Snapchat’s API Hack Requires a Hard Look at API Security and Lifecycle Practices
Your data is out there. APIs make that data easier to reach, and that cuts both ways: they also make it extremely easy for other people to come after it. Enterprises that do not secure their APIs and lay down well-defined processes around API development put that data at risk. This holiday season brought some marquee security breaches, with Snapchat being the most instructive. The attackers filched only phone numbers and user names, but the incident shows what happens when an API provider neglects core security and governance in the race to be first with innovative functionality and, yes, an eye-popping valuation. Disregard for security, and for mature SDLC and governance processes, is something that comes back to haunt these companies.
In August, the computer security research firm Gibson Security warned Snapchat about vulnerabilities in its API. Snapchat apparently did not heed the warning, and attackers subsequently used the API to look up 4.6 million phone numbers and user names. Snapchat did implement some basic security (SSL for transport and a hashed request token), but not at the level serious security professionals would recommend for such a high-profile service. The request token was derived from a hardcoded shared secret, a simple string constant in the app, so anyone who extracted that constant from the binary could mint valid tokens and talk to the API as if they were the official client. Nor was there anything in the infrastructure to prevent or detect anomalous behavior such as bulk queries for phone numbers and user names originating from a single client or arriving in a very short period. And from the looks of it, there was no governance process to ensure that mobile app development best practices were enforced, tested and deployed uniformly across the entire software development life cycle (SDLC).
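To make the shared-secret problem concrete, here is an added illustration (not Snapchat's code and not code from this page) of the two schemes side by side. Scheme A derives a request token from a secret constant compiled into every copy of the app, so the server can only confirm that some copy of the app produced the token; an attacker who pulls the constant out of the binary mints tokens just as well. Scheme B issues a random secret per client at login, signs each request with an HMAC over the method, path, body, timestamp and nonce, and rejects replays and stale requests. All names, the secret string and the request shapes are hypothetical. Note the caveat: per-client credentials give the server an identity to throttle and revoke, but they do not by themselves stop a legitimately enrolled client from enumerating; that is what the rate limiting discussed later is for.

```python
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Set, Tuple

# --- Scheme A (weak): request token derived from a secret that ships in the app ---
# Hypothetical constant standing in for a secret string embedded in a mobile binary.
APP_SHARED_SECRET = b"static-secret-compiled-into-the-app"


def static_req_token(timestamp: int) -> str:
    """Token = SHA-256(shared secret || timestamp). Every install uses the same secret."""
    return hashlib.sha256(APP_SHARED_SECRET + str(timestamp).encode()).hexdigest()


def server_accepts_static(token: str, timestamp: int) -> bool:
    """Server side of scheme A: it can only check that *some* copy of the app minted the token."""
    return hmac.compare_digest(token, static_req_token(timestamp))


def attacker_mints_static(extracted_secret: bytes, timestamp: int) -> str:
    """Anyone who extracts the constant from the binary can mint a token for any timestamp."""
    return hashlib.sha256(extracted_secret + str(timestamp).encode()).hexdigest()


# --- Scheme B (hardened): per-client secret issued by the server, HMAC over the request ---
def sign_request(secret: bytes, method: str, path: str, body: bytes,
                 timestamp: int, nonce: str) -> str:
    """HMAC-SHA256 over method, path, body, timestamp and nonce, joined with newlines."""
    msg = b"\n".join([method.encode(), path.encode(), body,
                      str(timestamp).encode(), nonce.encode()])
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class AuthServer:
    """Issues one random secret per client and verifies signed requests.

    Replay protection: a timestamp window plus a per-client set of seen nonces.
    """

    def __init__(self, clock: Callable[[], float] = time.time, max_skew_s: int = 300):
        self.clock = clock
        self.max_skew_s = max_skew_s
        self._client_secrets: Dict[str, bytes] = {}
        self._seen_nonces: Set[Tuple[str, str]] = set()

    def issue_credentials(self, client_id: str) -> bytes:
        """Called once at login/registration; the secret never ships in the binary."""
        secret = secrets.token_bytes(32)
        self._client_secrets[client_id] = secret
        return secret

    def revoke(self, client_id: str) -> None:
        """Per-client secrets can be revoked individually; a shared constant cannot."""
        self._client_secrets.pop(client_id, None)

    def verify(self, client_id: str, method: str, path: str, body: bytes,
               timestamp: int, nonce: str, signature: str) -> bool:
        secret = self._client_secrets.get(client_id)
        if secret is None:
            return False  # unknown or revoked client
        if abs(self.clock() - timestamp) > self.max_skew_s:
            return False  # stale or future-dated request
        if (client_id, nonce) in self._seen_nonces:
            return False  # replay of a previously accepted request
        expected = sign_request(secret, method, path, body, timestamp, nonce)
        if not hmac.compare_digest(expected, signature):
            return False  # wrong secret, or body/path/method tampered with
        self._seen_nonces.add((client_id, nonce))
        return True
```

In scheme A the attacker's token is indistinguishable from the app's; in scheme B a signature made with the extracted constant fails, a replayed nonce fails, and a revoked client is cut off without touching anyone else's credentials. A production deployment would expire entries in the nonce set after the skew window and store client secrets in a proper credential store.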
We are living in an age where computing and hacking resources are cheap and readily available to anyone who wants to break into your valuable, or seemingly worthless, data, for reasons noble or otherwise. Attackers can apply the same big data techniques enterprises use to find a needle in a haystack and pull valuable insight out of what looks like harmless data: a list of phone numbers and user names is harmless in isolation and a targeting list once it is joined to other sources.
API Security and Threat Protection
To mitigate API security risks, enterprises can implement an enterprise-grade API Management platform that includes a hardened API Gateway. API Management platforms provide API security, protecting sensitive data while allowing access to authorized apps and users. They provide capabilities like message encryption, OAuth, built-in PKI and key distribution, as well as first and last mile security. Enterprises need not only to secure and encrypt their APIs but also to prevent and isolate messages that contain malware or scripts that could compromise the backend infrastructure. The API Management solution should also provide threat and data protection by detecting and preventing denial of service (DoS) attacks, malformed messages, and excessive XML/JSON depth or breadth, ideally before the message reaches a parser that will happily recurse or allocate on the attacker's behalf. SOA Software has been providing API and SOA security for years to some of the largest institutions in the world and takes pride in facilitating billions of secure transactions every year.
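The depth and breadth check mentioned above is simple enough to show in full. The following is an added example, not code from this page or from any vendor product: a gateway-side prefilter that scans the raw JSON bytes, tracking nesting depth and the element count of each open container (skipping string literals, including escaped quotes, so brackets inside strings are not counted), and rejects the body before any object tree is built. The limits, function names and the sample bodies are hypothetical. It is a prefilter, not a validator: syntactically broken JSON that stays within the limits is still handed to, and rejected by, the real parser.

```python
import json
from typing import Any, List


class JsonLimitError(ValueError):
    """Raised when an untrusted JSON body exceeds a size, depth or breadth limit."""


def check_json_limits(raw: bytes, max_bytes: int = 1_000_000,
                      max_depth: int = 20, max_breadth: int = 1000) -> None:
    """Scan raw JSON text and reject it before any object tree is built.

    Tracks nesting depth and the number of commas (elements - 1) in every
    open container. String literals are skipped, honouring backslash escapes,
    so brackets and commas inside strings do not count.
    """
    if len(raw) > max_bytes:
        raise JsonLimitError(f"body of {len(raw)} bytes exceeds {max_bytes}")
    text = raw.decode("utf-8")            # invalid UTF-8 raises UnicodeDecodeError
    depth = 0
    commas: List[int] = []                # commas seen in each open container
    in_string = False
    escaped = False
    for ch in text:
        if in_string:
            if escaped:
                escaped = False           # the character after a backslash is literal
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
            continue
        if ch == '"':
            in_string = True
        elif ch in "[{":
            depth += 1
            if depth > max_depth:
                raise JsonLimitError(f"nesting depth exceeds {max_depth}")
            commas.append(0)
        elif ch in "]}":
            if not commas:
                raise JsonLimitError("unbalanced closing bracket")
            commas.pop()
            depth -= 1
        elif ch == "," and commas:
            commas[-1] += 1
            if commas[-1] + 1 > max_breadth:   # n commas => n + 1 elements
                raise JsonLimitError(f"container breadth exceeds {max_breadth}")
    if in_string or depth != 0:
        raise JsonLimitError("unterminated string or container")


def within_limits(raw: bytes, **limits: int) -> bool:
    """True if the body passes the limits, False if it is rejected."""
    try:
        check_json_limits(raw, **limits)
        return True
    except JsonLimitError:
        return False


def parse_untrusted(raw: bytes, **limits: int) -> Any:
    """Gateway-side parse: enforce limits on the raw bytes, then hand off to json.loads."""
    check_json_limits(raw, **limits)
    return json.loads(raw)


if __name__ == "__main__":
    # Constructed inputs: a normal body, a 30-deep nesting bomb, a 1001-element array.
    print(within_limits(b'{"a": [1, 2, 3], "s": "[[[["}'))
    print(within_limits(b"[" * 30 + b"]" * 30, max_depth=20))
    print(within_limits(("[" + ",".join(["1"] * 1001) + "]").encode(), max_breadth=1000))
```

The scan is a single pass over the bytes with a small stack, so its cost is bounded by `max_bytes` regardless of what the body contains; that is the property you want in front of a parser whose cost is driven by the attacker's structure. Pick `max_depth` and `max_breadth` from what the API's legitimate schemas actually need, not from what the parser can survive.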
API Rate Limiting
Simple steps like API rate limiting and API monitoring can be taken to prevent callers from bombarding the API. API Licensing mechanisms can throttle the number of approved calls from a specific developer or app. In Snapchat's case, the offending app bulk-queried the API and obtained 4.6 million phone numbers and user names; there were no rate limits on the Snapchat API. Rate limiting should be imposed on all kinds of APIs, public, private and test, since you can never be certain where a hacker will find a hole. A limit on request count alone is not enough when one request can ask about many numbers at once; the limit has to be charged according to the work each call requests. Advanced API Licensing and rate limiting provide granular control keyed on developer, app type, device type, geo-location and other context. API Monitoring can be used to actively watch APIs and alert API administrators when a caller trips those limits.
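As an added example (not code from this page or from any product) of what "granular rate limiting" and "monitoring" amount to in practice, here is a weighted sliding-window limiter that enforces limits on several dimensions of a request at once (per device, per app, per endpoint) and charges each request by the number of phone numbers it asks about, so a single bulk call is accounted the same as the equivalent run of single lookups. Denials are also recorded in an alerts list, standing in for the feed an API monitoring console would surface. The dimension names, limits and the constructed bulk-lookup scenario are hypothetical.

```python
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, List, Optional, Tuple


class RateLimiter:
    """Weighted sliding-window limits enforced on several dimensions at once.

    policies maps a request attribute ("app_id", "device_id", "endpoint", ...)
    to (max_lookups, window_seconds). Each request is charged its `weight`,
    here the number of phone numbers it asks about, so one call carrying
    1,000 numbers costs the same as 1,000 single lookups.
    """

    def __init__(self, policies: Dict[str, Tuple[int, int]],
                 clock: Callable[[], float] = time.time):
        self.policies = policies
        self.clock = clock
        # (dimension, key) -> deque of (timestamp, weight) inside the window
        self._hits: Dict[Tuple[str, str], Deque[Tuple[float, int]]] = defaultdict(deque)
        self.alerts: List[str] = []   # what an API monitoring console would surface

    def _used(self, dim: str, key: str, now: float, window: int) -> int:
        q = self._hits[(dim, key)]
        while q and q[0][0] <= now - window:   # drop hits that fell out of the window
            q.popleft()
        return sum(w for _, w in q)

    def check(self, request: Dict[str, str], weight: int = 1) -> Tuple[bool, Optional[str]]:
        """Return (allowed, reason). The charge is recorded only if every dimension allows it."""
        now = self.clock()
        for dim, (limit, window) in self.policies.items():
            key = request.get(dim)
            if key is None:
                continue                        # request carries no value for this dimension
            if self._used(dim, key, now, window) + weight > limit:
                reason = f"{dim}={key} would exceed {limit} lookups per {window}s"
                self.alerts.append(f"{now:.0f} DENY {request.get('endpoint')} {reason}")
                return False, reason
        for dim in self.policies:
            key = request.get(dim)
            if key is not None:
                self._hits[(dim, key)].append((now, weight))
        return True, None


def simulate_bulk_lookup(limiter: RateLimiter, app_id: str, device_id: str,
                         batches: int, batch_size: int) -> Tuple[int, int]:
    """Constructed scenario: one client pushes `batches` lookups of `batch_size` numbers each.

    Returns (allowed, denied) request counts.
    """
    allowed = denied = 0
    for _ in range(batches):
        ok, _reason = limiter.check(
            {"endpoint": "/lookup", "app_id": app_id, "device_id": device_id},
            weight=batch_size)
        if ok:
            allowed += 1
        else:
            denied += 1
    return allowed, denied


if __name__ == "__main__":
    # Hypothetical policy: 50 lookups/min per device, 500/min per app, 100k/min per endpoint.
    limiter = RateLimiter({"device_id": (50, 60), "app_id": (500, 60), "endpoint": (100_000, 60)})
    print(simulate_bulk_lookup(limiter, "app-1", "device-1", batches=50, batch_size=100))
    print(limiter.alerts[:3])
```

Order the dimensions from narrowest to broadest so the denial reason names the specific offender (a device) rather than the shared bucket (the endpoint). The per-endpoint cap is the backstop against many devices or keys being used in concert, which per-client limits alone never catch.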
API Lifecycle and Governance
No amount of security measures will be effective if they are not properly enforced, deployed and governed across the entire lifecycle of the API SDLC process. This last step is the one most often overlooked by start-ups (and enterprises) in the name of speed or agility. Managing the API Lifecycle and achieving security and compliance while realizing the agile business potential of APIs are one subject, not three. It is about making sure that lightweight APIs that serve business needs are built right and run with controls that are compliant but not overly restrictive. Making this happen involves selecting the right API management solution. That solution needs to work across, and connect, each stage of the complete API Lifecycle. If it can't, the organization risks working on compliance in an incoherent way that invites lapses in control. Stakeholders connected to the API have to be able to communicate with one another through the platform, including people and entities external to the organization publishing the API. API Lifecycle Management, as embraced by the whole organization, is inextricably linked to attaining the strategic outcomes promised by APIs while keeping compliance risk to a minimum.
SOA Software’s API Management Platform, API Gateway and Lifecycle Manager for APIs provide a comprehensive solution for managing, publishing, monetizing and securing APIs and services across their entire lifecycle, significantly reducing the risks to an organization's business. With built-in enterprise security, integration with identity management systems, message security, data and threat protection and a comprehensive API Lifecycle solution, you can confidently expose APIs, both internally and externally, while preventing the kind of vulnerabilities and SDLC process snafus that some companies experienced during the last holiday season.