Digital transformation, app modernisation and API-first application design practices have exponentially increased the usage of APIs in organisations today. As a result, APIs have become the number one attack vector of bad actors. Why? Because the sprawl of APIs in organisations has created an extended attack surface that is ripe with low effort, high reward opportunities. Attackers today look to abuse exposed and badly implemented APIs or take advantage of APIs with business logic flaws, which can be uncovered through simple trial and error reconnaissance.
With this in mind, API security is more important than ever. Let’s take a closer look so we can answer the question: API security - why now?
API usage is growing at an alarming rate. The Salt Labs State of API Security Report found that the average number of APIs per customer grew 82% from July 2021 to July 2022. The sheer number of APIs organizations now manage has made it difficult for security to keep track - that same report found that 53% of respondents identified API sprawl as their greatest API security concern.
Aside from rapid adoption, there are a number of key factors contributing to API sprawl, including:
- Adoption of cloud-native design patterns and microservices architectures
- Use of API-enabled cloud infrastructure
- Support for increasingly mobile consumer and employee user populations as well as machine identities
- Consumption of SaaS-delivered services and mobile applications
- Partner and supplier integrations, commonly referred to as digital supply chains
Nick Rago is field CTO at Salt Security.
Because multiple APIs may need to be built or integrated to support varied clients and service types, API protocol disparities represent another major cause of API sprawl. While REST still dominates much of the API landscape, GraphQL is also gaining traction.
The risks inherent with API sprawl are both numerous and serious, introducing significant operational and cybersecurity challenges for organizations. Some of the most serious concerns include the potential for business logic abuse of APIs and exposure of sensitive customer and company data.
However, unknown (or shadow) APIs and outdated (or zombie) APIs represent the biggest risk, as these APIs fall outside of an organization's official API governance. For all intents and purposes, organizations don’t even know that they exist, making it impossible to maintain an accurate inventory of their APIs. Without a complete API inventory, companies put themselves at high risk. As the old security adage goes: You can’t protect what you don’t know exists.
These threats are compounded by the fact that traditional security tools - web application firewalls (WAFs) or API gateways, for example - cannot adequately protect APIs from abuse. In fact, most of the security issues included in the OWASP API Security Top 10 cannot be addressed with these traditional technologies. So, that begs the question: How do we address API sprawl?
In a perfect world, all APIs would be blueprinted and documented at design time and populated in an internal developer portal or API service catalogue, before they are coded. However, most organizations today are not enforcing spec-first API development practices and admit that they do not have dependable (if any) documentation for most of the APIs they develop and utilize. As a result, organizations are left to scour their infrastructure, looking to find and inventory APIs in use.
In this effort, gaining adequate visibility into all your environments is absolutely essential to address API sprawl. API gateways or perimeter proxies simply don’t go far enough; they will not give you a complete picture of your API traffic. Your applications, systems, and APIs – and the data they interact with – span across scores of environments. To discover all API assets, organizations must gather telemetry at multiple points of their enterprise architecture.
To keep up with API sprawl, organizations must seek API-specific security tools that:
- Integrate with the countless technology stacks and varieties of compute that are used across all environments
- Deliver value “out of the box”
- Work alongside pre-existing network proxies and gateways to enforce the most appropriate type of mitigation, in the most appropriate point of an architecture, for a given API exploit or abuse
- Provide continuous insights and runtime protection to instantly spot and defend against potential abuses
What makes API security unique?
Because every API is unique, with its own business logic, every API attack is also unique. Traditional attack techniques, known colloquially as “one and done” attacks - SQL injections or cross-site scripting, for example - typically fail when launched on APIs. Attackers cannot leverage known vulnerabilities, as they would in the aforementioned techniques. Instead, cybercriminals probe APIs repeatedly to find business logic gaps they can exploit, making API attacks “low and slow.”
In addition, while pre-production testing provides value against flushing out the known-bad vulnerabilities, to date automated testing has lacked the proper context to properly identify API business logic flaws or bad API design. As a result, most APIs that go through rigorous testing cycles still contain business logic flaws and opportunities to be misused once they land in production. Many of the breaches that have made the headlines over the past year were experienced by large organizations with robust devsecops models and security testing practices.
Additionally, shift-left efforts only identify security gaps for what is in development and don’t address what is already in production today. To immediately lower risk, you must utilize runtime monitoring and protection tools to protect the APIs that are already running in your environment. To ensure fast attack detection and response, look for tools that provide behavioral analysis in runtime that are able to infer user intent. In today’s increasingly digital world, API-specific security has become vitally important to protect businesses’ – and their customers’ – critical data. Some of the biggest cyber breaches of the last few years have stemmed from API security issues - including the recent Optus and T-Mobile hacks, as well as potential threats, such as a recent vulnerability uncovered on LEGO’s BrickLink service. 2023 will either be the year of API security, or API attacks. It’s up to us to decide which one.