Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats //

Vulnerability Management

4/3/2014
06:00 AM
Ravi Ithal
Ravi Ithal
Commentary
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

API-First: 3 Steps For Building Secure Cloud Apps

When it comes to protecting data traveling to and from the cloud, today's choices are daunting. Here are three steps for making the application programming interface your new best friend.

What’s the best way to secure traffic to the cloud? It’s a question I get asked regularly by CEOs and technical founders of cloud startups. A typical observation: "First it was TCP. Then HTTP became the new TCP. Now APIs are the new HTTP." 

To be sure, today’s choices are confusing when it comes to security, cloud, and application programming interfaces (APIs). But, at the risk of making cloud security even more complicated,  I’d argue that the most secure way to manage traffic to the cloud is to take an "API-first" approach when building a new app. 

If you think about it, this is a pretty straightforward concept. Any interaction between a datacenter component (or any component for that matter) can be thought of as an API -- a web server talking to a database server, a web server's REST APIs talking to an API a client is using, or even a DNS protocol talking to the authoritative DNS server you’re hosting. 

From a security angle, pretty much any attack must happen over APIs, whether you’re talking about a database server compromised by a SQL injection attack, or a web server breached through a crafted REST request, or a DNS server DDoS'd by a concerted attack using the DNS protocol. If you don't know what those paths to interaction are, you will either underestimate or overestimate the threat. If you underestimate, you are wide open for an attack, and if you overestimate, you will just add more complexity to your security infrastructure, which can be both risky and costly.

To address this dilemma, I suggest three steps:

Step No. 1: Minimize the number of API end-points. This step will make securing end-points tractable in the long run. You will first need to identify and tabulate each API. Sometimes you can "normalize" end-points, which achieves the same goal of reducing them. For example, if a farm of web servers exposes the same REST API, you know they can all be secured the same way. Or, if a web server is exposed in REST API end-points that support the GET method, it’s easy to use a custom web application firewall to make sure that a POST call never gets through. In fact, whenever I hear a developer say, "That’s easy. We’ll just expose another API," the hair on the back of my neck starts to stand up!

It’s also important to keep in mind the security consequences of the end-points you’re exposing. Work closely with your network architect to make sure they’re indeed protectable. For example, using a syslog port to get data from a customer is a big no-no because, practically speaking, if you expose port 53 to the Internet, it is (practically) impossible to authenticate a sender. 

Step No. 2:  Isolate components with clearly defined APIs between them. Why is this important? Once APIs are defined, the threat surface is easier to define and protect. You could even go so far as to isolate at the network or OS level. This means separating VMs or containers to make sure all resources are isolated, VLANs to make sure other hosts are not discoverable, and firewall filters to make sure only expected traffic flows between hosts. And now for your "do not try this at home disclaimer:" Attempt the latter two only if you really know what you’re doing, as they can quickly become an operational nightmare.

Step No. 3: Come up with a security strategy at the application level first. Then, for each exposed API end-point, add network security infrastructure as needed. At one extreme, you can choose just to protect the Internet-facing APIs, which allows ease of ongoing operations. At the other, choose to isolate all components and protect all APIs. This allows resiliency of the security infrastructure; if one server is compromised, the attacker cannot immediately get access to all of the other hosts. S/he has to find another vulnerability in one of the exposed APIs before taking over another connected server. 

I’m not saying this approach is foolproof, but it certainly would require more than a credit card and Internet connection to get the number of zero-day vulnerabilities needed to break in and carry out the attack unnoticed. While the latter (protecting all APIs) is preferred, it's not very practical in many scenarios as it can create operational headaches as well as impact the scalability of the security infrastructure itself. 

The hardest part of all of this will be to come up with scaling strategies for the protection mechanisms themselves. But it’s the lesser of two evils and a much more manageable problem than having to repurpose existing infrastructure.

Now it’s your turn. What would you add to this list for protecting APIs? And what are your favorite strategies for scaling security?

