Vulnerabilities in Production APIs and Open Source Security
What are APIs and Why Do They Matter?
“API” stands for Application Programming Interface. An Application Programming Interface is a set of related functions or named entry points into software used by programmers to allow software applications to issue specific calls to communicate with an operating system1.
Of an uninterrupted nature, APIs are seamless services that link different services together using a set of definitions and protocols. As one could imagine, the use of APIs has increased significantly. According to Salt Security, the number of API calls increased by 82% year-over-year in 2022 connecting people to more services than ever before2. Salt Security customer data shows the average number of APIs per customer grew 82% over last year, up from 89% in July 2021 to more than 162% in July 2022.
During the same period and taken as a whole, API traffic per customer grew 168%, indicating that API usage is also exponentially growing. This been said, the amount of malicious traffic over APIs skyrocketed 121% year-over-year during the course of the above-mentioned period. This brought the malevolent traffic to 2.1% of all API traffic for Salt Security customers, thereby signifying that cyberattack activities continue to keep pace with this dramatic expansion in API usage. With malicious API traffic outpacing the increase of all API traffic, there is an evolving need for organizations to invest in cybersecurity tools that prevent production APIs from calling malicious sources while maintaining the availability of core services.
 Robinson, Michael (2004) : Dictionnaire de technologie numérique : anglais-français, français-anglais = Dictionary of Digital Technology : English-French, French-English, Paris, Ellipses, 809 p.
What is Open Source Security and Why Does it Matter?
Commonly referred to as Software Composition Analysis (SCA), Open Source Security is a methodology providing users better visibility into the Open Source inventory of their applications3. This is achieved by examining components via binary fingerprints, utilizing professionally curated and proprietary research, matching accurate scans against that proprietary intelligence as well as demonstrating and verifying for software developers that proprietary intelligence inside their favourite tools. Furthermore, Open Source Security refers to the measure of assurance or guarantee in the freedom from danger and risk inherent to an Open Source Software system4.
What is Open Source Software and Why Does It Matter?
Open Source Software (OSS) is a decentralized development model that distributes source code publicly for open collaboration and peer production known as the “open source way”5. Open Source Software is software that is freely usable, modifiable, and distributable. Open Source Software relies on an online community of users who are loyal and engaged to the brand to provide customer service and troubleshooting benefits. Open Source Software is inherently community driven and requires the expertise and contribution of staff within the Open Source Initiative environment. As a California public benefit nonprofit corporation founded in 1998 with 501(c)3 tax-exempt status, and as the steward of the Open Source Definition, the Open Source Initiative (OSI) refers to the collection of rules that define Open Source Software6.
Produced by the Open Source Initiative (OSI), the Open Source Definition is a document that is published to determine whether a software license can be labelled with the Open Source certification mark7.
Despite the possibility of vulnerabilities being created by the contributions of numerous different people, Open Source Software can be very secure. Cyber-attackers may take advantage of these flaws to break into systems or steal confidential information. The multiple users of Open Source Software should be aware of updates and promptly apply them to address any known vulnerabilities. Additionally, it is a good idea to employ security tools to check Open Source Software for weaknesses and to adhere to secure coding best practices while creating such Open Source Software.
What Can be Done to Secure Open Source Software?
Open Source Software Developers can adhere to a variety of secured and recommended practices to provide assistance to users and guarantee that the code they conceive is protected and safe. Some of the most important practices include among others:
Validating user input can help to prevent cyber-attackers from injecting malicious code into your application.
Encoding output can help to prevent cross-site scripting (XSS) cyberattacks, in which a cyber-attacker injects malicious code into your application that is executed by the user’s browser.
Implementing strong authentication mechanisms, such as multi-factor authentication, can help to prevent unauthorized access to your application.
Carefully controlling what actions users are allowed to perform can help to prevent unauthorized access to sensitive data or functions.
Protecting data in transit
Using encryption to protect data as it is transmitted between systems can help to prevent eavesdropping or tampering.
Protecting data at rest
Encrypting data that is stored on disks or other removable media can help to prevent unauthorized access to sensitive data.
Securing coding practices
Following secure coding practices, such as avoiding the use of hard-coded passwords and avoiding the use of vulnerable libraries, can help to prevent vulnerabilities from being introduced into your code.
Testing for vulnerabilities
Regularly testing your code for weaknesses can help to identify and fix problems before they are exploited by cyber-attackers.
Who Can Help?
Vulnerability identification and management can be tedious and challenging in the realm of Open Source technologies due to the dependency on community contributions. As a result, it is difficult to find qualified and experienced professionals to provide assistance. There are also additional challenges besides the changing cybersecurity and development landscapes. Even though there are many well-reputed tools in the market with drastically varying price points, it is judicious for cybersecurity leaders to perform due diligence to endorse which is the best tool suitable for their respective organizations.
Organizations should strive to seek guidance from their penetration testing partners to recommend tools that are adequate with their budgets and requirements. Specifically, application penetration testers are skillful at identifying and exploiting vulnerabilities using common toolsets. Moreover, application penetration testers can deliver valuable insights about Open Source SDKs and code frameworks for Software Development Kits to rapidly identify vulnerabilities
De plus, les testeurs de pénétration des applications peuvent fournir des informations précieuses sur les SDK Open Source et les cadres de code pour les trousses de développement logiciel afin de déceler rapidement les vulnérabilités.
Resources Available in the Market
Fortunately, there are excellent resources available for organizations to learn about software development secure practices. Frameworks such as NIST Secure Software Development, OWASP or the Mitre Att&ck Framework are excellent starting points to educate software developers about adversary methodologies. Thanks to that knowledge, individuals developing applications can put into practice those considerations to their usage of Open Source libraries and SDKs.
There are several useful tools in the market with a wide range of prices. This is why it is critical for cybersecurity managers to administer due diligence in order to validate which of the tools is the most appropriate for their organizations. Some of them include:
OWASP Zed Attack Proxy (ZAP)
This is a free and open-source security tool that can be used to test web applications for vulnerabilities. It can be used to identify and exploit vulnerabilities such as cross-site scripting and SQL injection.
It is an SSL-capable man-in-the-middle proxy for HTTP. It provides a console interface that allows traffic flows to be inspected and edited on the fly. It also features mitmdump, a commandline tool that provides a tcpdump-like interface for saving, viewing and manipulating HTTP traffic.
This is a tool that can be employed to automatically identify and fix vulnerabilities in Open Source dependencies. It can also be operated to keep Open Source dependencies up-to-date and secure.
This Canadian product delivers a broader range of functionality, including license checks, remediation guidance, OSS governance and policy enforcement.It provides a software supply chain protection with a full-featured, developer-oriented SCA. The platform has a complete DevOps coverage from coding, building to deployment and run-time.
Food for Thoughts
As with anything in the realm of cybersecurity, it is ultimately up to organizations to define their risk tolerance and adhere to best practices that fit their vision. It is critical for leaders to conduct risk assessments and determine the correct approach that is right sized for their organizations.
As it will be increasingly difficult to avoid using API-enabled services or Open Source tools, it is therefore critical to plan for rapid growth in this sector. Wherever possible, organizations should strive to get guidance from experienced external parties to ensure that subject matter expertise is considered throughout strategic cybersecurity processes.