The One Thing APIs and Serial Killers Have in Common

By Edward Roberts, VP Marketing at Neosec

It seems like there is a surprising number of shows and movies about serial killers these days. Oddly, while APIs and serial killers could not be less alike, they do share one commonality. So many accounts of real serial killers show neighbors, friends or acquaintances claiming that the perpetrator seemed so normal. From the outside, everything looked fine, with no indication that something could be terribly amiss.

API abuse and misuse are like that as well. From the “outside,” the API may appear well constructed and lacking any apparent vulnerabilities. However, within the API, unintentional or intentional activities may be occurring without any visible manifestations. It is also possible that damage might be “low and slow,” kept to undetectable levels, and done over an extended time period to avoid being discovered.

In today’s digital business world, APIs connect everything and empower new services to drive increased revenue or decreased costs. APIs integrate a company’s internal systems to external customers, partners, suppliers, and other third parties. The shipping of an order, for example, may involve connecting a vendor’s internal systems with partners, shippers, and customers to complete the process while providing real-time status data. Today, the use of APIs provides significant gains in speed, efficiency, and effectiveness.  

At the same time, the use of business APIs turns companies inside out. Systems that were once closely guarded and sequestered within a company’s network or data center are now being made accessible to customers, partners and suppliers. Use of these APIs is generally assumed to be safe because every call is authenticated and authorization and access are closely controlled. This assumption is wrong.

Despite good governance practices and security measures for those with access to an API, it is still possible for unauthorized parties to gain access to it by stealing credentials or API keys. The never-ending data breach sagas teach us that it is always possible to steal valid credentials and use them for nefarious purposes. Similarly, the well-known Cambridge Analytica abuse of Facebook’s APIs illustrates that APIs have been successfully abused in unintended ways. From the “outside” the APIs and their usage may seem normal, but what occurs within APIs may be surprising.

Through APIs, low and slow data scraping has become a new data breach technique, exposing not only PII but also the most valuable data a company owns. But data scraping is just the tip of the iceberg. With business processes now connected through business APIs, fraud and other criminal activities are eminently possible through the abuse of the business logic within those APIs.

One researcher was able to produce $100,000 worth of credit for himself on the European electric scooter-sharing application, Voi, by abusing an API. API fraud could change customer orders and create new, unauthorized ones. Business APIs provide a potential mechanism for criminals or third parties to conduct financial transactions, alter accounts payable or accounts receivable balances and entries, or create havoc in the supply chain.

What’s next? Gartner and other organizations have recognized API abuse and misuse as not only a growing threat vector but a seismic shift in cybercrime. At the same time, the attack surface is growing as organizations continue to open up systems and data to third parties through new APIs. Worryingly for security practitioners, many of these new APIs are initiated and used by business units or departments completely independent of the company’s security, risk or IT groups. These “shadow APIs” are consequently impossible to protect: you have to discover an API before you can govern it. The threat of abuse is not confined to shadow APIs but extends to every business API a company has in use. Companies need to be constantly aware of all APIs in use, inventory them, understand their usage, and monitor the behaviors within them for abuse or misuse.
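The “low and slow” scraping described above, and the behavioral monitoring this paragraph calls for, can be illustrated with a small detector. This is an added example, not code from the article or from Neosec: it profiles each API key over a long window using constructed sample log lines (the format, key names and thresholds are assumptions) and reports keys whose peak hourly rate would pass a conventional rate limit while their cumulative distinct-record coverage, or sequential ID enumeration, reveals scraping.

```python
"""Detect 'low and slow' API scraping from per-credential access logs.

A per-request or per-minute rate limit never fires for this pattern; the
signal is cumulative over a long window: how many distinct records one
credential pulled, and how sequential those record IDs are.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not from any real system), in the assumed
# format "<ISO timestamp> <api_key> <method> <path> <status>".
# key_partner_A fetches one new customer every 15 minutes for a whole day:
# only 4 requests per hour, but 96 sequential customer records in total.
SAMPLE_LOG = [
    f"2024-05-01T{h:02d}:{m:02d}:00Z key_partner_A GET /customers/{1000 + h*4 + m//15} 200"
    for h in range(24) for m in (0, 15, 30, 45)
] + [
    "2024-05-01T09:00:00Z key_partner_B GET /customers/5012 200",
    "2024-05-01T09:05:00Z key_partner_B GET /customers/5012 200",
    "2024-05-01T13:20:00Z key_partner_B GET /customers/7781 200",
]


def parse(line):
    """Return (timestamp, api_key, numeric record id) for one log line."""
    ts, key, _method, path, _status = line.split()
    record_id = int(path.rsplit("/", 1)[1])
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), key, record_id


def find_scrapers(lines, rate_limit_per_hour=60, max_distinct=20, seq_ratio=0.8):
    """Flag keys whose long-window behavior looks like enumeration.

    Thresholds are assumed placeholders; in practice derive them from each
    key's historical baseline rather than a single global number.
    """
    per_hour = defaultdict(lambda: defaultdict(int))  # key -> hour -> count
    ids = defaultdict(set)                            # key -> distinct ids
    for ts, key, record_id in map(parse, lines):
        per_hour[key][ts.replace(minute=0, second=0, microsecond=0)] += 1
        ids[key].add(record_id)

    flagged = {}
    for key, distinct in ids.items():
        ordered = sorted(distinct)
        gaps = [b - a for a, b in zip(ordered, ordered[1:])]
        sequential = sum(1 for g in gaps if g == 1) / len(gaps) if gaps else 0.0
        peak = max(per_hour[key].values())
        if len(ordered) > max_distinct or sequential >= seq_ratio:
            flagged[key] = {"peak_per_hour": peak, "distinct_records": len(ordered),
                            "sequential_ratio": round(sequential, 2),
                            "under_rate_limit": peak <= rate_limit_per_hour}
    return flagged
```

Run against the constructed log, key_partner_A is flagged with `under_rate_limit` true, which is exactly the case a rate limiter alone would have missed; key_partner_B, with two distinct records, is not.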

Companies do not want to be in the position of explaining, after the fact of a highly damaging data breach or fraud, “the API seemed so normal… We thought we could trust it… We had no idea.”

Edward Roberts is the VP Marketing at Neosec. Prior to Neosec, Edward led marketing strategy for the application security portfolio at Imperva. Previously, he led marketing at two application security companies through acquisition, including Distil Networks (acquired by Imperva) and Mykonos Software (acquired by Juniper Networks).
