Digital transformation delivers competitive advantages, increases business efficiencies and offers new avenues for growth. The APIs that foster digital transformation introduce a new attack surface and a high-risk point of potential data exposure.
APIs have been built specifically for services that share critical data with customers, partners, and employees, and the usage of APIs has grown exponentially with digitalization. In its 2021 State of the API Report, Postman found that more half of developers deploy new APIs to production once-per-day, once- per-week, or once-per-month.
Because APIs foster new and transformative mobile and online services, this growth isn’t surprising. However, APIs also facilitate connectivity for the usage of highly-sensitive data, such as personally identifiable information (PII), financial data, and medical records. Because APIs hold the key to this treasure trove of data, they’ve become an attractive target for attackers.
As a result, API security has become an essential component of an organization’s security technology stack. Building team expertise in API security has been identified as one of the top focus areas for CISOs on the CISO MindMap 2022.
Many enterprise companies, including Parler, Experian, Facebook, and Peloton, have already experienced API breaches. API attacks can decrease customer trust, cause loss of revenue, and irrevocably damage a company’s reputation. In the case of crypto exchange platform Coinbase, had an API vulnerability not been detected, it could have bankrupted the business. Despite these risks, APIs remain poorly protected today. According to our latest research, more than one-third of organizations lack any API security strategy.
API attacks operate based on a string of related events, but traditional solutions, such as web application firewalls (WAFs), only view transactions one at a time. They’re built for “known” paths, whereas APIs are unique and require the detection of slower reconnaissance activities. To identify and defend against threats, security leaders must have the ability to see all activities.
Moreover, even using APIs as they were designed for can result in exploitation. Excessive data exposure, as outlined in the OWASP API Security Top 10, can also unwittingly deliver access to more data than actually required for a specific request. In the examples of Experian and Peloton, the APIs were targeted for data exfiltration simply by using them as designed in response to legitimate queries.
Three principles of API security
With a rapid development cadence, the API attack surface has been constantly growing. To effectively protect this evolving landscape, CISOs require an API solution that can deliver the following three capabilities:
- Complete visibility into API traffic: Systems, applications, and APIs and the data they interact with span multiple environments. If the security team doesn’t have visibility into all of its APIs and which may expose sensitive data, it can’t protect them. With an accurate baseline inventory of their APIs that’s easily dynamically updated, CISOs can eliminate blind spots.
- Continuous and dynamic analysis in runtime: Because APIs are not just straight code where security teams can look for code flaws in development and testing, but instead instantiations of business logic, the teams need to see its APIs in action to spot flaws in that logic. Seeing patterns in runtime as APIs are exercised offers the most context when it comes to API security to identify malicious activity.
- Remediation insights for proactive security: Remediation insights, including runtime learnings, help bring API security findings back into developer training and development to give them the broadest insights for hardening their APIs. With remediation details, the team supports shift-left practices to get ongoing value for its APIs – which lets the team identify risks before they become exploited. These insights help developers write better APIs, even as they continue to build new ones.
Automation, big data, and intelligence
API attacks take place over days, weeks or months, as bad actors painstakingly investigate how APIs work to find business logic flaws. API security solutions need the ability to process large amounts of data over a long time to develop the context needed to distinguish attack traffic from normal traffic. Security teams can’t get this level of rich context with on-premises, VM-based solutions. Only cloud-scale big data, combined with artificial intelligence (AI) and machine learning (ML), can track millions of users in parallel over days, weeks, or months.
At a time when cybersecurity has become the crucial issue, APIs have become the weakest link in IT systems. Without API security, CISOs cannot maximize the value of digital and IT modernization initiatives. Even worse, API weaknesses place potential business profits at risk. CISOs need to stay threat-aware, business-aligned, and proactive. By implementing a dedicated API security program, CISOs can help the organization accelerate digital innovation, build a more security-centric culture, and generate business growth.
Yaniv Balmas, vice president of research, Salt Security