Daria Chadwick

Top 7 Challenges for Security & Application Leaders in 2022

Leaders are facing the same common challenges regardless of how mature their API Security Programs may be


In 2022, we're seeing more organizations across all industries starting to mobilize around their APIs. This mobilization is partially an attempt to heed warnings around API Security and leverage the value that APIs can provide.


These organizations focus on improving security efforts, managing APIs more effectively, and creating strategies to accelerate the value that APIs can bring both internally and externally.


In the midst of this mobilization, however, security and application leaders are facing a common set of challenges, regardless of where their organization falls on the API maturity scale.




Challenge #1: Number of APIs Are On The Rise


There are predictions that we'll reach into the billions of APIs by 2034. That's no surprise as more organizations use APIs to deliver more connected environments, accelerate innovation, integrate their systems, generate business value, and even act as products themselves. Realistically, we've merely scratched the surface in terms of APIs' anticipated global economic impact. We expect this growth will pick up speed in this coming year and next as more organizations begin implementing omnichannel approaches to their operations.


Challenge #2: Attacks on APIs are On The Rise


In addition to the number of APIs being on the rise, attacks are naturally on the rise as the attack surface grows. In 2017, Gartner accurately predicted that APIs would be the number one attack vector by 2022. That prediction may be a familiar one at this point, but Gartner has since updated it to claim that "By 2024, API abuses and related data breaches will nearly double in volume."


With malicious traffic targeting APIs up 350% in the past year according to Salt, things certainly aren't boding well for organizations and their APIs. Especially when we consider just how many players have been hit with API-related attacks recently, including Peloton, Bumble, Facebook, Tesla, T-Mobile, LinkedIn, Experian, Venmo, Microsoft, Clubhouse, NoxPlayer - to name a few!


Challenge #3: Hackers Are Evolving Their Attack Types on APIs


Last year, an API within the Russian Central Bank was targeted and exploited. Attackers compromised the bank's operations by intruding on its electronic interbank money transfer system. The threat actors could transfer funds from customer accounts through the Fast Payment System (FPS) simply by replacing the "Account ID" parameter with any random account number. With that one change, the theft went through.


This instance is a classic example of broken object-level authorization, which remains one of the most frequent and dangerous API vulnerabilities.


Tip: Enforce resource-level authorization in your APIs (check that the caller actually owns the object named in the request) and prevent enumeration!


2021 also reminded us that APIs don't even need to have a classic OWASP Top 10 vulnerability to be exploited. Take LinkedIn, which had data on 92% of its user base harvested last year through its official API. Hackers pulled information from over 700 million accounts, exposing names, physical and email addresses, phone numbers, geolocation records, usernames and profile URLs, personal and professional experience/background, and more. Again, this exploit didn't succeed through a specific API vulnerability. Instead, it was merely poor API design on LinkedIn's part.


Tip: APIs should not give access to more data than you are comfortable (and allowed) to share through user interfaces! Bulk operations are hazardous. It's essential to limit the rate at which APIs can be invoked and the amount of data they can return.
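The two tips above describe an authorization check and a set of rate and volume limits without showing what they look like in code. The following is an added example, not code from the original post or from any of the organizations it mentions: a transfer handler written the flawed way (it trusts the client-supplied Account ID, as in the incident described above) beside a hardened version that checks object ownership, issues non-sequential account identifiers, applies a per-caller rate limit, and caps how much a bulk read can return. All names (`transfer_vulnerable`, `transfer_hardened`, `RateLimiter`, `list_profiles`), the account records and the profile rows are constructed for illustration and are not any real system's data or API.

```python
import secrets
import time
from collections import defaultdict, deque


class AuthorizationError(Exception):
    """Raised when the caller does not own the object the request names."""


class RateLimited(Exception):
    """Raised when a caller exceeds its request budget for the window."""


def sample_accounts():
    """Constructed sample data (not real): sequential IDs make guessing a neighbour trivial."""
    return {
        "1001": {"owner": "alice", "balance": 500},
        "1002": {"owner": "bob", "balance": 300},
        "1003": {"owner": "mallory", "balance": 10},
    }


def transfer_vulnerable(accounts, caller, src_id, dst_id, amount):
    """Broken object-level authorization: the source Account ID comes from the client
    and nobody checks that `caller` owns it, so any account can be drained."""
    src, dst = accounts[src_id], accounts[dst_id]
    if src["balance"] < amount:
        raise ValueError("insufficient funds")
    src["balance"] -= amount
    dst["balance"] += amount
    return src["balance"]


def transfer_hardened(accounts, caller, src_id, dst_id, amount):
    """Resource-level authorization: the source account must belong to the caller."""
    src = accounts.get(src_id)
    if src is None or src["owner"] != caller:
        # One error for both "no such account" and "not yours", so the response
        # does not tell a probing client which IDs exist.
        raise AuthorizationError("account not found or not owned by caller")
    dst = accounts.get(dst_id)
    if dst is None:
        raise ValueError("unknown destination account")
    if amount <= 0 or src["balance"] < amount:
        raise ValueError("invalid amount")
    src["balance"] -= amount
    dst["balance"] += amount
    return src["balance"]


def new_account_id():
    """Opaque random identifier: 128 bits of entropy, so IDs cannot be enumerated
    by incrementing a counter. (Authorization is still required; this only
    removes the easy guess.)"""
    return secrets.token_urlsafe(16)


class RateLimiter:
    """Sliding-window limiter keyed by caller (assumed: the API key or user ID on the request)."""

    def __init__(self, max_calls, window_seconds, clock=time.monotonic):
        self.max_calls = max_calls
        self.window = window_seconds
        self.clock = clock  # injectable so the limiter can be tested without sleeping
        self._calls = defaultdict(deque)

    def check(self, caller):
        now = self.clock()
        q = self._calls[caller]
        while q and now - q[0] >= self.window:  # drop timestamps outside the window
            q.popleft()
        if len(q) >= self.max_calls:
            raise RateLimited(f"{caller}: over {self.max_calls} calls per {self.window}s")
        q.append(now)


MAX_PAGE_SIZE = 50  # hard cap; the client may ask for less, never more


def list_profiles(profiles, caller, limiter, page_size=MAX_PAGE_SIZE, offset=0):
    """Bulk read with a rate check, a server-enforced page size and a field allowlist,
    so one call (or a scripted series of them) cannot pull the whole directory
    or fields the UI itself would never show."""
    limiter.check(caller)
    page_size = max(1, min(page_size, MAX_PAGE_SIZE))
    page = profiles[offset:offset + page_size]
    public_fields = ("name", "profile_url")
    return [{k: p[k] for k in public_fields} for p in page]
```

The vulnerable handler is kept deliberately minimal to show the single missing check; in the hardened version the ownership test comes first, before any balance logic, so that an unauthorized request does no work and leaks no state.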

Challenge #4: Cost of API Breaches


It's important to remember that breaches from APIs can be costly in more ways than one, and this is another responsibility on the shoulders of security and application teams. According to IBM's Cost of a Data Breach Report, the average global data breach costs around $4 million. Aside from financial losses, organizations also need to factor in the potential loss of productivity, reputation damage, decreased customer loyalty, legal liability, and business continuity problems.


We're seeing a picture come to light that tells us that:


"If data is the new oil, then APIs could, unfortunately, become the new plastic, with byproducts wreaking havoc on the ecosystem."



That is why it's so essential for organizations to get a handle on this API problem fast, and to learn how to create, manage, and leverage APIs in a responsible fashion.


Challenge #5: Lack of Visibility into APIs


But how can organizations be expected to wrap their heads around this problem when the API environment continues to grow in size and complexity, hampering visibility into this issue?


Less mature organizations may not know how many APIs they have, much less how many may lurk in the shadows. Questions abound about API ownership, whether there are duplicate APIs, and more. Even the most mature organizations are still struggling to fully comprehend and get transparency into the scope of their API Security problem.


In reality, you cannot secure what you can't find or measure. Obtaining visibility is the vital first step for security and application leaders to take if they have not done so already.
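One concrete way to start on that first step is to build an API inventory from the traffic you already log, then compare it with the routes your teams have declared. The block below is an added example, not the post's or any vendor's tooling: it parses a handful of constructed gateway access-log lines (Common Log Format style, with `-` in the user field meaning no authenticated principal), collapses per-object identifiers into `{id}` so each route is counted once, and reports which observed routes are absent from the declared list (shadow APIs) and which are being called without authentication. `KNOWN_ROUTES` stands in for whatever an OpenAPI spec or gateway configuration would supply; the log lines, IP addresses, users and paths are all made up for the example.

```python
import re
from collections import defaultdict

# Constructed sample gateway access log (not real traffic).
# Fields: client ident user [timestamp] "METHOD path protocol" status bytes
LOG_LINES = """\
192.0.2.10 - alice [12/Jan/2022:10:01:02 +0000] "GET /api/v1/accounts/1001 HTTP/1.1" 200 512
192.0.2.10 - alice [12/Jan/2022:10:01:05 +0000] "POST /api/v1/transfers HTTP/1.1" 201 88
192.0.2.11 - bob [12/Jan/2022:10:02:00 +0000] "GET /api/v1/accounts/1002 HTTP/1.1" 200 498
198.51.100.7 - - [12/Jan/2022:10:03:14 +0000] "GET /api/v1/accounts/1003 HTTP/1.1" 200 501
198.51.100.7 - - [12/Jan/2022:10:03:15 +0000] "GET /api/v1/accounts/1004 HTTP/1.1" 200 507
198.51.100.7 - - [12/Jan/2022:10:03:16 +0000] "GET /internal/export/users HTTP/1.1" 200 90210
192.0.2.12 - carol [12/Jan/2022:10:04:00 +0000] "GET /api/v2/accounts/ab12cd HTTP/1.1" 200 512
this line is garbage and must not crash the run
""".splitlines()

LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]+" (?P<status>\d{3}) (?P<bytes>\d+)$'
)

# Declared API surface. Assumed to be derived from the team's OpenAPI spec; constructed here.
KNOWN_ROUTES = {
    ("GET", "/api/v1/accounts/{id}"),
    ("POST", "/api/v1/transfers"),
}

# Path segments that look like object identifiers: integers, hex tokens, UUID-like strings.
# Caveat: a route segment that happens to be all hex letters (e.g. "face") would also collapse.
ID_SEGMENT = re.compile(r"^(\d+|[0-9a-f]{6,}|[0-9a-f-]{32,})$")


def route_template(path):
    """Collapse per-object identifiers into {id} so one route is counted once, not per object."""
    path = path.split("?", 1)[0]  # drop the query string
    return "/".join("{id}" if ID_SEGMENT.match(seg) else seg for seg in path.split("/"))


def build_inventory(lines):
    """Return {(method, route_template): {calls, unauthenticated, clients, shadow}}."""
    inventory = defaultdict(lambda: {"calls": 0, "unauthenticated": 0, "clients": set()})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the whole inventory run
        key = (m["method"], route_template(m["path"]))
        entry = inventory[key]
        entry["calls"] += 1
        entry["clients"].add(m["client"])
        if m["user"] == "-":
            entry["unauthenticated"] += 1
    for key, entry in inventory.items():
        entry["shadow"] = key not in KNOWN_ROUTES  # observed in traffic but never declared
    return dict(inventory)


def shadow_routes(inventory):
    """Routes that are live but absent from the declared surface."""
    return sorted(k for k, v in inventory.items() if v["shadow"])


def unauthenticated_routes(inventory):
    """Routes that served at least one request with no authenticated principal."""
    return sorted(k for k, v in inventory.items() if v["unauthenticated"] > 0)


if __name__ == "__main__":
    inv = build_inventory(LOG_LINES)
    for key, entry in sorted(inv.items()):
        flag = "SHADOW" if entry["shadow"] else "known"
        print(f"{key[0]:4} {key[1]:28} calls={entry['calls']} "
              f"unauth={entry['unauthenticated']} clients={len(entry['clients'])} [{flag}]")
```

Run as a script it prints one line per observed route; in a real deployment the interesting output is the two lists, which give the owner-assignment and "is this endpoint supposed to exist?" questions from the paragraph above a concrete starting point instead of a guess.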


Challenge #6: No Single Unit Responsible for API Security


Lack of visibility is often made worse because, in many organizations, no single unit is clearly responsible for API security. A Salt survey found that 21% of professionals believe it's the responsibility of developers to secure APIs, 20% place it on the API team, 16% on the AppSec team, 16% on DevSecOps, 11% on DevOps, 9% on InfoSec, and 4% on platform teams.



This lack of centralization, of a streamlined, uniform front on the problem of API security, creates more chaos and uncertainty in an area that already has plenty of both. Organizations have a responsibility to grow their maturity levels and control the things they can, like centralizing their API approach, to better work against the factors they can't influence, like rising API attacks.


Challenge #7: Facing Unknown Risk Levels


Finally, security and application leaders face the challenge of not knowing how much risk they currently carry from their APIs. After generating visibility into APIs, leaders should understand just how much risk they are presently (and unnecessarily) taking on.


Only with a clear, transparent view of the state of your application's security can you effectively understand and manage risk and enforce necessary security policies. Without better telemetry and observability, every security decision will be a shot in the dark, and leaders will miss critical holes in API security.



If you cannot generate this observability and confidently demonstrate and track the risk around your APIs, you will have difficulty getting the support you need to prioritize this issue at the required level.


In Conclusion


  • The number of APIs increases the complexity of the API environment and contributes to poor visibility levels around APIs.

  • As attacks on APIs rise, organizations are potentially facing heavy financial damages and significant interruption to business continuity.

  • Uncertainty about responsibility and the lack of a united front maintain ad-hoc, immature environments and processes around APIs, actively making things worse.

  • Uncertainty around risk levels adds further risk to the organization, as teams cannot adequately prioritize vulnerabilities and individuals cannot take the critical actions needed to remediate them quickly.


These challenges and their impacts indicate that the problem of API vulnerabilities has graduated from a technical concern for the organization to a business-critical one. That is why it's so essential, looking forward into 2022, that organizations get a handle on their APIs, understand the scope of the problem they face, and take swift and effective action to reduce API risk as they move forward with their plans for the future.


Learn more about how to solve all of these challenges with ReactFirst:

Download the Ultimate Guide to API Remediation

Watch our most recent webinar on the topic (Passcode: Kg=k2N$g)

Schedule a discovery call


 

Introducing ReactFirst: Security for the new API Economy and the pace of modern business. ReactFirst is an award-winning, comprehensive API threat remediation solution that goes beyond technology to help minimize the threat caused by API security vulnerabilities.


ReactFirst helps bring together a combination of capabilities - a program, technology, and team of experts - to appropriately address the risk caused by API vulnerabilities. Instead of merely identifying problems, it tracks the organization's ability to resolve them, providing a command and control structure that delivers the necessary insights and accountability to see each vulnerability move through the remediation process.


This program is backed by executive sponsorship, supported by cross-industry experts, and enabled by state-of-the-art technology. ReactFirst works as the perfect accompaniment to your existing API strategy, providing the transparency, oversight, and control into the API Remediation process your organization needs as the risk around API vulnerabilities grows.


Talk to us to see if ReactFirst is a fit for you, and whether it can help turn your API Remediation efforts into ones you can trust: https://www.reactfirst.io/contact