Gartner just released a new report on API Security, Predicts 2022: APIs Demand Improved Security and Management. These “Gartner Predicts” reports, released every year, address the technologies analysts see as a critical priority, sharing top-level guidance on how to approach the latest challenges in that particular space.
We believe this report is incredibly well timed. One could argue that 2021 was the worst year (so far) for API attacks. As organizations continued to transform their ways of working, and as developers built more applications and APIs for services we all love and use, hackers also changed their tactics – by targeting APIs. From the Experian API security incident to the Log4j vulnerability, companies scrambled to find ways to prevent these security incidents from happening again.
The Gartner report is packed with the latest key trends and insights into what security and engineering leaders can do now to proactively protect APIs. You can get the full report here.
As Gartner analysts Jeremy D’Hoinne and Mark O’Neill point out:
“Enterprises are producing a massive number of APIs at a rate that far outpaces the maturity of network and application security practices. Newly created APIs are supported by emerging architectures and are frequently hosted in cloud environments. This situation resembles the early days of infrastructure as a service (IaaS) deployment, as ungoverned API usage is on the rise. As the architecture and operational technologies continue to mature, security controls try to apply old paradigms to new problems.”
Here at Salt, we have witnessed not only the rapid growth of the API security market but also how integral APIs have become to organizations’ business objectives and to their security. Discussions about enterprise cybersecurity today must include serious consideration of a company’s API security posture. APIs present a fundamental challenge for legacy security tools such as web application firewalls (WAFs) and API gateways: built to inspect individual requests against known patterns, they cannot meet the unique requirements of API security and so cannot reliably detect attacks against APIs.
According to Gartner:
“Unmanaged and unsecured APIs are easy targets for attacks, increasing vulnerability to security and privacy incidents.”
Whether you realize it or not, APIs are everywhere, and they constantly exchange highly sensitive data. That makes them a rich target for attackers and explains the significant increase in attacks targeting APIs in recent years.
Attackers have moved beyond well-known methods such as cross-site scripting (XSS) and SQL injection (SQLi) to focus on finding vulnerabilities unique to each API. Traditional solutions such as WAFs, which depend on signatures and known attack patterns, cannot detect or prevent these attacks: there is no signature for a request that is syntactically valid and simply asks for an object its caller should not be able to reach. And because WAFs validate transactions one at a time and cannot correlate activity over time, they cannot detect the reconnaissance of a bad actor probing for a business logic flaw in a company’s APIs.
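To make the "correlate over time" point concrete, here is an added example (it is not Salt Security's code or a description of its product) of a stateful check that keeps a short history per client and per route template. Each request in the constructed sample log is individually well-formed, and several of them even succeed, so a per-request signature has nothing to match; only the sequence reveals that one client is walking through neighbouring account IDs, the reconnaissance phase of a broken object level authorization attack. The log format, thresholds and route shapes are assumptions for the example.

```python
"""Added example: correlate one client's API requests over a time window to
flag object-ID enumeration that per-request inspection cannot see."""
from collections import defaultdict, deque
import re

# Constructed access-log records: (timestamp_seconds, client, method, path, status).
SAMPLE_REQUESTS = [
    (0, "user-17", "GET", "/api/v1/accounts/1042", 200),
    (1, "user-17", "GET", "/api/v1/accounts/1042/transactions", 200),
    (2, "user-99", "GET", "/api/v1/accounts/5001", 200),
    (3, "user-99", "GET", "/api/v1/accounts/5002", 403),
    (4, "user-99", "GET", "/api/v1/accounts/5003", 403),
    (5, "user-99", "GET", "/api/v1/accounts/5004", 200),
    (6, "user-99", "GET", "/api/v1/accounts/5005", 403),
    (7, "user-99", "GET", "/api/v1/accounts/5006", 404),
    (30, "user-17", "GET", "/api/v1/accounts/1042", 200),
]

# Numeric path segments are treated as object identifiers (assumption for the example).
ID_SEGMENT = re.compile(r"/(\d+)(?=/|$)")


def template_of(path):
    """Collapse /accounts/5001 and /accounts/5002 into the same route template."""
    return ID_SEGMENT.sub("/{id}", path)


class EnumerationDetector:
    def __init__(self, window_seconds=60, min_distinct_ids=5, min_denied_ratio=0.4):
        self.window = window_seconds
        self.min_ids = min_distinct_ids
        self.min_denied = min_denied_ratio
        # (client, method, route template) -> recent (timestamp, object_id, status)
        self.history = defaultdict(deque)

    def observe(self, ts, client, method, path, status):
        """Feed one request; return an alert dict once the client looks like it is enumerating."""
        ids = ID_SEGMENT.findall(path)
        if not ids:
            return None
        key = (client, method, template_of(path))
        recent = self.history[key]
        recent.append((ts, int(ids[-1]), status))
        # Drop requests that fell out of the sliding window.
        while recent and ts - recent[0][0] > self.window:
            recent.popleft()

        distinct = {oid for _, oid, _ in recent}
        if len(distinct) < self.min_ids:
            return None
        # Two independent signals: many denials (401/403/404) on one route, or
        # object IDs that advance strictly by one, which real users never do.
        denied = sum(1 for _, _, s in recent if s in (401, 403, 404))
        ratio = denied / len(recent)
        ordered = sorted(distinct)
        sequential = all(b - a == 1 for a, b in zip(ordered, ordered[1:]))
        if ratio >= self.min_denied or sequential:
            return {
                "client": client,
                "route": key[2],
                "distinct_ids": len(distinct),
                "denied_ratio": round(ratio, 2),
                "sequential": sequential,
            }
        return None


def scan(records, **kwargs):
    """Run the detector over a record list and collect every alert it raises."""
    detector = EnumerationDetector(**kwargs)
    alerts = []
    for record in records:
        alert = detector.observe(*record)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_REQUESTS):
        print(alert)
```

Note what the detector does not look at: request bodies, headers or any attack string. The signal is purely behavioural (how many distinct objects one principal touched on one route, and how the server answered), which is why the same logic also catches enumeration through UUID-style identifiers if the sequential check is dropped and only the denial ratio is kept.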
The report also highlights the unique challenge of API discovery. API discovery is an important part of any security strategy. As we are well aware in the security industry, you can’t secure what you can’t see. Cataloging all the APIs in your environment (both known and unknown or shadow APIs) helps security teams understand the attack surface, ensure APIs comply with organization policies, see where sensitive data is exposed, and properly align protections to prevent misuse and attacks.
Per Gartner, “Strong inventory and real-time discovery are both necessary to gain enough visibility into all APIs that the organization produces.”
The challenge with discovering APIs is that most approaches depend on humans, primarily developers, to document APIs, including their parameters and other details, and to keep that documentation current as APIs change. Security teams must also learn of new API versions when updates become available. In practice, that process is rarely complete or kept up to date.
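The alternative to relying on hand-maintained documentation is to derive the inventory from what is actually on the wire and diff it against what is documented. The following added example (not Salt Security's code) does that for a constructed set of observed requests and a constructed, deliberately stale OpenAPI fragment: it normalizes observed paths into route templates, reports operations that exist in traffic but not in the spec (shadow APIs), query parameters the spec does not mention, and response fields that match a sensitive-data list. The spec shape, log tuples and sensitive-field names are assumptions for the example.

```python
"""Added example: build an API inventory from observed traffic and diff it
against the documented spec to surface shadow endpoints, undocumented
parameters and sensitive fields in responses."""
import json
import re

# Constructed: the OpenAPI document the team maintains by hand (already stale).
DOCUMENTED_SPEC = {
    "paths": {
        "/api/v1/users/{id}": {"get": {"parameters": [{"name": "id", "in": "path"}]}},
        "/api/v1/orders": {"get": {"parameters": [{"name": "page", "in": "query"}]}},
    }
}

# Constructed: (method, URL with query string, JSON response body) as captured from traffic.
OBSERVED = [
    ("GET", "/api/v1/users/42", '{"id": 42, "email": "a@example.com"}'),
    ("GET", "/api/v1/users/43?include=ssn", '{"id": 43, "email": "b@example.com", "ssn": "123-45-6789"}'),
    ("GET", "/api/v1/orders?page=2", '{"items": []}'),
    ("GET", "/api/v2/users/42", '{"id": 42}'),                 # new version nobody documented
    ("POST", "/internal/export?format=csv", '{"job": "x9"}'),  # shadow endpoint
]

# Field names treated as sensitive for the example; a real list is organization-specific.
SENSITIVE_FIELDS = {"ssn", "password", "card_number", "email"}
NUMERIC = re.compile(r"/\d+(?=/|$)")


def template_of(path):
    """Replace numeric path segments with {id} so instances map to one route."""
    return NUMERIC.sub("/{id}", path)


def parse_request(method, url):
    """Split a request into (lowercase method, route template, set of query parameter names)."""
    path, _, query = url.partition("?")
    params = {kv.split("=", 1)[0] for kv in query.split("&") if kv}
    return method.lower(), template_of(path), params


def documented_ops(spec):
    """Map (method, path) -> documented query parameter names."""
    ops = {}
    for path, methods in spec["paths"].items():
        for method, op in methods.items():
            ops[(method, path)] = {
                p["name"] for p in op.get("parameters", []) if p.get("in") == "query"
            }
    return ops


def build_inventory(observed, spec):
    """Compare observed operations with the spec and return the three classes of findings."""
    known = documented_ops(spec)
    findings = {"shadow": set(), "undocumented_params": {}, "sensitive": {}}
    for method, url, body in observed:
        m, route, params = parse_request(method, url)
        op = (m, route)
        if op not in known:
            findings["shadow"].add(op)
        else:
            extra = params - known[op]
            if extra:
                findings["undocumented_params"].setdefault(op, set()).update(extra)
        # Look at the response, not only the request: this is where data exposure shows up.
        try:
            fields = set(json.loads(body).keys())
        except (ValueError, AttributeError):
            fields = set()
        hits = fields & SENSITIVE_FIELDS
        if hits:
            findings["sensitive"].setdefault(op, set()).update(hits)
    return findings


if __name__ == "__main__":
    for kind, items in build_inventory(OBSERVED, DOCUMENTED_SPEC).items():
        print(kind, items)
```

The interesting result is not the undocumented `/internal/export` route but the documented one: `/api/v1/users/{id}` is in the spec, yet traffic shows it accepting an `include` parameter that the spec never mentions and returning an `ssn` field when asked. Documentation-driven review would have marked that endpoint as covered.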
GraphQL is a query language and server-side runtime for APIs that prioritizes giving clients exactly the data they request and nothing more. It was designed to make APIs flexible and developer friendly, and it continues to become more popular among developers and organizations.
Per Gartner, “By 2025, more than 50% of enterprises will use GraphQL in production, up from less than 10% in 2021.”
Gartner analysts are also clear about the risks that come with GraphQL APIs:
“GraphQL APIs will also expand into data sharing and integration-centric use cases, driving demand for better native GraphQL support from business intelligence (BI), self-service analytics, integration platforms and low-code application platforms (LCAPs). For data centric use cases, software engineering leaders must be wary that while GraphQL APIs are easy to use, they also have limitations.”
GraphQL changes the security equation: GraphQL APIs are harder to protect than REST APIs, because every operation typically arrives at a single endpoint, and the work a query causes depends on the shape of the query rather than on its URL. The expected growth in GraphQL will, no doubt, require increased, and more sophisticated, API security.
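A short added illustration of that difference (example code, not Salt Security's and not tied to any particular GraphQL server): because a benign lookup and an abusive query both arrive as `POST /graphql`, a URL-based rule cannot separate them, so the server has to read the query document itself. The two controls below, a limit on selection-set nesting depth and a block on introspection queries in production, are standard GraphQL hardening steps. The queries are constructed, and the depth counter is a deliberately minimal brace walker that ignores string literals; a production service would apply the same limits through a real GraphQL parser.

```python
"""Added example: two query-document checks for a single GraphQL endpoint,
a nesting-depth limit and an introspection block."""
import re

# Constructed queries. All three would be sent to the same URL.
BENIGN_QUERY = "query { user(id: 42) { name posts(first: 5) { title } } }"
ABUSIVE_QUERY = (
    "query { user(id: 42) { friends { friends { friends { friends "
    "{ friends { name } } } } } } }"
)
INTROSPECTION_QUERY = "query { __schema { types { name } } }"

# __typename is a legitimate meta field; only __schema and __type are introspection roots.
INTROSPECTION = re.compile(r"\b__(schema|type)\b")


def strip_strings(query):
    """Remove double-quoted string literals so braces inside arguments are not counted."""
    out, in_str, i = [], False, 0
    while i < len(query):
        c = query[i]
        if in_str:
            if c == "\\":
                i += 1          # skip the escaped character
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
        else:
            out.append(c)
        i += 1
    return "".join(out)


def max_depth(query):
    """Deepest selection-set nesting; the operation's own selection set counts as depth 1."""
    depth = current = 0
    for c in strip_strings(query):
        if c == "{":
            current += 1
            depth = max(depth, current)
        elif c == "}":
            current -= 1
            if current < 0:
                raise ValueError("unbalanced braces")
    if current != 0:
        raise ValueError("unbalanced braces")
    return depth


def uses_introspection(query):
    return INTROSPECTION.search(strip_strings(query)) is not None


def check_query(query, max_allowed_depth=5, allow_introspection=False):
    """Return (accepted, reason) for a query document before it reaches the resolvers."""
    if not allow_introspection and uses_introspection(query):
        return (False, "introspection disabled")
    depth = max_depth(query)
    if depth > max_allowed_depth:
        return (False, f"depth {depth} exceeds {max_allowed_depth}")
    return (True, f"depth {depth}")


if __name__ == "__main__":
    for q in (BENIGN_QUERY, ABUSIVE_QUERY, INTROSPECTION_QUERY):
        print(check_query(q))
```

Depth is only one cost dimension: aliases let a client repeat the same expensive field many times at depth 1, so a real deployment pairs a depth limit with a per-query complexity budget and with rate limiting keyed on the authenticated principal rather than on the URL.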
Salt Labs conducted extensive threat research into a GraphQL vulnerability recently. You can read about it here.
We believe this report highlights the growing importance of API security and serves as a rallying point for security and engineering leaders to protect against these types of attacks. We encourage you to download and read the report to learn more about how you can proactively secure your APIs.
Salt Security is an API protection solution built on cloud-scale big data, AI, and ML to help customers discover all APIs and exposed data, stop attackers early in their process, and provide insights to developers to enable a model of continuous improvement for security. Salt has a flexible, easy model for deployment, does not require changes to application code, and is not inline, so there’s no impact on developers or applications.
If you’re building APIs to power your applications, reach out for a personalized demo to learn how Salt can make your APIs attack proof to protect your customers, your data, and your business.
Gartner, Predicts 2022: APIs Demand Improved Security and Management, 6 December 2021, Shameen Pillai et al.
GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the US and internationally and is used herein with permission. All rights reserved.