Unsecured APIs Create a Back Door into the IT Environment


The use of application programming interfaces (APIs) has exploded in recent years as organizations seek to interconnect software and share data both internally and externally. APIs define the means of communication among various applications, enabling programmers to take advantage of third-party code and break up large applications into microservices.

Unfortunately, APIs can also provide hackers with a back door into an organization’s IT infrastructure. API calls give hackers visibility into what the infrastructure looks like, a means of distributing malware and, worst of all, the ability to gain legitimate access into other applications and systems.

Authentication of users is a critical component of API security, but some APIs use only HTTP Basic authentication to enforce access controls. User credentials are sent in clear text across a network, making it easy for hackers to intercept that information. Authorization, which defines the level of access a user is granted, goes hand in hand with authentication. However, some developers routinely grant the highest levels of access to all users, making the system more vulnerable to attack.

Some services use API tokens to grant access. This eliminates the need to store information about the user during a session, as authenticated users are provided a signed token that is sent with every request. Tokens also allow services to share permissions with third-party applications. Like credentials, tokens must be properly secured.
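As an added illustration, not code from the original post or from any product it mentions, the Python below shows the two mechanisms described above: why an HTTP Basic header amounts to clear-text credentials, and how a signed token carries the user's identity and permissions with every request so the server stores no session state and can enforce least privilege rather than granting everyone the highest access. The signing secret, user name, password and scope names are constructed sample values.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample values (assumptions, not from the article): the signing
# secret lives only on the API server and is never handed to clients.
SIGNING_SECRET = b"constructed-server-side-secret"
BASIC_HEADER_SAMPLE = "Basic " + base64.b64encode(b"alice:s3cret").decode()

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def decode_basic_header(header: str) -> tuple:
    """HTTP Basic merely base64-encodes 'user:password': anyone who observes the
    header on the wire recovers the credentials, hence 'clear text'."""
    scheme, _, payload = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic authorization header")
    user, _, password = base64.b64decode(payload).decode().partition(":")
    return user, password

def issue_token(subject: str, scopes: list, ttl: int = 3600, now=None) -> str:
    """Server side: sign the claims so no per-session state has to be stored."""
    now = int(time.time() if now is None else now)
    claims = {"sub": subject, "scopes": scopes, "exp": now + ttl}
    body = _b64url(json.dumps(claims, sort_keys=True).encode())
    return body + "." + _b64url(hmac.new(SIGNING_SECRET, body.encode(), hashlib.sha256).digest())

def verify_token(token: str, now=None):
    """Return the claims if the signature matches and the token is unexpired, else None."""
    body, _, sig = token.partition(".")
    expected = hmac.new(SIGNING_SECRET, body.encode(), hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(expected, _unb64url(sig)):
            return None  # any edit to the claims (e.g. an added scope) lands here
        claims = json.loads(_unb64url(body))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= int(time.time() if now is None else now):
        return None
    return claims

def authorize(token: str, required_scope: str, now=None) -> bool:
    """Least privilege: allow an action only if the token was issued with that scope."""
    claims = verify_token(token, now)
    return claims is not None and required_scope in claims.get("scopes", [])
```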

Many services also assign API keys to the users or applications accessing them. An API key is a long alphanumeric string that a client presents when making API calls. It is meant to prevent excessive use of compute cycles or bandwidth, or to limit clients to the level of access they have purchased. However, it is not meant to serve as a security control. While an API key is unique, it doesn’t identify an individual user or provide secure authorization. It is often delivered to the user in plain text, and it is then up to the user to secure the key in some fashion.

All “secrets” associated with APIs should be secured and managed like other privileged accounts. CyberArk’s Core Privileged Access Security platform allows you to store API credentials, tokens, and keys in the Enterprise Password Vault, where they are protected from unauthorized access. CyberArk Privileged Threat Analytics collects data related to privileged access and analyzes it using statistical modeling, machine learning, user and entity behavior analytics (UEBA), and deterministic algorithms. It can quickly detect malicious activity and alert IT personnel who can remotely suspend or terminate high-risk privileged sessions.

Clango’s CyberArk Certified Delivery Engineers are experts in the design, implementation, and support of CyberArk solutions. We have a deep understanding of privileged account management across all aspects of the IT environment, including application and service accounts, DevOps tools, SSH keys, and APIs.

API security is critical, but many organizations are struggling with it. In a recent survey, security was the No. 1 API technology challenge IT teams wanted to see solved, cited by 41.2 percent of respondents. Clango and CyberArk address this challenge with a comprehensive suite of tools and services for protecting APIs and other privileged secrets.


For more information about API security, please send us an email at (
