Most security professionals recognize that APIs present increasing risks to organizations, but they generally think in terms of vulnerabilities and misconfigurations, much as they do for other parts of the attack surface. Most believe that nearly everything, from servers to firewalls, can have vulnerabilities that result from unpatched or outdated software, a change in conditions, or a discovery about configurations that allows exploitation. APIs are grouped in with the other elements of the attack surface, where security pros expect that everything will have a vulnerability from time to time and believe that most of these can be uncovered and addressed through assessments and pen testing.
While API misconfigurations and vulnerabilities present real threats, they represent only the tip of the iceberg of the potential damage from API abuse or misuse. APIs are still viewed only as potential weak points, or possibly as conduits for attacks—the means for an attack. This reflects dated thinking that does not match current realities. The potential risk from APIs is orders of magnitude greater than nearly anything previously experienced—APIs are no longer just an avenue for an attack: they now are the attack. That is why Gartner and other analyst firms have identified APIs as the new frontier for cybercrime and misuse, and why security teams must make APIs a top priority.
As companies embrace digital business, they are connecting core business systems, processes and data with partners, suppliers, customers and other third parties through the use of APIs. A new survey from RapidAPI shows that now almost 75% of developers use APIs for internal applications, and half work on third-party and partner-facing APIs.
APIs are now embraced by banks and FinTech firms to eliminate the friction of conducting payments across international borders. APIs are key to virtualized business and to the tight coupling of entities that creates seamless customer experiences. They also enable efficiency and maximum effectiveness. As a result, companies are fully exposing the heart of their business, turning this core asset and its resources inside out. What previously was tightly monitored and guarded is now accessible and shared through APIs. The data behind the API has become the organization’s crown jewels.
The shift means that threats and risks escalate exponentially. APIs themselves become the means for fraud, abuse and misuse. Through their direct usage, money, orders, parts and supplies, transactions, business know-how and processes are available to unauthorized parties for unauthorized uses. Cambridge Analytica, for instance, took advantage of Facebook APIs it was authorized to access and abused Facebook’s core business, with substantial ramifications. This kind of activity represents only the tip of the iceberg. Unauthorized parties can also gain access to APIs for nefarious ends. Security teams need to monitor for malicious, fraudulent, criminal or inappropriate behavior within important APIs. Abuse is unique to every API.
Nearly all enterprises are ill equipped to face the new requirements for application and API security. Most know only a portion of the APIs they have in use and lack the means to continually monitor for new ones, or for ones that have changed with a new version or update. Of the APIs they do know about, companies understand, and have documented, only a fraction. Beyond discovering all APIs, companies must monitor how their important business APIs are being used and by whom. Security teams require behavioral analytics to observe and understand how APIs are used and to identify behaviors that are not only anomalous but also malicious. Companies must begin to adopt the technology and shift security priorities, strategies and procedures to emphasize the new threats from APIs. Failing to do so may mean existential risk.
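The two capabilities the paragraph above calls for, discovering which API endpoints and versions are actually in use and baselining how each consumer uses them, can be illustrated from plain API access logs. The following is an added example written for this article, not code from the author or from Neosec; the log field names (`ts`, `consumer`, `method`, `path`), the constructed traffic, and the thresholds are all assumptions. It normalizes request paths into endpoint templates, reports endpoints seen in traffic but missing from the documented inventory, and flags a consumer whose request rate spikes against its own history or who walks through an unusually large number of distinct record identifiers in one window (the bulk-harvesting pattern that API data abuse typically leaves behind).

```python
import re
import statistics
from collections import defaultdict

# Path segments that are record identifiers (numeric ids or UUIDs); these are
# collapsed to "{id}" so /v1/orders/1001 and /v1/orders/1002 count as one endpoint.
ID_SEGMENT = re.compile(r"^(\d+|[0-9a-f]{8}-[0-9a-f-]{27})$")
VERSION_SEGMENT = re.compile(r"^v\d+$")

# Documented inventory (constructed): what the team believes is exposed.
KNOWN_INVENTORY = {
    ("GET", "v1", "/orders/{id}"),
    ("GET", "v1", "/customers/{id}"),
}


def normalize(path):
    """Split a request path into (api version, endpoint template, identifiers seen)."""
    version, template, ids = None, [], []
    for part in (p for p in path.split("/") if p):
        if version is None and VERSION_SEGMENT.match(part):
            version = part
        elif ID_SEGMENT.match(part):
            template.append("{id}")
            ids.append(part)
        else:
            template.append(part)
    return version or "unversioned", "/" + "/".join(template), ids


def build_sample():
    """Constructed traffic: two partners with steady usage, then partner-b bulk-reads
    customer records, and partner-a starts calling an undocumented v2 endpoint."""
    events = []
    for w in range(4):                      # four 10-second windows
        for i in range(2):
            events.append({"ts": w * 10 + i, "consumer": "partner-a", "method": "GET",
                           "path": f"/v1/orders/{1000 + w * 2 + i}"})
            events.append({"ts": w * 10 + i, "consumer": "partner-b", "method": "GET",
                           "path": f"/v1/orders/{2000 + w * 2 + i}"})
    for i in range(12):                     # window 3: partner-b walks customer ids 1..12
        events.append({"ts": 30 + i % 10, "consumer": "partner-b", "method": "GET",
                       "path": f"/v1/customers/{i + 1}"})
    events.append({"ts": 35, "consumer": "partner-a", "method": "POST", "path": "/v2/orders"})
    return events


def discover(events, known):
    """Endpoints (method, version, template) observed in traffic but absent from the inventory."""
    seen = {(e["method"],) + normalize(e["path"])[:2] for e in events}
    return sorted(seen - set(known))


def flag_anomalies(events, window=10, rate_factor=3.0, max_distinct_ids=5):
    """Per consumer and time window: flag a request rate above rate_factor times the
    consumer's own median rate in its other windows, and flag any endpoint where the
    consumer touched more than max_distinct_ids distinct record ids in one window."""
    per_window = defaultdict(lambda: defaultdict(list))   # consumer -> window -> events
    for e in events:
        per_window[e["consumer"]][e["ts"] // window].append(e)
    findings = []
    for consumer, windows in per_window.items():
        for w, evs in sorted(windows.items()):
            others = [len(v) for ow, v in windows.items() if ow != w]
            if len(others) >= 2 and len(evs) > rate_factor * statistics.median(others):
                findings.append({"consumer": consumer, "window": w,
                                 "kind": "rate_spike", "requests": len(evs)})
            ids_per_endpoint = defaultdict(set)
            for e in evs:
                version, template, ids = normalize(e["path"])
                if ids:
                    ids_per_endpoint[(e["method"], version, template)].update(ids)
            for endpoint, ids in ids_per_endpoint.items():
                if len(ids) > max_distinct_ids:
                    findings.append({"consumer": consumer, "window": w, "kind": "enumeration",
                                     "endpoint": endpoint, "distinct_ids": len(ids)})
    return findings


if __name__ == "__main__":
    sample = build_sample()
    print("undocumented endpoints:", discover(sample, KNOWN_INVENTORY))
    for f in flag_anomalies(sample):
        print("finding:", f)
```

On the constructed traffic the discovery step reports the undocumented `POST /v2/orders`, and the behavioral step flags only partner-b in window 3, both for a rate spike and for enumerating twelve distinct customer ids. The point of comparing each consumer against its own history rather than a global threshold is that, as the article says, abuse looks different for every API and every consumer; a partner that legitimately bulk-syncs data every night should not trip the same rule as one that has never done so before.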
Giora Engel, co-founder and CEO, Neosec