The content of this post is solely the responsibility of the author. AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article.
Over the last few years, APIs have rapidly become a core strategic element for businesses that want to scale and succeed within their industries. In fact, according to recent research, 97% of enterprise leaders believe that successfully executing an API strategy is essential to ensuring their organization’s growth and revenue. This shift has led to a massive proliferation in APIs, with businesses relying on hundreds or even thousands of APIs to provide their technology offerings, enhance their products, and leverage data from various sources.
However, with this growth, businesses have opened the door to increased risk. In 2021, Gartner predicted that APIs would become the top attack vector. Now, two years and a number of notable breaches via APIs later, it’s hard (or rather, impossible) to dispute this.
The security trends shaping the API landscape
One of the biggest risk factors when it comes to APIs is that they are notoriously hard to secure. The API ecosystem is constantly evolving, with enterprises producing huge numbers of APIs at a pace that outstrips the maturity of network and application security tools. Many new APIs are created on emerging platforms and architectures and hosted across various cloud environments. This leaves traditional security measures like web application firewalls and API gateways ineffective, as they cannot meet the unique security requirements of APIs.
For bad actors, the lack of available security measures for APIs means that they are easier to compromise than other technologies that rely on traditional (and secure) architectures and environments. Given that so many businesses have invested heavily in their API ecosystem and made APIs so core to their operations, an attack on an API can be quite impactful. If a cybercriminal gains access to an API that handles sensitive data, they can cause considerable financial and reputational damage.
At the same time, many businesses have limited visibility into their API inventory. This means there could be numerous unmanaged and “invisible” APIs within a company’s environment, and these make it increasingly difficult for security teams to understand the full scope of the attack surface, see where sensitive data is exposed, and properly align protections to prevent misuse and attacks.
In light of these trends, it is no surprise that Salt Security recently reported a 400% increase in API attacks in the few months leading up to December 2022. Unfortunately, ensuring that APIs are secured with authentication mechanisms is not enough to deter bad actors: the same data shows that 78% of these attacks came from seemingly legitimate users who had nonetheless passed authentication before acting maliciously.
At a more granular level, 94% of the report’s respondents had a security issue with their production APIs in the last year. A significant 41% cited vulnerabilities, and 40% noted that they had authentication problems. In addition, 31% experienced sensitive data exposure or a privacy incident — and with the average cost of a data breach currently at $4.45 million, this poses a significant financial risk. Relatedly, 17% of respondents experienced a security breach via one of their APIs.
API security is lagging behind
While API security is becoming a must-have for leadership teams — Salt’s report indicated that at least 48% of C-suite teams are talking about it — there’s still a long way to go before it becomes a priority for everyone. Security teams still face a number of concerns when it comes to API security, including outdated or zombie APIs, documentation challenges (which are common given the constant rate of change APIs experience), data exfiltration, and account takeover or misuse.
The truth is, most API security strategies remain in their infancy. Only 12% of Salt Security’s respondents were able to say that they have advanced security strategies in place, including API testing and runtime protection. Meanwhile, 30% admitted to having no current API strategy, even though they have APIs running in production.
Next steps with API security
With reliance on APIs at an all-time high and critical business outcomes depending on them, it is all the more imperative that organizations build and implement a strong API security strategy. This strategy should include steps for robust and up-to-date documentation, clear visibility into the entire API inventory, secure API design and development, and security testing that accounts for business logic gaps. For APIs in production, there should be continuous monitoring and logging, mediation tools like API gateways to improve visibility and security, the ability to identify and log API drift, and runtime protection, to name a few.
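One defensive building block for the inventory-visibility and drift-detection steps described above, written here as an added example rather than code from the original post or from any vendor named in it: it compares a documented OpenAPI-style route list against observed access-log traffic, reporting calls to routes the documentation does not know about (drift and shadow APIs) and documented routes that receive no traffic (zombie-API candidates). The spec paths and log lines are constructed for illustration.

```python
import re
from collections import Counter
# Constructed OpenAPI-style inventory (hypothetical paths): what the documentation says exists.
DOCUMENTED_SPEC = {
    "/v1/users/{id}": {"GET", "PATCH"},
    "/v1/orders": {"GET", "POST"},
    "/v1/orders/{id}": {"GET"},
    "/v1/reports/export": {"GET"},  # documented but never called below: zombie candidate
}
# Constructed access-log lines in common-log style; hosts and paths are made up.
SAMPLE_LOGS = """\
10.0.0.5 - - [12/Jun/2023:10:01:02 +0000] "GET /v1/users/42 HTTP/1.1" 200 512
10.0.0.6 - - [12/Jun/2023:10:01:05 +0000] "PATCH /v1/users/42 HTTP/1.1" 200 88
10.0.0.7 - - [12/Jun/2023:10:01:09 +0000] "GET /v1/orders?page=2 HTTP/1.1" 200 2048
10.0.0.7 - - [12/Jun/2023:10:01:11 +0000] "DELETE /v1/orders/17 HTTP/1.1" 204 0
10.0.0.9 - - [12/Jun/2023:10:02:30 +0000] "GET /v0/legacy/users/42 HTTP/1.1" 200 640
10.0.0.9 - - [12/Jun/2023:10:02:31 +0000] "POST /internal/debug/dump HTTP/1.1" 200 9000
"""
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/')

def template_to_regex(template):
    # Turn "/v1/users/{id}" into a regex; each {placeholder} matches exactly one path segment.
    parts = ["[^/]+" if seg.startswith("{") and seg.endswith("}") else re.escape(seg)
             for seg in template.split("/")]
    return re.compile("^" + "/".join(parts) + "$")

def match_documented(method, path, spec=DOCUMENTED_SPEC):
    # Return the spec template covering this call, or None if method+route is undocumented.
    path = path.split("?", 1)[0]  # compare the route only, not the query string
    for template, methods in spec.items():
        if method in methods and template_to_regex(template).match(path):
            return template
    return None

def audit_inventory(log_text, spec=DOCUMENTED_SPEC):
    # Returns (Counter of undocumented (method, route) calls, set of unused (method, template)).
    undocumented, seen = Counter(), set()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # skip lines that are not request records
        method, path = m.group("method"), m.group("path")
        template = match_documented(method, path, spec)
        if template is None:
            undocumented[(method, path.split("?", 1)[0])] += 1
        else:
            seen.add((method, template))
    unused = {(meth, tmpl) for tmpl, meths in spec.items() for meth in meths} - seen
    return undocumented, unused
```

Run against the sample, the audit flags the undocumented DELETE on an order, a legacy /v0 route, and an internal debug endpoint as drift, and lists the export report and order creation as documented routes that saw no traffic.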
As businesses continue to leverage the power of APIs, it is their responsibility to adopt and deploy a strong API security strategy. Only then will companies be able to reduce the threat potential of APIs and counter Gartner’s prediction.