The use of Application Programming Interfaces (APIs) has accelerated exponentially over the past decade and continues to grow. However, company security measures have yet to match the increased security risks caused by this rapid surge in API use.
Businesses rely on APIs more than ever before. The sheer scale is staggering. Essentially, every application and device connects or communicates with an API. This is why it shouldn’t be surprising that API calls represent 83% of all web traffic.
APIs are also the new cybersecurity battlefield. Security measures have not matched the meteoric rise in popularity. As more companies publish their APIs and connect them to the open web, cyber attackers have increased their exploitation of this attack vector. What’s more, APIs have been in use for decades. They pre-date app security teams, API gateways, and the OWASP API Top 10.
It’s only a matter of time until bad actors sniff out legacy or shadow APIs that don’t comply with your current processes and standards. Therefore, it is essential that businesses can discover APIs as fast as possible.
Why is API Discovery Important?
API discovery is about finding and inventorying APIs, as well as gathering rich data from the API. Simply knowing that an API exists doesn’t improve your security posture. Who or what is accessing each API? And what data is each API sending?
Today, businesses do not have a complete inventory of all their APIs. It poses a significant risk. Misconfigurations, suspicious behaviour, and cyber-attacks can occur unabated without the business’s knowledge. And once an API issue is found, it can take a substantial amount of time to investigate the incident to determine the severity and conduct root cause analysis.
The lack of visibility isn’t just due to legacy APIs that pre-date API management or security solutions. The demands of the business often force development teams to choose speed over security. A culture that revolves around velocity can incentivise shortcuts where APIs may be routed through a simple proxy. Enterprises won’t have deep insights into these “rogue” APIs and, in some cases, won’t have any visibility at all.
Gartner estimated that in 2021, APIs would account for 90% of the attack surface for web-enabled applications. It also estimates that API abuse will become the most frequent attack vector by 2022. These APIs provide a direct on-ramp deep into the organisation’s systems and critical data.
Why Are Businesses Failing to Close API Security Gaps?
The lack of API security maturity is why it isn’t surprising that API leaks and exploits make headlines on a frequent and consistent basis. In addition to industry maturation, several common misconceptions and misunderstandings keep businesses from holistically protecting their API environments.
When we show potential customers all the vulnerabilities we’ve discovered in their APIs, it’s a real light-bulb moment for them. Even the most seasoned security professionals often have no idea how exposed their systems are. So, let’s explore the most common reasons organisations fail at closing API security gaps.
1. Dangerously Narrow View of “API Security”
“API security” is almost exclusively positioned in the media as API attack prevention. It’s not about protecting your APIs from an attack. It’s about protecting your digital environment and your data from all the risks associated with APIs. As simple as this shift in mindset may seem, it has significant implications for security strategies, processes, and tooling.
APIs are so critical to the business today that design errors and simple misconfigurations can put sensitive information and company reputations at risk. Additionally, these honest mistakes can easily be exploited by bad actors. They expose an even deeper layer of risk to the company than a standalone attack. A broader definition and understanding of API security is required.
2. Exponential Threat of an API Breach
The nature of APIs is to connect and to communicate. A sprawling mesh of APIs connects applications, services, and databases. If an API is compromised, it’s often difficult to even identify what other APIs, data, and systems could have been exposed or exploited.
The rate of new API deployments exceeds an organisation’s ability to keep up with API testing and security. The API attack surface grows daily, and new misconfigurations find their way into production environments. Without a rapid change in businesses’ API security strategy, it is only a matter of time before more businesses fall victim to API security vulnerabilities and attacks.
3. Flying Blind in an Ever-Changing Landscape
Security is either a shared responsibility or given to yet another team to sort out. The result is a lot of APIs slipping through the cracks. Businesses do not have a complete inventory of APIs, and it isn’t uncommon for 30% of APIs to be unknown or unmanaged.
Additionally, of the known and managed APIs, there is often limited visibility into the communication and behaviour of the APIs. Many enterprises have an intent for their API management but validating the API behaviour is still a difficult and time-consuming process.
4. Limited API Security Functionality with Traditional Tools
A major issue is that current application security systems, such as Web Application Firewalls (WAF) or Security Information Events Management Systems (SIEMS), are insufficient to identify attacks. Breaches and data exportation can look like normal application behaviour to these legacy systems. It causes a fundamental blind spot for security teams and explains why they can fall short.
Traditional API security is far more complex than simply detecting run-time attacks. It may explain why many sophisticated organisations still fall victim. It is not just a case of buying a new tool that gives visibility into API inventory and behaviour. Instead, API security should be thought of as a process that looks at how APIs can be discovered, misconfigurations identified, vulnerabilities mitigated, and new APIs tested.
5. Confusion Around Ownership
Multiple teams play a role in creating, consuming, and managing APIs. It creates confusion about which teams are responsible for API security. Is it the development team, the platform team, or the CISO who is responsible for enterprise API security?
API security vulnerabilities will continue to slip through the cracks without a clear ownership structure. It will lead to more effort being put into finger-pointing than into eliminating API risks.
The Solution
There’s no doubt that threat actors have taken notice of APIs. They have quickly become a fruitful target for those looking to steal your organisation’s sensitive data. Cyber attackers are particularly nefarious because they know how common mistakes and mishaps occur. Additionally, they are constantly probing to discover and exploit them.
How do you solve the above security risks and complexities that the increasing use of APIs has brought to businesses? Security teams must deploy a proactive and effective platform to lock down their APIs. It will decrease the potential for successful cyber-attacks. It is also the most reliable solution on offer to businesses and undoubtedly the correct route for reducing vulnerabilities.
Sources:
https://www.gartner.com/en/documents/3956746/api-security-what-you-need-to-do-to-protect-your-apis
Noname Security is the only company taking a complete, proactive approach to API Security. Noname works with 20% of the Fortune 500 and covers the entire API security scope across three pillars — Posture Management, Runtime Security, and Secure API SDLC. Noname Security is privately held, remote first with headquarters in Palo Alto, California, and an office in Tel Aviv and Amsterdam.
