The proliferation of cloud services in recent years has ushered in an unprecedented demand for integration, but the failure to secure the application programming interfaces (APIs) that allow web programs to communicate may be putting applications and data at risk. A recent study from researchers at the University of Texas and Stanford University examined a number of high-profile services and found that the APIs they offered for third-party developer use contained extensive vulnerabilities, Dark Reading reported. To address these issues, developers need to build more security practices into the coding process, experts said.
The research, which was presented at the 19th ACM Conference on Computer and Communications Security, found that applications such as PayPal’s payment service and the Chase mobile banking service have flaws in their implementation of the secure sockets layer (SSL) protocol, which can allow attackers to access some customer data through the API. According to the researchers, poor design is at the root of many of these vulnerabilities. Christopher Barber, a threat analyst with Solutionary’s Security Engineering Research Team (SERT), agreed with this assessment, explaining that developers need to adopt greater attention to detail and better coding practices.
“The implementation is not really on the level that we need it to be – it’s very spotty,” he told Dark Reading. “In software development, you have a deadline for certain functionality, and security always takes a backseat.”
APIs open applications up to a much greater risk of attack than is present even in the standard web environment, K. Scott Morrison, chief technology officer for web security company Layer 7, told Dark Reading. The hacker-like attitude common among web developers needs to be replaced with more standardized controls, he said. Tools such as source code analysis can help vendors catch errors automatically and eliminate many of the API security flaws that arise from inconsistent coding approaches.
Strengthening development practices around APIs
In addition to the Texas/Stanford paper, a number of other recent studies have looked at the vulnerabilities arising from unsecured APIs and have addressed how this problem might be handled. An April 2012 paper from Microsoft Research identified a number of exploits related to single sign-on (SSO) services, one common API-reliant application type. The report noted that the protocols offered by many SSO services generally serve only as loose guidelines. As a result, reliant parties tend to use individualized methods of integrating the APIs, SDKs and sample code they are provided with.
The researchers recommended both a more consistent approach to integration – through the use of templates provided to web developers – and more in-depth security analysis of the SSO system. They noted that “a desired tool should direct the analyst to grasp key details of the system” and recommended performing analysis in an iterative fashion, since the complexity of such systems makes it difficult to carry out comprehensive automatic testing.
Such practices can be extrapolated to a variety of services with APIs. The Texas and Stanford researchers recommended that developers make the proper-use guidelines for their APIs and SSL libraries more explicit, and that cloud services perform regular black-box testing to gauge how they hold up in the face of an actual attack.
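The SSL flaws described above and the call for explicit usage guidelines for SSL libraries both come down to a small number of client-side settings that integrators tend to get wrong. The following is an added example, not code from the article or from any of the studies it cites. It assumes Python's standard ssl module and shows a weak client context (certificate and hostname verification switched off, the pattern that lets an attacker in the middle read API traffic) beside a hardened one, plus an audit function a team could run over the contexts its own code builds to enforce such a guideline:

```python
import ssl


def audit_client_context(ctx: ssl.SSLContext) -> list[str]:
    """Return a list of weaknesses found in a client-side SSLContext.

    An empty list means the context verifies the server certificate chain,
    matches the certificate against the hostname, and refuses pre-1.2 TLS.
    """
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("certificate is not matched against the hostname (check_hostname is False)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol floor is below TLS 1.2 (minimum_version)")
    return findings


def weak_context() -> ssl.SSLContext:
    """The 'just make it connect' configuration: no chain or hostname check.

    Constructed here to illustrate the flaw class; it is not taken from any
    product named in the article.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE  # accepts any certificate, including an attacker's
    return ctx


def hardened_context() -> ssl.SSLContext:
    """The configuration a usage guideline should mandate for API clients."""
    ctx = ssl.create_default_context()  # system CAs, CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # set explicitly; older Pythons default lower
    return ctx


if __name__ == "__main__":
    for name, ctx in (("weak", weak_context()), ("hardened", hardened_context())):
        print(name, audit_client_context(ctx) or "no findings")
```

The audit deliberately checks the context object rather than the source text that built it, so it also catches contexts that were weakened at runtime by a helper library; wrapping it in a unit test that runs against every context factory in the code base turns the "explicit guideline" into something a build can fail on.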
According to a 2005 paper by Stanford researchers Benjamin Livshits and Monica S. Lam, one effective method of preventing attacks that take advantage of APIs, such as SQL injection, is static analysis. Their report showed that a properly configured static analysis program could find vulnerabilities matching the conditions of such problems. In addition to catching faulty APIs, the approach can also help identify other unvalidated input and injection issues.
“These vulnerabilities stem from unchecked input, which is widely recognized as the most common source of security vulnerabilities in Web applications,” they wrote. “We propose a static analysis approach based on a scalable and precise points-to analysis.”
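To make concrete what "unchecked input" detection by static analysis looks like, here is an added example, written for this page and not taken from the Livshits and Lam paper or from any Klocwork product. It is a deliberately small taint analysis over Python source: values read from an assumed web framework's `request.args`, `request.form`, `request.cookies` and `request.headers` are treated as untrusted sources, calls to `execute`/`executemany` are treated as SQL sinks, `int()` is treated as a sanitiser, and taint is propagated through assignments, concatenation, f-strings and `.format()`. The `SAMPLE` code it analyses is constructed for the example. The real paper works on Java bytecode with a whole-program points-to analysis; this version is intra-procedural and straight-line only, which is enough to show the source-to-sink idea.

```python
import ast

# Assumed framework conventions (constructed for this example): attributes of a
# `request` object that carry client-controlled data, and cursor methods that run SQL.
SOURCE_ATTRS = {"args", "form", "cookies", "headers"}
SINK_METHODS = {"execute", "executemany"}
SANITIZERS = {"int"}  # converting to int cannot yield SQL syntax


class TaintAnalyzer(ast.NodeVisitor):
    """Flags SQL sinks whose statement argument is derived from untrusted input."""

    def __init__(self) -> None:
        self.tainted: set[str] = set()   # variable names currently holding untrusted data
        self.findings: list[int] = []    # line numbers of tainted sink calls

    def is_tainted(self, node: ast.AST) -> bool:
        if isinstance(node, ast.Name):
            return node.id in self.tainted
        if isinstance(node, ast.Attribute):
            if (isinstance(node.value, ast.Name) and node.value.id == "request"
                    and node.attr in SOURCE_ATTRS):
                return True                      # request.args etc. is a source
            return self.is_tainted(node.value)   # attribute of a tainted object
        if isinstance(node, ast.Subscript):
            return self.is_tainted(node.value)   # request.form['name'], data[0], ...
        if isinstance(node, ast.Call):
            if isinstance(node.func, ast.Name) and node.func.id in SANITIZERS:
                return False                     # int(x) strips the taint
            # request.args.get("id"), "...".format(x), or any call fed tainted data
            return self.is_tainted(node.func) or any(self.is_tainted(a) for a in node.args)
        if isinstance(node, ast.BinOp):          # "SELECT ..." + uid
            return self.is_tainted(node.left) or self.is_tainted(node.right)
        if isinstance(node, ast.JoinedStr):      # f"SELECT ... {uid}"
            return any(self.is_tainted(v.value) for v in node.values
                       if isinstance(v, ast.FormattedValue))
        return False

    def visit_Assign(self, node: ast.Assign) -> None:
        # Straight-line propagation: a variable is tainted after an assignment
        # from tainted data and clean after an assignment from clean data.
        for target in node.targets:
            if isinstance(target, ast.Name):
                if self.is_tainted(node.value):
                    self.tainted.add(target.id)
                else:
                    self.tainted.discard(target.id)
        self.generic_visit(node)

    def visit_AugAssign(self, node: ast.AugAssign) -> None:
        if isinstance(node.target, ast.Name) and self.is_tainted(node.value):
            self.tainted.add(node.target.id)    # query += uid
        self.generic_visit(node)

    def visit_Call(self, node: ast.Call) -> None:
        # A sink is only unsafe when the *statement* (first argument) is tainted;
        # tainted data passed as bound parameters is handled by the driver.
        if (isinstance(node.func, ast.Attribute) and node.func.attr in SINK_METHODS
                and node.args and self.is_tainted(node.args[0])):
            self.findings.append(node.lineno)
        self.generic_visit(node)


def find_injections(source: str) -> list[int]:
    """Return sorted line numbers where untrusted data reaches a SQL sink."""
    analyzer = TaintAnalyzer()
    analyzer.visit(ast.parse(source))
    return sorted(analyzer.findings)


# Constructed input for the analysis; the line-number comments are for the reader.
SAMPLE = """\
def lookup(request, cursor):
    uid = request.args.get("id")                                                # line 2: source
    cursor.execute("SELECT * FROM users WHERE id = " + uid)                     # line 3: injection
    cursor.execute(f"SELECT * FROM users WHERE name = {request.form['name']}")  # line 4: injection
    cursor.execute("SELECT * FROM users WHERE id = %s", (uid,))                 # line 5: parameterised
    safe = int(uid)                                                             # line 6: sanitised
    cursor.execute("SELECT * FROM users WHERE id = " + str(safe))               # line 7: clean
"""

if __name__ == "__main__":
    print("tainted sink calls on lines:", find_injections(SAMPLE))
```

Lines 3 and 4 are reported; line 5 is not, because the untrusted value travels as a bound parameter rather than as part of the statement text, which is exactly the distinction the paper's source/sink/sanitiser model is built to express. A production analyzer adds what this one lacks: inter-procedural flow (taint entering through function parameters and return values), a points-to model for aliases and containers, and branch-sensitive handling of conditionals and loops.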
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.