API Attack Numbers Are at Their Highest - Do You Have a Strong Security Plan in Place?
September 14, 2023

Bret Settle
ThreatX

API security should be a key part of any organization's security strategy today; however, it's often overlooked. APIs make up 83 percent of all web traffic, and they play a vital role in nearly all modern mobile and web applications, as well as containers and microservices. APIs are designed to be accessed by third parties, which exposes them to a broader spectrum of potential attacks compared to traditional web applications. And API attacks are increasing.

In 2022, API-based incidents cost organizations a staggering $75B, averaging $4.35M per breach. This number doesn't include the cost of fines or penalties, which can reach up to $1.19B.

Beyond these stark numbers, the true cost of these incidents is ultimately the impact on organizations' brand reputations. Recent widely publicized zero-day vulnerabilities like the infamous Log4J vulnerability have highlighted the extent of the potential damage — a bad actor only needs to get one payload in to access databases and internal systems, install ransomware and more, without an organization knowing. Even big names with huge security budgets like T-Mobile, USPS, Facebook, Equifax, and Venmo have all experienced high-profile API breaches in the past. However, many companies still fail to adequately invest in API security measures until they have been breached and the damage to their reputation and bottom line is done.

When building a strong API security strategy, organizations must ensure they cover the three main pillars of API security: Prevention, Detection, and Response. The secret doesn't lie within one approach or tool; it lies in having multiple layers of defense.

Prevention: What proactive measures can be taken to prevent security breaches?

There are many ways to proactively plan for threats against APIs, including ensuring authentication and authorization are up to date. The combination of authentication and authorization provides the means to identify individuals attempting to access APIs and determine what they are or aren't allowed to access.

Other proactive measures include data encryption, which is the process of encoding data so only authorized users can access it. Threat modeling is another structured way to identify and evaluate potential risks. This gives an organization a clear idea of existing and potential security threats. Next, vulnerability scanning is an important step to identify any obvious problem areas. Additionally, implementing API gateway software secures the traffic between an API request and its execution, acting as an extra layer of API protection.

Finally, security awareness training raises security literacy across teams, so that everyone in the organization can think about security on different levels, and provides another proactive step in defending against bad actors.

Detection: How can teams ensure they know when a breach has occurred?

Observability is the name of the game here. Security teams need to have visibility over a constant flow of information to ensure timely detection. Ideally, they should attain this degree of visibility through a single platform: one tool that provides access to comprehensive security data, enabling teams to examine various events from a unified perspective, oversee everything, organize data, and spot any anomalies.

However, not every organization will possess an all-encompassing solution for detection. This is why it's crucial to ensure you have tools that incorporate logging, monitoring, rate limiting, and behavioral detection capabilities. Logging creates a clear record of what's occurring in systems — every call to the API, every error, every failure, etc. Monitoring for alerts when unusual behaviors occur allows teams to decide if a response is required. The number of alerts can become overwhelming, so automating the response for certain conditions is key to keeping the review of alerts manageable. Rate limiting restricts the number of requests an API can handle, controlling legitimate users' interactions and safeguarding against malicious attacks. Behavioral detection uses machine learning to oversee API traffic, closely examining user behavior patterns.

Response: What can organizations do to stop a breach and mitigate its impact?

If an organization does fall victim to an API security breach, teams need to swiftly identify, contain, and remediate the threat, while still providing continuous service to the rest of their customers.

In the event of an incident, it's crucial that everyone knows how and when to act. Establishing an incident response plan lays out the procedures and plans for each employee. Implementing tools that automatically block a threat as it is detected in real time further brings the detection and response pillars together to mitigate risks as they are identified.
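The logging, rate limiting and automatic blocking described in the Detection and Response sections can be combined in one small component. The following is an added example, not code from the article or from ThreatX; the class name, thresholds and sample traffic are constructed assumptions.

```python
from collections import defaultdict, deque

WINDOW_S = 60        # sliding window length in seconds (assumed value)
MAX_REQUESTS = 5     # accepted calls per client per window (assumed value)
MAX_AUTH_FAILS = 3   # 401/403 responses per window before auto-block (assumed value)

class ApiGuard:
    """Hypothetical guard: logs every call, rate-limits per client, auto-blocks on auth failures."""
    def __init__(self):
        self.calls = defaultdict(deque)   # client -> timestamps of accepted calls
        self.fails = defaultdict(deque)   # client -> timestamps of 401/403 responses
        self.blocked = set()              # clients cut off by the automated response
        self.log = []                     # audit trail: one record per call, whatever the outcome

    @staticmethod
    def _trim(q, now):
        # Drop timestamps that have aged out of the sliding window.
        while q and now - q[0] >= WINDOW_S:
            q.popleft()

    def handle(self, ts, client, path, status):
        """Return 'allow', 'throttle' or 'block' for one request and record it."""
        calls, fails = self.calls[client], self.fails[client]
        self._trim(calls, ts)
        self._trim(fails, ts)
        if client in self.blocked:
            decision = "block"
        elif len(calls) >= MAX_REQUESTS:
            decision = "throttle"         # an API would answer HTTP 429 here
        else:
            calls.append(ts)
            decision = "allow"
            if status in (401, 403):      # repeated authorization failures are the anomaly
                fails.append(ts)
                if len(fails) >= MAX_AUTH_FAILS:
                    self.blocked.add(client)   # takes effect from the client's next call
        self.log.append((ts, client, path, status, decision))
        return decision

def replay(events):
    """Feed recorded events through a fresh guard; return its decisions and the guard."""
    guard = ApiGuard()
    return [guard.handle(*e) for e in events], guard

# Constructed sample traffic: (unix_ts, client_id, path, status returned by the backend)
SAMPLE = ([(0, "app-1", "/v1/orders", 200)]
          + [(t, "key-9", f"/v1/users/{t}", 403) for t in (1, 2, 3)]
          + [(4, "key-9", "/v1/users/4", 200)]
          + [(t, "app-1", "/v1/orders", 200) for t in (10, 11, 12, 13, 14, 61)])

if __name__ == "__main__":
    print(replay(SAMPLE)[0])
```

The legitimate client `app-1` is only throttled and recovers once the window slides, while `key-9` stays blocked after three authorization failures, which keeps service available to other customers during containment.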

Finally, threat intelligence is a crucial part of any response plan, as security teams must comprehensively grasp the attacker's motives, tactics, and objectives during the attack, allowing them to thwart future attacks and improve security.

Cybercriminals will continue to exploit vulnerabilities for personal and financial gain, but that doesn't mean organizations should make it easy for them. An organization's approach to API security should no longer be checkbox compliance, but instead a strategy that enhances observability into their APIs, mitigates against potential security threats, and ensures readiness to address any issues or threats that may emerge.

Bret Settle is Co-Founder and Chief Product Officer of ThreatX