Whether you realize it or not, APIs are everywhere in your organization, and their number is growing. In fact, it's estimated that the average organization manages over 300 APIs, many of them exposed externally to customers and partners.
While the concept of an API may still be foreign to some, APIs are an integral part of modern application environments everywhere, providing the connective tissue for SaaS, web, mobile, microservice and IoT applications.
Developers have taken to APIs as a way to connect applications, extend functionality and interface with partners. The result is an often complex web of logic, connectivity and exposure for critical infrastructure and data, and with it new vulnerabilities and new targets for attackers.
Most security teams are aware of the primary APIs in their environment, but many APIs go unnoticed and so lack the monitoring and protection needed to secure the environment. Even if you do have a good handle on your APIs, most security solutions lack the deep understanding of API behavior needed to protect them. Here are 5 things to consider as you think about API protection as part of your overall security strategy.
1. APIs are one of the fastest-growing attack targets
The API Economy is here, and businesses are looking for ways to deliver new apps faster, extend application functionality and connect with partners. APIs are everywhere now, and as the number of APIs grows, so too does the number of attacks. According to Gartner in their research on How to Build an Effective API Security Strategy, “By 2022, API abuses will be the most-frequent attack vector resulting in data breaches…”
2. APIs are a rich target for attackers
Behind many APIs lie attractive targets for attackers. With the right attack, a wealth of valuable data can be exfiltrated, ranging from customers' personally identifiable information (PII) to company intellectual property (IP). Do a search for “API breach” and you'll find plenty of examples of well-known companies that have been targets, like T-Mobile, Panera Bread, Verizon and Facebook, and recent vulnerability disclosures at the United States Postal Service (USPS) and Google+.
These attacks not only carry compliance implications that can cost organizations millions in fines, but also damage reputation and erode customer confidence. As a result of a 2018 breach, Facebook faces up to $1.63 billion in fines under GDPR.
Data exfiltration is not the only goal of an attack. Denial of Service (DoS) can also be the motivation for an attacker who wants to impact the availability of a target application. Unlike a Distributed Denial of Service (DDoS) attack, which requires coordinating traffic from many sources, an application-layer DoS needs no such volume: a single attacker can overwhelm an application with a subtly crafted API call that makes the backend do far more work than a normal request does, for example a query whose page size or expansion list is left unbounded. As with exfiltration, downtime due to DoS attacks can result in loss of customer confidence and loss of revenue.
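To make the single-call DoS concrete, here is an added Python example (not code from the original article or from Salt Security) showing a hypothetical list endpoint, `GET /orders?limit=N&expand=a,b`, guarded first by a naive validator that only checks types and then by a bounded validator that caps every parameter that scales backend work. The route, the `MAX_LIMIT`/`ALLOWED_EXPAND` policy and the in-memory order table are all constructed for the example.

```python
"""Bounding per-request work so one crafted API call cannot exhaust the backend.

Hypothetical endpoint: GET /orders?limit=N&expand=field1,field2
validate_naive  - type check only; a 'subtly crafted' call slips through.
validate_bounded - enforces upper bounds and an allow-list before any work runs.
"""
from typing import Dict, List, Tuple

MAX_LIMIT = 100                         # assumed policy: hard cap on rows per call
ALLOWED_EXPAND = {"customer", "items"}  # assumed schema: fields the API may join in

# Constructed in-memory "database": 1,000 order rows.
DB_ORDERS: List[Dict[str, int]] = [{"id": i, "total": i * 3} for i in range(1, 1001)]


def validate_naive(params: Dict[str, str]) -> Tuple[bool, str]:
    """Type check only: limit must parse as an integer. limit=1000000000 passes."""
    try:
        int(params.get("limit", "10"))
    except ValueError:
        return False, "limit must be an integer"
    return True, "ok"


def validate_bounded(params: Dict[str, str]) -> Tuple[bool, str]:
    """Hardened: every parameter that multiplies backend work has an upper bound."""
    try:
        limit = int(params.get("limit", "10"))
    except ValueError:
        return False, "limit must be an integer"
    if not 1 <= limit <= MAX_LIMIT:
        return False, f"limit must be between 1 and {MAX_LIMIT}"
    expand = [f for f in params.get("expand", "").split(",") if f]
    unknown = set(expand) - ALLOWED_EXPAND
    if unknown:
        return False, f"unknown expand fields: {sorted(unknown)}"
    if len(expand) != len(set(expand)):
        return False, "duplicate expand fields"
    return True, "ok"


def list_orders(params: Dict[str, str]) -> Tuple[int, object]:
    """Handler whose cost grows with limit * len(expand); the bound check runs
    first so the cost is capped before a single row is touched."""
    ok, reason = validate_bounded(params)
    if not ok:
        return 400, {"error": reason}
    limit = int(params.get("limit", "10"))
    expand = [f for f in params.get("expand", "").split(",") if f]
    rows = []
    for order in DB_ORDERS[:limit]:
        row = dict(order)
        for field in expand:            # each expand is one extra lookup per row
            row[field] = f"{field}-of-{order['id']}"
        rows.append(row)
    return 200, {"orders": rows, "count": len(rows)}


if __name__ == "__main__":
    crafted = {"limit": "1000000000", "expand": "customer,customer,customer"}
    print("naive   :", validate_naive(crafted))    # (True, 'ok')
    print("bounded :", validate_bounded(crafted))  # (False, 'limit must be between 1 and 100')
    print("handler :", list_orders({"limit": "5", "expand": "items"})[0])  # 200
```

The naive validator is the shape of check a generic filter performs: the request is syntactically valid, so it passes, and the handler behind it does a billion units of work for one call. The bounded validator encodes knowledge of this specific API (what `limit` and `expand` cost) and rejects the request before any work happens.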
3. API security requires a layered approach
APIs are no different from the other infrastructure you are tasked with protecting: no single solution will provide comprehensive protection. Traditional controls like a Web Application Firewall (WAF) and newer ones like Runtime Application Self-Protection (RASP) are commonly used in conjunction with more proactive penetration testing and bug bounty programs. With the increase in API-focused attacks, a new class of API protection solutions has also come to market to help protect organizations from these threats.
4. Signature-based solutions offer only partial protection
WAF and RASP solutions rely largely on known attack vectors that can be predicted and fingerprinted, such as injection payloads in a request parameter. While these solutions provide good protection from known attacks, attackers are evolving and increasingly moving away from these common, easily identified techniques toward requests that are syntactically valid and carry no recognizable payload. Because many traditional solutions lack granular knowledge of the APIs they sit in front of, these modern attacks often go unnoticed until it's too late.
5. API attacks target your unique API logic
Your organization is unique, and so are your APIs and the applications that use them. Today's attacks target this unique logic: the request itself is well-formed, and the abuse lies in what it asks for, for example using one user's valid credentials to request another user's records. Also consider that with CI/CD development practices your APIs are constantly changing and evolving, which makes them even more difficult to defend. An API protection solution needs not only to understand the uniqueness of your APIs but also to be aware of any updates or changes that are made.
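The contrast drawn in points 4 and 5, as an added Python example that is not part of the original article and not Salt Security's product logic: constructed requests are run through a payload-signature filter of the kind a WAF ships with, then through an API-aware ownership check that knows which path segment identifies the resource owner, and finally through a monitor that flags a client enumerating other users' resources. The signature patterns, the `/api/users/{user_id}/...` routes, the threshold and the sample traffic are all assumptions made for the example.

```python
"""Signature matching vs API-aware checks on constructed API traffic.

(1) signature_filter  - matches payload patterns (what a generic WAF rule sees)
(2) ownership_check   - uses knowledge of this API: {user_id} in the path must
                        equal the authenticated principal
(3) EnumerationMonitor - flags a client touching many distinct owner ids
Routes, rules, threshold and traffic are all constructed for this example.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# (1) Signature rules of the kind a WAF ships with: pattern-match the payload.
SIGNATURES = [
    ("sqli", re.compile(r"('|%27)\s*(or|and)\s+\d+\s*=\s*\d+", re.I)),
    ("sqli", re.compile(r"union\s+select", re.I)),
    ("xss", re.compile(r"<script\b", re.I)),
    ("traversal", re.compile(r"\.\./")),
]

# (2) API-specific knowledge: which routes have an owner and where its id lives.
OWNED_ROUTES = {
    re.compile(r"^/api/users/(?P<user_id>\d+)/orders$"): "user_id",
    re.compile(r"^/api/users/(?P<user_id>\d+)/profile$"): "user_id",
}


def signature_filter(req: Dict[str, str]) -> Optional[str]:
    """Return the name of the first signature matching the request, or None."""
    haystack = " ".join([req["path"], req.get("query", ""), req.get("body", "")])
    for name, pattern in SIGNATURES:
        if pattern.search(haystack):
            return name
    return None


def ownership_check(req: Dict[str, str]) -> Tuple[bool, str]:
    """Allow only if the owner id in the path equals the authenticated user."""
    for route, owner_param in OWNED_ROUTES.items():
        m = route.match(req["path"])
        if m:
            if m.group(owner_param) == req["auth_user"]:
                return True, "owner"
            return False, f"user {req['auth_user']} requested {owner_param}={m.group(owner_param)}"
    return True, "no owner on this route"


class EnumerationMonitor:
    """Flag a client that touches more distinct owner ids than the threshold."""

    def __init__(self, threshold: int = 5):
        self.threshold = threshold
        self.seen = defaultdict(set)   # auth_user -> set of owner ids requested

    def observe(self, req: Dict[str, str]) -> bool:
        for route, owner_param in OWNED_ROUTES.items():
            m = route.match(req["path"])
            if m:
                self.seen[req["auth_user"]].add(m.group(owner_param))
                return len(self.seen[req["auth_user"]]) > self.threshold
        return False


def evaluate(requests: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run each request through all three checks and return one verdict per request."""
    monitor = EnumerationMonitor()
    verdicts = []
    for req in requests:
        sig = signature_filter(req)
        allowed, _why = ownership_check(req)
        enum = monitor.observe(req)
        verdicts.append({"path": req["path"], "signature": sig,
                         "owner_ok": allowed, "enumeration": enum})
    return verdicts


# Constructed traffic: user 1001 is legitimate (one clean call, one SQLi attempt);
# user 7 sends well-formed requests walking through other users' orders.
SAMPLE: List[Dict[str, str]] = (
    [{"path": "/api/users/1001/orders", "query": "", "auth_user": "1001"},
     {"path": "/api/users/1001/orders", "query": "status=' OR 1=1--", "auth_user": "1001"}]
    + [{"path": f"/api/users/{i}/orders", "query": "", "auth_user": "7"} for i in range(100, 110)]
)

if __name__ == "__main__":
    for verdict in evaluate(SAMPLE):
        print(verdict)
```

Run it and the SQLi attempt is caught by the signature filter while every request from user 7 passes it cleanly; only the ownership check, which knows what `{user_id}` means on this route, rejects those, and the monitor flags the client once it has walked past five distinct ids. The ownership table is exactly the per-API knowledge that must be kept current as routes change under CI/CD.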
Because APIs are unique, dynamic and undergo constant change, organizations must look beyond security solutions that require manual configuration and signature updates. With the number of APIs in a single organization numbering in the hundreds, it's important to find an approach that can efficiently and effectively monitor and defend this complex web of logic, connectivity and exposure. There is no single solution that can keep modern organizations safe, but a layered security approach that incorporates granular API monitoring and protection will go a long way towards closing vulnerabilities and preventing the API attacks that have become increasingly common in our connected world.
Roey Eliyahu, CEO and Co-Founder, Salt Security