Ravi Ithal helped build the world's first app- and user-aware next-generation firewall at Palo Alto Networks. He has held several key roles at Juniper Networks and Cisco Systems. View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
4/7/2014 | 12:51:21 PM
Re: "API-first" -- how prevalent, how difficult?
If a team can overcome the obstacles, they can enjoy lower TCO (less equipment, fewer personnel for operations) and a much more pleasant workday (which all my NOC/SOC friends will appreciate).


That sounds like a "BIG IF," Ravi and Jason. Are there are any trends that you see that are pushing NOC/SOCs in that direction? Is it driven primarly by cloud adoption?
JasonSachowski
50%
50%
JasonSachowski,
User Rank: Author
4/4/2014 | 2:55:17 PM
Re: "API-first" -- how prevalent, how difficult?
There is definitely an advantage in focusing security controls at the application level first.  This goes back to the hard question of when will we determine that all network, and for that matter all devices, should be treated as hostile? 

Focusing on data-centric security models is a great way to reduce our attack-surface and be in a better position to protect critical assets.
RaviIthal
50%
50%
RaviIthal,
User Rank: Apprentice
4/3/2014 | 8:37:59 PM
Re: "API-first" -- how prevalent, how difficult?
Traditionally, securing networks has been either a brute-force approach or an afterthought. Newer cloud infrastructure as a service vendors are thinking along the API lines mentioned in the post. In practice, network security admins tend to err on the side of caution and end up deploying more big iron than necessary.

The practicality of API-first approach to network security boils down to how complex the APIs are. The more complex the APIs and interactions, the less likely it'll payoff to analyze. This Complexity is one of the biggest obstacles and hence the need to minimize APIs.

If a team can overcome the obstacles, they can enjoy lower TCO (less equipment, fewer personnel for operations) and a much more pleasant workday (which all my NOC/SOC friends will appreciate).
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
4/3/2014 | 3:14:23 PM
"API-first" -- how prevalent, how difficult?
"API-first" is an interesting approach, Ravi. But how prevalent a strategy is it and how difficult and practial is it to implement. What d you think are the biggest obstacles and what are the biggest gains?
Where Businesses Waste Endpoint Security Budgets
Kelly Sheridan, Staff Editor, Dark Reading,  7/15/2019
US Mayors Commit to Just Saying No to Ransomware
Robert Lemos, Contributing Writer,  7/16/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-17210
PUBLISHED: 2019-07-20
An issue was discovered in PrinterOn Central Print Services (CPS) through 4.1.4. The core components that create and launch a print job do not perform complete verification of the session cookie that is supplied to them. As a result, an attacker with guest/pseudo-guest level permissions can bypass t...
CVE-2019-12934
PUBLISHED: 2019-07-20
An issue was discovered in the wp-code-highlightjs plugin through 0.6.2 for WordPress. wp-admin/options-general.php?page=wp-code-highlight-js allows CSRF, as demonstrated by an XSS payload in the hljs_additional_css parameter.
CVE-2019-9229
PUBLISHED: 2019-07-20
An issue was discovered on AudioCodes Mediant 500L-MSBR, 500-MBSR, M800B-MSBR and 800C-MSBR devices with firmware versions F7.20A to F7.20A.251. An internal interface exposed to the link-local address 169.254.254.253 allows attackers in the local network to access multiple quagga VTYs. Attackers can...
CVE-2019-12815
PUBLISHED: 2019-07-19
An arbitrary file copy vulnerability in mod_copy in ProFTPD up to 1.3.5b allows for remote code execution and information disclosure without authentication, a related issue to CVE-2015-3306.
CVE-2019-13569
PUBLISHED: 2019-07-19
A SQL injection vulnerability exists in the Icegram Email Subscribers & Newsletters plugin through 4.1.7 for WordPress. Successful exploitation of this vulnerability would allow a remote attacker to execute arbitrary SQL commands on the affected system.