From Data Bridges to Data Breaches: Understanding API Security

Modern digital systems are increasingly built as distributed architectures, where multiple independent components interact to deliver complex functionalities. In such environments, APIs (Application Programming Interfaces) play a central role in enabling communication between systems. However, while APIs act as essential “data bridges,” they can also become entry points for security vulnerabilities if not properly designed.

In a recent presentation, Alex Chiquito (Sinetiq) provided a clear and practical overview of API security, focusing on how design decisions can directly impact system resilience.

The Shift Toward Distributed Systems

As organizations move away from monolithic systems toward microservices and service-oriented architectures, the number of system interactions increases significantly. APIs enable these interactions, but every exposed interface introduces a potential risk.

As highlighted in the presentation, security challenges are not only caused by implementation flaws but often originate from how APIs are designed and structured.

Understanding API Security Risks

A key reference in the discussion is the widely recognized OWASP Top 10, which outlines the most critical web application security risks. Among these, broken access control stands out as one of the most significant issues.

Broken access control can be described as:

Unauthorized access to sensitive data
Exposure of information beyond what is necessary
Improper enforcement of permissions

Even well-secured systems can be affected if API interactions are not carefully designed.

Example: Excessive Data Exposure

One common issue is excessive data exposure, where APIs return more information than required for a specific use case. While this may simplify development, it violates the principle of minimizing access and can unintentionally expose sensitive data.

This becomes particularly problematic when:

APIs are designed for multiple use cases
Clients are expected to filter the data themselves
Sensitive attributes are included in responses by default

Security Principles in API Design

Least Privilege

A fundamental concept discussed is the principle of least privilege, which states that systems and users should only have access to the minimum information required to perform their tasks.

Applying this principle to API design often involves:

Creating more specialized endpoints
Limiting data exposure per request
Avoiding unnecessary data sharing

While this approach improves security, it also introduces additional complexity in managing multiple endpoints.

Zero Trust Approach

The presentation also highlights the zero trust security model, summarized by the principle:
“Never trust, always verify.”

In this model:

Every request must be validated
Access is continuously checked
Trust is not assumed based on network location

However, practical implementation requires balancing security with usability, as overly strict controls may increase system complexity and operational overhead.

Managing Access Control

Controlling access to APIs involves determining:

Who can access a resource
What they can access
When and under which conditions

Different access control models exist, including:

Role-Based Access Control (RBAC)
Attribute-Based Access Control (ABAC)
Policy-based approaches

Each model offers different levels of flexibility and complexity, and the choice depends on system requirements.

The Role of API Security Gateways

To enforce security policies consistently, API gateways can be extended with security capabilities. These API security gateways act as enforcement points that:

Validate authentication and authorization
Apply security policies
Filter and validate data
Monitor API usage

By centralizing these controls, systems can better support secure communication between services.

Balancing Security and Complexity

One of the key messages of the presentation is that there is no single “perfect” level of security. Instead, system designers must balance:

Security requirements
Implementation complexity
Operational overhead

Highly sensitive systems (e.g. financial services) require strict controls, while less critical applications may adopt lighter approaches.

Designing for Security from the Start

API security is not an afterthought. Many vulnerabilities arise during the design phase, making it essential to:

Consider security early in system architecture
Apply principles such as least privilege and zero trust
Carefully design API structures and data exposure

While perfect security is not achievable, improving access control and API design significantly strengthens system resilience.

For a complete overview of the topic, you can watch the full presentation here:
https://lnkd.in/d4upR2-Q

Acknowledgment

This development is part of the Eclipse Arrowhead framework and the Arrowhead fPVN project (Grant Agreement No. 101069774), and has been supported by the AIMS5.0 project. This project has received funding from the Chips Joint Undertaking (Chips JU) and its members, including top-up funding by Finland, Denmark, Sweden, Spain, Italy, Romania, Portugal, Hungary, and France.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.