PeakSpan’s API Security Outlook
State of Play. In today’s digital landscape, Application Programming Interfaces (APIs) play an instrumental role in driving seamless interactions between various applications and services that are essential to facilitating modern customer experiences. Whether in banking, healthcare, retail, transportation, IoT, or even smart cities, APIs are the lifeblood of the app-driven world that we live in. However, their rapid proliferation throughout internal and external-facing business operations and increasingly critical role in providing access to information has also made them an attractive target for malicious actors seeking to exploit vulnerabilities and gain unauthorized access to sensitive data.
Recent reports show that US companies lost anywhere from $12–23B from API data breaches in 2022. 2023 is on track to be a record year, with disclosures of API breaches in the first two months alone having a potential impact of 49 million records. Given the growing volume of API attacks and severity of recent data breaches (e.g., TMobile, Microsoft, Optus), it’s no surprise that API security has become a point of discussion amongst C-Suite at large enterprises. Recent industry surveys have found that a majority of enterprises still have nascent API security practices, with nearly 50% lacking confidence that they can detect the malicious use of their APIs and 74% of cybersecurity professionals reporting that they do not have a complete API inventory or know which APIs return sensitive data.
At the heart of the issue lies several key factors:
Nascent Infrastructure: Security teams don’t have processes/tools in place to identify and classify all of their APIs at scale, let alone remediate vulnerabilities — making it extremely difficult to discover Zombie/Shadow APIs, maintain an updated API inventory, and understand who can access those APIs
Disjointed Approach: API security falls into two groups (that often struggle to collaborate) — engineering teams, who lack security skills, and security teams, who lack API skills — organizations need to take on a holistic DevSecOps framework throughout their APIsecurity efforts
Legacy Solutions: WAF and API Gateways are insufficient — organizations must leverage specialized API security tools to proactively identify and protect against vulnerabilities throughout the entire API lifecycle
Managing an Active Inventory. The accessibility and ubiquity that makes APIs the cornerstone of modern applications has given rise to a major challenge: managing API sprawl. Many companies grapple with an API landscape that has grown so vast and intricate across internal, partner facing, and customer-facing functions that they struggle to understand how many APIs they are using, who has access, and what data flows through those APIs. Recent high-profile breaches have showcased just how devastating the consequences can be — in the case of the Optus Breach, an unaccounted-for, publicly exposed, and unprotected API granted hackers access to sensitive data associated with 9.7M current and former customers. Because the API was public-facing and lacked authentication protocols, it was accessible by anyone on the internet — allowing criminals to walk in the front door and take what they want, which is not an isolated case, as most enterprises still don’t have a complete API inventory or know whether certain APIs return sensitive data.
APIs are so deeply ingrained in the digital ecosystem that their true extent often eludes even the most diligent organizations (e.g. Microsoft). Unraveling the tangle of Shadow APIs, Orphaned APIs, and Zombie APIs hidden in legacy systems is akin to navigating a maze. According to a recent Salt Security industry survey, the latter (Zombie APIs) was their customers’ most common API security concern over the last year. These dormant APIs, forgotten and abandoned, present a lurking threat. With no oversight or security measures, they provide an open avenue for attackers to exploit vulnerabilities.
In many cases, the leading factor resulting in exploitations is that organizations can’t protect what they can’t see. As such, taking measures to create a comprehensive inventory and gain visibility into the entire API ecosystem is the first step toward implementing an effective API security strategy.
We are big believers that automated API discovery and classification will be table stakes for organizations moving forward, especially as the API landscape grows increasingly vast and complex and it becomes impossible for security teams to keep up manually. We also expect that API security vendors will be able to differentiate themselves through the ability to go beyond discovery and drive greater orchestration — e.g., provide granular API taxonomies that not only map the full API inventory but also proactively identify which APIs are at greatest risk (based on data sensitivity and other measures) and need to be prioritized.
Taking on a Proactive Approach. The Open Web Application Security Project (OWASP) is the leading authority on API security. Their API Security Top 10 2023 list details the most critical concerns plaguing API implementations today. Broken object-level authorization, flawed authentication mechanisms, and inadequate rate-limiting mechanisms have emerged as the leading vulnerabilities in 2023. As such, it’s worth assessing the strengths and weaknesses of traditional API security practices.
Most organizations today use API Gateways and Web Application Firewalls (WAFs) to fend off API attacks. However, this approach falls short against more sophisticated and modern threats. In the case of WAFS — today’s complex cloud-native environments often feature endpoints that fall outside of the WAFs — rendering the organization vulnerable to attack. On the other hand, API gateways lack visibility into each API’s full schema and can’t classify the data that flows through them, leaving organizations blind to potential risks. Moreover, gateways miss east-west API traffic, thereby hindering the ability to detect data exfiltration and leaving open vulnerabilities prime for code injections and man-in-the-middle attacks.
True security demands a shift away from relying solely on WAFs and API gateways — organizations need continuous monitoring and full API schema visibility to know what data the API has access to and be able to detect compromised access points. Further, they need solutions that protect both public-facing and backend APIs, and work across legacy, hybrid, and cloud native environments. We firmly believe that purpose-built API security platforms will be increasingly impactful over the years to come as cybercriminals look to exploit gaps in visibility and launch sophisticated attacks.
Additionally, the zero-trust concept emerges as a pivotal strategy. Acknowledging the vulnerability of unauthenticated public-facing APIs to malicious attacks, the zero trust approach advocates for stringent authentication and authorization mechanisms for every API. This paradigm shift is going to be particularly critical in data-rich ecosystems where safeguarding customer information takes precedence — the transition towards a zero-trust architecture is no longer a choice, but a requisite response to evolving cyber threats. By integrating access control frameworks like OAuth2 with authentication techniques such as usernames, passwords, and API keys, organizations can establish robust access protocols, ensuring minimal privileges and elevated security in the intricate landscape of data interactions.
The Escalating Threat Landscape. The intensifying threat landscape is a wake-up call for businesses. According to the Salt Labs State of API Security Report for Q1 2023, 94% of organizations encountered security problems in production APIs over the past year, nearly 80% of attacks occurred through authenticated APIs, and there was a 400% increase in unique attackers over the trailing six months.
Conclusion. API security has become a major business imperative. Evidenced by a significant increase in application rollout delays over the past year due to security issues identified in APIs (Salt State of API Security Report, 2023), the associated financial fallout / regulatory repercussions of data breaches has grown to become a massive concern for enterprises. The cost of such breaches is not limited to financial implications associated with remediation efforts and business interruptions; it extends to diminished customer trust, and erosion of reputation which can prove harder to reconcile over the long-term than a fine. In 2022, the average cost of a data breach in the United States reached a staggering $9.44 million. It’s a stark reminder that the cost of inaction or inadequate security measures far outweighs the investment in robust cybersecurity. By prioritizing security, adopting best practices, and fostering a culture of vigilance, organizations can navigate the intricate API security landscape while safeguarding their data, reputation, and digital innovation.
Sources: Gartner, CIO, Cloudflare, The Verge, Dark Reading, Forbes, NPR, TechnologyMagazine, Marsh McLellan, Salt Security, Noname, Protocol, Securiti, Imperva.