A report on API security released Wednesday by Salt Security found that 95% of surveyed organizations have experienced an API security incident in the past 12 months.
The research said that despite the dramatic increase in attacks and incidents, these organizations — all of which are running production APIs — remain unprepared for API attacks, with 34% of respondents lacking any kind of API security strategy. This lack of defense presents significant business risk to enterprises in the form of slowed business innovation, compromised consumer confidence, and disruption to modernization efforts.
“When you have 95% of respondents acknowledging they had an API security incident in the last 12 months, but 34% of them also have no API security strategy in place, it’s disheartening,” said Michelle McLean, vice president of marketing at Salt Security. “They see the problems, they see the threat, but they’re struggling to mitigate the risk. Lack of expertise being the biggest obstacle reinforces the high need for education on API security.”
McLean said that to better prepare for API attacks, companies first need to invest in getting their API developers up to speed on the nature of API attacks. McLean pointed out that only 61% of respondents said their security teams were highlighting the OWASP API Top 10 threats as a focus area for their security programs. Developers have to understand how bad actors carry out attacks before they can harden APIs effectively.
Second, McLean said companies need to invest in training security teams on API incidents. A lot of SecOps teams are reluctant to admit that they don’t know what they’re looking at when they see an attacker timeline of API call manipulation. McLean said they need to understand how APIs are written, what happens in different call/response pairs, and how to establish what “normal” looks like in API traffic so that abnormal traffic stands out.
Finally, McLean said companies need to invest in tooling dedicated to identifying the particular manipulations of API calls. Every company’s APIs are unique, so every attack is unique. Companies need machine learning (ML) and artificial intelligence (AI) tooling that can spot the trial-and-error or reconnaissance activities of a bad actor trying to understand “what happens if I do this” on a company’s APIs.
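The three steps above (understand the API, baseline what normal traffic looks like, then flag the trial-and-error probing that stands out) can be sketched in a small detector. The following is an added example written for this article, not code from Salt Security or any product it describes. The log line format, the sample records and the thresholds are all assumptions: each client's requests are reduced to a few behavioural features (4xx share, number of distinct resource IDs touched under one route), the population median serves as the baseline, and clients far above it are reported with the reason.

```python
"""Flag API clients whose call pattern looks like trial-and-error probing.

Added example for illustration; not the article's or any vendor's code.
Log format, thresholds and sample data are assumptions.
"""
import re
from collections import defaultdict
from statistics import median

# Constructed sample API access log (assumed format: "<ts> client=<ip> <METHOD> <path> <status>").
# Three clients use the API normally; 203.0.113.9 walks user IDs and gets mostly 4xx back.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z client=10.0.0.5 GET /api/v1/users/1001 200
2024-05-01T10:00:02Z client=10.0.0.5 GET /api/v1/users/1001/orders 200
2024-05-01T10:00:03Z client=10.0.0.5 POST /api/v1/orders 201
2024-05-01T10:00:04Z client=10.0.0.6 GET /api/v1/users/1002 200
2024-05-01T10:00:05Z client=10.0.0.6 GET /api/v1/users/1002/orders 200
2024-05-01T10:00:06Z client=10.0.0.7 GET /api/v1/users/1003 200
2024-05-01T10:00:07Z client=10.0.0.7 PUT /api/v1/users/1003 200
2024-05-01T10:01:00Z client=203.0.113.9 GET /api/v1/users/1001 200
2024-05-01T10:01:01Z client=203.0.113.9 GET /api/v1/users/1002 403
2024-05-01T10:01:02Z client=203.0.113.9 GET /api/v1/users/1003 403
2024-05-01T10:01:03Z client=203.0.113.9 GET /api/v1/users/1004 404
2024-05-01T10:01:04Z client=203.0.113.9 GET /api/v1/users/1005 403
2024-05-01T10:01:05Z client=203.0.113.9 GET /api/v1/admin/users 401
2024-05-01T10:01:06Z client=203.0.113.9 GET /api/v1/users/1006 403
2024-05-01T10:01:07Z client=203.0.113.9 DELETE /api/v1/users/1001 405
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)
ID_RE = re.compile(r"/\d+")  # numeric path segments are treated as resource identifiers


def parse_log(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            yield rec


def route_template(path):
    """Collapse /users/1001 to /users/{id} so different IDs count as one route."""
    return ID_RE.sub("/{id}", path)


def enumeration_counts(recs):
    """Map route template -> number of distinct IDs this client touched under it."""
    per_route = defaultdict(set)
    for r in recs:
        ids = ID_RE.findall(r["path"])
        if ids:
            per_route[route_template(r["path"])].update(ids)
    return {route: len(ids) for route, ids in per_route.items()}


def client_features(records):
    """Per client: request count, share of 4xx responses, routes and methods used, IDs enumerated."""
    per_client = defaultdict(list)
    for r in records:
        per_client[r["client"]].append(r)
    feats = {}
    for client, recs in per_client.items():
        n = len(recs)
        errors = sum(1 for r in recs if 400 <= r["status"] < 500)
        feats[client] = {
            "requests": n,
            "error_rate": errors / n,
            "distinct_routes": len({route_template(r["path"]) for r in recs}),
            "distinct_methods": len({r["method"] for r in recs}),
            "enumerated": enumeration_counts(recs),
        }
    return feats


def flag_probing(feats, error_margin=0.4, min_enumerated_ids=3):
    """Return {client: [reasons]} for clients well above the population's baseline error rate
    or touching many distinct IDs under a single route. Thresholds are assumed values to tune."""
    baseline = median(f["error_rate"] for f in feats.values())
    flagged = {}
    for client, f in feats.items():
        reasons = []
        if f["error_rate"] - baseline >= error_margin:
            reasons.append(f"4xx share {f['error_rate']:.2f} vs baseline {baseline:.2f}")
        for route, count in f["enumerated"].items():
            if count >= min_enumerated_ids:
                reasons.append(f"{count} distinct ids requested on {route}")
        if reasons:
            flagged[client] = reasons
    return flagged


if __name__ == "__main__":
    for client, reasons in flag_probing(client_features(parse_log(SAMPLE_LOG))).items():
        print(client, "->", "; ".join(reasons))
```

Run as a script it reports only `203.0.113.9`, with both reasons. The point the example makes is the one McLean describes: none of the probing client's individual requests is malformed, so a signature-based check sees nothing, and the signal only appears once per-client behaviour is compared against a baseline derived from the rest of the traffic. In production the baseline would come from a longer historical window rather than the same batch being scored, and the thresholds would be tuned per API.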
“No human can keep up,” McLean said. “And given how bad actors spend days, weeks, and even months performing that reconnaissance, companies need cloud-scale big data for those AI/ML algorithms to act again, or they’ll miss any sophisticated API attack.”
Miclain Keffeler, application security consultant at nVisium, said APIs are a crucial backbone to most enterprises today — and companies need to treat them with the same concern they place on web applications. Keffeler added that the field has also been evolving given that there are not yet simple and easy ways to scan for — and fix — API security issues across various platforms.
“We often rely on traditional SAST tools to get the job done, but a square peg can also fit in a round hole if it’s small enough,” Keffeler said. “A common API issue also is future planning, scope changes over time and companies using APIs for different use cases — without considering security implications. These architectural changes happen naturally and are often why security teams will point out security headers that aren’t present on APIs — because if the company wishes to use that API more in the future, those headers may be needed.”
Tyler Shields, CMO at JupiterOne, added that the pace of API growth has become a significant problem, especially when it's possible for anyone to stand up a new system in the cloud. Shields said that because everything has become software-defined today, anyone can build and grow a cloud-native API-based solution, making shadow APIs a real risk. Finally, decommissioning APIs and removing those that are no longer in use has also become an issue.
“Organizations absolutely must have a system that connects to all of their cyber assets and gathers all pertinent metadata and structural context from these systems,” Shields said. “This cannot be done in a manual way with spreadsheets and human beings. The pace of change and growth is simply too fast. Once an organization has their hands around what they have, they can begin to implement security.”