Your API Security Is Calling You
Will you answer the call to address API vulnerabilities?
By Seemant Sehgal, CEO and Founder, BreachLock
Since the early 2000s, enterprises have been taking advantage of the potential of APIs. Today, APIs are everywhere, from small businesses to third-party providers.
In recent years, cybercriminals have caught onto the ubiquity of APIs in today’s business landscape, and they have become equally serious about attacking API vulnerabilities.
Digital supply chain breaches are on the rise, while advanced persistent threats and social engineering attacks are reaching new levels of persistence. Hence, everyone’s API security is calling out loud for cyber security risk management in 2023.
Will your organization heed the call?
Security leaders looking for ways to significantly improve their cyber resilience and manage the new API risks can get ahead of this with a simple approach.
Those who have focused on this opportunity have realized that integrated, on-demand API penetration testing can raise their visibility into the numerous, sometimes unknown, APIs communicating on the network.
With the visibility that API security testing offers, security leaders can identify and accelerate the remediation of application vulnerabilities in measurable ways.
They can also reduce the overall risks that APIs contribute to the organization’s security investments. To understand API security and the problems today, let’s take a step back and understand how APIs became insecure in the first place.
The Rise in Application Programming Interfaces
The revolution that brought web applications to internet users around the world opened the floodgates to a connected digital age where anything is possible.
Every piece of data that can be transferred – from databases to payments to digital file sharing – can be delivered to another destination via an API. Billions of API calls are made every day to facilitate business operations around the world.
API security, on the other hand, has not kept up with the evolution of APIs – leaving security operations teams scrambling to keep up with the evolving risks and threats without routine testing in place.
The lack of security testing for APIs has left a storm of incidents in recent years that has led to expensive security breaches, specifically in the digital supply chain.
As web apps have become ubiquitous in modern life, mobile applications followed the same trend. Some may argue that mobile apps are now more popular than web apps, owing to the adoption of cellular phones and mobile technology.
APIs serve mobile applications as the pathway where the rubber hits the road, integrating a person’s mobile life seamlessly with their real life over an internet connection.
There’s no doubt that the web and mobile apps have made life inherently easier compared to the ‘old days’ before the internet.
The use of application-based technology has exploded with the portability of internet-connected devices. These have also driven the API trend.
Cloud Applications and the Democratization of API Technology
The second stage of this revolution brings the power of the cloud to center stage. As businesses shifted their core offerings to the cloud, APIs were a way to provide customers and partners access to data with a democratized approach.
Companies do not have to own the data, nor do customers, to use the data or transfer the data. The rise in APIs made this shift possible, as companies used API technology to build value additions on core applications that different parties can use.
For example, initially, web applications were only in use by the major banks in Financial Services.
Then came the FinTech industry. FinTech businesses did not have any core business logic or core data of their own. They wanted to democratize the consumer data which was already available with banks.
This is, in part, why API technology came into existence and why it continues to be central to running digital operations today.
Having become the norm for interoperability and intercommunication between business applications, APIs are now the way to establish a communication protocol between various applications, whether internal or external.
What’s become the biggest problem with APIs is now related to the cloud security of APIs. Due to their popularity, APIs have opened a new attack surface, as the developers who create the code and documentation for APIs do not necessarily take security into account.
Cybercriminals are taking advantage of these cloud-based security gaps, and API attacks have been on the rise as a result.
Why is API security critical now?
Over the years, web applications have been made more secure with certified third-party providers. While this has been driven by regulations, APIs are now starting the same journey to security maturity.
The topic is certainly getting more attention. API security is now being scrutinized in the SDLC, and the delays that scrutiny introduces are slowing the pace of innovation for many organizations.
In a recent study by Google Cloud, half of U.S. technology leaders reported experiencing an API security incident in the past 12 months.
The most commonly reported threats were misconfigured APIs and security (NET) at 40%, outdated APIs, data, and components (NET) at 35%, and spam, abuse, and bots (NET) at 34%.
That same study found that 53% of responding organizations had to delay the rollout of a new service or application due to API security issues.
For those who have experienced an incident in the past 12 months, 77% of respondents reported having to delay the rollout of a new service or application due to API security issues.
These API-related security events not only delayed rollouts of new services and applications; they also likely delayed revenue that had been forecasted.
In today’s economy, businesses have not prepared for the double whammy of addressing API security risks, particularly before launching a product or service.
What are the challenges with API security?
There are a few notable challenges with managing API security for today’s modern security operation center. From the number of APIs to the API technology itself to the lack of API documentation, API security presents challenges to Security and IT leaders predominantly in these three areas.
API Velocity Is Outpacing API Security
First and foremost, the sheer velocity at which APIs are being developed is overwhelming the capacity of security teams to manage API security properly. A telling example is that every mobile and web application developed today comes with a native API.
API Technology Is Still Evolving
Secondly, API technology itself is still in the evolution stage. Training API developers on secure code best practices and changing protocols for server-side authentication are a few of the ways API security is improving.
But clearly, due to the lack of technology advances to date, API security is truly an area where organizations can shine or be extremely vulnerable.
There seems to be very little ‘in between’ for most modern businesses today. Their APIs are either secure – or they are not.
Today’s APIs Lack Documentation
Finally, the lack of API documentation continues to be a challenge. When an organization needs to have its API tested by a third-party provider, it is critical to have API documentation to hand to the external testing team.
Third-party pen testers can only test what they know, and without proper API documentation in place, the pen tester is left with many open questions and untested endpoints.
The lack of API documentation certainly hurts business continuity in obvious ways. As API developers leave, future API developers will need proper documentation to be able to manage the API and its security requirements moving forward.
Too often, API documentation is an afterthought and not necessarily required by the organization to launch.
How can security leaders improve API security?
When it comes to API security, the solution is to tackle these three challenges with full force, so that organizations avoid preventable API security breaches this year.
Organizations seeking to tackle this challenge in 2023 should specifically address the following opportunities to transform API security:
- Ensure you use specialized developers to manage API security. Give them the capability to routinely test their API code in a sandbox before it reaches production.
- Mandate that proper API documentation is in place, along with required scheduled maintenance.
- Establish a security testing program to protect and enhance your API security. Testing for security validation and compliance, whether conducted in-house or outsourced to a qualified pen testing as a service or red teaming services provider, is an excellent investment to assess and fix vulnerabilities within your API.
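The documentation gap and the testing program above can be made concrete with a small, repeatable check. The example below is added here and is not code from the article or from BreachLock: it compares a constructed OpenAPI-style path inventory (the documentation a tester would be given) against constructed gateway access-log lines to surface routes that are live but undocumented, and lists documented operations that declare no security requirement. The spec shape, route names and log format are assumptions for illustration.

```python
import re

# Constructed sample: the OpenAPI-style path inventory handed to the testers.
# "security" mirrors the OpenAPI 3 operation-level field; a missing or empty
# value means no authentication requirement was documented for that operation.
DOCUMENTED_SPEC = {
    "paths": {
        "/v1/users/{id}": {"get": {"security": [{"bearerAuth": []}]}},
        "/v1/orders": {
            "get": {"security": [{"bearerAuth": []}]},
            "post": {"security": [{"bearerAuth": []}]},
        },
        "/v1/orders/{id}": {"delete": {}},  # documented, but no auth declared
        "/v1/health": {"get": {}},
    }
}

# Constructed sample gateway access log, one "<METHOD> <path> <status>" per line.
ACCESS_LOG = """\
GET /v1/users/42 200
POST /v1/orders 201
DELETE /v1/orders/17 204
GET /v1/health 200
GET /v0/users/42/export 200
GET /internal/debug/config 200
"""

def compile_routes(spec):
    """Turn each documented (method, path template) into a regex; {param} matches one segment."""
    routes = []
    for template, ops in spec["paths"].items():
        pattern = re.compile("^" + re.sub(r"\{[^/}]+\}", r"[^/]+", template) + "$")
        for method, op in ops.items():
            routes.append((method.upper(), template, pattern, bool(op.get("security"))))
    return routes

def shadow_routes(spec, log):
    """Observed (method, path) pairs that match no documented operation: the 'unknown' APIs."""
    routes = compile_routes(spec)
    shadow = set()
    for line in log.splitlines():
        method, path, _status = line.split()
        if not any(m == method and rx.match(path) for m, _t, rx, _s in routes):
            shadow.add((method, path))
    return sorted(shadow)

def unauthenticated_operations(spec):
    """Documented operations with no security requirement; each one should be a deliberate choice."""
    return sorted((m, t) for m, t, _rx, secured in compile_routes(spec) if not secured)

if __name__ == "__main__":
    print("undocumented routes seen in traffic:", shadow_routes(DOCUMENTED_SPEC, ACCESS_LOG))
    print("documented operations without auth:", unauthenticated_operations(DOCUMENTED_SPEC))
```

Run against a real spec and gateway log, the first list is the set of endpoints a pen tester would never have been told about, and the second is the review list for the documentation maintenance the article calls for.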
With the right number of resources and dedicated expertise, companies can take the steps they need to elevate API security in 2023.