Application Programming Interfaces, or APIs, are the connective tissue of the modern digital economy. While invisible to consumers, they play a foundational role in weaving together the services and applications that collectively power today’s digital experiences.
Whether it’s checking a credit score directly from a banking app, picking up an online order at the closest retailer, or getting real-time flight status updates and gate changes at the airport, APIs enable all of these “omni-channel” capabilities behind the scenes.
Facilitating seamless integration across various platforms and devices, APIs ensure that data flows smoothly and securely between and across different systems, delivering the personalized, real-time, and intuitive experiences that today’s digital consumers demand.
But here's the rub: the very openness that makes APIs so useful also introduces significant security risks. It’s the essence of the connectivity paradox: while the accessibility of APIs allows for a more seamless and integrated user experience, it simultaneously broadens the attack surface for malicious actors. The more we integrate and open up our systems through APIs to enhance capabilities and functionality, the larger and more tempting a target we create for cyber threats.
Why APIs are the new low-hanging fruit
Unlike traditional software with predictable update cycles, APIs are in a constant state of change. Updates can happen daily or even hourly, making it challenging for resource-strained security teams to maintain a complete picture of their security posture. In fact, one recent study found that 75% of organizations make changes to their APIs on a daily or weekly basis. And that figure will only rise in the next few years as APIs become further enmeshed in the consumer digital experience.
Organizations also face the challenge of having to manage and maintain the rapidly escalating quantity of APIs, with the typical large enterprise estimated to run between 15,000 and 25,000 APIs. The sheer volume of APIs, combined with this rapid rate of change, means that security vulnerabilities can develop quickly and go unnoticed.
APIs are often leveraged in authentication and authorization schemes, and that’s where the vast majority of network incursions begin. Consider an internal API built without robust authentication because it was only meant for trusted systems on a closed network. If that API gets repurposed for a public web application without regular and systematic security updates, it’s like an impending sinkhole – everything seems fine on the surface, but underneath, there’s trouble ahead.
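The repurposed internal API described above, as an added example that is not part of the original article: a handler whose only control was the closed network it lived on, beside a hardened version that authenticates and authorizes every caller regardless of where the request comes from. The secret, client ids, paths and scope names are constructed for the demonstration.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed demo secret; a real service would load it from a secrets store.
SECRET_KEY = b"constructed-demo-secret"
# Constructed authorization tables (hypothetical names): which caller may use
# which operation, and which operation each path requires.
SCOPES = {"billing-service": {"accounts:read"}}
REQUIRED_SCOPE = {"/accounts/balance": "accounts:read"}


@dataclass
class Request:
    path: str
    headers: dict = field(default_factory=dict)
    source_ip: str = "0.0.0.0"


def legacy_handler(req: Request):
    """Original internal-only design: the closed network was the only control.

    Once this code is reachable from a public web application, every caller
    gets the data, because no credential is ever checked."""
    if req.path in REQUIRED_SCOPE:
        return 200, {"balance": 1234}
    return 404, {}


def issue_token(client_id: str) -> str:
    """Server-side issuance of a per-client bearer token (demo scheme)."""
    return hmac.new(SECRET_KEY, client_id.encode(), hashlib.sha256).hexdigest()


def hardened_handler(req: Request):
    """Same endpoint with authentication and authorization on every request;
    the source network is deliberately not consulted."""
    client_id = req.headers.get("X-Client-Id", "")
    auth = req.headers.get("Authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
    if not client_id or not token:
        return 401, {"error": "missing credentials"}
    # Constant-time comparison so the check does not leak the token via timing.
    if not hmac.compare_digest(token.encode(), issue_token(client_id).encode()):
        return 401, {"error": "invalid token"}
    needed = REQUIRED_SCOPE.get(req.path)
    if needed is None:
        return 404, {}
    # Authorization: a valid identity still needs the scope for this operation.
    if needed not in SCOPES.get(client_id, set()):
        return 403, {"error": "insufficient scope"}
    return 200, {"balance": 1234}
```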
Another challenge lies in the unique nature of APIs themselves. Each one has its own vulnerabilities, rendering traditional one-size-fits-all security approaches largely ineffective. At the same time, exploiting an API requires far less effort than discovering and exploiting a zero-day vulnerability in conventional software, because the open nature of APIs makes them more accessible to attackers.
Threat actors view targeting APIs as a simple numbers game. While traditional application security relies on a deep understanding of the code and system architecture, with APIs, attackers can probe and prod for weaknesses without needing such specialized knowledge. If their probing fails to uncover a vulnerability, they can simply move on to the next, of which there is no shortage.
Three principles for API security
Despite all the challenges, more organizations are aware of the need for API security. A recent survey of senior security leaders found that 81% of businesses surveyed said that they have prioritized API security more in the last 12 months. But simply applying traditional security controls designed for monolithic software fails to cover the breadth of security challenges unique to APIs. Consider these three principles for strengthening the company’s API security posture:
- API security takes the entire team: Who are the people in an organization who wake up in the morning and obsess over whether the APIs are secure? Developers and product owners need to prioritize security alongside functionality from the very beginning of the design process. Security can't be an afterthought bolted onto a finished product. This type of proactive and collaborative approach means integrating security practices throughout the entire development lifecycle, ensuring that every stage, from design to deployment, considers potential vulnerabilities.
- Secure APIs require automated testing and discovery: A report by Gartner indicated that frequent updates are among the top challenges in API management because they can introduce new vulnerabilities without adequate testing. Yet, only 18% of security leaders said they are testing APIs in real-time. With such a vast number of APIs, manual methods of discovery and testing are simply not scalable. Automated tools are essential for continuous discovery, testing, and behavioral modeling. By continuously monitoring API activity and flagging suspicious behavior, automated testing and discovery tools can serve as a critical first line of defense.
- Context is now as important as the code: It’s easy to think that API security is a code quality issue; however, all too often it’s the business context (or lack thereof) where the problem lies. Consider an e-commerce site that has deployed several hundred APIs. The team may have properly configured and secured the APIs, but only in the context for which they were originally conceived. For instance, an API that facilitates payment processing might function perfectly within the original set of partner services. However, if the e-commerce site integrates a new payment service without a comprehensive security review, this might expose vulnerabilities, particularly if the new partner abides by a different set of security standards or protocols.
Ultimately, building and maintaining a robust API security posture goes beyond implementing specific tools and processes. It also requires a cultural shift that emphasizes security as a core tenet of API development and management. Only then can teams fully leverage the potential of APIs to transform the user experience across channels without putting their sensitive data at risk.
Karl Mattson, Field CISO, Noname Security