Why Organizations Struggle to Secure APIs

API attacks are plaguing businesses. In The State of API Security in Q1 2023, Salt Security reported that “94% of respondents have experienced security problems in production APIs over the past year, with 17% having experienced an API-related breach.” Add to that the fact that attackers are getting better at coming up with ways to fool security measures, with more than three-fourths of all attacks appearing to involve legitimate users because they are using stolen credentials.

These numbers emphasize something that many organizations already know: Securing APIs is hard. Until there is a deeper understanding of the reasons behind why API security is such a struggle, APIs will be vulnerable to attacks.

Multiple Factors Leading to Difficulty

There are multiple factors that make it difficult to secure APIs, including:

API Sprawl. Companies are building and deploying huge numbers of APIs at a rapid pace, yet there is too often a lack of API governance programs. Many organizations don’t even have an accurate count of the APIs in their environment, explained Nick Rago, field CTO at Salt Security, in an email interview. If you don’t know an API exists, you can’t secure it, he added.
API attacks differ from traditional attacks. Because of this, traditional security tools don’t offer the type of protection APIs need. API security requires context over time, which most traditional security tools don’t provide. “API attacks are attacks on business logic,” said Rago. “Bad actors do reconnaissance over time to find flaws in APIs.”
Lack of standardization. APIs are all fundamentally built and secured differently depending on the development team, according to Krishna Vishnubhotla, vice president of product strategy at Zimperium. “The lack of standardization, inherent complexity and diverse interactions between multiple systems, services and data formats make securing APIs a multifaceted challenge.”
Multiple layers. “APIs are a particularly tricky technical interface to secure because they combine so many different layers: Network, applications, data and identity,” said Jeremy Snyder, founder and CEO of FireTail, in a statement. “APIs sit on a network, are the outer edge of an application, expose access to data and are leveraged using identity credentials to check access and specific permissions.”
Inconsistent logging behaviors. Because of where they sit in the technology stack, API logging behaviors tend to be inconsistent and may not be collected or correlated with other logs, Snyder pointed out.
Fragmented teams and siloed information. In many organizations, responsibility for the API attack surface is split across the security organization. Organizations, especially large enterprises, tend to have separate teams for network security and for identity management and security, according to Snyder. Different teams are responsible for different processes. This creates silos of information and of people, so no one is truly aware of what is happening or has a good understanding of the risks presented by API vulnerabilities.

Steps to Take to Secure APIs

No one is going to wave a magic wand and solve API security in one fell swoop. If that were possible, we wouldn’t be talking about API breaches today. But there are steps organizations can take to ease the security struggles.

It begins with artificial intelligence (AI) and machine learning (ML), said Rago. AI/ML tools will allow you to identify unknown attacks through behavioral analysis.

“A purpose-built API solution should be able to automatically and continuously monitor API behaviors in runtime to detect potential threats arising from cybercriminal reconnaissance,” said Rago. “Only AI has the capability to quickly spot anomalies in behaviors across millions of API calls and correlate them over time.”
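An added illustration, not code from the article or from any vendor it names, of the kind of behavioral correlation Rago describes: a constructed API access log is profiled per caller, and a caller is flagged when its calls over the window take the shape of reconnaissance (many distinct endpoint shapes, a high client-error ratio, or sequential object IDs). The log format, the caller identifier and the thresholds are assumptions.

```python
import re
from datetime import datetime

# Constructed sample API access log (added example, not from the article):
# timestamp, caller token id, method, path, HTTP status
SAMPLE_LOG = """\
2023-05-01T10:00:01Z tok_A GET /api/v1/orders/1001 200
2023-05-01T10:00:05Z tok_A GET /api/v1/orders/1002 403
2023-05-01T10:00:09Z tok_A GET /api/v1/orders/1003 403
2023-05-01T10:00:14Z tok_A GET /api/v1/orders/1004 403
2023-05-01T10:00:20Z tok_A GET /api/v1/users/7 404
2023-05-01T10:00:31Z tok_A GET /api/v1/admin/export 404
2023-05-01T10:00:40Z tok_A GET /api/v1/internal/debug 404
2023-05-01T10:00:44Z tok_B GET /api/v1/orders/2201 200
2023-05-01T10:01:02Z tok_B POST /api/v1/orders 201
2023-05-01T10:01:30Z tok_B GET /api/v1/orders/2201 200
"""

ID_SEG = re.compile(r"/(\d+)(?=/|$)")  # a purely numeric path segment (object id)

def parse(log):
    """Parse log lines into (time, client, method, path, status) tuples, time-ordered."""
    events = []
    for line in log.splitlines():
        ts, client, method, path, status = line.split()
        t = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append((t, client, method, path, int(status)))
    return sorted(events)

def client_profile(events, client):
    """Summarise one caller's behaviour across all of its calls in the window."""
    ev = [e for e in events if e[1] == client]
    templates = {ID_SEG.sub("/{id}", e[3]) for e in ev}     # endpoint shapes touched
    errors = sum(1 for e in ev if 400 <= e[4] < 500)        # probing usually fails
    seq, last = 0, {}                                       # consecutive ids per endpoint
    for e in ev:
        m = ID_SEG.search(e[3])
        if m:
            tpl, n = ID_SEG.sub("/{id}", e[3]), int(m.group(1))
            seq += 1 if last.get(tpl) == n - 1 else 0
            last[tpl] = n
    return {"requests": len(ev), "distinct_templates": len(templates),
            "error_ratio": errors / len(ev) if ev else 0.0, "sequential_ids": seq}

def is_recon(p, min_requests=5, templates=4, error_ratio=0.5, sequential=2):
    """Illustrative (assumed) thresholds: any one signal over its limit flags the caller."""
    if p["requests"] < min_requests:
        return False
    return (p["distinct_templates"] >= templates or p["error_ratio"] >= error_ratio
            or p["sequential_ids"] >= sequential)

def flag_clients(log):
    events = parse(log)
    return {c: is_recon(client_profile(events, c)) for c in sorted({e[1] for e in events})}
```

In the sample, tok_A is flagged on all three signals while tok_B, a normal caller, is not; in production the same per-caller correlation would run over a sliding time window across every API gateway and service log, which is exactly where the inconsistent logging the article mentions bites.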

It’s also time to break down the silos and bring teams together. Scott Gerlach, co-founder and CSO at StackHawk, recommended solutions such as engaging engineering in security best practices and deploying developer enablement.

“Foster collaboration between security and engineering teams to integrate security considerations into API design, development and testing. This ensures that security is embedded in the development process, minimizing vulnerabilities from the start,” Gerlach said in an email interview.

Organizations should also equip developers with contextual information about security vulnerabilities, including detailed explanations and steps to recreate issues. “This facilitates quicker resolutions and promotes a deeper understanding of security concerns,” Gerlach stated.

APIs are part of every application today, and attackers understand that organizations struggle with good security practices to protect them. Recognizing the security weak spots in API development and management is the first step to improving security systems around them.


Sue Poremba

Sue Poremba is a freelance writer based in central Pennsylvania. She has been writing about cybersecurity and technology trends since 2008.
