The Rise of the APIs… and Security Risks
APIs are the connectivity and functionality mechanisms with which enterprises can enable digital transformation. The stark growth in the number of APIs indicates how much enterprises and developers value the technology.
According to ProgrammableWeb, which chronicles the public API sector, the number of APIs has been increasing sharply since the late 2000s. API growth in 2019 is at an even faster pace than in previous years.
However, as the deployment of APIs continues to increase, proper API security is not as widely practiced as it should be. The lack of API security awareness is concerning, as the rise in APIs means there is a corresponding rise in security risks for enterprises.
Consider some of the recent, high-profile, API-based incidents at Facebook, Salesforce, the United States Postal Service, and Equifax. APIs, acting as the data-rich links between different applications, expose multiple vulnerabilities that can be targeted by hackers and extend the attack surface of an enterprise.
Approaching API Security as a Priority
What do we mean by API security? As detailed here, “API security describes the practices and products that prevent malicious attacks on, or misuse of, application program interfaces (API). API Security is part of API management and governance.”
APIs use web technology to integrate applications, but it is a mistake to assume that APIs can be protected using the same practices and technology used to secure the web. The risk profile of APIs is entirely different and requires a different security approach. Developers who fail to use or write APIs with security as a central focus are compromising both the data and the applications.
Enterprises have to assume a proactive approach to API security and prepare for the worst-case scenarios. The security of an API is one of the first things that should be established when developing that API’s architecture. Security testing should begin early — well before deployment — and continue throughout development.
It is also during API development that decisions should be made regarding how certain requests should be handled. The security measures may be broad at first, but should eventually be narrowed down based on the enterprise’s needs.
How is API Security Being Handled?
There are many ways hackers are using APIs to gain access to enterprise systems. Some of the most common attack paths include parameter attacks (often via SQL injection), identity attacks, and man-in-the-middle attacks. To combat these attacks, the most widely used API security models rely on identification, authentication, and authorization measures implemented with tokens, API gateways, quotas and throttling, and encryption and signatures.
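The following is an added example, not code from the original article, showing how several of the measures just listed fit together in a single gateway-style request check: a key id identifies the caller, an HMAC signature over the canonical request authenticates it and makes tampering (as in a man-in-the-middle scenario) detectable, a timestamp window limits replay, a per-key quota throttles abuse, and a parameterised query blocks the parameter attack via SQL injection. The key id, secret, paths and quota values are constructed placeholders.

```python
import hmac, hashlib, time, sqlite3

# Constructed demo data: one API key and its shared secret (placeholders, not real credentials).
API_KEYS = {"key-demo": b"demo-secret-not-for-production"}
QUOTA_PER_WINDOW, WINDOW_SECONDS, MAX_SKEW = 5, 60, 300
_usage = {}  # key id -> (window_start, request_count)

def canonical(method, path, body, ts):
    # What gets signed: method, path, timestamp and a hash of the body.
    return f"{method}\n{path}\n{ts}\n{hashlib.sha256(body).hexdigest()}".encode()

def sign(key_id, method, path, body, ts):
    # Client side: sign the canonical request with the shared secret.
    return hmac.new(API_KEYS[key_id], canonical(method, path, body, ts), hashlib.sha256).hexdigest()

def check_request(key_id, method, path, body, ts, sig, now=None):
    # Gateway side: returns "ok" or the reason the request is rejected.
    now = time.time() if now is None else now
    secret = API_KEYS.get(key_id)
    if secret is None:
        return "unknown key"                  # identification failed
    expected = hmac.new(secret, canonical(method, path, body, ts), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return "bad signature"                # authentication failed or request altered in transit
    if abs(now - ts) > MAX_SKEW:
        return "stale timestamp"              # outside the replay window
    start, count = _usage.get(key_id, (now, 0))
    if now - start >= WINDOW_SECONDS:
        start, count = now, 0                 # new quota window
    if count >= QUOTA_PER_WINDOW:
        return "quota exceeded"               # throttled
    _usage[key_id] = (start, count + 1)
    return "ok"

def lookup_user(conn, username):
    # Parameterised query: the value is bound by the driver, never concatenated into the SQL text.
    return conn.execute("SELECT id FROM users WHERE name = ?", (username,)).fetchall()

def demo_db():
    # Constructed in-memory table so the example runs offline.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return conn
```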
Some enterprises opt for in-house API security solutions and find that their efforts become merely reactive responses to attacks rather than active prevention. There may be no consensus between an enterprise’s IT security team and the API development team on who is responsible for API security, which can result in the task being delegated downward.
More enterprises are turning to API security firms that maintain routinely updated threat databases and offer a complete arsenal of identity and management tools. Even with these tools, however, the protection provided can fail to detect the most sophisticated attacks. While the security measures are robust, additional steps are needed to close the security gaps that arise when APIs are deployed. This has opened the door to machine learning-backed API security, an area to be investigated and discussed further.