Why Web App Defense and API Security Go Hand in Hand

May 24, 2024

Securing web applications is getting more challenging as threats become more complex and aggressive. Today, these efforts involve far more than fending off viruses and other malware. There are numerous cyber attacks to deal with, including brute force attacks, credential stuffing, SQL injection, and Application Programming Interface (API) attacks.

Threats aimed at the APIs of web applications are particularly alarming because these problems are relatively new, so many organizations are not adequately informed or equipped to address them. One recent survey of cybersecurity leaders shows that 95% of organizations encounter API security problems, while 84% do not have advanced API security solutions in place.

The increased reliance of organizations on APIs has brought increased risk of API problems. Unfortunately, organizations are not doing enough in response to this serious security concern. Despite the common knowledge that breaches cost more than building defenses against them, it appears many organizations are still downplaying the API security problem.

The Web App and API Connection

Because they’re accessed through users’ browsers, web apps do not require users to install client software or an app on their devices. APIs, meanwhile, are sets of protocols and rules that enable different apps to communicate. APIs provide the specifics or definitions of how data or requests are transmitted between apps.

In this context, APIs come into play when the data generated and stored by web apps is accessed by other systems. For example, a mobile news aggregation app that syndicates content from a news outlet’s web app might require an API to source the content in an interoperable, reusable, and abstracted manner.

This relationship between web apps and APIs creates a dynamic that attracts the attention of threat actors. It can result in attack surfaces that provide opportunities for hackers to compromise the web app that supplies the content or the app that receives the content. It allows attackers to launch various forms of attacks that can result in data theft, denial of service, or the spread of malware.

To tackle this challenge, the WAAP cybersecurity approach, which stands for web application and API protection, was created. WAAP addresses the attacks that target web apps and APIs holistically, by integrating defenses that include bot mitigation, DDoS filtering, API protection, and Web Application Firewalls (WAF). Often, WAAP includes additional components to optimize network connections and app performance, since the addition of security layers tends to cause performance degradation when left unaddressed.

Shared Web App and API Responsibility

It is usually the owner of the web application that supports the interaction of its app with other apps via APIs. For example, a digital payment solution might release an API to allow ecommerce apps to interact with its service to facilitate checkout. Hence, the responsibility for ensuring the security of the web app and the API generally lies with the same organization. It only makes sense to address their security jointly and coherently.

Organizations that don’t want to take API security seriously are probably better off not releasing an API in the first place. APIs can be the keys hackers need to breach the defenses of an otherwise formidably defended app. An online bank’s API can become a backdoor if it is poorly secured – for example, if it fails to properly require authentication. The API may not validate tokens correctly, or it might skip multi-factor authentication, allowing threat actors to access accounts without meeting all the prerequisites.
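To make the "does not validate tokens correctly" failure concrete, here is an added illustration (not code from the article or from any named product): a weak API token check that only confirms the token parses, beside a strict check that verifies the HMAC signature, expiry, and an MFA claim. The token format, the `amr` claim name, and the secret are all constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo secret; a real service would load this from a secret store.
SECRET = b"constructed-demo-signing-secret"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, secret: bytes = SECRET) -> str:
    """Mint a 'payload.signature' token (constructed format, not a real standard)."""
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = _b64url(hmac.new(secret, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{sig}"


def weak_validate(token: str) -> Optional[dict]:
    """The backdoor pattern: the API 'validates' a token by parsing it only.
    The signature is never checked, so a forged token is accepted."""
    try:
        payload, _unchecked_sig = token.split(".")
        return json.loads(_b64url_decode(payload))
    except (ValueError, json.JSONDecodeError):
        return None


def strict_validate(token: str, secret: bytes = SECRET,
                    now: Optional[float] = None) -> Optional[dict]:
    """Accept a token only if its signature, expiry, and MFA claim all hold."""
    now = time.time() if now is None else now
    try:
        payload, sig = token.split(".")
        expected = hmac.new(secret, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_b64url_decode(sig), expected):
            return None  # forged or tampered token
        claims = json.loads(_b64url_decode(payload))
    except (ValueError, json.JSONDecodeError):
        return None
    if claims.get("exp", 0) <= now:
        return None  # expired token
    if "mfa" not in claims.get("amr", []):
        return None  # session never completed multi-factor authentication
    return claims
```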

APIs are also responsible internally for the constant exchange of data between web applications and backend services. They enable interoperation between web apps and apps or backend services that would otherwise have no means of communication. Security vulnerabilities in them expose not only the web apps but also the multitude of apps that connect to those web apps.

There are no specific laws or regulations that require APIs to conform to a list of rules or standards. However, there are plenty of existing regulations on data privacy and security that apply to how data is handled in APIs. Regulations such as the EU GDPR should be taken into account to ensure user security and avoid legal entanglements.

The Burden of Interlinked Security

While relatively uncommon, it is possible for APIs to be developed by a third party. There are many “unofficial APIs” available online – many of them hosted on GitHub. These APIs, which are not officially provided or sanctioned by the original web app creator, are typically limited in their functions, but they do work. Also, so-called “proxy APIs” might operate between the official API and the end users to create a new experience or add new functions.

How can web app defense and API security be unified in cases where the two do not come from the same organization? Must they be treated separately? Indeed, it would be difficult for a web app owner to be responsible for an unofficial or unsanctioned API. However, it is still important to address such a scenario with the security of end users in mind. Cyber attacks enabled by third-party APIs can also damage the main web app’s reputation.

Notably, there are cases when API defects do not appear serious. The vulnerabilities may allow threat actors to abuse legitimate API functionality for malicious purposes. For example, they might be able to discover or infer sensitive customer information from partly concealed but still publicly available data, such as customer and seller IDs and contact details.

As such, it is necessary to view the security of web apps and APIs as one, even in cases where APIs are not officially sanctioned. In the example above, upon discovering the vulnerability, the logical response is to make sure that the web app thoroughly scrambles or conceals data that may be discovered or reconstructed by relentless threat actors.

Web App and API Security Go Together

Web app and API security are connected, because APIs provide data access to web apps as they operate. Also, they are usually created by the same organization. In cases where the APIs are developed by third parties, it is also important to be mindful of the security of these unsanctioned or unofficial APIs, because their security issues can also impact the web apps they connect to and, ultimately, the users of those web apps.