Ninety-five percent of IT organizations surveyed are confident their existing security tools are effective at protecting their companies, but there are serious gaps: only 10% of organizations fully document their APIs, according to Enterprise Management Associates (EMA).
Major breaches in the past several months at T-Mobile and Twitter underscore the need for better API security and for stringent documentation of application programming interfaces (APIs), the software intermediaries that allow applications to communicate with each other.
“It's alarming that most organizations have only a portion of their APIs documented,” said Edward Roberts, vice president of marketing at Neosec, a sponsor of the EMA study. “The lack of visibility and lack of documentation highlights the security blind spot that APIs pose to organizations.”
Organizations need visibility into every API endpoint and the data exposed, said Scott Gerlach, co-founder and CSO at StackHawk, adding that it requires having solid documentation. Gerlach said testing APIs during the development phase with documentation can help ensure that once an API ends up in production, it's not a "fingers-crossed and hope for the best" situation.
“Our standards for API security have to evolve in the same way API usage has,” said Gerlach. “What used to constitute a mature security model just doesn't cut it anymore, and the data in this report reflects that.”
Richard Taylor, chief technology officer at Approov Mobile Security, said he found it interesting that 83% of respondents believe they would know if their APIs were being abused. Tellingly, the primary methods for detecting API attacks are alerts from wireless access firewalls (25%) or alerts from API gateways (42%), said Taylor.
“It seems that there’s an unrealistic level of blind faith that putting a WAF or gateway in front of the traffic will magically fix any abuse,” said Taylor.
Taylor noted that many forms of API abuse operate under the radar using spoofed applications to make legitimate requests.
“No wonder, when in many cases the API keys and other credentials to perform such operations are hidden in plain sight in mobile apps, open to exploitation,” he continued.
The EMA researchers said that while it’s possible organizations use different tools for API visibility than for API protection, it is “unlikely” that organizations would notice API abuse.
“It’s reasonable to infer that the tools organizations are using for API management and security are effective at protecting the APIs that they know about, but can do nothing for the ones where they are lacking visibility,” said the EMA report. “It’s also possible that current security tools are not configured correctly to deal with evolving threats, or threat detection solutions and API management/security solutions are not integrated.”
For Salt Security's Michelle McLean, the finding that 32% say they only implement API standards in production was somewhat misleading.
“The report argues that it’s ‘too late’ to protect APIs once they’re in production,” said McLean, vice president at the Palo Alto, California-based security firm. “While that observation seems sound, it misses one key point about securing APIs: there are very strong limits in the ability of pre-production testing to identify API security gaps.”
McLean argued that organizations need running traffic to understand business logic gaps, "so threat protection in runtime remains the most crucial and most beneficial API security capability.”