In early May, fitness company Peloton said its customers' account data had been exposed on the Internet. Anyone could pull user account data from Peloton's servers, even for users who had set their account to private. The cause was an API endpoint that accepted unauthenticated requests.

APIs give machines a simple way to talk to other machines, and their use has grown explosively in recent years. According to an Akamai survey, API interactions already account for 83% of all Internet traffic.

APIs have also led to many security issues. Besides Peloton, companies that have had API security incidents include Equifax, Instagram, Facebook, Amazon, and PayPal.

API use, and attacks on APIs, are both increasing

According to a report released in February, 91% of companies had an API-related security issue last year. The most common were vulnerabilities (54%), followed by authentication problems (46%), bot and automation threats (20%), and DoS attacks (19%).

80% of organizations do not believe their security tools can effectively prevent API attacks. Salt Security found that two-thirds of companies have slowed the rollout of new applications because of API security concerns. Among Salt Security's customers, even though every company had deployed a WAF and API gateways, they still experienced several API attacks every month, meaning the attacks bypassed those tools. In fact, according to Salt's research, WAFs and API gateways miss 90% of the OWASP API Security Top 10 threats.

Yet more than a quarter of organizations run API-based critical applications without a security strategy. Take Peloton as an example: at first its API allowed anyone to access data without authentication. Tim Mackey, Chief Security Officer of the Synopsys Security Research Center, said: "Peloton's first step in protecting its API was to require authentication, but that still means other users can access other users' information regardless of their privacy settings. That information includes the user's age, gender, avatar, and some activity data."

APIs that leak data are not rare. According to the Salt Security report, 82% of organizations do not know whether their APIs expose personally identifiable information, protected health information, cardholder data, or other sensitive data. At the same time, 22% of organizations say they have no way to find which APIs expose sensitive data.

Roshan Piyush, security research engineer at Traceable, believes that Peloton's problem was its use of an unauthenticated API, which produced a broken object level authorization issue. Other companies that have had the same problem include Panera, Fiserv, LifeLock and Kay Jewelers, and the list keeps growing. Roshan believes that authentication and authorization protections tend to be neglected during development.
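As an added illustration (not code from the article, Peloton or Traceable), the following Python sketch shows the object-level authorization failure described above beside a hardened lookup. The users, field names and the privacy flag are constructed for the example.

```python
# Added example (not code from the article or from Peloton): a minimal
# profile-lookup service showing the broken object level authorization
# pattern described in the text, beside a hardened version. All users,
# field names and the "private" flag are constructed for illustration.
from dataclasses import dataclass, field

@dataclass
class User:
    user_id: int
    age: int
    gender: str
    avatar_url: str
    workouts: list = field(default_factory=list)
    private: bool = False          # the user's "Privacy" profile setting

# Constructed sample data.
USERS = {
    1: User(1, 34, "F", "https://cdn.example/a1.png", ["run 5k"], private=True),
    2: User(2, 41, "M", "https://cdn.example/a2.png", ["ride 20k"], private=False),
}

PUBLIC_FIELDS = ("user_id", "avatar_url")   # safe to show to any logged-in user
FULL_FIELDS = PUBLIC_FIELDS + ("age", "gender", "workouts")

def _project(user, fields):
    return {f: getattr(user, f) for f in fields}

def get_profile_vulnerable(target_id, requester_id=None):
    """No authentication and no object-level check: anyone who can guess
    a user_id gets the full record, and the privacy setting is ignored."""
    user = USERS.get(target_id)
    return _project(user, FULL_FIELDS) if user else None

def get_profile_hardened(target_id, requester_id):
    """Requires an authenticated requester, then applies an object-level
    authorization decision: the owner sees everything, other users see a
    minimal projection, and a private profile is invisible to them
    (404 rather than 403, so its existence is not confirmed either)."""
    if requester_id is None or requester_id not in USERS:
        return {"error": "unauthenticated"}, 401
    user = USERS.get(target_id)
    if user is None:
        return {"error": "not found"}, 404
    if requester_id == target_id:
        return _project(user, FULL_FIELDS), 200
    if user.private:
        return {"error": "not found"}, 404
    return _project(user, PUBLIC_FIELDS), 200
```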

One bank's API growth story

Jeff, security technology manager at a mid-sized financial institution, said their API use has grown rapidly in the past few months. Today the APIs connect more than 3,000 endpoints, including internal enterprise applications, business partners' systems, and customer-facing websites and mobile apps.

And this is just the beginning. Jeff said: "We are now in year two of a five-year plan, and the next three years will accelerate further. We got a new CISO 16 months ago, and he has a strong API development background, so this was inevitable."

Jeff said they are still getting ready: "We have to be on the right road. We are now eliminating all of our deployed data centers and moving to web service providers, using APIs to connect everything."

Jeff said the API calls go to four main URLs, each with different services and different parameters, which forms a layer of protection. Jeff said: "Because of the risk of APIs, we deliberately obfuscate some of our API endpoint names to make lateral attacks or sniffing harder to carry out." Over the past six months the institution has also consolidated multiple API gateways into a single main gateway.

The company's API gateway is Apigee, which Google acquired in 2016.

Some companies worry about putting all developers behind a gateway, for example about production bottlenecks, single points of failure, or DDoS attacks. But Jeff believes his organization does not have this problem: "Our developers favor using the API gateway. The solution is delivered as SaaS and spans multiple locations, so it gives developers a better access experience and lower latency. Because SaaS scales automatically, it is not like a traditional API gateway." For example, one API was expected to handle more than 100 million calls, but processed 200 million in its first two weeks online, and users felt no delay or performance degradation. The production environment now handles 2 billion API calls every month, up from only 80 million two years ago.

For authentication, the company's mobile and web applications used older Java technology. Jeff said they are moving all of them, via a software development kit, to an API-based authentication environment; this is now a key part of their work and is coordinated across multiple departments.

The new solution has changed how the company defends against credential-based attacks. For external partners, the company is pushing a zero trust model for API calls. Jeff said: "Although we want to speed this up, some partners are not ready."

For consumers coming through the website or mobile app there is some session persistence, so consumers do not have to authenticate repeatedly. But Jeff said: "Our zero trust model means we do not allow any session to have persistence, or any form of cookie-maintained state. Users need to authenticate every time. I use a basic concept: secure, convenient, fast. You can achieve two of them, but not all three."

For APIs inside the company's security perimeter there is a different approach. "When the API is internal, we tend to use lighter-weight, non-zero-trust schemes," Jeff said. "We use IP security, destination-address-based traffic controls, service accounts, and increasingly Active Directory."

Behavioral analysis is also used to monitor suspicious internal and external behavior and to automatically filter out obviously malicious traffic. "You separate the wheat from the chaff at the front door, which lets us focus more on the 'good' calls we see. Behavioral analysis is itself about real-world interaction behavior. We use IP reputation, behavior analysis, and user and account profiling," Jeff said. "If a user has deposited $200 every Friday and now deposits $800 every Wednesday, we start watching that behavior. This is not just about protecting our own assets; it also ensures we can proactively report potential money laundering and human trafficking."
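To make the account-profiling idea concrete, here is an added Python example (not code from the article or the bank Jeff describes) that builds a per-account deposit baseline and scores a new deposit against it, using Jeff's $200-every-Friday scenario. The transaction history and the thresholds are constructed assumptions, not the bank's rules.

```python
# Added example (not code from the article or the bank it describes):
# a small per-account behavioural baseline of the kind Jeff describes,
# flagging a deposit whose amount and timing both depart from the
# account's established pattern. Transactions are constructed samples.
from collections import Counter
from datetime import date
from statistics import median

# Constructed history: (account, ISO date, deposit amount in dollars).
HISTORY = [
    ("acct-17", "2021-04-02", 200), ("acct-17", "2021-04-09", 200),
    ("acct-17", "2021-04-16", 210), ("acct-17", "2021-04-23", 200),
    ("acct-17", "2021-04-30", 195), ("acct-17", "2021-05-07", 200),
]

def build_profile(history, account, min_events=5):
    """Summarise an account's deposits: typical amount and usual weekday.
    Returns None when there is too little history to judge against."""
    rows = [(date.fromisoformat(d), amt) for a, d, amt in history if a == account]
    if len(rows) < min_events:
        return None
    weekdays = Counter(d.weekday() for d, _ in rows)   # Monday == 0, Friday == 4
    usual_day, day_hits = weekdays.most_common(1)[0]
    return {
        "median_amount": median(amt for _, amt in rows),
        "usual_weekday": usual_day,
        "weekday_consistency": day_hits / len(rows),
    }

def score_deposit(profile, iso_date, amount, amount_factor=3.0):
    """Return the reasons a deposit looks anomalous (empty list == normal).
    The factor and consistency cut-off are illustrative assumptions."""
    if profile is None:
        return ["insufficient_history"]
    reasons = []
    if amount >= profile["median_amount"] * amount_factor:
        reasons.append("amount_spike")
    d = date.fromisoformat(iso_date)
    if (profile["weekday_consistency"] >= 0.8
            and d.weekday() != profile["usual_weekday"]):
        reasons.append("unusual_weekday")
    return reasons
```

A real deployment would feed the reasons into a review queue rather than block the transaction, in line with the watch-first approach Jeff describes.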

With automation, the company reduced the number of events reaching its SOC and security incident response team by 35%. To get there, the NOC and CSIRT teams have used the Salt Security solution for more than a year, with traffic integrated from the Apigee API gateway.

"The solution sees all traffic reaching our top-level APIs, then learns from it, giving us information on potential attackers and recommendations for improving code."

Other teams also use the platform, including the anti-fraud, development, and security architecture teams. Jeff said it has also let them accelerate the API migration.

Bot attacks on APIs

API traffic is increasing, but malicious API traffic is growing faster. Monthly API call traffic across Salt Security's customers rose 51%, while malicious traffic rose 211%.

Akamai's analysis of a month of API data from corporate customers in financial services, retail, media, and entertainment found 744 billion API calls; 12% came from known malicious sources, and 25% did not come from web browsers, mobile devices, or endpoint clients, meaning that traffic may also have come from malicious actors rather than normal users.

Rishi Pande, a cybersecurity director at EY, said traditional front-end applications such as websites and mobile apps have some defensive capabilities against attacks, which can block DDoS, credential stuffing, and other automated attacks. "Your front end may be protected, but if the API gateway is not, there will be problems soon," Pande said. The field is evolving very quickly; some vendors offer protection for these technologies, but in reality the tools are not fully ready.

Credential stuffing did not begin with APIs. But according to Jason Kent, attack and defense expert at Cequence Security, API attacks are increasing because they are more anonymous and APIs are not as well protected as mobile apps or websites. Kent found a design flaw in a garage door company's API and successfully opened the garage door. He said: "With standard website security, there is extra code on the client side to tell whether it is a person or a machine. In API use we abandon that completely. We can launch the fastest attacks you can imagine." Kent believes API security today is where web security was in 2009. He cracked the garage door API by examining its mobile app. "An app downloaded from the app store is just a bunch of folders and files once unpacked," he said. "It contains the full list of API endpoints it communicates with."

Once an attacker has the mobile app and understands how it interacts, they can send requests through the same API channel. Kent believes AI and machine learning can defend against such attacks, because requests from bots and requests from the legitimate app look different.

Shifting left

Postman's 2020 API report surveyed 13,500 developers and found that only 36% of companies do security testing on their APIs, compared with 70% doing functional testing and 67% doing integration testing. According to SmartBear's 2020 API report, usability is developers' top consideration for an API, followed by functionality; security is only third.

Part of the reason is that development teams tend to be separated from the network and architecture teams. "The solution to this problem is DevSecOps," said Albert Whale, senior cybersecurity manager at Capgemini North America. "We can now integrate testing and then hand that testing capability to the application developers' control. We can make everyone a member of the security team."

Whale believes building a more secure application from the start is far more important than trying to protect it with API gateways. "I treat the API gateway as a single point of failure," he said. "It slows the application down because it has to collect all the information. That is not to say API gateways are terrible, but they are like WAFs in function; beyond the cases where you need them, sometimes they need to be restricted."

Whale said companies should pay more attention to better architecture, security and API calls: "Enterprises will spend longer implementing these, but an application with better code is what is really needed. When your application can withstand attack on its own, clearly you don't need additional layers to provide more security."

Mike Rothman, analyst and general manager of a cybersecurity research firm, also agreed that developers are paying increasing attention to security. "We see DevSecOps getting more people working together," he said. "Does it always happen? No. But we are trying to break down a lot of entrenched thinking and communication barriers and get teams cooperating."

Rothman said there are many hidden dangers in API security. The first is business logic. "I can't tell you that we are handling this key area of application security correctly." When a monolithic application is split into many small services connected by APIs, the number of requests exposed to logic abuse grows greatly. The application may work as intended, the authentication mechanism may be perfect, and the application itself may have no vulnerabilities, but a flaw in the programming logic can still produce a leak.

Then there is a series of vulnerabilities that need attention. The OWASP API Security Top 10 released in 2019 has not changed in two years. Rothman said: "We keep repeating the same mistakes. So we need to protect the environment at multiple layers, with traditional network technology as well as traditional application security technology."

Finally, companies also need to pay attention to tooling, automation, scanning technology, and telemetry monitoring, because there will never be enough people to monitor APIs manually. "We need to weigh our resources, and people are obviously not enough," Rothman said. "By monitoring how APIs are called, you can find abnormal behavior that may be malicious use."

Warehouse company gains API security visibility

Developers today can very easily stand up a web service and set up an API. But with every new technology, security always lags behind.

Even if all developers are equipped with proper security controls, old systems may still exist. These outdated zombie APIs are a big risk, because the APIs should have been short-lived but were never shut down.

"You can't protect what you don't know about," said Tyler Warren, director of security at warehouse company Prologis. "Looking at existing API solutions, you have to know what you have in order to protect it. This is not a trivial task, because our first priority was to find out what we had."

As the person in charge of Prologis's API security program, he said the company began developing a customer-facing system four years ago. "We have approximately 1 billion square feet of space, about 5,000 warehouses in 19 countries," he said. "When people hear you are a warehouse company, they say: 'What do you have to do with high tech?' But management's decision was that technology drives the business; it is not a cost center."

So Prologis began to change. Four years ago, the warehouse mindset was: "Here are your four walls and a roof. Here are your keys. Come see us in a few years when you want to renew."

Now there is the cloud-based Prologis Essentials platform, which lets customers submit service orders or check receipts; more importantly, when someone moves into a new warehouse they can contact local suppliers for pest control, forklifts, lighting, and other products and services.

Since this was a new service with no previous system to build on, Prologis started with a cloud-based serverless architecture. "We skipped containers entirely," Warren said. "We are almost completely serverless, mainly using Amazon and its Lambda service."

Prologis Essentials uses AWS API Gateway, with 15 APIs serving 500 endpoints, covering internal connections and external partners. Last month the system handled 529,000 API requests.

But Warren found AWS did not provide much information about API behavior. "AWS itself won't give you that information," Warren said. "We tried some earlier approaches, but a WAF couldn't achieve this. A WAF gives you a little protection, but that's all it is."

Warren was looking for technology that is easy to deploy and won't burden the development team. "If you get the relationship right, it comes," he said. "If you are the kind of security person who likes to say 'no', developers will avoid you. So the solution has to fit their workflow and not give them extra work."

Prologis also chose Salt Security. They originally planned a full launch in 2021, but ended up starting in 2020. "The API attack surface is getting more and more attention," Warren said. "The bad guys have discovered a lot of attacks."

Salt Security took about a month to embed its solution into the Essentials system. "Most of the work was testing," Warren said, "and at the same time making sure developers agreed the changes would not affect performance."

The Salt Security tool sits in the AWS environment, captures traffic, logs, and metadata from the API gateway, and sends them to Salt's SaaS dashboard for alerts and reports. "I started out guessing we had 100 API endpoints," Warren said, "but it turned out we had 500. Generally I think I understand what's happening on the network, but I obviously missed a lot. It's a common problem in the industry; people always miss a few." The system went live last fall. It can be connected to the WAF for automated blocking, but for now it sends reports for security staff to read. "What I don't want to do is block legitimate traffic," Warren said.

The system also checks for potential leaks of personal information. For example, Warren got an alert that AWS private keys might be leaking, although it turned out to be a false positive. Warren explained: "We have some account numbers that look like AWS private keys, but that is just a coincidence."

The system also found that some APIs returned more information than necessary. "Although the combination of email address and account number is not necessarily sensitive," Warren said, "I want it to be 'if it's not absolutely necessary, don't do it'." That is a principle every API-using enterprise should follow.
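The two findings Warren describes, a key-like value that is really an account number and a field that the API never needed to return, can be checked offline against captured responses. The Python below is an added example, not code from the article, Prologis or Salt Security; the endpoint contract, the sample response and the key-shaped account number are constructed, and the only real fact used is the documented AWS access key ID format (20 characters beginning with "AKIA").

```python
# Added example (not code from the article, Prologis or Salt Security):
# an offline audit of a captured API response for two findings, a field
# outside the endpoint's declared contract (excess data) and a value that
# looks like an AWS access key ID. Contract, response and the key-shaped
# account number are constructed for illustration.
import json
import re

# Declared response contracts: the only fields each endpoint should return.
CONTRACTS = {
    "GET /v1/orders/{id}": {"order_id", "status", "account_number"},
}

# AWS access key IDs are 20 characters starting with "AKIA" (documented format).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}
# Fields whose values are known business identifiers: a pattern hit there is
# downgraded to "review" instead of "alert", so an analyst can confirm the
# kind of coincidence Warren describes instead of blocking traffic.
KNOWN_IDENTIFIER_FIELDS = {"account_number"}

def audit_response(endpoint, body_json):
    """Return findings as (severity, kind, field) tuples for one response."""
    body = json.loads(body_json)
    findings = []
    allowed = CONTRACTS.get(endpoint)
    if allowed is not None:
        for f in sorted(set(body) - allowed):
            findings.append(("alert", "undeclared_field", f))
    for f, value in body.items():
        if not isinstance(value, str):
            continue
        for kind, pat in SECRET_PATTERNS.items():
            if pat.search(value):
                sev = "review" if f in KNOWN_IDENTIFIER_FIELDS else "alert"
                findings.append((sev, kind, f))
    return findings

# Constructed sample capture: the handler returns an email the contract never
# declared, and an account number that happens to look like a key ID.
SAMPLE = json.dumps({
    "order_id": 5150, "status": "shipped",
    "account_number": "AKIAQ7Z2M4K9P1R6T3W8",
    "contact_email": "tenant@example.com",
})
```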

As application interfaces multiply, API risk will inevitably grow and attackers will exploit API vulnerabilities more often, so API security will naturally draw more attention. This year's ISC innovation unicorn sandbox contest reflects this: the champion was a company dedicated to API security. API security is clearly one of the focus areas vendors have begun to pay attention to.