How CISOs Can Influence API Security Change

Security incidents can cost a chief information security officer (CISO) their job. For example, cybersecurity breaches at Capital One, Uber, Equifax and plenty of others have led to the firing or forced resignation of the companies’ respective CISOs. Whether all these removals were fair is up for debate, but regardless, there’s a growing incentive for security leaders to strengthen their applications to avoid abuse and costly breaches.

Simultaneously, APIs have become a more frequent attack vector, requiring CISOs to pay more attention to this growing threat. To put things in perspective, Salt Security recently unearthed a shocking 400% rise in unique API attacks over the past six months. And when API attacks are successful, they can leak large amounts of customer data. For example, five million Twitter user records were leaked due to an API vulnerability in late 2022. Improperly secured APIs were also at the heart of recent breaches at Optus and Peleton.

According to Nick Rago, field CTO at Salt Security, API security requires a holistic approach that involves much more than a single vendor’s solution. It necessitates a combination of strategies and tools to properly discover and protect against threats. It also requires broader education on secure-by-design fundamentals to avoid gaps in business logic. Below, we’ll summarize the common risks associated with web APIs and consider what steps CISOs can take to remediate potential vulnerabilities.

Understanding Common API Risks

Over the last few years, the number of APIs on offer has escalated. In one blog post, Jason Harmon, CTO of Stoplight, explained how, just within a single large organization, the number of APIs might be connected to anywhere from 5,000 to 10,000 services. At scale, it can be challenging to maintain an inventory of all these services, and according to Rago, this constant development is leading to sprawl issues.

The OWASP Top Ten API list is a good rundown of specific vulnerabilities to consider. And according to Rago, many of the attacks fall into four common attack types:

  1. Lack of visibility and posture compliance: Organizations are often unaware that these APIs exist, let alone that they insecurely deal with customer data. As I’ve covered before, these rogue endpoints may exist due to shadow or zombie APIs.
  2. API abuse and misuse: Secondly, Rago said that very often, companies build APIs that are insecure by design. These APIs enable hackers to sniff traffic and leak data. The API does exactly what it’s supposed to do, but the software provider hasn’t anticipated the potential for misuse.
  3. Business logic risks: Next come the issues related to insecure logic and broken access control. These involve a hacker poking and prodding a system, often with malformed requests, to produce negative behavior, explains Rago. Broken object-level authorization (BOLA), for example, might enable one to request data they are not authorized to consume. Sometimes, this may involve messaging multiple elements to escalate privileges.
  4. Stolen credentials: Finally, attacks may use phishing schemes to steal credentials. If granted access inside an engineering domain like a source code repository, they could steal static API keys, giving them free rein to read, write or delete data under the radar. This is concerning since 54% of organizations cannot detect the use of stolen API keys being used to mimic genuine requests, according to a 2022 Approov report.

Taking Action

So, knowing these common risks, how can CISOs take action? Rago shared many helpful tips for encouraging positive API security change within an organization.

Enhance developer education. First off, many API vulnerabilities stem from code issues, said Rago. Developers aren’t always thinking like a hacker and might not consider how the logic of the system might be abused. Therefore, educating developers on secure design practices will help avoid multi-step attacks and secret leakage.

Find the APIs and enhance visibility. To fully understand the problem, you’ll need to first discover the APIs hidden throughout the organization. Next, you’ll want to improve the visibility into requests against these APIs to better track behaviors, said Rago.

Enhance governance throughout the API life cycle. Next, once your APIs are documented and cataloged in a developer portal, do you have a program to continually secure them? And what is the plan for deprecation and eventual retirement? Considering how the API will be treated throughout its life cycle can help reduce fragmented governance policies and avoid shadow or zombie APIs.

API security takes a village. Also, leaders should realize that proper API security will require a holistic, multi-layered approach. “API security is a big enough problem that it requires more than one vendor,” said Rago. “It’s a strategy, not a platform.”

As such, Rago cautions consumers against solely relying on comprehensive cybersecurity platforms, as they are not best-of-breed. Instead, API security will require a combination of components like an API gateway, OAuth server and traditional web application firewall (WAF). You will likely benefit from additional solutions to cover areas like automated security testing, service discovery and cataloging, schema testing, rate limiting, runtime detection and identity and access management.

API Security: In the Limelight

In 2023, API security has become a hot-button topic. As a result, we’re seeing more value being placed on securing APIs than ever before, noted Rago. “API security is on the map for the first time. Really, this is the first year it’s showing up as budgeted in a major way.”

Although protecting APIs may very well be a C-level concern, there is a long road ahead to plug gaps. The tips above can help reduce risk, but they only scratch the surface of API security best practices. “There’s no API security panacea,” said Rago. For example, although most APIs conform to REST development standards, leaders must also consider the potential security repercussions of new API styles, like GraphQL. Furthermore, spec-driven testing can’t be wholly relied upon, said Rago, since not all teams actively engage in spec-driven development. (Only 3% of developers rated the APIs they work with as “very well documented,” according to Postman’s 2022 State of the API Report.)

When you add it all up, the various factors contributing to API risks can seem overwhelming. So, what actions should CISOs prioritize? Well, Rago recommended that business leaders immediately wrap their services with runtime protection. This should reduce the chance of business logic flaws being exploited while you investigate core issues and seek to positively change the culture around API design and ongoing maintenance.

Avatar photo

Bill Doerrfeld

Bill Doerrfeld is a tech journalist and analyst based in Seattle. His beat is cloud technologies, specifically the web API economy. He began researching APIs as an Associate Editor at ProgrammableWeb, and since 2015 has been the Editor at Nordic APIs, a high impact blog on API strategy for providers. He loves discovering new trends, researching new technology, and writing on topics like DevOps, REST design, GraphQL, SaaS marketing, IoT, AI, and more. He also gets out into the world to speak occasionally.

bill-doerrfeld has 23 posts and counting.See all posts by bill-doerrfeld