Risk and Reward of APIs and Third-Party Connectors in the Cloud

John P. Gormally, SR
7 min readJul 30, 2024

--

A Security Operations (#SecOps) and Engineering Commentary from industry insider Rohan Bafna , SecOps Engineer.

Third-party connectors through an Application Programming Interface (API) and other means remain essential for cloud expansion and functionality. As more organizations transform their businesses by moving their operations and applications to the cloud, there is a greater need for third-party integration to cloud infrastructures, security architectures, and applications.

As the world and technology industry continues to decode the effects of the CrowdStrike and Microsoft outage, the risk of human error configuring third-party connections and native integrations will always happen. Even with AI-assisted automated programming and machine learning, mistakes in design, testing, and configuration will happen.

That is the risk.

The cloud and its various forms of consumption have become too complex for one sole company or infrastructure to meet all the customers’ needs, manage all the different digital ecosystems, and provide comprehensive cybersecurity prevention strategies.

Security companies Cisco, CrowdStrike, and IBM develop cybersecurity products and services to integrate into Amazon Web Services, Google Cloud, and Microsoft Azure. By partnering with third-party connector developers, these cloud providers can speed up their time-to-market offerings.

That, ultimately, is the reward.

How Vulnerable Are APIs?

APIs are essential in software applications, but they are at risk because of misconfiguration, lack of security measures, or lack of awareness. This vulnerability can lead to hackers’ unauthorized access to sensitive data or systems.

  • APIs are at risk of attack from injected malicious code, leading to data exposure, system compromise, or takeovers.
  • Weak authentication, improper session handling, and inadequate access controls can make APIs vulnerable to attacks. Attackers may exploit these vulnerabilities to impersonate users, hijack sessions, or gain unauthorized access to sensitive data.
  • API can also be targeted with DoD attacks, causing service disruption, negative user experience, and financial losses. It is essential to assess APIs for security to protect data and prevent breaches.API security testing helps identify vulnerabilities and weaknesses in API implementations.

How To Test APIs for Security Vulnerabilities?

API testing is a necessary process that benefits developers, testers, and end-users. During early testing in the SDLC, developers can test APIs before the user interface is ready, allowing them to identify and resolve bugs at the server level before they appear in the UI layer. This testing helps prevent these issues from escalating.

Additionally, API testing enables testers to carry out requests that may not be recommended through the UI as it could expose security vulnerabilities. API testing is critical for catching bugs early to avoid delays in product releases.

UI Testing

UI testing is essential to confirm that the API functions appropriately within the application’s user interface. This testing guarantees that the UI accurately displays the API’s outcomes and that the API appropriately manages the UI’s inputs.

API Hacking

API hacking involves exploiting vulnerabilities in an API for security testing. Attackers can target API endpoints to gain data access, disrupt services, or take control of the system. Ethical hackers practice by attacking intentionally vulnerable APIs downloaded from the Internet. They can then test the organization’s APIs to identify weaknesses and assess resilience.

How to Protect APIs From Various Attacks?

API vulnerabilities are weaknesses in API security that bad people can use to do bad things. It can lead to data breaches, unauthorized access, and system crashes.

Stopping Excessive Data Exposure

Excessive Data Exposure happens when an API mistakenly discloses more data than required, which could aid potential attackers in future attacks.

To address this vulnerability, developers should only include essential data in their API responses. Engineers should enable this function by filtering data properly and controlling the quantity of data sent in each API response.

Rate Limiting

With rate limiting, an API can become overwhelmed with more requests, making it vulnerable to DoS attacks.

Limiting the requests can protect against attacks. To prevent DoS attacks, set a maximum number of requests in a timeframe.

Insecure Direct Object Reference (IDOR)

IDOR vulnerability lets attackers manipulate references to gain data access.

To mitigate this vulnerability, developers should avoid exposing direct references to internal objects in their APIs. Instead, they should utilize indirect references to increase the complexity for potential attackers seeking to manipulate the references and obtain unauthorized access.

Importance of Third-Party API Connectors in Cloud Environments

A well-designed API connection involves a three-layer architecture with system, process, and experience APIs. Adding layers of APIs can cause latency issues, especially with large data payloads. Maintaining latency in an API-led system requires dedicated IT resources.

Integration applications use connectors to link with systems through an API integration process, simplifying the process for creators by not needing direct programming. APIs enhance data transfer within systems by being integral parts of the systems.

