Grounded in the Cloud

Cloud Security Threats - Insecure APIs

SimonLeech

This is the third blog in a series of 5 looking at some specific cloud security threats identified by the Cloud Security Alliance, available to download here. The other articles in the series can be accessed by searching the blog for the tag cloudsecthreats.

This blog will look at the challenges around insecure interfaces, and specifically Application Programming Interfaces (APIs), in the cloud. In many cloud systems, these APIs are the only assets outside of the trusted organizational boundary that carry a public IP address, so they are very likely to be the first port of call for many attackers attempting to breach an organization.

APIs are used by cloud service providers and software developers to allow customers to interact with, manage, and extract information from cloud services. APIs could be used, for example, to gather logs from an application, to provide integration with databases and storage components, or to control specific cloud resources. APIs are also often the way that a mobile application interacts with a website or back-end services, and can provide the ability to authenticate users as well as to query information.

However, it is very important that the APIs have been designed with security in mind and take into consideration adequate authentication and access control methods, together with encryption technologies, to make sure that information isn’t leaked. A recent example of a breach that happened due to an insecure API took place at Moonpig, an online greeting card vendor. A mobile application, using static authentication, allowed attackers to gather customer information by simply trying all customer IDs sequentially.

So why are APIs a security challenge in the cloud? As mentioned above, they are the public front door to your application, and by default need to be accessible externally. Companies following a security by design approach to application development will hopefully understand the security requirements around publishing APIs, and will take appropriate steps to ensure sufficient authentication, authorization, and encryption are built in, as well as making sure the code itself doesn’t contain any obvious vulnerabilities. But unfortunately too many organizations have not yet embraced secure coding methodologies, and release code to production that is not adequately hardened.
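To make the Moonpig pattern concrete, here is an added example (not code from the original post or from Moonpig) contrasting an API that authenticates only the application with a static secret against one that authenticates the user and checks that the user owns the requested record. All customer records, secrets and session tokens are constructed sample data.

```python
"""Insecure vs. hardened customer-lookup API handler (constructed example).
The insecure handler trusts a static app secret and then returns any record
by sequential ID; the hardened one binds the call to an authenticated user,
enforces object-level authorization and counts denied distinct IDs so that
ID enumeration can be spotted in logs."""
from collections import defaultdict
import hmac

# Constructed sample back end: customer records keyed by sequential ID.
CUSTOMERS = {
    1001: {"name": "Alice", "email": "alice@example.test"},
    1002: {"name": "Bob", "email": "bob@example.test"},
}

# Insecure design: one static credential embedded in every copy of the app.
STATIC_APP_SECRET = "app-secret-embedded-in-client"  # constructed

# Hardened design: per-user session tokens issued after login (constructed).
SESSIONS = {"tok-alice": 1001, "tok-bob": 1002}


def get_customer_insecure(app_secret: str, customer_id: int):
    """Authenticates the application, not the user: anyone holding the
    shared secret can walk customer IDs 1001, 1002, ... and read them all."""
    if not hmac.compare_digest(app_secret, STATIC_APP_SECRET):
        return None
    return CUSTOMERS.get(customer_id)


class SecureCustomerApi:
    """Hardened handler: user authentication plus object-level authorization,
    with a simple detection counter of distinct denied IDs per principal."""

    def __init__(self):
        self.denied_ids = defaultdict(set)

    def get_customer(self, session_token: str, customer_id: int):
        subject = SESSIONS.get(session_token)   # who is the caller?
        if subject is None:
            return {"status": 401}               # not authenticated
        if subject != customer_id:              # caller may only read own record
            self.denied_ids[subject].add(customer_id)
            return {"status": 403}
        return {"status": 200, "data": CUSTOMERS[customer_id]}

    def enumeration_suspects(self, threshold: int = 3):
        """Principals whose denied requests span many distinct IDs, the
        signal a sequential-ID walk like Moonpig's would leave behind."""
        return [s for s, ids in self.denied_ids.items() if len(ids) >= threshold]
```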

Luckily, there are a couple of steps that can be taken to at least get a better understanding of the risks in software development, but an important first step is to educate the developers to think about security when they are writing code: involve security during the initial product requirements planning, introduce code analysis as a gate process before code is compiled, and perform regular application testing in the production environment.

There are a bunch of good resources out there, including software maturity models such as BSIMM and OpenSAMM, a good white paper from the SANS institute on the state of application security, open source tools such as Syntribos from the OpenStack project, as well as tools within the HPE Fortify portfolio.

About the Author

SimonLeech

Simon Leech is a Certified Information Systems Security Professional with a specialisation in Security Architecture (CISSP-ISSAP), Certified Information Security Manager (CISM), Certified in Risk and Information Systems Control (CRISC), Certified in Cloud Security Knowledge (CCSK) and Chief Technologist Security within the Hewlett Packard Enterprise EMEA Hybrid IT Team. Within Hewlett Packard Enterprise, Mr Leech is responsible for influencing and evangelising the security strategy of the Hybrid IT team. Simon is active on Twitter as @DigitalHeMan.
