Application Programming Interface (API) Security in Cloud Applications
Keywords: Cloud API, Cybersecurity, Zero Trust, Cloud Security, API Security, Cloud/API Security
Many cloud services are exposed through an API gateway, which lets them be offered to users via API platforms such as Platform as a Service (PaaS), Software as a Service (SaaS), Infrastructure as a Service (IaaS) and cross-platform APIs. Developers design APIs for functionality and speed and write only a small portion of the code themselves; that portion is visible to them and can be secured. The code that comes from third-party software or libraries has no such visibility, which leaves it insecure. APIs are the most vulnerable points of attack, and many users are not aware of their insecurity. This paper reviews API security in cloud applications, discusses API vulnerabilities in detail, and surveys the existing security tools available to mitigate API attacks. The author's study showed that most users are unaware of API insecurity, that organizations lack the resources and training to educate users about APIs, and that organizations depend on the overall security of the network instead of the security of standalone APIs.
Copyright (c) 2023 Farhan Qazi
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
This is an open access article distributed under the terms of the CC BY-NC-SA 4.0, which permits copying, redistributing, remixing, transformation, and building upon the material in any medium so long as the original work is properly cited.