Akamai to Extend API Security Reach via Neosec Acquisition
Akamai Technologies plans to make it easier to detect application programming interfaces (APIs) using behavioral analytics following its acquisition of Neosec.
Patrick Sullivan, CTO of security strategy at Akamai, said that while the company already provides a range of API security capabilities, it’s difficult to secure APIs that no one on the security teams knows exist.
The addition of Neosec to the Akamai portfolio lays the foundation for simplifying the identification of rogue and zombie APIs that developers may have created without informing the cybersecurity team, he added. The deal is expected to close this quarter.
API security has become a crucial issue because APIs are proliferating across the enterprise at a rapid rate. The challenge is that the team that creates and exposes those APIs doesn’t always have the greatest appreciation for cybersecurity best practices, mainly because they may never have received any formal training. As a result, APIs represent a new class of endpoint that needs to be secured. The acquisition of Neosec adds some much-needed visibility into API security, noted Sullivan.
Another challenge is that not all APIs are equally vulnerable. External APIs present a juicy target that enables cybercriminals to exfiltrate data from misconfigurations, so there tends to be more focus on securing them over an internal API. However, it’s not uncommon for an internal API to become externally facing as applications are updated or business processes evolve. Many organizations will only discover that the API needs to be better secured long after it has been exposed to the internet.
More challenging still, there are now multiple types of APIs being used, ranging from REST APIs to GraphQL APIs that are starting to gain traction among the latest generation of applications. Each of those API classes, from a security perspective, has different nuances that need to be appreciated before implementing security policies.
A recent Akamai report found that attacks against web applications and APIs grew 137% in 2022. In theory, the overall state of API security should improve as cybersecurity teams collaborate more with application development teams that adopt DevSecOps best practices to build and deploy applications and their associated APIs. However, most organizations are still in the early stages of adopting DevSecOps best processes, so the level of security applied to APIs remains inconsistent. In the meantime, cybersecurity professionals, as always, can expect to be held accountable for any breach that does occur.
In the meantime, cybersecurity teams would be well-advised to spend more time with application development teams. Half the battle is just understanding how APIs are created. Armed with that insight, it then becomes simpler to identify traffic patterns that are indicative of an API having been deployed without adequate security. Akamai is making a case for a tool that applies behavioral analytics to make it simpler to identify those patterns before they are discovered by cybercriminals and exploited.
