API attacks have dominated the cybersecurity news cycle lately. In early 2023, T-Mobile made news for an API-based breach of 37 million PII records of its past and present customers. And last year, Optus, a major telecommunications company in Australia, experienced an API security incident that exposed around 10 million customer records. And API attacks that aren't quite as “newsworthy” happen every single day. In fact, the Salt Security Q3 2022 State of API Security Report showed that 94% of survey respondents had experienced API security problems in production, with 19% admitting to an API-related breach. The Gartner prediction that “by 2022, API abuses will move from an infrequent to the most-frequent attack vector, resulting in data breaches for enterprise web applications” has certainly come true.
Securing APIs is no longer a luxury, but it also shouldn’t be seen just as a burden. The reality is, protecting your APIs offers real business benefits - in risk reduction, expense mitigation, and revenue growth opportunities.
Salt has just released a new ebook entitled “How Protecting Your APIs Protects Your Bottom Line”. This eye-opening piece explores some of the bottom-line gains that security and development leaders can point to as they consider investing in API security.
Reduce Risk & Introduce Controls
Today’s security leaders are constantly seeking to close security control gaps and ultimately reduce their risk. APIs have emerged as a predominant business enabler, and they increasingly provide unprecedented access throughout business systems, so it’s become crucial to protect them. Some of the key risk mitigation benefits of API security include:
- Eliminating API blind spots and control gaps: What you don’t know can hurt you. An accurate view of your attack surface is essential to informing your security strategy, but understanding your attack surface is especially challenging with APIs, in part because they’re constantly changing. In fact, a recent Salt Security survey found that 11% of respondents update their APIs daily, and 31% update them weekly.
- Uncovering malicious API activity to decrease the potential of a security breach: There is no way around it – study after study shows that security breaches cost millions. And with APIs being the most frequent attack vector for application attacks according to Gartner, it simply makes financial sense to do everything you can to protect your production APIs during runtime.
- Reducing the possibility of future API issues and application downtime: Security leaders fear many things, but top of the list are security breaches and resulting downtime (and the certain fallout resulting from both of these). Attacks cost millions, but downtime costs also add up quickly.
While new technology is often required to address new attack vectors like API security, security budgets aren’t unlimited. Security leaders know that it’s important to minimize expenses and leverage existing team structures and processes whenever possible. API security solutions are a new element in the security stack, so you can’t eliminate another tool to pay for them. However, you can leverage an investment in API security to reduce other costs such as vulnerability remediation and compliance, and you can leverage existing team members and processes to implement API security. Some of the key expense reduction benefits to API security include:
- Decreasing costs by fixing vulnerable APIs quicker with less friction: API vulnerabilities are different from traditional software vulnerabilities, which is why traditional vulnerability management tools cannot spot them. API vulnerabilities are almost always business logic-based, and because each API is unique, they are all in essence zero-day vulnerabilities. Security leaders need a solution that can do “double duty” to discover API vulnerabilities as early and quickly as possible in the development process and also reduce the effort required to fix vulnerabilities once discovered.
- Eliminating potentially costly regulatory fines: Organizations spend a lot to build and maintain compliance practices, and those costs go up if they have to pay regulatory fines. It’s no surprise that in the API security realm regulators are starting to realize the implications of insecure and unknown APIs. PCI DSS and NIST have begun implementing API-related mandates, as have the New York Department of Financial Services and the Australian Government. Even regulatory bodies that don’t yet definitively identify the need for API security can still institute fines tied to poor API visibility or threat detection, particularly if a PII loss occurs.
- Protecting APIs without adding headcount: Security leaders face the trifecta of tight budgets, already over-tasked teams, and an industry security skills shortage, so adding headcount to accommodate new security use cases is rarely an option. But even though you can’t add more bodies, that doesn’t mean you can avoid the work of implementing new security measures to protect the business. API security is one of the arenas where organizations simply cannot afford to take a “wait and see” approach. Security leaders need to ensure that they can address API security concerns without needing to bring in an army of new team members to support it. Leveraging advanced artificial intelligence and machine learning models to automate manual workloads at scale can make security teams exponentially more efficient.
Increase Revenue Opportunities
Hundreds of millions of application programming interfaces (APIs) power today’s digital economy, and that figure continues to expand at a relentless pace. APIs are at the heart of digital innovation, and with that comes revenue opportunities. API security done right can help open these doors and provide faster development and smoother deployments as well as free up team members from tedious manual processes to work on value-added projects. API security offers revenue generation potential including:
- Unlocking existing security team members to do more value-added projects: It’s no secret that security teams are burned out and being asked to do more with less. Frequent, boring manual tasks only make matters worse. Every day, these teams have to hunt down information from multiple sources, across many alerts, and then attempt to stitch them together to see the bigger picture. Fortunately, advanced ML/AI-based threat detection tools have changed the industry in recent years, reducing that monotony and freeing up security teams (and developers) to do more interesting work.
- Accelerating innovation by building and delivering new applications more quickly: APIs drive today’s economy, helping organizations bring data together in new ways to provide the applications and services that consumers expect. A recent study featured in Forbes found that businesses that utilize APIs were more profitable over the past decade, experiencing 12.7% higher growth in market capitalization than those that did not use APIs. APIs allow access to a company’s most valuable data, helping them efficiently reuse internal capabilities, share assets, and co-innovate with partners.
- Monetizing your data with secure APIs: APIs are essential for companies to support their innovative and revenue-generating digital transformation initiatives. Open banking services, mobile and online services, digital information sharing apps, DoorDash, Uber, PayPal, Spotify, Netflix, Tesla – you name it – they all require APIs to function. The monetary opportunities of APIs are immense, but to harness them, security leaders must ensure the protection of those APIs. APIs support the interconnectivity of a company’s crown jewels – the essential and sensitive data that businesses require to deliver their digital goods and services.
Protecting Your APIs Can Make Real Business Sense
It’s a constant race! API security solutions must help organizations stay one step ahead of the bad guys. Companies need the ability to automatically and continuously identify and catalog their APIs, protect them in runtime, and protect their future selves with shift-left practices. Deploying API security helps companies stay out of the wrong news headlines and protect their own and their customers’ data from attack.
Security leaders who embrace the challenge of API security don’t just avoid problems – they also realize the many business benefits of doing so, namely reduced risk, minimized expenses, and new revenue opportunities. The time is now to start experiencing the full benefits of a comprehensive API security strategy.
We encourage you to download the full ebook to learn more about each of these areas, see some of the ways Salt customers have achieved these business benefits, and learn some of the key questions you can ask to help evaluate your own potential benefit.
If you’re interested in seeing the Salt Security API Protection Platform in action, contact us for a customized demo today!