Application programming interfaces (APIs) have become indispensable to the modern enterprise. They're the glue that allows organizations to connect their partners and customers — and the go-to tool that empowers developers to produce innovative applications quickly and efficiently.
However, APIs have also provided threat actors with a new attack surface, and that has significant consequences for managing software supply chain risk. The latest API security report, The API Security Disconnect 2023, released by Noname Security in September, found that API attacks were escalating, with nearly eight in 10 organizations (78%) having experienced a security incident in the last 12 months. More than half of incidents (51%) resulted in the loss of customer goodwill and accounts.
APIs are an essential component of the software supply chain, which means that securing APIs is critical in hardening software supply chains from attack, said Joey Stanford, head of global security and privacy at Platform.sh.
"APIs are becoming more important and influential in supply chain security, as they enable data sharing, integration, and automation across different systems, partners, and processes. However, APIs also introduce new challenges and risks, such as unauthorized access, injection attacks, impersonation attacks, or dependency vulnerabilities."
Here are five reasons why API security is critical to a mature software supply chain security approach, along with the key advances needed to move API security forward.
1. APIs have become essential to the software supply chain
When you develop an API, you typically rely on various third-party packages and libraries. These packages are distributed via package managers and depend on APIs for version control, updates, and distribution. That means a single vulnerability in any of these components can compromise supply chain security, said Scott Gerlach, co-founder and CSO of StackHawk.
"In short, you can't build an API without the supply chain, and you can't use supply chain packages without an API. That's why it's important for organizations to continuously monitor the third-party packages they rely on to build APIs, keep them up to date, and rigorously test them for vulnerabilities like the OWASP Top 10."
2. APIs handle sensitive data that can be used to exploit the supply chain
Data transmitted through an API, if not properly secured with techniques such as cryptography, can be stolen, modified, or removed to interrupt services downstream, said Michael J. Mehlberg, CEO of Dark Sky Technology.
"API data can contain sensitive information such as credit card numbers, personally identifiable information, or even proprietary information and code. If this information’s integrity or confidentiality cannot be guaranteed, services downstream in the software supply chain can be disrupted."
—Michael J. Mehlberg
3. APIs expand the risk landscape for a supply chain
Applications and software are not self-contained entities. APIs allow access to functionality and data that otherwise would not be available to development teams, said Matt Rose, field CISO for ReversingLabs.
"The problem is that you must trust the APIs that you are leveraging but not maintaining, so the software supply chain risk landscape is much larger than just a single self-contained application. Even if your application is free of supply chain risk, the application you are connecting to via API may be compromised with malware."
4. APIs can create authentication and authorization problems
Unauthorized access to an API can be used to compromise a supply chain by allowing an attacker to execute commands, manipulate data, or steal information from the API provider or consumer, Platform.sh's Stanford said. For example, unauthorized access to an API can be used to exfiltrate sensitive data from cloud services, such as credentials, tokens, keys, configuration files, or personal information.
"That's how the Accellion FTA supply chain attack was carried out. The attackers used unauthorized access to the Accellion FTA API to download confidential files from the cloud storage."
Unauthorized access can also be used to bypass the security controls and policies that an API is meant to enforce. That's how a vulnerability in the SolarWinds Serv-U FTP server was exploited, Stanford said: "The attackers used unauthorized access to the Serv-U API to execute commands on the server."
Dark Sky's Mehlberg stressed the downstream effect on the supply chain.
"If the API is used to transmit code that will be run downstream on other platforms or systems in the supply chain, an unauthorized user could compromise downstream systems and software with malicious code."
—Michael J. Mehlberg
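The authorization failure this section describes is usually not a missing login check but a missing check that the authenticated caller is allowed to touch *this* object with *this* permission. The following is an added example, not code from the article or from any of the companies quoted in it: a minimal invoice endpoint written twice, once authenticating only (any valid token can read or redirect any tenant's invoice) and once checking scope and object ownership. The invoice store, the bearer tokens and the tenant names are constructed for illustration.

```python
"""Object-level authorization on an API endpoint: a vulnerable handler next to
its hardened form. Added example: the invoice store, the bearer tokens and the
endpoint names are constructed for illustration, not taken from any product."""
from dataclasses import dataclass


def make_store() -> dict:
    """Constructed sample data: two tenants, one invoice each."""
    return {
        "inv-1001": {"owner": "acme", "amount": 1200, "payee": "acme-supplier"},
        "inv-2002": {"owner": "globex", "amount": 875, "payee": "globex-supplier"},
    }


# Constructed bearer tokens -> (principal, tenant, granted scopes).
TOKENS = {
    "tok-acme-reader": ("alice", "acme", frozenset({"invoices:read"})),
    "tok-acme-writer": ("bob", "acme", frozenset({"invoices:read", "invoices:write"})),
    "tok-globex-reader": ("carol", "globex", frozenset({"invoices:read"})),
}


@dataclass
class Response:
    status: int
    body: dict


def authenticate(headers: dict):
    """Resolve an 'Authorization: Bearer <token>' header to (principal, tenant, scopes),
    or None when the header is absent or the token is unknown."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return TOKENS.get(auth[len("Bearer "):])


# --- Vulnerable: authentication only (OWASP API Top 10 API1, Broken Object Level Authorization)

def get_invoice_vulnerable(store: dict, headers: dict, invoice_id: str) -> Response:
    """Any valid token can read any tenant's invoice: ownership is never checked."""
    if authenticate(headers) is None:
        return Response(401, {"error": "unauthenticated"})
    invoice = store.get(invoice_id)
    if invoice is None:
        return Response(404, {"error": "not found"})
    return Response(200, invoice)


def update_payee_vulnerable(store: dict, headers: dict, invoice_id: str, payee: str) -> Response:
    """Any valid token, even a read-only one, can redirect another tenant's payment."""
    if authenticate(headers) is None:
        return Response(401, {"error": "unauthenticated"})
    invoice = store.get(invoice_id)
    if invoice is None:
        return Response(404, {"error": "not found"})
    invoice["payee"] = payee
    return Response(200, invoice)


# --- Hardened: authenticate, then check scope, then check object ownership

def _authorize(store: dict, headers: dict, invoice_id: str, required_scope: str):
    """Shared policy check. Returns (invoice, None) on success or (None, Response) on denial."""
    identity = authenticate(headers)
    if identity is None:
        return None, Response(401, {"error": "unauthenticated"})
    _principal, tenant, scopes = identity
    if required_scope not in scopes:
        return None, Response(403, {"error": "insufficient scope"})
    invoice = store.get(invoice_id)
    # Answer 404 for both "does not exist" and "belongs to another tenant", so the
    # endpoint cannot be used to enumerate other tenants' invoice IDs.
    if invoice is None or invoice["owner"] != tenant:
        return None, Response(404, {"error": "not found"})
    return invoice, None


def get_invoice_hardened(store: dict, headers: dict, invoice_id: str) -> Response:
    invoice, denial = _authorize(store, headers, invoice_id, "invoices:read")
    return denial or Response(200, invoice)


def update_payee_hardened(store: dict, headers: dict, invoice_id: str, payee: str) -> Response:
    invoice, denial = _authorize(store, headers, invoice_id, "invoices:write")
    if denial:
        return denial
    invoice["payee"] = payee
    return Response(200, invoice)


if __name__ == "__main__":
    globex_reader = {"Authorization": "Bearer tok-globex-reader"}
    store = make_store()
    # Cross-tenant read: the vulnerable handler hands acme's invoice to a globex user.
    print("vulnerable:", get_invoice_vulnerable(store, globex_reader, "inv-1001").status)
    print("hardened:  ", get_invoice_hardened(store, globex_reader, "inv-1001").status)
```

The hardened version puts every check in one helper so a new handler cannot forget one, and it refuses with the same 404 whether the object is missing or merely foreign, which stops the endpoint doubling as an ID oracle. The payee field is the supply chain angle: a writable field that another party's systems act on downstream is exactly what an attacker with a stolen low-privilege token would go after.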
5. API vulnerabilities can mask supply chain attacks
An attacker could leverage one or more vulnerabilities to gain unauthorized access to an API, allowing the integrity or confidentiality of the data received and transmitted through the API to be compromised, Mehlberg said.
"A vulnerability may give the attacker access to the API, as an authorized user or software application would have access. It would allow them to masquerade as a valid endpoint and bypass normal security checks or leverage trust in the API to perform malicious actions."
—Michael J. Mehlberg
However, managing and being aware of increasing numbers of APIs is a daunting task, said Robert Hurlbut, principal application security architect at Aquia.
"The more APIs an organization is not aware they are hosting, the more likely supply chain vulnerabilities will occur through APIs that are unpatched because they're unknown."
ReversingLabs' Rose said rogue APIs are a direct threat to software supply chains.
"If you don't take into account the risks of unknown APIs you are wide open to potential attacks."
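One concrete way to surface the unknown APIs Hurlbut and Rose describe is to compare what the gateway or web server actually served against what the team has documented. The following is an added example, not code from the article or from any vendor quoted in it: it loads a constructed OpenAPI 3 document (JSON form), turns each documented path template into a matcher, and reports every successfully served (method, path) pair from constructed access-log lines that no documented operation covers. The log lines, paths and document are all made up for the demonstration.

```python
"""Find undocumented ("shadow") API endpoints by diffing access logs against an
OpenAPI document. Added example; the spec and the log lines are constructed."""
import json
import re

# Constructed OpenAPI 3 document describing what the team believes it hosts.
OPENAPI_DOC = json.loads("""
{
  "openapi": "3.0.3",
  "info": {"title": "Orders", "version": "1.0"},
  "paths": {
    "/v1/orders": {"get": {}, "post": {}},
    "/v1/orders/{orderId}": {"get": {}, "delete": {}},
    "/v1/health": {"get": {}}
  }
}
""")

# Constructed access-log lines (common log format).
ACCESS_LOG = """\
10.0.0.5 - - [02/Oct/2023:10:01:03 +0000] "GET /v1/orders HTTP/1.1" 200 512
10.0.0.5 - - [02/Oct/2023:10:01:04 +0000] "GET /v1/orders/8813 HTTP/1.1" 200 311
10.0.0.9 - - [02/Oct/2023:10:02:11 +0000] "PUT /v1/orders/8813 HTTP/1.1" 200 311
10.0.0.9 - - [02/Oct/2023:10:02:40 +0000] "GET /v1/orders/8813/export?format=csv HTTP/1.1" 200 9021
198.51.100.7 - - [02/Oct/2023:10:03:02 +0000] "POST /internal/debug/exec HTTP/1.1" 200 77
10.0.0.5 - - [02/Oct/2023:10:03:30 +0000] "GET /v1/health HTTP/1.1" 200 2
10.0.0.5 - - [02/Oct/2023:10:04:01 +0000] "GET /v1/orders/nonexistent HTTP/1.1" 404 40
"""

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def documented_operations(doc: dict) -> list:
    """Return (METHOD, compiled regex, template) for every operation in the spec.
    A {param} segment in a path template matches exactly one path segment."""
    ops = []
    for template, item in doc.get("paths", {}).items():
        parts = []
        for seg in template.strip("/").split("/"):
            is_param = seg.startswith("{") and seg.endswith("}")
            parts.append(r"[^/]+" if is_param else re.escape(seg))
        pattern = re.compile("^/" + "/".join(parts) + "$")
        for method in item:
            if method.lower() in HTTP_METHODS:
                ops.append((method.upper(), pattern, template))
    return ops


def find_undocumented(doc: dict, log_text: str) -> set:
    """(METHOD, path) pairs that were served with a non-error status but match
    no documented operation. Error responses are ignored: a 404 for an unknown
    path is not evidence that an endpoint exists there."""
    ops = documented_operations(doc)
    undocumented = set()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or int(m.group("status")) >= 400:
            continue
        method = m.group("method")
        path = m.group("target").split("?", 1)[0]  # drop the query string
        if not any(method == op_method and pat.match(path) for op_method, pat, _ in ops):
            undocumented.add((method, path))
    return undocumented


if __name__ == "__main__":
    for method, path in sorted(find_undocumented(OPENAPI_DOC, ACCESS_LOG)):
        print(f"undocumented: {method} {path}")
```

Three kinds of gap fall out of the constructed data: a documented path reached with an undocumented method (PUT on an order), a sub-resource nobody wrote down (the CSV export), and a path outside the documented tree entirely (the debug endpoint). Each is a candidate for an inventory entry, a removal, or an incident, and none would appear in a review that starts from the specification alone.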
The problem can be aggravated in mobile apps, said Krishna Vishnubhotla, vice president of product strategy at Zimperium. "Due to the attack surface that the mobile app client exposes, securing APIs is insufficient."
"API security solutions primarily target the pipe that transmits data but overlook vulnerabilities inside mobile applications. Mobile apps are vulnerable to reverse engineering, which allows threat actors to see APIs and exfiltrate API keys. Due to the fact that a mobile device can easily spoof an identity, API security measures can be easily bypassed."
Better standards, more tools are coming
The latest version of OpenAPI, the specification for describing HTTP APIs, gives developers some security guidance. Platform.sh's Stanford said security is an important aspect of API design and implementation, "and the OpenAPI specification provides several options and features to describe and enforce security for HTTP APIs."
"However, the security provisions in the OpenAPI specification are not exhaustive or prescriptive, and they depend on the choices and implementations of the API developers and consumers. The OpenAPI specification is a useful tool for documenting and communicating API security, but it is not a substitute for proper security design and testing."
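Stanford's point is that OpenAPI lets you state which operations require which security scheme, but the statement is only as good as the checks built around it. The following is an added example, not code from the article or from the OpenAPI project: a small lint over a constructed OpenAPI 3 document that applies the specification's own rule for effective security requirements (an operation-level `security` list replaces the global one, and an empty list means explicitly anonymous) and flags operations with no requirement, explicitly anonymous operations, references to schemes that are not defined under `components.securitySchemes`, and `apiKey` schemes that put the key in the query string. The document and its gaps are constructed for the demonstration.

```python
"""Lint the security requirements declared in an OpenAPI 3 document.
Added example; the document below is constructed with deliberate gaps."""
import json

SPEC = json.loads("""
{
  "openapi": "3.0.3",
  "info": {"title": "Build artifacts", "version": "2.1"},
  "components": {
    "securitySchemes": {
      "bearer": {"type": "http", "scheme": "bearer", "bearerFormat": "JWT"},
      "legacyKey": {"type": "apiKey", "in": "query", "name": "api_key"}
    }
  },
  "security": [{"bearer": []}],
  "paths": {
    "/artifacts": {
      "get": {"summary": "List artifacts"},
      "post": {"summary": "Upload artifact", "security": [{"bearer": ["artifacts:write"]}]}
    },
    "/artifacts/{id}/download": {
      "get": {"summary": "Download", "security": [{"legacyKey": []}]}
    },
    "/health": {
      "get": {"summary": "Liveness", "security": []}
    },
    "/admin/rebuild": {
      "post": {"summary": "Trigger rebuild", "security": [{"adminToken": []}]}
    }
  }
}
""")

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}


def effective_security(doc: dict, operation: dict):
    """OpenAPI rule: a `security` list on the operation replaces the document-level
    one; `[]` means the operation is explicitly anonymous. Returns None when
    neither level declares anything."""
    if "security" in operation:
        return operation["security"]
    return doc.get("security")


def lint_security(doc: dict) -> list:
    """Return (\"METHOD /path\", message) findings for every operation whose
    declared security is missing, anonymous, undefined, or weak."""
    findings = []
    schemes = doc.get("components", {}).get("securitySchemes", {})
    for path, item in doc.get("paths", {}).items():
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS:
                continue  # skip path-level keys such as "parameters"
            where = f"{method.upper()} {path}"
            requirement = effective_security(doc, op)
            if requirement is None:
                findings.append((where, "no security requirement declared (neither global nor on the operation)"))
                continue
            if requirement == []:
                findings.append((where, "explicitly anonymous (security: [])"))
                continue
            # Each list entry is an alternative; each key in it names a scheme that must be satisfied.
            for alternative in requirement:
                for name in alternative:
                    scheme = schemes.get(name)
                    if scheme is None:
                        findings.append((where, f"references undefined securityScheme '{name}'"))
                    elif scheme.get("type") == "apiKey" and scheme.get("in") == "query":
                        findings.append((where, f"scheme '{name}' carries the API key in the query string"))
    return findings


if __name__ == "__main__":
    for where, message in lint_security(SPEC):
        print(f"{where}: {message}")
```

On the constructed document the lint passes the two `/artifacts` operations (one inherits the global bearer requirement, one restates it with a scope), and reports the download endpoint's query-string key, the anonymous health check, and the rebuild trigger that names a scheme the document never defines. The last finding is the instructive one for the article's argument: the document reads as if the endpoint is protected, yet nothing enforces it. The lint verifies the promise, not the behaviour; a test suite should still send an unauthenticated request to every operation that claims a requirement and expect a 401 or 403.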
Stanford said he foresees several areas where API security needs to advance to keep up with the growing risk of supply chain attacks:
- More standards and best practices for API security. As APIs become more ubiquitous and complex, there will be a need for more industry standards and best practices to guide API developers and consumers on how to design, implement, test, and monitor APIs securely.
- More tools and solutions for API security. As APIs become more diverse and dynamic, there will be a need for more tools and solutions to help API developers and consumers protect, manage, and optimize their APIs.
- More innovation and collaboration for API security. As APIs become more critical and valuable for business processes and outcomes, there will be a need for more innovation and collaboration to leverage the potential of APIs for supply chain security.
As APIs become more essential for connecting modern software systems and enabling innovation, they also expose a weak link in your organization's supply chain security that needs to be identified and secured.
"If you are just looking for risk in the supply chain for the applications you are either consuming or creating, you are not taking into account the risks that APIs introduce."