Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

Credential Leakage Fueling Rise in API Breaches

Many developers and security people admit to having experienced a breach effected through compromised API credentials.

API Security

There is a problem with API security – it isn’t working very well, and it’s largely down to credential leakage. Most security professionals are confident in their own API credential management; but at the same time, most of the same professionals admit to having experienced a breach effected through compromised API credentials.

In a survey of more than 400 US-based professionals (more than 90% of whom were developers or security people), 53% claimed to have suffered an API breach, while 77% claimed their company was very or extremely effective in managing their tokens. Only 3% believed they are not effective in protecting the credentials – and yet API breaches continue to rise.

The cause of this apparent contradiction is probably threefold: a lack of visibility into existing APIs, the sheer volume of APIs that are in use, and the amount of time already being spent on managing the credentials for those APIs. The survey conducted by Corsha discovered that 64% of companies are managing more than 250 API credentials across their network (with 3% managing more than 1,000).

This volume, and the company effort, is reflected in the amount of time spent on protecting them. Eighty-six percent of the respondents spend up to 15 hours every week provisioning, managing, and dealing with API secrets. That is time taken away from app development – making API secrets a costly and expensive exercise that still doesn’t work. Corsha costed this on an average developer’s salary of about $120,000 per year: “That means each respondent could be spending up to $44,460 per year on secrets management.”

There would appear to be no way of preventing API credential leakage. Corsha sees them being leaked from code repositories, versioning control, CI build systems, test artifacts and cloud environments. This problem is only going to worsen. Cisco predicts there will be more than 500 million new digital applications in 2023. “More applications means that the army of machines requiring API access will only catapult,” notes the report.

Credential rotation is one of the best manual practices to keep API secrets secret. Today, 27% of the survey respondents reported (PDF) that they rotate their API secrets only once per quarter, and sometimes only once per year. The strain on existing resources in a difficult economy combined with a growing API usage will make credential leakage more widespread, and credential rotation more problematic.

“The heavy administrative workload and exceedingly manual processes for maintaining good security hygiene around secrets management create significant opportunities for error or oversight,” notes Scott Hopkins, COO at Corsha.

“Security and engineering teams are forced to divert their attention away from forward-facing engineering to focus on secrets management, yet their organizations remain vulnerable to attackers both through lateral attacks and leaked or compromised API secrets to gain illegitimate access to sensitive data,” adds Jared Elder, Chief Growth Officer Corsha. “Data is everything and the potential risk from data breaches associated with leaked API secrets is clearly high and growing.  Yet with an explosion of credentials to provision, rotate, and manage, the good guys find themselves constantly behind the eight ball.” 

Corsha’s own solution to the problem is to add MFA to credential usage. This has several advantages. Firstly, since most of the APIs are internal on company networks, MFA from machine to machines is a form of microsegmentation that conforms to the principles of a zero trust architecture. This limits lateral movement by adversaries already in the network.

Secondly, one-time MFA from machine to machine is immune to one of the most successful MFA attacks used against humans – MFA fatigue attacks.

Thirdly, and perhaps most attractively, it removes the problem of credential rotation. Even if credentials are lost, stolen, or leaked, they cannot be used by adversaries who are unable to get through the MFA.

“That’s the problem we’re solving,” Anusha Iyer, co-founder and CEO at Corsha, told SecurityWeek. “If you have MFA in place, you don’t have to worry about the frequent rotation, and the same extensive hygiene of these static credentials.” 

All the customer needs to do is place the Corsha proxy at a point where it can monitor the traffic. “We will see the traffic that is coming in with good credentials and good MFA tokens and allow it; and we’ll see the traffic that’s coming in with no MFA or bad MFA credentials and block it,” she added.

Bad credentials probably mean bad guys on the network – so Corsha’s solution increases both visibility and prevention. The core of the Corsha platform is a distributed ledger system. Corsha uses this as an out-of-band element in the generation and use of machine-to-machine MFA. “The process is analogous to Google Authenticator,” explained Iyer. “In one direction you’re keeping in sync with a seed on Google servers, while in the other direction you’re using that to check MFA credentials.”

Corsha was founded in 2018 by Anusha Iyer, and Chris Simkins. It is headquartered in Washington, DC. It raised $12 million in a Series A funding round led by Ten Eleven Ventures and Razor’s Edge Ventures, with participation from 1843 Capital in April 2022.

Other providers in the API Security space include, Cequence42CrunchTraceable AIGhost SecurityPangea CyberWibFireTailSalt Security.

RelatedU.S. Postal Service API Flaw Exposes Data of 60 Million Customers

RelatedLeaked Algolia API Keys Exposed Data of Millions of Users

RelatedLeaked GitHub API Token Exposed Homebrew Software Repositories 

RelatedThe Next Big Cyberattack Vector: APIs

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

Application Security

A new report finds that barely 1% of all SBOMs being generated today meets the “minimum elements” defined by the U.S. government.

Cloud Security

Orca Security published details on four server-side request forgery (SSRF) vulnerabilities impacting different Azure services.

Application Security

A security vulnerability identified on AliExpress, the wholesale marketplace owned by the Chinese e-commerce giant Alibaba, could have been exploited by hackers to hijack...