Securing the API Hunting Ground

Written by Shay Levi, Co-Founder and CTO, Noname Security

How APIs could swiftly turn into a negative rather than an enabler for those underestimating their underlying criticality to organisational security strategies and infrastructure.


APIs: the ‘horseshoe nails’ at the heart of modern business

Most of us are familiar with the old proverb “for want of a nail, the shoe was lost; for want of a shoe, the horse was lost; for want of a horse, the battle was lost…” and so on. The object lesson is that small and sometimes apparently unimportant objects or actions can have outsized impacts if they are not properly attended to.

So it is with Application Programming Interfaces, or APIs. They are the ‘horseshoe nails’ at the heart of modern business.

Today, APIs are the glue that enables digital transformation and other critical IT initiatives to thrive and be successful. As low-key and overlooked as they so often tend to be, APIs do an essential job of holding the commercial infrastructure together. Indeed, they have quietly become nothing less than vital to ongoing operations, which is to say they are indispensable to how almost all of us currently operate.


APIs enable our digital world

Take the eCommerce world of today. APIs give consumers convenient, digital-first ways of shopping. They enable retailers to transform their systems and processes quickly and efficiently, and merchants to provide offerings on digital platforms and enhance traditional brick-and-mortar engagements. In healthcare, APIs are not only transforming the way we access healthcare services but also providing essential efficiencies badly needed by cash-strapped healthcare providers.

Likewise, the manufacturing industry is acutely aware that the future of manufacturing is digital, where digital has become essential to solving complex production problems and improving business agility.

Overall, companies that embrace digital are seeing greater speed-to-market, reduced risk, increased margins, and enhanced market position. To achieve these benefits organisations must work more closely with their ecosystem of partners and suppliers to integrate, access and exchange data; it’s APIs that are making this digital vision a reality.

Put simply, APIs create exciting new experiences for customers, partners and other key stakeholders – they are now mission critical across almost every imaginable environment and industry.


Ensuring APIs aren’t compromised is a ‘must-have’ security requirement

For these reasons, if nothing else, ensuring that APIs are secure is especially important. But the downside of APIs is that now organisations are witnessing a wave of API-related security incidents resulting from leaky APIs, vulnerable system APIs, authorisation flaws and much more. In fact, APIs have quickly become one of the top attack vectors for cyber-criminality. And that makes their security a more critical consideration than ever before.

Other factors make it more critical still. One is that the respective aims and imperatives of most security and development teams are now often at odds. The rapidly steepening API threat curve is another.

With regard to the latter, a growing array of drivers is pushing up the use of APIs right across the enterprise – commercial needs, digital transformation, public cloud infrastructure, agile/continuous delivery, microservices, and evolving regulatory requirements, to name a few. This sharp upturn – exacerbated by employee and skills shortages, plateauing security capacity, and the rapidly widening API gap that has resulted – is expanding the available API attack surface in unprecedented fashion. In fact, Gartner has predicted that in 2022 API attacks would become the most frequent attack vector, causing data breaches for enterprise business applications.

And even though many enterprises are now focusing on API security, there are still significant security gaps. Dark Reading’s 2021 Secure Applications Survey highlights that 41% of respondents treat APIs the same as web applications, and only 23% have a dedicated process for evaluating API security.


Underestimating the importance of API security

The problem, however, is that many organisations still don’t realise quite what all this could mean for their businesses.

Yes, interest in API security is surging and it is being taken seriously by large organisations. However, despite this, if the findings of our recent survey of senior enterprise cybersecurity professionals across six key verticals are anything to go by, worrying levels of apathy and misconception appear to remain elsewhere.

For instance, while 76% of respondents admitted to having experienced API security incidents in the past 12 months, a massive 74% don’t have a full API inventory or know which APIs return sensitive data. A similarly large 71% of participants reported being confident in the API security provided by their CSPs – which seems at odds with the number of API security incidents respondents were reporting.

With three quarters of all respondents admitting to having experienced an API security incident, we thought it would be interesting to understand how often respondents undertake API security testing for signs of abuse. We found it alarming, considering the prolific number of incidents, that only 11% of our survey respondents admitted to undertaking testing in real time.


The API security disconnect

Indeed, these figures and many of the others in the survey show a contradictory picture indicating businesses are not comfortable with the realities of managing and securing their API estate. We found a disconnect between CISOs’ views around visibility into APIs and confidence around DAST and SAST tools as well as cloud and security providers, in comparison to the more operational AppSec teams, which points to a lack of communication and understanding.


For now, it’s clear that plenty of organisations need to revisit the measures that they have in place for ensuring their API estates don’t become happy hunting grounds for opportunistic cybercriminals aiming to hit the business via those fundamental “horseshoe nails” on which the rest of the organisation depends.

