In a partnership with mobile security company Approov, Alissa Valentina Knight tested 30 mobile health apps to highlight threats to health care companies and their customers through vulnerabilities in application programming interfaces (APIs). The findings were published in the report “All That We Let In”.
Knight, a cybersecurity marketing consultant, found that 100% of the apps she tested had API endpoints susceptible to Broken Object Level Authorization (BOLA) attacks: the client requests an object by its identifier and the server returns it without checking that the caller is actually authorized for that particular object, so changing the identifier is enough to read someone else's data. The OWASP API Security Top 10 lists BOLA as the number one security risk for APIs.
With that unauthorized access to full patient records, Knight was able to view protected health information (PHI) including lab results, X-rays, blood work, and allergy reports. She could also access personally identifiable information (PII) including home addresses, family member data, birthdates, and Social Security numbers.
API Attacks on the Increase
APIs have become a foundational technology playing a crucial role in powering modern, microservices-based application architectures to develop robust and scalable enterprise applications. APIs connect partner and customer ecosystems and have helped increase the value of under-utilized data.
API attacks are on a steep rise. Gartner predicts that “By 2022, API abuses will move from an infrequent to the most-frequent attack vector, resulting in data breaches for enterprise web applications.”
Attacks such as BOLA, Broken Function Level Authorization (BFLA), and Mass Assignment do not rely on malformed input. Each request is a well-formed, authenticated call that the API was built to accept; what is wrong is only the pairing of caller and object, or caller and function. Signature- and pattern-based defenses such as a traditional web application firewall therefore have nothing to match on and, in many such cases, cannot tell the attack from ordinary business traffic, which leaves attackers free to walk through data at will. Enterprises need an application security approach that understands API context.
With the global pandemic, the use of health care APIs is increasing. They let medical professionals and patients share data remotely and, when built correctly, safely. But this expanding attack surface is also drawing the attention of criminals: PII and PHI fetch far more in dark web markets than credit card data.
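The three flaws named above, shown in a toy patient-records API with each vulnerable handler beside its hardened form. This is an added example written for this article, not code from the report or from any app it tested; the store, user names, roles, record IDs and the OWASP 2019 numbering in the comments (API1 BOLA, API5 BFLA, API6 Mass Assignment) are the only things it relies on, and the data is constructed.

```python
"""Added example (not code from the report or any tested app): a toy
patient-records API showing BOLA, BFLA and mass assignment, each beside
its hardened form. Users, roles and record IDs are constructed."""
from copy import deepcopy


class NotFound(Exception):
    """Raised for both a missing object and an object the caller may not
    see, so the response does not confirm which record IDs exist."""


def sample_store() -> dict:
    """Constructed data: two patients, one clinician, two PHI records."""
    return deepcopy({
        "users": {"alice": "patient", "bob": "patient", "dr_chen": "clinician"},
        "records": {
            1001: {"owner": "alice", "labs": "A1c 5.4%", "phone": "555-0100"},
            1002: {"owner": "bob", "labs": "A1c 7.9%", "phone": "555-0101"},
        },
    })


# BOLA (API1:2019): the record ID comes straight from the URL and nothing
# ties it to the caller, so any authenticated user can read any patient.
def get_record_vulnerable(store, caller, record_id):
    return store["records"][record_id]


# Hardened: every object access checks the caller's relationship to the
# object. Ownership or a clinician role is the authorization rule here.
def get_record(store, caller, record_id):
    record = store["records"].get(record_id)
    role = store["users"].get(caller)
    if record is None or (record["owner"] != caller and role != "clinician"):
        raise NotFound(record_id)
    return record


# BFLA (API5:2019): a privileged function exposed behind authentication
# only. Deleting a chart is a clinician action; the hardened form checks
# the role before doing anything.
def delete_record_vulnerable(store, caller, record_id):
    return store["records"].pop(record_id, None) is not None


def delete_record(store, caller, record_id):
    if store["users"].get(caller) != "clinician":
        raise NotFound(record_id)
    return store["records"].pop(record_id, None) is not None


# Mass assignment (API6:2019): binding the whole request body onto the
# object lets the caller write fields that were never meant to be
# client-controlled, such as "owner". The hardened form allow-lists the
# writable fields and runs the object-level check first.
PATIENT_WRITABLE = {"phone"}


def update_record_vulnerable(store, caller, record_id, body):
    store["records"][record_id].update(body)
    return store["records"][record_id]


def update_record(store, caller, record_id, body):
    record = get_record(store, caller, record_id)  # object-level check first
    rejected = set(body) - PATIENT_WRITABLE
    if rejected:
        raise ValueError(f"not writable: {sorted(rejected)}")
    record.update(body)
    return record


def denied(fn, *args):
    """True if fn refuses the call (NotFound or ValueError)."""
    try:
        fn(*args)
    except (NotFound, ValueError):
        return True
    return False


if __name__ == "__main__":
    s = sample_store()
    print(get_record_vulnerable(s, "alice", 1002))  # alice reads bob's chart
    print(denied(get_record, s, "alice", 1002))     # hardened handler refuses
    update_record_vulnerable(s, "alice", 1001, {"owner": "mallory"})
    print(s["records"][1001]["owner"])              # ownership silently changed
```

Note that the hardened handlers return the same error for "does not exist" and "not yours"; a distinct 403 for the second case tells an attacker which IDs are live and turns the endpoint into an enumeration oracle.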
As Knight says in her report: “Simply put, it’s a lot easier for a bank to send you a new card because it’s been compromised or refund any fraudulent charges, but it’s a lot harder for someone to send you a new identity or invalidate what was your past medical history that is now for sale on the dark web.”
How To Protect Your APIs
Because of these growing threats, API security has become a major concern for enterprises. The application security industry has responded with new guidance such as the OWASP API Security Top 10, and with API-focused security products.
Awareness of the vulnerabilities specific to APIs is the starting point for securing your applications. Identifying where sensitive information enters your APIs and tracing where it flows also needs to become simpler, because that data is subject to differing laws and regulations around the world.
As Gartner experts recommend:
- Discover your APIs before attackers discover them.
- Use a combination of API management and web application firewalls to protect APIs, in conjunction with identity infrastructure.
- Adopt a continuous approach to API security.
- Use a distributed enforcement model to protect APIs across your entire architecture, not just at the perimeter.
Identifying API attacks requires contextual analysis of APIs and their usage patterns. Modern security solutions build a baseline of user behavior, roles, and access patterns for each API, so that a request which is syntactically normal but out of line with that baseline (a patient account reading dozens of other patients' records within a minute, for example) can be flagged. That protects against modern API attacks like BOLA as well as the traditional ones.
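What such a behavioral check looks like in practice, as an added example written for this article (it is not Traceable's detection logic): every request in the log below is well-formed and returns 200, so a signature-based WAF would pass all of them, and the only signal is how many distinct patient objects one caller touches inside a window, compared with a per-role baseline. The log lines, user names, role directory, baseline limits and window size are all constructed for the example.

```python
"""Added example (written for this article, not a vendor's detection
logic): flag BOLA-style enumeration from API access logs by comparing
each caller's distinct-object spread against a per-role baseline.
Log lines, users, roles and limits are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample access log (not real traffic). Every line is a
# successful, well-formed request; nothing here trips a signature.
SAMPLE_LOG = """\
2021-02-10T10:00:01Z user=alice GET /api/v1/patients/1001/labs 200
2021-02-10T10:00:05Z user=alice GET /api/v1/patients/1001/allergies 200
2021-02-10T10:01:00Z user=mallory GET /api/v1/patients/1001/labs 200
2021-02-10T10:01:01Z user=mallory GET /api/v1/patients/1002/labs 200
2021-02-10T10:01:02Z user=mallory GET /api/v1/patients/1003/labs 200
2021-02-10T10:01:03Z user=mallory GET /api/v1/patients/1004/labs 200
2021-02-10T10:01:04Z user=mallory GET /api/v1/patients/1005/labs 200
2021-02-10T10:02:00Z user=dr_chen GET /api/v1/patients/1002/labs 200
2021-02-10T10:02:30Z user=dr_chen GET /api/v1/patients/1007/labs 200
"""

# Assumed role directory and baseline: a patient normally reads only
# their own chart; a clinician sees a handful of patients per window.
ROLES = {"alice": "patient", "bob": "patient", "dr_chen": "clinician"}
BASELINE_DISTINCT_OBJECTS = {"patient": 1, "clinician": 25}

LINE_RE = re.compile(r"^(\S+) user=(\S+) (\S+) (\S+) (\d{3})$")
OBJECT_RE = re.compile(r"/patients/(\d+)")


def parse_line(line):
    """Return (ts, user, method, path, status, object_id), or None for a
    line that does not parse or does not address a patient object."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts_raw, user, method, path, status = m.groups()
    obj = OBJECT_RE.search(path)
    if obj is None:
        return None
    ts = datetime.strptime(ts_raw, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, user, method, path, int(status), int(obj.group(1))


def is_sequential(ids, min_run=3):
    """True if the IDs contain a run of at least min_run consecutive
    values, the signature of a caller walking the ID space."""
    ordered = sorted(ids)
    run = 1
    for prev, cur in zip(ordered, ordered[1:]):
        run = run + 1 if cur == prev + 1 else 1
        if run >= min_run:
            return True
    return False


def detect_enumeration(log_text, window_seconds=300, default_role="patient"):
    """Group successful object reads per (user, time bucket) and flag any
    caller who exceeds the distinct-object baseline for their role or who
    is reading sequential IDs. Unknown users get the least-privileged role."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        ts, user, _method, _path, status, object_id = ev
        if status != 200:
            continue  # a refused request returned no PHI
        bucket = int(ts.timestamp()) // window_seconds
        seen[(user, bucket)].add(object_id)

    findings = []
    for (user, bucket), ids in seen.items():
        role = ROLES.get(user, default_role)
        limit = BASELINE_DISTINCT_OBJECTS[role]
        sequential = is_sequential(ids)
        if len(ids) > limit or sequential:
            findings.append({
                "user": user,
                "role": role,
                "distinct_objects": len(ids),
                "baseline_limit": limit,
                "sequential": sequential,
                "window_start": datetime.fromtimestamp(
                    bucket * window_seconds, timezone.utc).isoformat(),
            })
    return findings


if __name__ == "__main__":
    for finding in detect_enumeration(SAMPLE_LOG):
        print(finding)
```

In the constructed log only `mallory` is flagged: a single account reading five consecutive patient IDs in a few seconds is far outside the patient baseline, while the clinician's two reads stay within the allowance for that role. A production baseline would be learned from traffic per endpoint and role rather than hard-coded, but the shape of the check is the same.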
About the Author
Roshan Piyush is a security research engineer at Traceable AI.
To learn more about Traceable AI and how it can help you better protect your applications and APIs, you can watch a recorded demo.