DevSecOps, Application security

Three ways enterprises can prevent the next API data breach

Today’s columnist, Jason Needham of Cloudentity, says that not every attack will have the magnitude of the Cambridge Analytica scandal, where Facebook’s API exposed the raw data of some 87 million users, but he cautions security teams to pay close attention to API security in the months and years ahead. (Photo by Justin Sullivan/Getty Images)

The SaaS market has been projected to reach $307 billion by 2026, up from $158.2 billion in 2020. That rapid growth has driven an accelerated use of application programming interfaces (APIs) as software developers and modern organizations look to drive innovation, collaboration and productivity for their customers and partners.

While APIs are an essential component of seamless data sharing, they also introduce a new attack surface for organizations already struggling to keep their data secure. Major data leaks like last year’s Peloton and Experian incidents show how even large corporations with millions of customers can fall victim to a vulnerability as preventable as a leaky API. Gartner has forecast that APIs will become the most frequent attack vector this year.

As organizations and developers are eager to digitize their business and progress their transformation goals, they must make securing their APIs a top priority. Below are three essential steps for enterprises to take to avoid becoming the next victim of an API-related data breach:

  • Know the vulnerabilities impacting APIs.

Organizations and developers must understand the emerging API vulnerabilities that could place sensitive data at risk. Threat actors can abuse API flaws to steal personal data, sell it on the dark web or otherwise leverage it for their own gain. The Cambridge Analytica scandal is the canonical example: Facebook’s API exposed the raw data of over 87 million Facebook users, which the political consulting firm then exploited.

In 2019, the Open Web Application Security Project (OWASP) Foundation released its API Security Top 10 list, detailing the most common API vulnerabilities impacting organizations, with seven of these vulnerabilities correlated to authentication and authorization. Although the list is now two years old, organizations still face the same weaknesses today. For instance, security researchers disclosed a series of API vulnerabilities in Coursera’s platform, and broken object level authorization (BOLA) was the primary issue: an endpoint accepts an object identifier from the client and returns the object without confirming that the caller is entitled to it, so simply changing the identifier yields someone else’s data. OWASP ranks BOLA first on the list because attackers can exploit it trivially, and the Coursera findings show how far organizations still have to go to modernize their security postures accordingly.

  • Invest in cybersecurity controls.

As data sharing through APIs grows exponentially, organizations must ensure that every entity, including users, services and the APIs themselves, is continuously identified and authorized. Traditional IAM solutions, however, were not designed for the identity-related API vulnerabilities OWASP highlights. Tools such as multi-factor authentication (MFA) establish only that a login is genuine; once an attacker holds a valid session, whether their own or a stolen one, an API that never checks which objects that identity may touch will hand over other users’ data on request. Enterprises therefore need fine-grained authorization with the intelligence to understand the specific conditions and parameters under which data can be shared. Modern authorization technologies and techniques verify both user and service identity while reducing the inconsistencies and errors associated with traditional IAM solutions. Security teams also need a zero-trust approach that determines the “who, what, where, when and why” of each transaction and defines each policy and user permission from that context.
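The two points above, the BOLA flaw and the fine-grained, context-aware decision that replaces a bare login check, side by side. This is an added example, not Cloudentity’s or any vendor’s code. The token claims, the record store and the per-client field policy are constructed for the demo, and validation of the token’s signature is assumed to have happened upstream.

```python
"""Object-level and contextual authorization for an API handler.

Added example, not Cloudentity's or any vendor's code. The token claims,
record store and per-client field policy below are constructed for the demo;
token signature validation is assumed to have happened upstream.
"""
from dataclasses import dataclass
from typing import Dict, Set


@dataclass(frozen=True)
class Token:
    """Claims from an already-validated access token (constructed)."""
    sub: str            # authenticated user
    client_id: str      # application the token was issued to
    scopes: Set[str]    # what the token may do
    exp: int            # expiry, seconds since the epoch


@dataclass(frozen=True)
class Record:
    id: str
    owner: str
    data: Dict[str, str]


class Forbidden(Exception):
    """Authenticated caller is not allowed this object or action."""


class NotFound(Exception):
    """No such object."""


# Constructed sample store: two users, one record each.
RECORDS = {
    "r-100": Record("r-100", "alice", {"email": "alice@example.test", "ssn": "000-00-0001"}),
    "r-200": Record("r-200", "bob", {"email": "bob@example.test", "ssn": "000-00-0002"}),
}

# Constructed policy: fields each registered client application may receive.
# The first-party app gets everything ("*"); a partner integration only gets
# the fields the user agreed to share with it.
CLIENT_FIELDS = {"mobile-app": {"*"}, "partner-app": {"email"}}


def get_record_vulnerable(token: Token, record_id: str) -> Dict[str, str]:
    """BOLA (OWASP API1:2019): the caller is authenticated, but the record id
    comes straight from the request and nothing checks that token.sub owns it.
    Bob can read Alice's record just by changing "r-200" to "r-100"."""
    rec = RECORDS.get(record_id)
    if rec is None:
        raise NotFound(record_id)
    return dict(rec.data)


def authorize(token: Token, action: str, rec: Record, now: int) -> Set[str]:
    """Fine-grained decision: return the fields the caller may see, else raise.
    Each check answers one of when / who / what / which client."""
    if token.exp <= now:                                # when: token still valid?
        raise Forbidden("token expired")
    if rec.owner != token.sub:                          # who: object-level check that fixes BOLA
        raise Forbidden("caller does not own this object")
    if f"records:{action}" not in token.scopes:         # what: scope must cover the action
        raise Forbidden(f"scope does not permit {action}")
    allowed = CLIENT_FIELDS.get(token.client_id)        # which client: unregistered gets nothing
    if allowed is None:
        raise Forbidden("unregistered client")
    return set(rec.data) if "*" in allowed else allowed & set(rec.data)


def get_record_hardened(token: Token, record_id: str, now: int) -> Dict[str, str]:
    """Same endpoint with the decision applied per object and per field."""
    rec = RECORDS.get(record_id)
    if rec is None:
        raise NotFound(record_id)
    fields = authorize(token, "read", rec, now)
    return {k: v for k, v in rec.data.items() if k in fields}


if __name__ == "__main__":
    now = 1_700_000_000
    bob = Token("bob", "mobile-app", {"records:read"}, now + 3600)
    print("vulnerable:", get_record_vulnerable(bob, "r-100"))   # Alice's data leaks
    try:
        get_record_hardened(bob, "r-100", now)
    except Forbidden as e:
        print("hardened:", e)
```

One production caveat: the hardened handler returns a 404 for unknown ids and a 403 for objects the caller does not own, which lets an attacker confirm which identifiers exist. Many teams deliberately collapse both into the same 404 so the ownership check does not double as an enumeration oracle.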

  • Follow API best practices.

API security has become the foundation of any API management strategy, and it’s essential for enterprises that want to safely extend data to customers, partners and other third parties. Organizations and developers must work together to make their APIs discoverable, so the company knows where it is sharing information and with whom. That visibility also shows how sensitive data travels between services, data sources, partners and customers.

Shadow APIs, those that are unknown and undocumented, usually arise when security teams are not aligned with developers. Undisclosed APIs pose a significant risk, since IT teams can’t protect what they can’t see. To prevent shadow APIs, organizations must keep an inventory of every API in the IT ecosystem by continuously monitoring traffic and reviewing every new deployment. If an API is no longer valid or in use, the security team must shut it down immediately. Additionally, while developers help enterprises improve the customer experience and bring products to market fast, they are not security experts. Enterprises must invest in security personnel who can supply the knowledge and expertise required to address security issues as they arise.
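The discovery and inventory practice described in the two paragraphs above, reduced to a check a security team can actually run: compare the routes an API’s OpenAPI document declares against what the gateway access log shows being called, flag the undocumented (shadow) endpoints, and flag documented routes with no traffic as candidates for decommissioning. This is an added example, not the column’s or any vendor’s tooling; the documented route set and the log lines are constructed for the demo.

```python
"""Shadow-API and dead-route audit from gateway access logs.

Added example, not the column's or any vendor's tooling. The documented route
set (as it would be read from an OpenAPI file) and the access log lines are
constructed for the demo.
"""
import re
from collections import Counter
from typing import Dict, Iterable, Optional, Set, Tuple

Route = Tuple[str, str]  # (HTTP method, path template)

# Constructed: routes the API's OpenAPI document declares.
DOCUMENTED: Set[Route] = {
    ("GET", "/v1/users/{id}"),
    ("GET", "/v1/users/{id}/orders"),
    ("POST", "/v1/orders"),
    ("DELETE", "/v1/orders/{id}"),
}

# Constructed gateway access log (common log format).
ACCESS_LOG = """\
10.0.0.5 - - [12/Jan/2022:10:01:02 +0000] "GET /v1/users/123 HTTP/1.1" 200 512
10.0.0.5 - - [12/Jan/2022:10:01:03 +0000] "GET /v1/users/123/orders?page=2 HTTP/1.1" 200 2048
10.0.0.9 - - [12/Jan/2022:10:02:10 +0000] "POST /v1/orders HTTP/1.1" 201 128
10.0.0.9 - - [12/Jan/2022:10:02:11 +0000] "GET /v1/users/123/export HTTP/1.1" 200 65536
10.0.0.9 - - [12/Jan/2022:10:02:12 +0000] "GET /v1/users/124/export HTTP/1.1" 200 65536
10.0.0.7 - - [12/Jan/2022:10:03:00 +0000] "GET /internal/debug/config HTTP/1.1" 200 4096
10.0.0.7 - - [12/Jan/2022:10:03:01 +0000] "GET /v0/users/123 HTTP/1.1" 200 512
"""

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# A path segment that is purely numeric or a UUID is treated as an identifier.
ID_SEGMENT = re.compile(
    r"/(?:\d+|[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})(?=/|$)"
)


def template_to_regex(template: str) -> "re.Pattern[str]":
    """Turn an OpenAPI path template into a regex; {id} matches exactly one segment."""
    parts = re.split(r"(\{[^}]+\})", template)
    body = "".join(r"[^/]+" if p.startswith("{") else re.escape(p) for p in parts)
    return re.compile(f"^{body}$")


def match_documented(method: str, path: str, documented: Iterable[Route]) -> Optional[Route]:
    """Return the documented route a request matches, or None if it is undocumented."""
    for route in documented:
        if route[0] == method and template_to_regex(route[1]).match(path):
            return route
    return None


def normalize(path: str) -> str:
    """Collapse numeric / UUID segments to {id} so hits on one endpoint group together."""
    return ID_SEGMENT.sub("/{id}", path)


def audit(log_text: str, documented: Set[Route]) -> Tuple[Dict[Route, int], Set[Route]]:
    """Return (shadow routes with hit counts, documented routes that saw no traffic)."""
    shadow: Counter = Counter()
    seen: Set[Route] = set()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        method, path = m["method"], m["path"].split("?", 1)[0]   # drop the query string
        hit = match_documented(method, path, documented)
        if hit is None:
            shadow[(method, normalize(path))] += 1
        else:
            seen.add(hit)
    return dict(shadow), documented - seen


if __name__ == "__main__":
    shadow, unused = audit(ACCESS_LOG, DOCUMENTED)
    for route, n in sorted(shadow.items(), key=lambda kv: -kv[1]):
        print(f"undocumented {route[0]} {route[1]} ({n} hits)")
    for route in sorted(unused):
        print(f"no traffic   {route[0]} {route[1]}")
```

Run against the constructed log, this surfaces an export endpoint nobody documented, a debug endpoint that should never have been reachable from the gateway, and an old /v0 version still answering requests, plus a documented DELETE route with no traffic that is a candidate for retirement. On real data, the same comparison is worth running on a schedule, because the "no traffic" set is what tells you which APIs to shut down.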

APIs offer a multitude of business benefits, such as enhancing the customer experience, increasing productivity and automating many tasks that previously required human interaction. Almost every industry leverages APIs today, from financial services to social media. As the API economy explodes, companies will need a strong, well-defined API security posture to mitigate API vulnerabilities and prevent the financial and reputational damage associated with a data breach.

Jason Needham, chief executive officer, Cloudentity
