USE CASE
Sensitive Data Exposure Remediation
In today’s organizations, sensitive data is constantly moving through applications built on APIs. API use has become the common language of web app development, a move that has had both positive and negative consequences for businesses.
While an API-first development methodology makes it easier for companies to create consistent, high-quality and fully featured applications, it also presents a potential new attack surface, especially if organizations don’t take the time to specifically safeguard their APIs. Designed for machine-to-machine interaction, APIs include all necessary commands, payload and data to produce engaging user interactions.
And because API often includes sensitive data, a recurring issue is its inadvertent exposure. This type of error puts companies at risk of regulatory non-compliance and may lead to costly and damaging data loss incidents.
Given the vast amount of API use at organizations today, it’s more important than ever for IT security teams to look closely at the information sent and received, ensuring that encryption and masking best practices are applied as needed. In addition, close attention should be paid to API authentication features in place to keep that data safe.
APIs and Sensitive Data Exposure Risk Today
When API-based applications are used to transmit sensitive data — Social Security numbers, credit card information, personally identifiable details or more proprietary forms of data — there must be safeguards in place. In some cases, however, attackers can simply take advantage of lax cryptography, or coding errors that allow them to break in, elevate their access and exfiltrate the data.
No organization should take this category of risk for granted. Attackers have learned to crawl companies’ potential attack surfaces to find any sign of weakness. The threat of inadvertent data exposure was highlighted when researchers determined that the briefly-viral chat app Clubhouse contained plain-text personal data transmitted via API.
Such flaws in web and API app architecture are unfortunately common. Everything from login credentials to health records may be stored or transmitted without adequate cryptographic and authentication measures in place. Detecting and remediating these issues wherever they appear should be top priorities for IT security teams across industries.
A Top Security Risk Factor
The Open Web Application Security Project (OWASP) maintains a list of the most pressing threats to companies’ web apps, APIs and the data being exchanged by these solutions. On the current OWASP API Security Top 10 list, excessive data exposure ranks No. 3 behind common authentication and authorization errors.
In the latest update to the OWASP Web Application Top 10 list, sensitive data exposure was reclassified as the cryptographic failure category because sensitive data exposure is more an effect than a cause. When companies fail to include adequate protective features for their software components such as APIs, there is an elevated risk of data becoming accessible to threat actors or the public at large.
The Theory Behind Stopping Sensitive Data Exposure
IT security teams becoming serious about preventing sensitive data exposure need to ensure data is not being either stored or transmitted in insecure ways. According to OWASP, the highest-priority data to check on is the kind of personal information regulated by privacy laws, from the Payment Card Industry Data Security Standard (PCI DSS) to the wide-ranging EU General Data Protection Regulation (GDPR).
A number of cryptographic failures could be occurring to put that sensitive information at risk. This includes the continuing use of older and deprecated cryptographic functions or even a lack of protocols. OWASP noted that sometimes data is being transmitted in clear text, or the application may not be enforcing encryption.
Companies without a clear view of their API landscape are naturally at elevated risk of suffering this type of everyday security failure — it’s hard to protect something when the IT security team doesn’t even know it’s there. Companies must make sure they have a clear view of both internal and outward-facing APIs, as well as the sensitive information being exchanged.
API Governance and Data Risk
API governance failures are closely related to sensitive data exposure risk. API use must be carried out within the bounds of regulations and according to consistent, standardized API specifications. Organizations with numerous APIs that are misaligned with specifications, or that don’t conform to them at all, may be putting their information at risk.
Another major risk factor where sensitive data exposure is concerned is the existence of shadow API, hidden API and deprecated API infrastructure. APIs that have become outdated, or that IT security teams don’t know exist, can easily become targets for threat actors. In these cases, attackers know more about companies’ APIs than those businesses do, leading to immediate danger.
In some cases, even if APIs have been developed with security in mind, they simply contain coding mistakes. Human error is a risk factor where sensitive data exposure is concerned. Even the smallest error could result in insecure activity. Every new version of an API-based application represents a chance for such an error to enter the system, meaning companies must maintain constant monitoring for risk.
