Three reasons why your API security is failing
By Michael Isbitski
APIs have come a long way. Gone are the days of limited use; in fact, recent data has shown that over a quarter of businesses have doubled API usage in the past year, with 5% saying they have more than tripled their APIs. This increase amplifies the risk of attacks, which, according to the same study, have risen nearly 700% in the same period. Modern APIs expose more sensitive data than ever, making them a valuable target.
Insufficient awareness
Organisations lacking sufficient awareness of, and visibility into, their attack surface will struggle to accept the risk that APIs pose. When it comes to recognising the security threat that APIs present in their environment, most organisations hold one or more of these common misconceptions:
- “We know all our APIs” – Most organisations today use APIs in some capacity, including APIs powering customer-facing applications; APIs consumed or provided within a partner ecosystem; and APIs running in cloud or microservice environments. It’s not uncommon for organisations to be unaware of some or all of these APIs. The gaps in inventory that this represents prevent security teams from understanding the real exposure and risk of an API.
- “APIs are protected by the firewall” – APIs are often taken out from behind the firewall and exposed by developers. Reasons may include testing, enabling third-party developer access, or partner demonstrations. If security teams aren’t made aware of these exposures, they can present a major threat.
- “Our APIs don’t carry much traffic” – Even low-traffic APIs are a valuable target. Many low-traffic APIs are a critical part of a business, meaning that they’re likely exposing sensitive data.
- “APIs aren’t important” – APIs provide a pathway to a range of high value services and sensitive data. Gartner predicted that “by 2022, API abuses will move from an infrequent to the most-frequent attack vector, resulting in data breaches for enterprise web applications.” In fact, Gartner re-evaluated this statement in 2021 to say it had already happened.
- “Our APIs aren’t worth attacking” – Even small organisations with little-known APIs are at risk, because they typically lack the sophisticated security tactics of larger companies.
- “APIs are hard to attack” – It is often wrongly assumed that APIs benefit from security through obscurity. APIs inherently expose application logic and, compared to traditional web applications, expose a huge amount of data. Attackers can probe APIs with the same tools developers use, applying subtle methods to map the API, understand its logic, and look for vulnerabilities.
Dependence on dev teams to address security
Many organisations have adopted DevOps practices, realising efficiencies in the development cycle. It’s natural that they would want to remove similar barriers with security. In the recent Salt Labs State of API Security report, 40% of respondents said developers or DevOps teams hold primary responsibility for securing APIs, yet 95% of respondents experienced an API security incident in the past year, highlighting that the burden cannot fall solely on developers’ shoulders.
Developers make applications work, but attackers make them perform in unintended ways. It’s difficult for developers to shift into an attacker’s mindset. Despite the methods available to identify potential vulnerabilities, it’s rare that all aspects of the code are tested.
Furthermore, because it is so difficult to keep up with today’s ultra-fast pace of code delivery, developers typically test only primary apps or specific areas of functionality. Most scanning tools depend on best practices and signatures to identify vulnerabilities, yet these approaches are ineffective at identifying unique business-logic vulnerabilities.
