Why Should Organizations Be Concerned About API Security?
October 26, 2022

Stephanie Best
Salt Security

APIs form the connection between digital users and organizational services such as online banking and e-commerce. Personally identifiable information (PII) and many other types of sensitive data pass through tens of thousands of APIs daily, whether users are simply joining a Zoom meeting or shopping online.

Living in an API-dominated world poses unique challenges and risks to companies of every size. With ever-increasing digitalization, business leaders must look at the traditional security measures already in place and assess whether they still adequately protect the organization from growing API threats.

Why Should Companies Be Concerned?

Recent research from Salt Security showed that 94% of organizations had experienced security problems in production APIs in the past year, and that 61% either had no API security strategy at all or only a basic plan. These numbers are concerning, and the data from these reports emphasizes how crucial it is to build security in early in the API lifecycle.

APIs have become a foundational part of organizations. The research shows that the average number of APIs per customer grew 82% over the past year, from 89 in July 2021 to over 162 in July 2022. During that same period, overall API traffic per customer grew 168%.

With companies constantly developing and launching new APIs, the right security measures must be put in place to mitigate risk. Security teams must be aware of this expanding attack surface and understand the vulnerabilities specific to APIs in order to protect their organizations from increasing attacks.

Many security leaders erroneously believe their existing security stack can protect their APIs and often underestimate their risk. The tools in that stack are still needed throughout the Software Development Life Cycle (SDLC) and each serves a purpose, but they cannot detect most "low and slow" behavioral API security threats.

Traditional security solutions, such as WAFs and API gateways, may work against basic attacks but don't protect against the increasing volume and complexity of API attacks. These tools provide foundational security capabilities and protection for conventional applications; however, they lack the context needed to identify and stop attacks that abuse the unique business logic of each API, because such requests are individually well-formed and only look malicious in the context of who sends them and what they send over time.

If businesses don't have visibility into their APIs over time, they can't understand their full business exposure or adequately prioritize their risk management.

How Can Organizations Begin to Protect Their APIs?

Teams must be educated about API security

Various resources are available to help organizations thrive in an API-security-driven world. For example, OWASP offers multiple courses, white papers, and live demos to help organizations with their API security goals. The OWASP API Security Top 10 list represents a critical first step in API security and gives organizations the knowledge they need to understand the top API security vulnerabilities and how API attacks differ from conventional web attacks. 62% of all API attack attempts use at least one of the vulnerability classes outlined in this list, yet, according to Salt Security's Q3 State of API Security Report, many organizations don't use this valuable resource.

Business leaders must educate their teams about API security best practices. They need to ensure that authentication and authorization controls have been appropriately designed and implemented, in particular that authorization is checked per object on every request and not only once at login. They should stay informed about recent and well-known API security incidents to learn what caused them and how to prevent the same issues within their own organization.
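The most common of the OWASP API Security Top 10 classes, Broken Object Level Authorization (API1:2019), is exactly the authorization gap described above: the API authenticates the caller but never checks whether that caller may see the particular object requested. The following is an added example, not code from the article or from Salt Security, showing the vulnerable handler beside a hardened one. The data store, user names, roles and exception types are all constructed for illustration.

```python
"""Added example (not the article's or Salt Security's code): an object-level
authorization bug (OWASP API1:2019, Broken Object Level Authorization) beside
its fix. All data, names and roles below are constructed for illustration."""

# Constructed data store: order id -> record; "owner" is the user id.
ORDERS = {
    5001: {"owner": "alice", "total": 42.50},
    5002: {"owner": "bob",   "total": 17.00},
}
# Constructed role table; "support" staff may read any order.
ROLES = {"alice": "customer", "bob": "customer", "carol": "support"}


class NotFound(Exception):
    """Object does not exist, or the caller may not know that it exists."""


class Unauthenticated(Exception):
    """No valid session."""


def get_order_vulnerable(session_user, order_id):
    """Authenticates the caller but never checks ownership of THIS order,
    so any logged-in user can walk order_id = 5001, 5002, ... and read
    everyone's orders. Each request is well-formed, so a WAF sees nothing."""
    if session_user is None:
        raise Unauthenticated()
    order = ORDERS.get(order_id)
    if order is None:
        raise NotFound()
    return order


def get_order(session_user, order_id):
    """Hardened handler: ownership (or an explicit role grant) is checked on
    every object access. Both "does not exist" and "not yours" return the
    same NotFound, so an attacker cannot use a 403/404 difference to confirm
    which ids exist."""
    if session_user is None:
        raise Unauthenticated()
    order = ORDERS.get(order_id)
    allowed = order is not None and (
        order["owner"] == session_user or ROLES.get(session_user) == "support"
    )
    if not allowed:
        raise NotFound()
    return order


def can_read(handler, session_user, order_id):
    """True if the handler returns the order, False if it refuses."""
    try:
        handler(session_user, order_id)
        return True
    except (NotFound, Unauthenticated):
        return False


if __name__ == "__main__":
    # alice reading bob's order: succeeds against the vulnerable handler,
    # is refused by the hardened one.
    print("vulnerable:", can_read(get_order_vulnerable, "alice", 5002))
    print("hardened:  ", can_read(get_order, "alice", 5002))
```

The check belongs inside the handler (or a shared authorization layer it must go through), not in middleware that only knows the URL: the decision depends on the relationship between the caller and the object, which only the application can evaluate.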

Organizations need to assess their current level of risk

With API security risks becoming more prevalent, companies must also understand where the vulnerabilities and gaps in their security strategies and programs may exist.

This starts with API discovery. Shadow APIs (endpoints that are unknown to or undocumented by the security team) and zombie APIs (outdated versions that were never retired) represent top API security concerns. According to our research, 42% of organizations list zombie APIs as their top API security concern. As companies build new APIs, they often fail to deprecate older versions, which keep running without the fixes applied to the current version. Companies need a complete inventory of their API ecosystem to defend it adequately.

Attack surfaces are continuously growing and becoming more complex. Companies must be able to apply API discovery practices on applications running on-prem and in the cloud. It only takes a single unknown API to present a potential security risk.

Companies should start with runtime protection and then shift left

Companies already have APIs running throughout their environment, and those APIs need protection right now. By continuously monitoring APIs and establishing runtime protection, organizations can immediately start protecting their critical services and assets from threats.

Most attacks on APIs target gaps in logic flow. Pre-production API testing and scanning look for known weakness patterns in individual requests and rarely exercise how a real caller chains legitimate requests, so you must also have API visibility in runtime. Unfortunately, our research finds that only 30% of organizations remediate API security issues in runtime. With 94% of organizations experiencing API incidents, this needs to change! Runtime protection delivers immediate insights to speed up API threat detection and response.

Shift-left helps organizations think strategically about improving their security posture over time. However, shift-left strategies can never be a total replacement for runtime protection.

Applying shift-left practices supports your API security strategy by integrating API security findings back into the development process. By establishing security guidelines and parameters at the start of the development process, shift-left capabilities can help safeguard assets yet to be developed and strengthen future APIs.

Companies must tap the power of cloud-scale big data and artificial intelligence

Identifying "low and slow" API attacks requires deep context accumulated over time; an API attack can take weeks or months to unfold, with individual requests spaced far enough apart that per-request or per-minute controls never fire. An API security solution must be able to correlate activity across millions of APIs and users and analyze that data in real time. Only cloud-scale big data combined with AI can capture this depth of context and provide the insights needed to distinguish normal from potentially malicious API behavior.

API Security Must Be a Top Priority for All Companies

Reliance on APIs continues to grow as APIs become ever more central to organizational success. However, current security tools and processes can't keep pace with new API protocols and attack trends. Organizations must move from traditional security practices and last-generation tools to a modern security strategy that addresses security at every stage of the API lifecycle and facilitates closer API security collaboration across teams.

Companies need to remember that everyone can be a target, no matter how big or small a company may be. Attacks on APIs are becoming more widespread as cyber criminals continuously refine their techniques. That's why it's more critical than ever to make sure that your APIs are as well protected as the other elements of your applications.

Stephanie Best is Director of Product Marketing at Salt Security