Beyond Checkboxes: The Essential Need for Robust API Compliance

Highlights:

• APIs are a primary target: Recognize the growing focus of cybercriminals on APIs and the urgent demand for strong security measures.
• Compliance is mandatory: Explore essential regulations such as PCI DSS 4.0, GDPR, and NIST, along with the real implications of failing to comply.
• Real-world breaches, real-world costs: Explore the significant fines and reputational harm experienced by companies such as Meta, Geico, PayPal, and AT&T due to failures in API security.
• Proactive security is crucial: Understand the significance of API discovery, posture governance, and Zero Trust approaches in ensuring effective API protection.

APIs serve as essential links in today’s digital infrastructure, enabling data sharing and application integration. However, their widespread use has made them prime targets for attackers. Hence, strict compliance with security regulations is not just optional; it is imperative for business success.

The increasing frequency of data breaches and the sophistication of cyber threats highlight the pressing need for strong API security. Regulatory agencies globally are responding with stricter requirements, compelling organizations to reassess their security strategies.

Understanding the Regulatory Landscape:

• Payment Card Industry Data Security Standard (PCI DSS) v4.0: The PCI DSS v4.0 standard prioritizes the security of APIs used in payment processing. Organizations are required to adopt secure development practices, enforce strong access controls, and perform routine vulnerability assessments. For businesses aiming for PCI compliance, section 6.2.4 is particularly important as it focuses on common coding vulnerabilities impacting APIs and outlines “attacks on business logic.” This includes attempts to exploit APIs and related systems to circumvent security measures, featuring threats such as cross-site scripting (XSS) and cross-site request forgery (CSRF). Non-compliance poses significant risks to sensitive cardholder information, making compliance essential.
• National Institute of Standards and Technology (NIST) SP 800-53 Rev. 5: The NIST SP 800-53 Rev. 5 framework sets strict security benchmarks for federal information systems, particularly concerning API security. It requires organizations to implement thorough input validation, adopt least privilege access controls, and ensure comprehensive monitoring capabilities. Businesses managing sensitive government information must prioritize these controls to secure compliance and safeguard important data.
• Canadian API Standards: To align with the Government of Canada’s Digital Standards, APIs should adhere to RESTful architecture principles, utilize clear message schemas, prioritize security measures, ensure interoperability, manage the API lifecycle, and implement performance and throttling guidelines.
• ISO/IEC 27001 & ISO/IEC 27017: These ISO standards offer vital guidance for securing cloud services, particularly the APIs that support them. They stress the need for secure data transmission using technologies like TLS 1.2+ and strong authentication mechanisms like OAuth 2.0 and JWT. By following these standards, organizations can protect the confidentiality and integrity of data exchanged through APIs in cloud environments.
• IEC 62443 – Industrial API Security: The IEC 62443 standard is tailored to enhance the security of industrial automation and control systems (IACS). It mandates robust authentication methods, including mutual TLS (mTLS), and stringent access restrictions for APIs interacting with operational technology (OT) systems. This standard is essential for safeguarding critical infrastructure against unauthorized access and potential disruptions.
• Health Insurance Portability and Accountability Act (HIPAA): HIPAA is focused on ensuring the privacy and security of electronic protected health information (ePHI) managed by APIs. Organizations must follow strict security-by-design principles, such as minimizing data, utilizing encryption, and enforcing strong access controls. Non-compliance can lead to significant financial penalties and harm an organization’s reputation, highlighting the need for comprehensive security measures.
• General Data Protection Regulation (GDPR): The GDPR requires organizations managing personal data through APIs to implement strong security measures to protect user privacy. This includes compliance with security-by-design principles like data minimization, encryption, and effective access controls. Failure to comply can result in hefty financial penalties and damage public trust, making GDPR adherence crucial.
• Open Banking and PSD2: The growth of open banking has increased dependency on APIs for financial transactions. The PSD2 regulation calls for vigorous security protocols, including Strong Customer Authentication (SCA), to avert fraud and unauthorized access. Secure authentication mechanisms must be implemented to maintain the integrity and security of financial APIs.
• New York Department of Financial Services (NYDFS) Cybersecurity Regulation (23 NYCRR 500): The NYDFS Cybersecurity Regulation emphasizes securing APIs that are accessible to third parties, especially for financial institutions in New York State. Organizations must establish monitoring capabilities to identify anomalies and enforce multi-factor authentication (MFA) for API access, ensuring the protection of sensitive data.
• MITRE ATT&CK Framework for API Threats: The MITRE ATT&CK framework offers an extensive database of adversary tactics and techniques specifically relevant to API threats. It aids organizations in understanding and mitigating risks such as credential theft and the exploitation of public-facing APIs. Organizations can improve their capacity to detect and respond to API-related attacks by utilizing this framework.

