Are you familiar with the smoker door? It’s an old discussion from security penetration testing that shows why you have to be vigilant about monitoring. An example of it appears in this Information Week story. The basic outline is that penetration testers were trying to figure out how to defeat the security of a building that had physical guards and other kinds of electronic authentication, like card keys and such. They examined the building and found that there were always a few people huddled off to the side next to an unmarked door. When they investigated, they found out the door was to let out people who needed to take a quick smoke break but didn’t want to go back and forth through the tight security of the front each time they needed a cigarette. As the story goes, the penetration testers were able to pose as employees and slip in the side door without being challenged by wearing heavy coats and chatting with the smokers out there before entering.
The story of the smoker door is one that has been passed around for years in the security community. How does it extend into the world of software security though? Programs don’t have doors, right? Well, they do if you count the application programming interface (API) that is quickly becoming the standard of interface with the programs your run each day. Except this door is wide open to the people that know how to use it. So you have to make sure you secure it properly with controls like authentication and encryption. You also have to make sure that your API isn’t exposing functionality that isn’t intended. After all, no one ever accidentally leaves a door unlocked, right?
Theory of Security
During RSA Conference 2020, I had a chance to sit down with Doug Dooley of Data Theorem and talk a little bit about API security. We’ve gone from a world where infrastructure admins wouldn’t know an API if it bit them in the leg to a world where the majority of interactions with things happen via API at some point in the process. Data Theorem understands the challenges of monitoring API access and ensuring it is secured properly.
Data Theorem comes from a background of network security. They understand how attackers want to move and exploit vulnerable systems. They also realize that the value of an exploit to professional hackers isn’t something as simple as defacing a website or making noise in an internal security operations center (SOC). Instead, the ability to exploit an API and expand the capability to steal data and more is where the money is, so to speak. Rather than tripping through IDS/IPS systems or data loss prevention (DLP) software designed to examine the data flowing out the front door, APIs represent a virtual smoker door that can allow for data exfiltration out an interface that may not even be monitored.
Exploiting a known API is bad. However, finding out there’s an API you didn’t know about is even worse. This is a phenomenon known as “shadow APIs”. These are the interfaces that are built into a program that isn’t designed to be used by the public because developers needed a shortcut for some function. After all, security through obscurity is a thing, right? Well, it is if you don’t have automated scanners probing your system. But with the technological advantage of software working against you today, it doesn’t take long to find a hidden API and start exploiting it for gain.
The other thing that Data Theorem can give you is something that you need with an always-on world. It’s easy enough to write an API. It’s harder still to write a secure API. But what happens when your previously secure API has a bug? We have to write new suctions into our APIs all the time. But no one is perfect and no one writes perfect code.
Because Data Theorem is constantly scanning for threats and errors in the APIs they manage, they can quickly tell you when something goes wrong. Maybe your developers opened a storage bucket that is readable to the whole world through this program. Data Theorem will pick up on it and alert you right away that this is the case. Data Theorem doesn’t need access to your source code either. They see the API vulnerabilities as potential attackers would see them. They don’t require a peek at something super secret to see how it will react in the real world. That’s the kind of vision you need to help your developers see the effects their code has in the real world.
Data Theorem can also send all their findings off to your favorite SIEM of choice to aggregate and analyze the data. It can be the difference between assuming that API errors are a one-off occurrence or might perhaps be a part of a bigger issue. Because SIEMs are more tuned to find these kinds of things than the average human brain, the more integrations you have with them for tools like Data Theorem, the better. Data Theorem can help you find the issues and a SIEM can tell you if you have a recurring problem.
Bringing It All Together
APIs are the fast way to get your application working well with others. You can open an API to create integrations and offer support for a world of other software. But APIs are just like the smoker door. Just because it’s convenient and easy doesn’t mean it’s not a risk. You need to secure APIs and monitor them just like any other door in your building. And if you have a platform like Data Theorem to help you out means one less door you have to worry about.
For more information about Data Theorem and their platform, make sure to visit their website at http://DataTheorem.com/