of user data. Salesforce.com reportedly generates more than 50% of its $3 billion in annual revenue through its APIs, and APIs account for nearly 90% of Expedia's $2 billion in annual revenue.
Companies generate API revenue by metering access to APIs and the resources behind them in a variety of ways. For instance, Twitter, Facebook and others provide ads-based APIs that allow for targeted advertisements based on reporting and analytics, but ad agencies and other brands must pay for access to those APIs.
Two tech giants have recently engaged in a multi-year battle over APIs: Oracle Corp. filed a lawsuit against Google claiming the online search behemoth had infringed on the company's Java APIs, which Oracle acquired along with Java itself in its acquisition of Sun Microsystems. The situation has yet to be resolved.
Scott Morrison, senior vice president and distinguished engineer for Manhattan, New York-based CA Technologies, which acquired API gateway vendor Layer 7 Technologies last year, said the volume and usage of APIs will continue to grow because of their undeniable monetary value, and because they enable developers to utilize new and varied data sources for third-party applications and services.
Yet Morrison said API developers often forget to take basic precautions to secure them. In particular, he said many APIs are vulnerable to attacks commonly associated with the Web because APIs rely on Web-centric protocols, including their use of HTTP for data transport.
"So what hackers do is look at what works on the Web and they extend those ideas into the API space," Morrison said. "SQL injection is a great example. It's a way really of trying to sneak certain additional data into parameters that are sent to a server that then get put into a SQL template, and if the original developer didn't check the inputs properly, an attacker can basically make the server do arbitrary SQL on their behalf."
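The pattern Morrison describes, shown as an added example that is not part of the original article: an API parameter pasted into a SQL template, beside the parameterized form that keeps the value separate from the query text. The table, column names and sample rows are constructed for the demonstration.

```python
import sqlite3

# Constructed in-memory table standing in for the resource behind an API endpoint.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE accounts (owner TEXT, balance INTEGER)")
conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                 [("alice", 100), ("bob", 250), ("carol", 75)])

def lookup_unsafe(owner):
    """Vulnerable: the request parameter is spliced into the SQL template, so any
    quote or operator it carries becomes part of the statement."""
    sql = f"SELECT owner, balance FROM accounts WHERE owner = '{owner}'"
    return conn.execute(sql).fetchall()

def lookup_safe(owner):
    """Hardened: the parameter travels separately from the SQL text and is only
    ever compared as a value, never interpreted as SQL."""
    sql = "SELECT owner, balance FROM accounts WHERE owner = ?"
    return conn.execute(sql, (owner,)).fetchall()
```

With a well-formed owner name both functions return the same row; with a tampered parameter the unsafe form returns every row in the table, while the parameterized form returns nothing because no account is literally named that.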
Mark Cheshire, chief operating officer of San Francisco-based API gateway vendor 3scale Inc., also noted some API security problems that can go overlooked by developers. For instance, Cheshire said one 3scale client originally planned to become a medical-focused search engine, but quickly realized outsiders were repeatedly taking the company's valuable information via its public API -- which lacked any access controls or pay wall capabilities -- and were putting it into outside databases.
Unsecured APIs even played an indirect part in a recent data breach at mobile communication app Snapchat. Morrison said such incidents only serve to highlight why API developers need to offload security duties.
"The focus of developers is to build a compelling app, not to do security," Morrison said. "The idea behind an API gateway is to avoid fighting that battle, [and to] have a security professional that knows what they're doing build security for all APIs, and then let developers focus on doing what they do best."
API gateways: How do they work?
Essentially, an API gateway sits in front of an API -- whether it be from an on-premises location, in the cloud or elsewhere -- and filters traffic based on a variety of factors.
Morrison said API gateways bear some resemblance to Web application firewalls in the sense that they serve to apply security measures that were previously missed in the development process. He emphasized, though, that a Web application firewall's value is limited to security, while API gateways provide extensive management and other capabilities that are enticing to enterprises.
The technology can help protect against various attacks that would bypass a traditional enterprise firewall, according to Morrison, including the aforementioned SQL injection attacks. He said attackers can also insert malicious attachments or other content inside of XML messages that could then be used against applications through an API, but a gateway can provide scanning technologies to mitigate such attempts.
Eve Maler, principal analyst for Cambridge, Massachusetts-based Forrester Research, also noted that attackers hide malware within malicious HTTP requests -- the base of many API calls -- and highlighted how API gateways often play a key role in mitigating such exploits.
"You could battle this at a number of levels: First, by carefully vetting which client apps you give credentials to and by certifying the quality of the client apps," Maler said. "And second, by using an API gateway to trap apparently malicious calls."
API access control: A game-changer
All those features aside, both Morrison and Cheshire indicated the No. 1 security driver for API gateway technology is access control, serving as a governor of sorts so an organization can manage who can access an API and establish rules around how data requests are handled.
Cheshire said access control almost always extends to establishing other policies, including rate limits on API calls from certain sources, or even payment requirements for accessing all or certain resources through an API.
An API gateway's access control capabilities usually start with authentication mechanisms to determine the actual source of any API calls, according to Cheshire.
Cheshire warned that API providers must take great care when enabling authentication on API gateways. If data is sensitive -- such as financial or healthcare data relevant to PCI DSS or HIPAA -- Cheshire advised organizations to always utilize OAuth, which acts as an intermediary for accessing Web-based resources without exposing a password to the service. Key-based authentication, he said, should be reserved for instances in which the business can afford to lose the data, because it is difficult to guarantee the complete secrecy of the keys.
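The policy chain Cheshire and Morrison describe (authenticate the caller, then apply access rules such as rate limits, with OAuth tokens required for sensitive data and shared API keys tolerated only for lower-value resources), as an added example that is not code from the article or from any vendor named in it. Every credential, client name, resource path and limit below is constructed; the OAuth tokens are assumed to have already been issued and validated by a hypothetical authorization server.

```python
import time
from collections import defaultdict, deque

# Constructed credentials (not real): one API key, one token from a hypothetical OAuth server.
API_KEYS = {"k-partner-1": "partner"}
ACTIVE_TOKENS = {"tok-abc123": {"client": "mobile-app", "scopes": {"records:read"}}}
# Per-resource policy: required scope, and whether the data is sensitive and
# therefore reachable with an OAuth token only (never with a shared API key).
RESOURCES = {"/v1/records": {"scope": "records:read", "sensitive": True},
             "/v1/status": {"scope": None, "sensitive": False}}
RATE_LIMIT, RATE_WINDOW = 3, 60.0   # calls per client per window (seconds)

class Gateway:
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.calls = defaultdict(deque)   # client -> timestamps of recent calls

    def authenticate(self, headers):
        """Return (client, scopes, method) or None; a bearer token wins over a key."""
        auth = headers.get("Authorization", "")
        if auth.startswith("Bearer "):
            tok = ACTIVE_TOKENS.get(auth[len("Bearer "):])
            return (tok["client"], tok["scopes"], "oauth") if tok else None
        key = headers.get("X-API-Key")
        return (API_KEYS[key], set(), "apikey") if key in API_KEYS else None

    def within_rate_limit(self, client):
        """Sliding window: discard stale timestamps, then admit or refuse."""
        now, recent = self.clock(), self.calls[client]
        while recent and now - recent[0] > RATE_WINDOW:
            recent.popleft()
        if len(recent) >= RATE_LIMIT:
            return False
        recent.append(now)
        return True

    def handle(self, path, headers):
        """Policy decision for one request, as (HTTP-style status, reason)."""
        ident = self.authenticate(headers)
        if ident is None:
            return 401, "missing or invalid credentials"
        client, scopes, method = ident
        policy = RESOURCES.get(path)
        if policy is None:
            return 404, "unknown resource"
        if policy["sensitive"] and method != "oauth":
            return 403, "sensitive resource requires an OAuth token"
        if policy["scope"] and policy["scope"] not in scopes:
            return 403, "token lacks required scope"
        if not self.within_rate_limit(client):
            return 429, "rate limit exceeded"
        return 200, f"forward to backend as {client}"
```

Authentication runs before routing so an unauthenticated caller learns nothing about which resources exist, and the rate counter is charged only to requests that passed every access check.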
Cheshire explained how, using an API gateway, his client with the search engine for medical data actually changed its business model by charging for access to its API, which is now the company's main source of revenue.
"API gateways are particularly important when you consider the type of access that APIs enable," Cheshire said. "With an API … you're exposing more data that can be valuable to attackers that can break in, and so the risks are greater."
While access control and related capabilities are standard on most API gateways, API providers should focus on where a product is deployed when speaking with vendors.
For example, a financial services company concerned about the data being served up by an API may want to stick to an on-premises gateway or a hybrid model, Cheshire said; a cloud-based proxy usually needs to intercept all API traffic and process it through the third-party vendor's infrastructure, a move that both exposes the data to more risk and tends to carry a larger price tag because of the data-processing costs.
Maler agreed that highly regulated industries tend to stay away from cloud-based options, with virtual appliances serving as an attractive alternative because they help companies "achieve at least some of the elasticity benefits of the cloud."
Because the value of so many companies is heavily reliant on monetizing large amounts of data through APIs, Maler said API gateways should be considered a necessary part of many organizations' security infrastructures moving forward, especially as few options exist for securing APIs.
"Security is a must in all these cases, but the goal of access control goes way beyond just security," Maler said. "To monetize an API, you have to be able to throttle access to it, and that's where we see API management platforms coming in."
Maler said some organizations use SaaS-based offerings to secure and control their APIs -- the system hosting the API calls yet another set of vendor-hosted APIs to manage or monitor access -- but confirmed organizations in need of robust, on-premises API security have essentially one technology to turn to.
"API gateways are practically the only deployment footprint we see anymore," Maler said.