Beyond Basic Compliance

Simply meeting regulatory minimums is not enough; organizations should embrace a thorough and proactive approach to API security, which entails:

• Comprehensive API Discovery and Inventory: Gaining complete visibility into all APIs, including shadow and zombie APIs, is vital for effective security management.
• API Posture Governance: Following discovery, it’s essential to establish and uphold a strong API security stance, which includes defining and enforcing security policies, regularly evaluating API configurations for vulnerabilities, and automating remediation. Effective posture governance ensures continuous compliance and minimizes security gaps.
• Advanced Threat Detection and Response: Deploying advanced tools and processes for threat detection is critical to recognizing and countering malicious activities, including credential stuffing and injection attacks.
• Zero Trust Security Model: Embracing a Zero Trust approach, where no user or device is automatically deemed trustworthy, can greatly enhance API security.
• Continuous Monitoring and Logging: Enforcing rigorous monitoring and logging practices allows organizations to spot and respond to suspicious activities in real-time.

The Real-World Impact of Non-Compliance

Neglecting API security has severe real-world consequences, highlighted by actual incidents. These breaches can lead to substantial financial losses, damage to reputation, and legal issues, emphasizing the urgent need for strong API compliance.

Meta Platforms (formerly Facebook) — 2018 API Vulnerability:

• Incident: In 2018, a vulnerability in Facebook’s “View As” feature exposed its APIs, allowing attackers to access compromised tokens and personal data of around 29 million users.
• Consequence: In December 2024, the EU fined Meta €251 million for a data breach, highlighting the financial risks of weak API security.

Geico — 2020 API Breach:

• Incident: In 2020, hackers took advantage of vulnerabilities in Geico’s online quoting tool API, gaining access to sensitive personal information, including driver’s license numbers and birth dates of approximately 116,000 individuals.
• Consequence: In November 2024, New York fined Geico $9.75 million for inadequate cybersecurity measures related to their API. This incident highlights the critical need for securing API endpoints and effective cybersecurity protocols.

PayPal — 2022 API Security Lapses:

• Incident: In 2022, cybercriminals exploited vulnerabilities in PayPal’s systems, potentially linked to API weaknesses, resulting in unauthorized access to users’ personal information, including Social Security numbers.
• Consequence: In January 2025, the New York Department of Financial Services fined PayPal $2 million for these cybersecurity shortcomings, highlighting the urgent need for strong API security practices.

AT&T — 2023 API-Related Data Breach:

• Incident: In January 2023, a data breach impacted 8.9 million AT&T wireless customers. Although the breach was tied to a cloud vendor and details about API involvement were unclear, such incidents often indicate vulnerabilities in API security.
• Consequence: In September 2024, AT&T agreed to pay $13 million to resolve an investigation by the Federal Communications Commission (FCC) regarding this breach, underscoring the critical need for secure API protocols.

These cases demonstrate that even prominent, established organizations can fall prey to API-related breaches. The resulting financial penalties and damage to reputation highlight the urgent need to prioritize API security and establish effective compliance strategies.

Taking Decisive Action

Organizations need to view API security as a fundamental business priority by:

• Implementing strong security measures and protocols.
• Staying updated on changing regulatory demands.
• Investing in sophisticated API security solutions.

Solutions like Salt Security can effectively aid in achieving these goals through comprehensive API discovery, threat protection, and API posture management. Proactively investing in API security is key to mitigating risks and ensuring business continuity.

If you want to learn more about Salt and how we can help you on your API Security journey through discovery, posture governance, and run-time threat protection, please contact us, schedule a demo, or check out our website.

*** This is a Security Bloggers Network syndicated blog from Salt Security blog authored by Eric Schwake. Read the original post at: https://salt.security/blog/beyond-checkboxes-the-essential-need-for-robust-api-compliance