APIs are crucial for modernizing systems and integrating applications, helping teams meet digital transformation goals for business and customer satisfaction.

Risks Associated with Third-Party API Connectors

Third-party APIs benefit users and can seamlessly integrate with business SaaS applications and cloud platforms. However, a notable issue arises when these apps and their providers access company data without adequate security.

Third-party APIs connecting to SaaS-to-SaaS platforms pose a supply chain risk. Providers’ weak security practices can put data at risk even with the enablement of known security protocols. Security teams need control over permissions for these apps, especially those with real-time integration risks and dependencies on third-party developers.

APIs become integrated into the various cloud-based applications and infrastructures and become part of the attack surface. Hackers look for third-party API connectors, expecting most of them to be vulnerable.

Similar to operational technology (OT) and industrial control systems (ICS), developers and security operations people choose to patch or update an API once it is deployed. This decision often leads to cyberattacks against API connectors, as hackers can access various websites and cloud instances looking for these connectors.

Security is a concern with integration security gaps in custom-built API integrations. This risk can lead to authorization problems, security misconfiguration, and insufficient logging. Without security reviews and data governance controls, there is an increased risk of security issues.

The Need for Continuous Assessment and Real-time Monitoring Third-Party API Connectors

Continuous security monitoring is a system that checks for security issues and alerts you if there’s a problem. Specifically, for APIs and other third-party connectors, ensuring the connectors have not become compromised is critical for all parties leveraging the tool.

Another critical task for developers is to perform assessments against APIs to validate and check exposed vulnerabilities that require immediate remediation. Developers will use Dynamic Application Security Testing (DAST) tools to test APIs and web applications. These tools become embedded within the DevOps and CI/CD development process.

The Future of SecOps and Third-Party Connections

Cyberattacks are a common threat in today’s world. Small businesses are not exempt from these attacks. Cybercriminals often target them because they lack the resources to recover quickly from security incidents. This targeting can cause data breaches, financial losses, and damage to their reputation.

Organizations must invest in security operations (SecOps) as more systems depend on the cloud, APIs, and third-party connectors. The complex world of interconnections between applications, cloud instances, legacy on-premise systems, and SaaS-based offerings will continue expanding the vulnerable attack surface.

Securing third-party APIs is essential for meeting GDPR and HIPAA regulations, preventing potential penalties from regulatory agencies.

Numerous organizations are required to meet security standards, such as ISO 27001. Implementing these frameworks can help establish a secure system and showcase dedication to security with clients. Ongoing monitoring is often necessary to comply with security standards like SOC 2 and ISO 27001.

Final Thoughts

The more interconnected we have become, the more likely we will see security like CrowdStrike and Microsoft. SecOps will continue to be critical in monitoring databases, APIs, cloud instances, user access, and ecosystem connections through the various supply chain portals and hosted systems.

Monitoring, reporting, and automation of API remediation will continue to gain momentum by heading into 2025.

Small businesses require a well-thought-out strategy to improve the security of their web applications and APIs. Investing in SecOps, either in-house or with a managed security service provider (MSSP), is essential for monitoring APIs and providing incident response functions.

About Rohan Bafna

Rohan is a WeWORK Incident Response and Threat Detection director based in New York City. He holds a master’s in computer science from Rochester Institute of Technology and an undergraduate degree from Thadomal Shahani Engineering College in Mumbai, India.

Rohan’s experience in security operations automation extends well into enabling artificial intelligence machine learning and developing next-generation security orchestration automation and response (SOAR) functions. Along with mastering SecOps automation, Rohan mentors many first-year engineers interested in learning more about modern security engineering, including deploying Cisco/Splunk for observability and better-automated notifications.

Rohan can be reached at rohbafna@gmail.com and on LinkedIn at https://www.linkedin.com/in/rohan-bafna-0911807b/.

#cybersecurityroadmap #roadmapofcybersecurity #cybersecuritycourse #cybersecurity2023 #roadmap #cybersecuritypodcast #scalability #business #cloud #cyber #podcast #podcast #management #innovation #emailsecurity #dlp #encryption #ransomwareprotection #malwareattacks #ciso Security, Privacy and Risk #privacy #security #email #compliance

--

--

John P. Gormally, SR
John P. Gormally, SR

Written by John P. Gormally, SR

John P. Gormally is a fictional and non-fictional cybersecurity blogger and writer based in Lake Forest California.