In January 2023, news broke that because Twitter refused to pay a ransomware demand, hackers were set to release 235 million unique records of Twitter users, complete with their email addresses and phone numbers.
Twitter has confirmed that the data breach was caused when hackers used a zero-day API vulnerability to collect data by submitting an email address or phone number, verifying that it is associated with a Twitter account, and retrieving the associated account ID. The threat actor then used this ID to scrape the public information for the account. This leak leaves users, especially activists, anonymous users and celebrities, vulnerable to hacking, targeted phishing and doxing.
That this leak comes right at the beginning of 2023 serves as a timely reminder that API security remains a major security concern across all industry sectors.
Cloud native development has become the industry norm, and it relies on technologies including microservices and serverless computing, containers, APIs and Infrastructure-as-Code (IaC). These technologies allow organizations to build and run their apps almost in a distributed manner and without reliance on physical hardware infrastructures.
But while this flexibility helps save time and money across the entire software development life cycle (SDLC), it does not come without a security price tag.
APIs serve as a fundamental part of modern software development across industries. A recent survey of developers shows that 90.5% of developers expect to use APIs more or the same as in 2021, while only 3.8% of developers think they will use fewer APIs in 2022. The three industries with the highest percentage of developers who expect to rely on APIs more in 2022 than in 2021 are health care (71%), technology (69%) and financial services (68%).
Unsecured APIs are more common than any of us would like to admit.
APIs pose an ongoing security concern because they are the gateway to data and to systems. In 2021, an undergraduate at Rochester Institute of Technology who was searching for better student loan terms discovered an Experian breach that allowed him, or anyone, to look up private credit score information for tens of millions of Americans.
By examining the code behind the lookup page, he was able to see it invoke an Experian API that allows lenders to automate queries for FICO credit scores from the credit bureau. Because it was publicly exposed, anyone could use it without authorization to look up credit scores.
When asked about the Twitter breach, Sammy Migues, principal scientist at Synopsys Software Integrity Group, said that “API security is the real story here. As cloud native app development explodes, so does the world of refactoring monolithic apps into hundreds and thousands of APIs and microservices.”
Unsecured APIs are more common than any of us would like to admit. When pressed to design at speed, developers who have designed an API to get the job done may not take the time to secure it, or to revisit it once it’s working to make sure it’s secure.
“Humans are terrible at securing what they can’t see,” said Jamie Boote, associate software security consultant at Synopsys Software Integrity Group.
“In 2021, people discovered that the Twitter API could be used to disclose email addresses that were provided from other sources and also leak some other semi-public info like tying a Twitter handle with that email address,” Boote added.
“Several groups then used leaked email dumps as seed material to start farming for handles that they could then gather other information such as follower counts, profile creation date and other information available on a Twitter profile.”
Although Twitter fixed that issue in 2022, it appears that the company wasn’t done with the issue.
“After all that, Musk bought Twitter, and dumps of these started showing up for sale as hackers were looking to get paid for their efforts,” Boote said. “It appears as though someone collected a bunch of these and tried to get Musk to pay up for them.”
‘From now on, it’s probably best to just delete any emails that look like they’re from Twitter to avoid phishing scams.’
When that didn’t happen, hackers released the data. Now the question is: What could come next?
“To be safe,” Boote said, “users should change their Twitter password and make sure it’s not reused for other sites. And from now on, it’s probably best to just delete any emails that look like they’re from Twitter to avoid phishing scams.”
For organizations, however, effective API security practices should include the ability to continuously test and verify vulnerable APIs, including custom, open source and public-facing APIs in real time.
It is not enough to have an API tool that can simply discover the APIs for each application and then implement risk-policy firewalls. A better strategy expands API discovery capabilities to include dynamically testing, verifying and triaging continuously during integrated application tests at runtime compilation with other open source and third-party codebases and APIs.
Organizations need the ability to quickly identify and proactively test and remediate their highest-risk apps before they go into production release.
Gartner’s most recent cloud native survey found that organizations are incorporating other application security testing (AST) solutions such as software composition analysis (SCA), interactive application security testing (IAST), and API testing in addition to static application security testing (SAST) and web application firewalls (WAF).
A modern application security testing solution such as IAST can help alleviate the burden of conducting security testing in DevOps environments, as it doesn’t require additional scans, triaging or verification that adds time and test cycles to the continuous pipeline.
How Synopsys Can Help
An advanced IAST tool such as Seeker by Synopsys is unique and useful in securing cloud native apps. It can detect, test and validate all your inbound and outbound API calls, whether they are API calls your app declares or callable APIs you are not testing. It also tracks and tests for commonly leveraged serverless functions such as AWS Lambda and Azure Functions without adding additional scan cycles and friction to the continuous pipeline.
In addition to Seeker IAST, Synopsys offers complete, end-to-end scanning technologies that help secure your cloud native applications.