
Eric Schwake at Salt Security explains how to secure your digital backbone
The significance of Application Programming Interfaces (APIs) to our modern technology stacks is often understated.
APIs power an organisation’s digital operations, essentially working as a backbone to many websites and apps used globally. APIs facilitate seamless connections between customers and vital data and services, and sensitive data passes through them. It is no wonder that cyber-criminals are exploiting them with increasing ferocity.
Worryingly, recent research found that almost all (95%) of respondents experienced security problems in production APIs within the past 12 months, with 23% suffering breaches due to API security inadequacies. So, why are API attacks on the rise? And what can organisations do about them?
API incidents are increasingly cropping up in the media, with globally recognised brands feeling the brunt of rising attacks. Earlier this year, for example, Dell suffered a breach resulting in 49 million stolen customer records. The attackers used a business logic flaw and an API to scrape records.
The impact of these sorts of attacks can be devastating and widely felt, often resulting in a loss of data, reputational damage, and financial losses.
What’s more, the wide (and fast) adoption of new technology introduces another layer of complexity when it comes to API security.
Generative AI (GenAI), for example, creates both a solution and a problem for developers: new APIs can be created, at scale, within minutes. Whilst this is great for productivity, the rapid creation of new APIs also poses a significant security risk. With an organisation’s API ecosystem growing exponentially, security teams, as well as traditional protective solutions (like API gateways and web application firewalls, WAFs), are ill-equipped to keep up with a constantly changing API landscape.
From a developer perspective, these GenAI-created APIs can be, among other things, buggy and insecure. For cyber-criminals, generative AI also provides a handy leg up. GenAI gives malicious actors a means to launch attack campaigns in higher volumes. It also helps them to create new and novel AI-based attacks that can evade existing security controls.
With all the stats and research pointing to a rapid proliferation of API attacks, one thing is clear: traditional tools just can’t cut it when it comes to solving modern API problems. Traditional API security controls and mechanisms are, evidently, no match for API security at scale, given the complexity and varying use cases of these attacks.
Additionally, each attack has unique behavioural attributes that need thorough exploration to prevent similar attacks elsewhere.
Security teams are also having to deal with the management of more APIs generally. The Salt Security State of API Security 2024 report found that nearly two-thirds (66%) of security professionals are managing more than 100 APIs. This makes it hard to monitor and protect APIs safely and thoroughly while remaining compliant.
Despite widespread recognition of API security as a critical issue at the C-suite level, with nearly half of organisations acknowledging its importance, the research revealed a significant gap in the maturity of API security programmes. Fewer than 10% of organisations have achieved an advanced level of API security, and over a third lack a formal security strategy for their production APIs.
While the escalating threat landscape has prompted many organisations to invest in API security solutions, a strategic approach is often overlooked. Yet, a comprehensive strategy is essential to protect APIs throughout their lifecycle.
When considering a comprehensive API security strategy, security leaders must start by conducting deep discovery to find all APIs within the ecosystem. After that, API discovery should happen continuously. This makes it easier to manage the proliferation of APIs, as well as the associated risk.
Knowing how many APIs an organisation has means that a thorough API security posture governance programme can be put in place. This programme must span the entire lifecycle of an API, from its initial design to deployment.
API posture governance programmes help organisations gain deep understanding and insight into their API landscape, along with asset intelligence. This intelligence can then be leveraged to eliminate any blind spots, but also to establish company-wide security standards and regulations across the entire API ecosystem.
Additionally, posture governance measures are important for compliance reasons. Once an organisation understands its regulatory obligations, tooling can help detect and manage any APIs that are non-compliant.
Posture governance also provides organisations with a foundation for effective threat protection. Unlike traditional methods of attack, API threats often exploit business logic vulnerabilities rather than known signatures. Detecting these anomalies requires advanced behavioural analysis, which demands substantial data processing and computational resources.
Once a strong posture governance programme is put in place, security teams can proactively identify and mitigate potential risks, ensuring the necessary context for decision making is provided. This is important for ensuring that APIs adhere to established standards and best practices throughout their lifecycle.
By continuously monitoring API configurations and identifying vulnerabilities, organisations can significantly reduce their attack surface and mitigate the risk of security breaches.
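As an added illustration of the behavioural analysis described above (this is example code, not Salt Security's product logic), the detector below reads constructed API access-log lines and flags a client that walks through consecutive record IDs on one endpoint, the access pattern behind the kind of record scraping described earlier. The log format, thresholds and client names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed log format (assumption): "<ISO-8601 ts> <client_id> <method> <path> <status>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
ID_RE = re.compile(r"/(\d+)(?=/|$)")  # numeric record id as a path segment

def parse_line(line):
    """Parse one log line; None if malformed or the path carries no numeric record id."""
    m = LINE_RE.match(line.strip())
    ids = ID_RE.findall(m.group(4)) if m else []
    if not ids:
        return None
    ts, client, method, path, _status = m.groups()
    template = ID_RE.sub("/{id}", path)  # /api/v1/customers/5003 -> /api/v1/customers/{id}
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "client": client, "endpoint": f"{method} {template}", "rid": int(ids[-1])}

def detect_scrapers(lines, window_s=60, min_distinct=20, min_seq_ratio=0.8):
    """Flag (client, endpoint) pairs touching >= min_distinct distinct ids, mostly
    consecutive, inside any window_s-second window: enumeration, not ordinary use."""
    groups = defaultdict(list)
    for ev in filter(None, map(parse_line, lines)):
        groups[(ev["client"], ev["endpoint"])].append(ev)
    alerts = []
    for (client, endpoint), evs in groups.items():
        evs.sort(key=lambda e: e["ts"])
        best, start = None, 0
        for end in range(len(evs)):  # sliding time window over this client's requests
            while evs[end]["ts"] - evs[start]["ts"] > timedelta(seconds=window_s):
                start += 1
            ids = sorted({e["rid"] for e in evs[start:end + 1]})
            if len(ids) < min_distinct:
                continue
            seq = sum(b - a == 1 for a, b in zip(ids, ids[1:])) / (len(ids) - 1)
            if seq >= min_seq_ratio and (best is None or len(ids) > best["distinct_ids"]):
                best = {"client": client, "endpoint": endpoint,
                        "distinct_ids": len(ids), "sequential_ratio": round(seq, 2)}
        if best:
            alerts.append(best)  # report the widest qualifying window per client/endpoint
    return alerts

def constructed_sample():
    """Constructed log: one client walks ids 5000..5039 in 40 s; one normal client."""
    base = datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc)
    stamp = lambda s: (base + timedelta(seconds=s)).strftime("%Y-%m-%dT%H:%M:%SZ")
    lines = [f"{stamp(i)} partner-x GET /api/v1/customers/{5000 + i} 200" for i in range(40)]
    lines += [f"{stamp(10 * i)} mobile-app GET /api/v1/customers/{rid} 200"
              for i, rid in enumerate((5003, 7781, 5003, 6120))]
    lines.append("malformed line that should be skipped")
    return lines
```

Running `detect_scrapers(constructed_sample())` reports only `partner-x`, because the normal client touches few, unrelated IDs; raising `min_distinct` or lowering the window tunes sensitivity for a given API's legitimate traffic.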
As with most areas of cyber-security, proactivity is key. Putting in place robust strategies before deployment (or incident) is essential for mitigating the risk of insecure or poorly configured APIs, especially as the use of GenAI in API creation becomes more commonplace.
While implementing tools that discover and manage an organisation’s APIs, as well as detect malicious actors and behavioural anomalies, is important, it must also be paired with ongoing posture governance programmes that improve overall API security posture.
A holistic API security programme that incorporates both security and governance is key for keeping cyber-criminals out of an organisation’s network and for creating a stronger, more compliant API ecosystem.
Eric Schwake is director of cybersecurity strategy at Salt Security
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543