Ammune™ is a Revolutionary AI-Based Solution for API Security by L7 Defense. Its advanced Machine Learning solution is made to protect APIs from the most advanced attacks while hunting down “zero-day” attacks with no damage to normal traffic. In this interview, L7 Defense Co-founder and COO Biz Dev Yisrael Gross discusses emerging security risks as the world becomes ever more reliant on API communications.
Please describe your background and the story behind the company: What sparked the idea, and how has it evolved so far?
My two partners and I co-founded L7 Defense in 2015. Back then, our primary mission was to find new ways to keep internet traffic safe. We’ve come a long way since then, from an idea to a highly effective product that is installed across Europe, the United States, and the Far East.
L7 Defense protects interfaces outside and inside organizations. When I say interfaces, I’m talking about APIs – Application Programming Interfaces that enable communication between internal and external traffic.
These days, Web and app development is becoming much simpler and easier. You have endless function libraries with a database in the back, and you just connect the database with your APIs to the app or website, and that’s how you set up your platform. Everything is built with drag & drop elements, leaving hundreds of thousands of code lines hidden and compiled into small boxes that already contain those APIs. Since you want to connect your business to other businesses, you need links and APIs that communicate with those other businesses. This requires some major changes, not only in the way that websites are built but also the connectivity between them.
Three significant shifts are occurring these days regarding APIs. Firstly, we are witnessing a Digital Transformation– everything is moving online, and more tasks are becoming possible to do remotely. Customers can connect to any business and get any functionality they want. Digital transformation allows a business to interact with other companies. Whether it’s a shipping company delivering products to the premises, a payment system for charging customers, or some other added value needed to strengthen and grow your business using APIs.
The second shift is the use of IoT devices, which are becoming a lot more common these days. Any device that connects to the internet uses APIs. Such a device can be a heart monitor, a smartwatch, smart TV, or a microwave – all these devices communicate with each other via APIs.
The third shift is to Open Banking, which means that banks share the data they have with other companies. More and more regulations globally are now covering data aggregation. This entails that any data they have on a customer is shared between them and can be pulled by any of them from one primary location, for example, credit scores.
Open Banking allows bank customers to conduct transactions online without even logging into their bank accounts by connecting to a third-party company that handles the transactions. With the sharp rise in mobile banking and more FinTech companies joining forces to give their customers better service, it has become even more critical to secure it.
To illustrate the omnipresence of APIs, Akamai research found that 87% of global internet traffic is channeled via APIs. In the case of mobile phones, this number is 100%. Every app you have on your phone is communicating via APIs. This makes them an attractive target for threat actors to go where the traffic and money are.
Recent Gartner reports state that by 2021, API attacks will rise from 40% to 90% of all attacks. OWASP, an organization for web security, estimates that 9 out of 10 attacks abuse API vulnerabilities.
Critical assets cannot be protected by a Web Application Firewall (WAF), since APIs are built to be dynamic whereas WAFs are more standardized, stable, and static. Any change of rules has to be reviewed by the organization’s security team. As soon as a new API is added, vulnerabilities start creeping in. One of our customers, a large trading company, conducts 1,300 updates per month. This leaves the question: how to secure 1,300 updates a month? A security team does not have the time and manpower to go over every single update, and relying on API management tools is not enough. That’s where L7 Defense comes into play.
Below is a quick look at the Ammune™ Dashboard:
Let’s say I gave someone API access, what’s the worst that can happen?
There are generally six concerns that business owners have.
First of all, you need to have visibility, which is what L7 Defense offers to its customers. Having visibility across all of your assets and knowing who is sharing private information and where it’s critical should be monitored all the time. If you could see all of the information that is being shared at any given time, and you wanted to secure that view, the data would need to be always available. Furthermore, you need to know the data is made available according to the Service Level Agreement (SLA) of each of those points. This will give you full visibility of all the information you share, and the time it takes to respond.
The second concern is automated attacks that are in the OWASP Top 20. They might originate from a botnet that runs one or two bot attacks a day, or it can be millions of bots in total. What those bots do is open user accounts online, and then use those accounts to test stolen credit cards. Once a card is validated, they can use it wherever and for whatever they want.
API security is in the OWASP Top 10. It’s a new player in the market where we have to secure exactly the right authorization. For example, when someone is accessing the wrong data.
Next, we have fraud for conducting, for example, credential stuffing, brute force, and other relatively simple attacks to try to take control of an account and then use it for online actions. Typically, these attacks will target financial institutions, where they can steal money from many different accounts, rather than privately held businesses where the pickings are slimmer.
The next concern is the classic type of attacks such as SQL injections and Cross-Site Scripting that any web app and API should be protected from.
The last concern relates to Denial of Service (DDoS) attacks at the application level. These attacks target all types of organizations. If APIs enable your main channel of communication, you want it to always be available and respond on time, which means the SLA needs to be very fast. If an attacker runs a botnet on the system that will impact the login button, it would take significantly longer to log in. This frustrates the customers, so they go to a competitor website or app that’s more convenient. For example, if the service being attacked is a food ordering app, starting such an attack during lunchtime will give the competitor app an unfair advantage.
What makes these attacks so dangerous is that no large campaign attack is needed. Finding those small requests that are essential for the service to function is enough. Just a few of those requests can overwhelm the server while trying to respond, and that’s how servers are taken down.
These are the six major risks for organizations that require automated security and support. We at L7 Defense make sure that your APIs are secure. It is our mission to provide standard security for all APIs.
Would you say the general public is aware of online privacy and security risks? Is there enough awareness in the corporate and business communities?
As customers, we’re starting to get used to seeing data breaches; it has become a fact of life. What happens is that the responsibility has moved to the insurance and credit card companies. As customers, we are insured by our credit card companies, so if you, as a customer, report that you did not perform a particular transaction, they will reimburse you automatically. Customers are not aware at all of what goes on behind the scenes, so they need to be made aware.
Any app you, as a consumer, have on your phone requests a credit card. How many apps have you given your credit card details to? Even if you didn’t provide your credit card to a particular app, but you’re using third-party credentials to log into it, your credit card details can still be exposed. If that’s not enough, a lot of people save their credentials on their computer or browser, making them automatically available for online theft.
We all know we need to secure ourselves by only visiting secure websites. But when we go to an app, we’re often required to give our credit card details, or just take a picture of it, before we can start using the service. This applies to individual consumers, but in the business sector, companies are held accountable for such actions. When someone says they didn’t ask for a particular payment, the insurance or credit card company requests the money back from the company.
Service providers are very much aware of this risk because they know that if their systems are breached, it could result in a lot of collateral damage to the business.
Any company that uses Personally Identifiable Information (PII) is exposed to lawsuits since the information it holds is a liability. Sometimes, the credit card information is stored by third-party payment gateways, so even though it’s outsourced, a company still has a lot of PII to worry about. PII regulation in Europe and other countries is now putting more pressure on companies to make sure this data will not leak out.
You mentioned the trend of data aggregation where large amounts of PII are being collected into a central database. We also see a rise in experimental and somewhat intrusive applications of biometrics. What is your opinion on all this?
I won’t go into whether they should or shouldn’t be allowed to collect data, but if they are going to collect it, it has to be secured. You cannot have a fingerprints database hacked, which is what happened in India.
The data transformation has given access to unauthorized parties to see PII via APIs. We have to secure all this information now, and make sure that such sensitive data cannot be accessed.
COVID-19 has brought many changes, such as working from home (WFH). If we’re ill, we connect to a remote healthcare service to find out if we have COVID-19. We share very personal information and we give them permission to use it because we don’t want to visit the doctor when there’s a pandemic outside. All that has to be 100% secure.
Governments today are aggregating data from everywhere. It doesn’t make sense that you have to log in to many different government websites. It makes sense to have one access with one API that lets you access all the older systems where your private information is stored. You can’t tell the government what to do, but at the least, you can expect them to take the same security measures that regulations require from everybody else.
Which trends and technologies do you find to be particularly interesting these days?
The work from home (WFH) trend is interesting from two perspectives. Firstly, it’s the most extensive human experience in remote work. People used to drive to work, now they work from home, shop online, and get everything they need online. People can live in the middle of the desert and get everything they need remotely: food, healthcare, banking, shopping, learning, entertainment, and more. But when you work on your laptop at home, that’s another channel you need to secure. For instance, Wi-Fi at home has the general standard Wi-Fi security, which does not provide full security. You know that so you try to work through all of the encrypted traffic, but this is a very high risk. So the trend is to work from home, but the security is not increasing to accommodate this.
For example, a threat actor can connect a fake Wi-Fi outside with the same name using its phone and tell my device to connect to it. I assume that it’s my own Wi-Fi since it has the same name, but actually, it’s the threat actor’s phone connected to my Wi-Fi that is now stealing all my information.
Now that everyone is working from home, all our data is exposed. Our kids might be downloading games on that same laptop or desktop computer. Those games introduce malware that will have power over millions of computers worldwide.
But even if no one else can use their computer, many employees still have remote access to information, data, and transactions that are critical for the organizations they work for. The fallout of data breaches due to WFH might not show today, but it will make an impact for many years to come, as hackers will not only have access to all our data, they will be able to use it whichever way they want.
If you were a policymaker, what would you do to make work from home safer?
Just last night, I was listening to a panel discussion regarding privacy regulations. US senators discussed whether sharing information on Instagram or Facebook is OK, but on TikTok is not, since the latter is a Chinese company, which would be a cybersecurity risk. But would that make a difference API-security wise? There are a lot of questions lately about what’s going to happen with regulations regarding this type of information.
Both GDPR and the recent CCPA regulations say that companies have to secure PII. Any company that wants to supply products or services to the EU and the US will need to comply with those regulations. Data privacy officers must make sure that data on social media such as Instagram will not leak out either.
Regulations force all of us to be much more careful because, at the end of the day, it’s all about business data. We cannot tell companies not to use our data for their business, but it should be much more secure. We should be putting more people in charge of data leaks and defining dedicated rules for this purpose. People should have access to data they’ve exposed and they should be able to have it deleted if needed.
All of this is now being discussed in public while the new regulation is coming into force. It’s easy to find out when you logged into the app and what you were looking for, which is too much private information that companies use to show you targeted ads based on everything they know about you. If you wanted to leave a platform, you should be able to get all your data back. This ability to manage and control the data is something that we see being incorporated in emerging global regulations.
This is fine when talking about commercial information, but what if the entity requiring the data is your government?
I’ll give an example of a government that, out of goodwill, displayed aggregated data from multiple sources about specific companies, so that potential customers and partners could check whether or not a specific company was active, paying tax, etc. We found that someone was using a bot to manipulate that system with an overload of requests, getting hold of a whole list of companies, and all of their information. What started as a government’s gesture of goodwill became a liability; the attackers were able to access the entire government database, and they now own it.
In retrospect, the government should have been much more efficient and secure. Governments think they are immune, but since most of our critical data is in their hands, they are vulnerable. They have our financial data, our health data, and everything else – making them a central point for holding all our data. They have to be much more secure, which is not easy. Governments are vulnerable since they have to work with lower (cybersecurity) budgets than the private sector. They don’t make money, so they have fewer resources to invest. This in turn is the reason why companies bidding for government contracts will win tenders based on price, not on the quality of service. Personally, I would actually feel much more secure facing a private company handling my data than a government.
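Two of the abuse patterns described in this interview, the low-volume application-layer denial of service that hits only the few expensive requests a service depends on, and the bot that slowly enumerates a public lookup interface until it holds the whole database, can both be surfaced from ordinary API access logs. The script below is an added, illustrative example and is not code from L7 Defense or the Ammune product. The log format, the endpoint paths, the per-endpoint cost weights and the thresholds are all assumptions chosen for the demonstration, and the log lines are constructed, not captured traffic. It tracks a cost budget per client over a sliding window (so a handful of expensive lookups is weighted like hundreds of cheap catalog reads) and, separately, the number of distinct resource identifiers a client has requested (so a scraper that stays under the rate limit is still caught by the breadth of what it touches).

```python
"""Detect expensive-request floods and slow enumeration in API access logs.

Added example (not part of the original interview or the vendor's product).
Log format, endpoint costs and thresholds are assumptions for illustration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Assumed relative cost of serving each endpoint. The company lookup is
# modelled as expensive (it fans out to several back-end systems); the rest
# are cheap. Unknown endpoints fall back to DEFAULT_COST.
ENDPOINT_COST = {"/api/company/lookup": 20, "/api/login": 5, "/api/catalog": 1}
DEFAULT_COST = 1


@dataclass
class ClientState:
    window: deque = field(default_factory=deque)  # (timestamp, cost) pairs
    ids: set = field(default_factory=set)          # distinct resource ids seen


def parse_line(line):
    """Parse a constructed log line: '<unix_ts> <client_ip> <method> <path>'."""
    ts, ip, _method, path = line.split()
    base, _, query = path.partition("?")
    rid = None
    for kv in query.split("&"):
        if kv.startswith("id="):
            rid = kv[3:]
    return float(ts), ip, base, rid


def detect(lines, window_s=10.0, cost_budget=100, id_limit=25):
    """Return (client_ip, reason, value) alerts, one per client and reason.

    reason == "cost": weighted request cost within window_s exceeded cost_budget.
    reason == "enum": the client has requested more than id_limit distinct ids.
    Lines are assumed to be in timestamp order.
    """
    states = defaultdict(ClientState)
    alerts, flagged = [], set()
    for line in lines:
        ts, ip, base, rid = parse_line(line)
        st = states[ip]
        st.window.append((ts, ENDPOINT_COST.get(base, DEFAULT_COST)))
        # Evict entries older than the sliding window.
        while st.window and ts - st.window[0][0] > window_s:
            st.window.popleft()
        if rid is not None:
            st.ids.add(rid)
        load = sum(cost for _, cost in st.window)
        if load > cost_budget and (ip, "cost") not in flagged:
            flagged.add((ip, "cost"))
            alerts.append((ip, "cost", load))
        if len(st.ids) > id_limit and (ip, "enum") not in flagged:
            flagged.add((ip, "enum"))
            alerts.append((ip, "enum", len(st.ids)))
    return alerts


# Constructed sample traffic (not real logs):
#  - 10.0.0.5      : a normal user browsing the catalog, then one lookup.
#  - 198.51.100.7  : six expensive lookups in 2.5 s, a tiny request count
#                    that still blows the cost budget (app-layer DoS pattern).
#  - 203.0.113.9   : one lookup every 5 s, under any rate limit, but walking
#                    through 30 different company ids (enumeration pattern).
SAMPLE_LOGS = (
    [f"{t}.0 10.0.0.5 GET /api/catalog" for t in range(30)]
    + ["30.0 10.0.0.5 GET /api/company/lookup?id=42"]
    + [f"{100 + 0.5 * i} 198.51.100.7 GET /api/company/lookup?id=1" for i in range(6)]
    + [f"{200 + 5 * i}.0 203.0.113.9 GET /api/company/lookup?id={i}" for i in range(30)]
)

if __name__ == "__main__":
    for ip, reason, value in detect(SAMPLE_LOGS):
        print(f"ALERT {ip}: {reason} ({value})")
```

The two thresholds are deliberately independent: the cost budget catches the attacker who sends few requests but chooses them well, and the distinct-id limit catches the scraper who sends requests slowly enough that no per-second rate limit would ever fire. In a real deployment the cost table would be derived from measured back-end latency per endpoint and the alerts would feed a blocking or challenge decision rather than a print statement.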
Looking forward, how do you envision the future of API security?
All data will be connected via APIs. We need to make sure that there is standard security for all APIs. It cannot be the case that 87% of global web traffic runs on APIs with no security standards in place. If you think that because of privacy issues, people will stop using APIs, you’re wrong. The trend of people working from home will continue for many years, with companies letting people work from home and shutting down offices. The rules are changing, and the data continues to flow. We need to have standard security for all of it.