Secrets Management: The Weak Link of API Security

As organizations increasingly rely on APIs to streamline their operations and drive innovation, the need to securely authenticate across these critical communication channels is more important and complex than ever. The Corsha State of API Secrets Report 2023 highlights the need for better tools, technologies, and tradecraft around API secrets to help DevSecOps professionals who feel overwhelmed by the amount of time they must dedicate to API security and worried that their organizations remain vulnerable to breaches.

The Prime Culprit: Leaked API Secrets

API secrets leaks have been the driving force behind several recent high-profile security breaches, including Twitter, Dropbox, and Uber incidents. These breaches emphasize the importance of securing API secrets and the potential consequences organizations face if they do not.

One red flag uncovered by the report is the high prevalence of data breaches due to compromised API tokens. Over half (53%) of respondents have experienced a data breach with unauthorized access to their networks or apps due to compromised API tokens. This statistic underscores the need for improved API secrets management practices.

The report also found that although 72% of respondents use a secrets manager to handle their API secrets, more than half (56%) worry about potential data breaches. This suggests that simply using a secrets manager feels inadequate to ensure robust security.

The survey also reveals how much manual time professionals spend daily on secrets management. 86% of respondents spend up to 15 hours a week provisioning, managing, and dealing with secrets. This considerable time investment emphasizes the complexity and burden of API secrets management and underscores the need for more efficient and ideally automated practices around operations like secrets provisioning and rotation. After all, the tradeoff between security versus time and convenience is often solved by automation.

Inadequate Defenses

Clearly, API secrets leaks are a significant concern for DevSecOps teams and security personnel, despite the adoption of secrets managers. The report highlights that the current defenses in place for API secrets management fall short in multiple areas:

 Inadequate secrets management policies: Many organizations lack comprehensive policies for handling API secrets, contributing to the persistence of security vulnerabilities.

 Securing multi-cloud environments: With 44% of respondents hosting their API services across multiple clouds, managing secrets becomes even more complex as organizations must contend with varying security policies and mechanisms for each cloud provider.

 Managing too many credentials: 78% of respondents reported managing at least 250 API tokens, keys, or certificates across their networks. With such a high volume of credentials to manage, scaling security strategies for API-based communication becomes increasingly difficult.

 Thwarting insider threat: Granting all-or-nothing access to systems and service accounts is a common practice among more than 42% of respondents, which exacerbates the risks associated with insider threat. This approach fails to implement the principle of least privilege, which is crucial for minimizing the potential damage caused by compromised credentials or malicious insiders.

 Poor visibility: More than 50% of respondents have little to no visibility into the machines, devices, or services (API clients) that utilize the API tokens, keys, and certificates that their organization provisions. This lack of visibility hampers organizations' abilities to detect and respond to potential security incidents.

Implementing Effective Secrets Management

The inadequacy of current defenses highlights the urgent need for organizations to adopt more robust and comprehensive approaches to API secrets management by embracing these five core tenets of effective secrets management:

Integrate a good secrets manager: Selecting and integrating a reputable secrets manager is a good first step to help organizations gain overall visibility into their secrets, allowing for better management and control over sensitive data.

Utilize mTLS (Mutual Transport Layer Security): When and where possible, use mTLS to establish secure, encrypted communication channels between clients and servers, further enhancing the security of API transactions. Remember to factor good hygiene and secrets management of these certificates into new workflows though!

Set short expiry periods for secrets: Always set short expiry periods for secrets when possible. This limits the time window during which a potentially stolen secret can be exploited if compromised.

Sign and verify all tokens: Ensure secrets are always signed and verified to confirm their authenticity and integrity, reducing the risk of unauthorized access or data tampering. This is a great area to use

Avoid plaintext storage or transmission of secrets: Never store or pass secrets in plaintext, as this leaves them susceptible to interception or unauthorized access. Instead, always encrypt secrets during storage and transmission.

We also recommend adding a clear additional factor to API authentication, such as Multi-Factor Authentication (MFA). As API usage grows, static secrets are harder to manage and more vulnerable to compromise. We all now recognize the challenges associated with static passwords for human users and have adopted MFA to mitigate the risks for nearly all accounts, especially sensitive ones. The challenge with this bearer model of authentication using simple API keys, tokens, and credentials is no different.

As the digital landscape continues to evolve, it is crucial to recognize that risk is predominantly shifting from human to machine and, even more so, to machine-to-machine interactions. This transformation calls for reevaluating existing security measures and implementing more effective API authentication and secrets hygiene.

Adhering to some of these best practices will enable organizations to significantly improve their API security posture, alleviate the concerns of DevSecOps teams, and better safeguard critical digital assets against ever-evolving threats.