Computing power embedded in everyday objects makes it possible for your phone to connect with all kinds of devices, and Application Programming Interfaces (APIs) are used more than ever to connect services and transfer data: when you stream Netflix, content is distributed to your device via an API; when you book an airline ticket, your app uses the airlines' APIs to aggregate data about availability and rates.
APIs are one of the most common ways that microservices, and likewise systems and apps, communicate with each other. They let developers obtain valuable information from other software components and integrate it into their own applications, for example by embedding Google Maps in a rideshare app. APIs are key components at every stage of a user's interaction with an app, from logging in to leaving feedback. As integration and interconnectivity become more critical, so do APIs.
Moreover, enterprises moving away from monolithic apps, and legacy applications being broken into smaller, independently functional components, have led to an API explosion.
Other drivers of API growth are the rapid adoption of iterative development methodologies such as DevOps and DevSecOps; technology trends such as public and private cloud adoption, containers and orchestration (Kubernetes); and management frameworks that make it easier to develop and deploy API-based microservices at scale.
With a growing number of smaller application pieces trying to communicate with each other, and applications moving from on-premises to the cloud to support new remote users, APIs are becoming increasingly challenging to secure.
Enterprises have incomplete knowledge of their APIs because of the wide use of open source and third-party software libraries. These libraries often contain hidden APIs that are difficult to find manually.
As application development is accelerated by using thousands of APIs, governing all APIs seamlessly becomes paramount to protect the security posture of enterprises.
Meanwhile, despite knowing that API security needs to be a critical component of developing applications, DevOps teams often remain handicapped by inadequate tools. This has put the software industry in an API security crisis.
According to the Gartner report Hype Cycle for APIs and Business Ecosystems, 2021, “Every connected mobile, modern web or cloud-hosted application uses and exposes APIs. These APIs are used to access data and to call application functionality. APIs are easy to expose but difficult to defend. This creates a large and growing attack surface, leading to a growing number of publicised API attacks and breaches. Traditional network and web protection tools do not protect against all the security threats facing APIs, including many of those described in the OWASP API Security Top 10.”
In the report, Gartner further states “Because APIs are typically used for access to data or application functionality, often linked to systems of record, the impact of an API breach can be substantial. Privacy regulations typically require reporting if private data is breached through an insecure API. APIs are easily and intentionally programmable, so a vulnerability can leak large volumes of data. That it can be challenging to separate valid API use from nefarious access raises the risk of blocking valid use.”
APIs are rich targets for breaches because, although they are not intended for direct access by users, they are often granted access to all data within the application environment. Access is then controlled by granting specific permissions to the user making the initial request; those permissions are translated into the resulting API calls, and the API is meant to inherit only them. This works fine until an attacker manages to bypass the user authentication step and reach the downstream app directly through the API. Since the API itself has unrestricted access, the attacker gains visibility into everything.
Just like a web application, APIs are subject to exploitation of application vulnerabilities to gain unauthorised access, steal sensitive data and launch damaging attacks.
Despite frequent high-profile breaches such as those at Peloton and LinkedIn, organisations on average allocate only about six per cent of their overall IT spend to security, leaving them unprepared to manage the explosion of API adoption and the associated security risks.
“API security threats are becoming pervasive and increasing in frequency. API security is an emerging field, and application and security teams need to understand how to address this problem unique to their business models. It’s past time for us to have a real solution that solves the problem rather than just apply a band-aid,” Jyoti Bansal, CEO and co-founder of Traceable AI, said in a statement.
Recently, Traceable AI, which provides application and API security for the cloud-native era, announced a free API security solution that enables developers and security operations teams to start improving the API security of their applications without needing budgetary approval. With the free solution offered by Traceable AI, teams now have the option of using a free, enterprise-grade product to gain visibility, protection and analytical insights into their APIs.
Broken, exposed or hacked APIs are behind major data breaches exposing sensitive medical, financial and personal data. That said, not all data is the same, nor should it all be protected in the same way. How you approach API security will depend on what kind of data is being transferred.
Whether on your corporate network or in the cloud, securing your APIs is critical to your organisation's overall security posture in a digitally transformed world. Constant vigilance should be your mantra. It is crucial to adopt a holistic approach to API security: focus on identity, monitor usage and set rate limits.
Here are some of the most common ways enterprises can strengthen their API security:
- Establish trusted identities and then control access to services and resources by using tokens assigned to those identities.
- Encrypt your data. Ensure that only the right users can decrypt and modify your data, and no one else.
- Identify vulnerabilities. Monitor your operating system, network, drivers and API components. Use sniffers to detect security issues and track data leaks. A web application firewall (WAF) recognises illegitimate requests. Advanced API protection profiles protect against attacks with parsing and structure enforcement, attack signatures, method enforcement and path enforcement.
- Place quotas on how often your API can be called and track its use over time. A rise in calls to an API may indicate that it is being abused. Define throttling rules to protect your APIs from spikes and Denial-of-Service attacks. Shape Security's API Defence provides visibility, throttling and mitigation options to protect HTTP-based APIs from bots and other forms of automated attack that generate online fraud and application abuse.
- Use an API gateway as the major point of enforcement for API traffic. A good gateway will allow you to authenticate traffic as well as control and analyse how your APIs are used.
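To make the identity, quota and gateway controls in the list above concrete, here is an added Python example written for this article; it is not code from Traceable AI, Shape Security or any other vendor named here. It also addresses the earlier point that an API should not simply inherit unrestricted access: every route is bound to a scope that must be present in the caller's signed token, so a request that reaches the API without a valid token for that scope is refused. The signing key, the two `/accounts` routes, the scope names and the quota of three calls per minute are all constructed for the example.

```python
"""Single enforcement point for an API: signed identity tokens, per-identity quotas,
per-route scopes and an audit log that monitoring can consume."""
import base64
import hashlib
import hmac
import json
import time
from collections import defaultdict, deque

# Constructed signing key for this example only; a real deployment loads it from a secret store.
SIGNING_KEY = b"example-signing-key-not-for-production"

# Hypothetical routes, each mapped to the scope a caller must hold. The API never assumes
# the caller may see everything just because the request reached it.
ROUTE_SCOPES = {
    ("GET", "/accounts"): "accounts:read",
    ("DELETE", "/accounts"): "accounts:write",
}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, scopes: list, now: float, ttl: int = 300) -> str:
    """Issue an HMAC-SHA256 signed bearer token bound to an identity, its scopes and an expiry."""
    claims = {"sub": subject, "scopes": sorted(scopes), "exp": int(now) + ttl}
    body = _b64url_encode(json.dumps(claims, sort_keys=True).encode("utf-8"))
    sig = _b64url_encode(hmac.new(SIGNING_KEY, body.encode("ascii"), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_token(token: str, now: float):
    """Return the claims if the signature is valid and the token is unexpired, otherwise None."""
    parts = token.split(".")
    if len(parts) != 2:
        return None
    body, sig = parts
    expected = _b64url_encode(hmac.new(SIGNING_KEY, body.encode("ascii"), hashlib.sha256).digest())
    # Constant-time comparison, and the signature is checked before the body is ever parsed.
    if not hmac.compare_digest(sig, expected):
        return None
    try:
        claims = json.loads(_b64url_decode(body))
        if not isinstance(claims.get("sub"), str) or not isinstance(claims.get("scopes"), list):
            return None
        if int(claims["exp"]) <= now:
            return None
    except (ValueError, TypeError, KeyError, AttributeError):
        return None
    return claims


class SlidingWindowLimiter:
    """Allow at most `limit` calls per `window` seconds for each key (here, the token subject)."""

    def __init__(self, limit: int, window: float):
        self.limit = limit
        self.window = window
        self._calls = defaultdict(deque)

    def allow(self, key: str, now: float) -> bool:
        calls = self._calls[key]
        while calls and calls[0] <= now - self.window:  # drop calls that left the window
            calls.popleft()
        if len(calls) >= self.limit:
            return False
        calls.append(now)
        return True


class ApiGateway:
    """Authenticate, throttle, authorise, and record every decision for later monitoring."""

    def __init__(self, limit: int = 3, window: float = 60.0):
        self.limiter = SlidingWindowLimiter(limit, window)
        self.audit_log = []

    def handle(self, method: str, path: str, headers: dict, now=None):
        now = time.time() if now is None else now
        auth = headers.get("Authorization", "")
        claims = verify_token(auth[len("Bearer "):], now) if auth.startswith("Bearer ") else None
        if claims is None:
            return self._decide(401, "invalid or missing token", "anonymous", method, path)
        if not self.limiter.allow(claims["sub"], now):
            return self._decide(429, "quota exceeded", claims["sub"], method, path)
        required = ROUTE_SCOPES.get((method, path))
        if required is None:
            return self._decide(404, "unknown route", claims["sub"], method, path)
        if required not in claims["scopes"]:
            return self._decide(403, f"missing scope {required}", claims["sub"], method, path)
        return self._decide(200, "ok", claims["sub"], method, path)

    def _decide(self, status, reason, subject, method, path):
        # Every decision, allowed or refused, is logged so spikes and abuse are visible.
        self.audit_log.append({"status": status, "reason": reason, "sub": subject, "req": f"{method} {path}"})
        return status, reason


if __name__ == "__main__":
    gw = ApiGateway(limit=3, window=60)
    t0 = 1_700_000_000  # fixed clock so the run is reproducible
    reader = issue_token("alice", ["accounts:read"], now=t0)
    hdr = {"Authorization": "Bearer " + reader}
    print(gw.handle("GET", "/accounts", hdr, now=t0))      # allowed
    print(gw.handle("DELETE", "/accounts", hdr, now=t0))   # refused: token lacks accounts:write
    for entry in gw.audit_log:
        print(entry)
```

Throttling is applied per authenticated identity before the scope check, so a caller who keeps probing routes it is not entitled to still burns through its quota and shows up in the audit log. Unauthenticated requests are refused before they touch any quota or route, which is the behaviour the list above asks of a gateway that is the major point of enforcement.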
With the rising cost of security breaches, API security is a strategic necessity: it gives organisations the agility to expose data via APIs without creating security risks that might impact their business.