An API governance failure can be as simple as one data field becoming unmasked — this is all it takes for a company to fall out of compliance, and potentially all that’s necessary for an attacker to exfiltrate data as part of a sensitive data breach. Defending against such a simple, everyday type of risk requires solutions that are comprehensive and always on, viewing data movement and storage from all angles in real time.
Minimize Compliance Risks with Sensitive Data Assessment
How Cequence Security Addresses API Data Exposure Challenges
The unique Cequence Security approach to keeping APIs safe from top risk factors involves a truly comprehensive approach to threat detection and data defense. This is Unified API Protection, in contrast to API security methods that only focus on one aspect, whether that is discovery, detection or defense.
The objectives of Unified API Protection, as they apply to sensitive data exposure include:
Identifying any and all cases in which sensitive data is being exposed:
From public-facing APIs powering major applications to shadow API infrastructure or even internal APIs that have accidentally been made public, every potential point of data transmission should be inspected closely.
Detecting and addressing potential compliance violations:
Companies across industries have to conform to standards such as PCI DSS, GDPR and HIPAA. Ensuring that APIs are in line with these rules is only possible when IT security teams can determine what kind of data is being transmitted.
Receiving detailed information about potential threats:
Security personnel need timely information about data exposure risk — but they also need details. It’s important to know which API is creating the risk, what type of data is being exposed, and granular details such as the IP addresses of the servers involved.
Remediating issues quickly and effectively:
Quick and clear alerts around compliance violations or other security weaknesses allow IT security teams to act in a hurry. The sooner that security and dev teams are made aware of a potential incident, as well as the best path to remediation, the less chance a threat actor will exploit the issue.
Cequence Unified API Protection Solution
True Unified API Protection goes beyond limited API security approaches because it consists of discovery, detection and prevention steps — the whole spectrum of threat defense and response. The six-step process to achieving data and API protection consists of:
Discovering the
Attack Surface
By using outside-in discovery, security teams can see their data storage and movement from an attacker's perspective.
Taking Effective
API Inventory
Maintaining a comprehensive and up-to-date API inventory via inside-out discovery methodologies allows organizations to truly understand their API landscapes.
Ongoing Compliance
Monitoring
Ensuring that APIs are aligned with common standards such as the OpenAPI Specification is a way to keep a strong handle on API governance and regulatory issues.
Real-time Threat
Detection
Finding active threats in progress is a major component of API protection — timely alerts let IT security teams know about the danger and respond intelligently.
Advanced Threat
Prevention
Organizations can respond to attacks in a number of ways. This may mean blocking all suspicious traffic, geo-blocking traffic from a specific region or even using deception to make attackers think the threat is working.
Security and Development
Integration
One of the best ways to prevent sensitive data exposure on an ongoing basis is to shift security left and apply API protection tools during the development process.
Get Started with Protecting APIs Against Sensitive Data Exposure Risk
The threat of sensitive data exposure is a leading risk factor, but with Unified API Protection in place, organizations can finally bring the danger under control. Visibility into their whole API footprints, coupled with effective ways to detect and counteract threats, creates the necessary level of defense.
When organizations don’t attend to the cryptographic failures that lead to sensitive data exposure, the consequences can add up quickly. Falling out of compliance with important regulations, losing personally identifiable information to attackers and suffering long-term ongoing infiltration are just a few of the problems that can haunt organizations.
The best way to deal with these threats is to move forward with a Unified API Protection approach, simultaneously guarding against inadvertent sensitive data exposure and other leading API risk factors that could lead to a sensitive data breach, such as business logic abuses and brute force attacks.
There are simply too many APIs in use today to take API security for granted. Organizations that pay attention to their APIs, including third-party and shadow APIs, can prevent these useful development tools from turning into a risk-heightening attack surface. Request an API security assessment to find out where your organization stands on the path to API protection, and what your next step should be.
