AI and APIs: Securing the future against emerging threats

By Chuck Herrin

From enhancing decision-making and automating routine tasks to personalising customer experiences, AI is already reshaping business operations. The numbers reflect this shift in Asia-Pacific (APAC), with the AI market projected to reach US$66 billion by 2024, growing at a compound annual growth rate (CAGR) of 28.6% between now and 2030.

AI’s rise is built on a constellation of APIs, each ‘speaking’ to one another to power the global digital architecture. Nearly every organisation we interact with daily relies on APIs to drive its business. APIs now account for a significant portion of global web traffic, with the number of public APIs growing rapidly over the past decade. In many ways, the world of AI is the world of APIs — they are two sides of the same coin.

These trajectories will only climb further. APAC companies are already setting aside up to 16% of their budgets to implement AI in 2025, according to the recent 2024 Strategic Insights: API Security in APAC report. As AI adoption increases, so too will the number of APIs.

However, this exponential growth comes with a caveat. In the first quarter of 2024, over 80% of total mitigated cyberattacks targeted APIs. Low-skilled attackers are ‘levelling up’ using generative AI and other increasingly sophisticated methods to exploit API vulnerabilities. Without clear visibility of APIs, strong bot defences and signals intelligence to discern malicious bots from legitimate AI agents, and a solid understanding of how overall architecture drives the attack surface, securing AI models that use APIs becomes nearly impossible.

So how do we increase API visibility and fortify API security measures in the age of AI?

An ecosystem under siege: A new age of API security challenges

If an application were a building, APIs would be the doors that allow you to enter, exit, and conduct business. The more doors you install, the more security you need to guard them — and the same applies to API security.

The proliferation of APIs not only complicates security efforts but also increases the number of potential entry points for attackers. Without proper governance and inventory, many organisations lack visibility regarding where and how their APIs are deployed. Like a building with many entryways but no map to indicate their locations, the lack of visibility leads to security blind spots that can be easily exploited.

For over 20 years, many organisations have used security tools and processes recommended by the Open Worldwide Application Security Project (OWASP) Top 10, a document highlighting the most critical security risks to web applications. However, many are unaware that new categories were added to the Top 10 only in the last five years.

The OWASP Top 10 for APIs, first published in 2019, highlights that legacy security tools and processes are no longer adequate for modern, API-first software development, nor for API-specific vulnerabilities such as broken object level authorisation (BOLA). While organisations are proficient at addressing vulnerabilities like SQL injection and cross-site scripting in web applications, API attacks require different strategies. Industry collaborators are publishing new standards and updated guidance for AI models, machine learning, and other facets of the expanding attack surface.
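BOLA is the kind of flaw a web application firewall cannot see, because the request is well-formed and the caller is authenticated; the only defect is that the handler trusts a client-supplied object ID. The following is an added example, not code from the article or from OWASP: a vulnerable invoice lookup beside a hardened one. The in-memory store, the `Principal` type and the `support` role are constructed assumptions for illustration.

```python
# Added example (not from the article): Broken Object Level Authorisation (BOLA)
# shown as a vulnerable handler beside a hardened one. The data store, Principal
# type and role names are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    user_id: int
    roles: frozenset = frozenset()


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int
    amount: float


# Constructed in-memory store: invoice 102 belongs to a different user.
INVOICES = {
    101: Invoice(101, owner_id=1, amount=120.0),
    102: Invoice(102, owner_id=2, amount=999.0),
}


class NotFound(Exception):
    pass


def get_invoice_vulnerable(caller: Principal, invoice_id: int) -> Invoice:
    """BOLA: the caller is authenticated, but the handler trusts the
    client-supplied ID and never checks who owns the object."""
    if invoice_id not in INVOICES:
        raise NotFound(invoice_id)
    return INVOICES[invoice_id]


def can_read(caller: Principal, invoice: Invoice) -> bool:
    """Object-level policy: the owner and support staff may read an invoice."""
    return invoice.owner_id == caller.user_id or "support" in caller.roles


def get_invoice_hardened(caller: Principal, invoice_id: int) -> Invoice:
    """Every object access passes through the policy. "Missing" and "forbidden"
    collapse to the same error so the API does not reveal which IDs exist."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None or not can_read(caller, invoice):
        raise NotFound(invoice_id)
    return invoice


def list_invoices_hardened(caller: Principal) -> list:
    """Collection endpoints need the same scoping as single-item lookups."""
    return [inv for inv in INVOICES.values() if can_read(caller, inv)]


def compare(caller: Principal, invoice_id: int) -> dict:
    """Run both handlers for the same request and report who owned the result."""
    out = {}
    for name, handler in (("vulnerable", get_invoice_vulnerable),
                          ("hardened", get_invoice_hardened)):
        try:
            out[name] = handler(caller, invoice_id).owner_id
        except NotFound:
            out[name] = "not found"
    return out


if __name__ == "__main__":
    alice = Principal(user_id=1)
    # Alice asks for an invoice that is not hers.
    print(compare(alice, 102))  # vulnerable handler returns user 2's invoice
```

The design point is that the authorisation decision lives in one policy function (`can_read`) that every handler, item and collection alike, must call; ownership checks scattered across handlers are exactly what gets forgotten when a new endpoint ships.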

Finally, the attacks themselves are becoming faster, more widespread, and more complex. With AI and automation tools readily available, even lower-skilled attackers can create or rent sophisticated and powerful attacks, exacerbating the asymmetry and overall threat level.

Offence, meet defence: Setting up multiple defence layers to thwart attacks

The best defence is informed by a deep understanding of the offence. We know that attackers commonly decompile mobile apps, steal API keys, and map out API endpoints as potential attack routes. The most effective strategy has always been a defence-in-depth approach — a multi-layered method to protect your assets, including APIs. Instead of relying on a standalone solution, we need to integrate signals intelligence, mobile security, bot defences, and web application firewalls into a cohesive defence strategy, ensuring these tools work together.

To catch up and keep up with the speed of development, we need a “Shift Left, Shield Right” approach to API security: a holistic approach that ensures security throughout the full API lifecycle, from development to deployment. While strong protection during production (“Shield Right”) remains crucial, it must not be the first and only line of defence. Increasingly, we are seeing businesses “shift left” by conducting thorough security testing during the software development lifecycle and using robust security tools to monitor APIs in real time. This reduces vulnerabilities before deployment and ensures ongoing security.

Finally, in API security, prevention is better than cure. Thus, we must also think of ways to use automation tools for continuous API inventory management and real-time threat detection. These tools can track API changes, detect anomalies, and respond to threats in real time, enhancing visibility, reducing response times, and maintaining up-to-date security postures.
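The two capabilities named above, continuous inventory and real-time anomaly detection, can be built from nothing more than access logs and a declared route list. The following is an added example, not code from the article or any product: it normalises observed paths into route templates, diffs them against a declared inventory to surface shadow and zombie endpoints, and flags clients whose object-level requests are mostly denied, which is the access pattern an ID-enumeration probe leaves behind. The log format, the sample lines, the declared routes and the thresholds are all constructed for illustration.

```python
# Added example (not from the article): continuous API inventory and a simple
# anomaly signal derived from access logs. The log format, endpoints, sample
# lines and thresholds are constructed for illustration.
import re
from collections import Counter, defaultdict

# Constructed sample access-log lines: client_ip method path status
SAMPLE_LOG = """\
10.0.0.5 GET /api/v1/users/17/invoices 200
10.0.0.5 GET /api/v1/users/17/invoices/101 200
10.0.0.9 GET /api/v1/users/1/invoices/101 403
10.0.0.9 GET /api/v1/users/2/invoices/102 403
10.0.0.9 GET /api/v1/users/3/invoices/103 403
10.0.0.9 GET /api/v1/users/4/invoices/104 403
10.0.0.9 GET /api/v1/users/5/invoices/105 200
10.0.0.7 POST /api/v1/login 200
10.0.0.7 GET /internal/debug/config 200
10.0.0.7 GET /api/v1/users/17/export 200
"""

# Declared inventory: what the team believes is deployed, e.g. taken from an
# OpenAPI document. Path parameters are written as {id}.
DECLARED = {
    ("GET", "/api/v1/users/{id}/invoices"),
    ("GET", "/api/v1/users/{id}/invoices/{id}"),
    ("POST", "/api/v1/login"),
    ("DELETE", "/api/v1/users/{id}"),  # declared but never observed
}

LINE_RE = re.compile(r"^(\S+) (GET|POST|PUT|PATCH|DELETE) (\S+) (\d{3})$")


def normalise_path(path: str) -> str:
    """Collapse numeric and UUID-like segments into {id} so an observed path
    can be matched against a declared route template."""
    parts = []
    for seg in path.split("/"):
        if seg.isdigit() or re.fullmatch(r"[0-9a-f-]{32,36}", seg):
            parts.append("{id}")
        else:
            parts.append(seg)
    return "/".join(parts)


def parse_log(text: str):
    """Yield (client_ip, method, route_template, status) per well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash the collector
        ip, method, path, status = m.groups()
        yield ip, method, normalise_path(path), int(status)


def inventory_drift(text: str, declared=DECLARED) -> dict:
    """Compare observed routes with the declared inventory."""
    observed = {(m, p) for _, m, p, _ in parse_log(text)}
    return {
        "shadow": sorted(observed - declared),   # live but undocumented
        "zombie": sorted(declared - observed),   # documented but unused
    }


def enumeration_suspects(text: str, min_requests=4, denied_ratio=0.5) -> list:
    """Flag clients whose requests to object-level routes are mostly denied,
    a common signature of an attacker probing for BOLA."""
    per_client = defaultdict(Counter)
    for ip, _, path, status in parse_log(text):
        if "{id}" in path:
            per_client[ip]["total"] += 1
            if status in (401, 403, 404):
                per_client[ip]["denied"] += 1
    return sorted(
        ip for ip, c in per_client.items()
        if c["total"] >= min_requests and c["denied"] / c["total"] >= denied_ratio
    )


if __name__ == "__main__":
    print(inventory_drift(SAMPLE_LOG))
    print(enumeration_suspects(SAMPLE_LOG))
```

In practice the declared set would be regenerated from the API specification on every deployment and the observed set fed from the gateway's logs, so the diff runs continuously rather than as a one-off audit; the `{id}` normalisation is what makes the comparison stable as real object IDs churn.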

The brink of change

Today, we stand on the brink of an AI-driven future, where nearly every digital interaction will be influenced by AI. As we embrace the promises and opportunities of AI, it’s crucial to understand that API security is not just a technical necessity but a vital element in safeguarding our digital advancements.

Organisations can no longer afford to overlook API security. Without comprehensive solutions, we risk undermining the very systems that drive our innovations. By securing APIs, we ensure a secure AI future. This is a pivotal moment — one that will determine whether AI-driven innovations succeed or fail. It’s time to make the right call.
