APIs power today’s connected world. They enable organizations to supply the digital services that support everyday activities like shopping online, booking a holiday or using a banking app. The unprecedented growth of API usage across all industries in recent years has accelerated digital transformation and brought new API security challenges to light.
According to the State of API Security report Q3 2022, API traffic has grown 168% in the past year, with 94% of companies reporting they have suffered an API security problem in production in the same period. The vital role that APIs play in fueling business innovation and enabling digital services hasn’t gone unnoticed by cybercriminals.
With API attacks on the rise and growing in sophistication, how do you know if your approach to API security will provide sufficient protection? Below are key questions that today’s organizations must ask as they begin to develop an API security strategy:
With the API ecosystem exploding in recent years, many organizations have found themselves in a position where it’s hard to keep track of all their APIs as their environment evolves. With APIs changing at a quicker pace than ever before, developers often don’t keep documentation up to date and keeping an accurate API inventory becomes challenging and often frustrating.
In order to understand the attack surface and level of risk in your environment, you must be able to see all internal, external and third-party APIs, including APIs that are not noted in the documentation, known as shadow APIs, and deprecated APIs that have not yet been disabled, known as zombie APIs.
These uncatalogued APIs may expose sensitive data, including personal identifiable information (PII), meaning they present a high level of risk. Ensuring your API security strategy includes a comprehensive and up-to-date API inventory is key, as you can’t protect what you can’t see.
Traditional API management tools that include some security capabilities, such as web application firewalls (WAFs) and API gateways, understandably play an important part in today’s security stacks.
WAFs can help detect exploitation of web application traffic and API gateways give you observability over your API usage and the ability to enforce access controls.
Shift left practices aim to improve security practices in organizations by pushing more security processes into the design and development phases. Although detecting and fixing API security issues early in the development lifecycle is undoubtedly valuable, traditional testing tools often rely on well-defined patterns and weren’t built specifically with APIs in mind.
With API designs varying greatly between organizations, there are several types of security issues that can’t be detected by commonly used design and developer testing tools, and end up being deployed into production. It’s important that organizations recognize the limits of shift left when it comes to API security and don’t assume that security will be baked into every API during the development phase.
While shift left practices certainly have merit, the business logic flaws that are commonly behind today’s API attacks can only be spotted through continuous, automated runtime analysis. An API security solution needs to provide protection across the entire API lifecycle.
Zero trust architecture came as a welcome development to replace outdated security models that were ineffective in securing today’s application environments which comprise private and public cloud and on-premises data centers. However, its ability to protect APIs is limited due to one key aspect: the primary goal of zero trust is access restriction and APIs need access to function.
Because today’s APIs sit within inner architecture, IP address-based access control methods used in zero trust architecture don’t work when applied to API security. Here’s where zero trust architecture falls short:
API security will inevitably touch several teams within your organization, making it hard to decide who needs to be ultimately responsible for it.
Ideally, you need dedicated API security leads within your organization who understand its complexity and are able to take ownership of it, so identifying your API security experts would be step number one.
You may be able to find people who are knowledgeable in API security in your development, application, security or product teams, so the end goal would be to end up with a multidisciplinary team of API security leads who can drive collaboration across all relevant teams and ensure your API security strategy addresses threats across the full API lifecycle - from discovery and deployment to runtime detection and response.
Today’s attackers use reconnaissance techniques to reverse engineer APIs and understand their structure and unique business logic. These attacks take time and rely on low and slow activity to look for vulnerabilities and exploit them.
Since attacker reconnaissance activity looks like normal API traffic to traditional tools such as WAFs, API gateways, and other proxy-based solutions, they inevitably miss the attacks that target unique API vulnerabilities. These traditional tools leave significant gaps and are not enough to protect APIs.
API security solutions must automatically and continuously analyze API traffic to learn normal behaviors for each unique API and gain the context needed to identify anomalies, pinpoint attackers and protect APIs. Dedicated API security requires three core capabilities:
Discovering New and Modified APIs: an API security solution must have the capability to discover all APIs, including shadow APIs and zombie APIs. To keep up with the ongoing release of new and updated APIs, discovery must happen automatically and continuously and must cover all partner-facing, internal, and customer-facing APIs.
Ideally, a dedicated API solution should also be able to identify sensitive data exposure to help your organization understand risk and remain compliant.
Detecting and Stopping API Attacks in Runtime: in order to detect and stop modern API attacks, an API security solution needs to analyze and correlate API activity to create a baseline of normal behavior and identify activity that falls outside of that baseline. This will allow you to tell the difference between normal changes in API traffic caused by API changes or user behavior, and malicious traffic stemming from attacker activity, enabling you to detect and stop attacks early during the reconnaissance stage.
Traditional security tools can only inspect each transaction in isolation and identify known malicious traffic and are unable to use context and correlation to identify and stop malicious activity.
Stopping today's sophisticated API attacks requires a breadth of context that can only be gained by using cloud-scale big data and leveraging AI and ML technology to correlate millions of API calls over time.
Shift Left Practices to Eliminate Vulnerabilities in Development: any software will be deployed into production with gaps, even if DevOps teams follow development best practices and make use of scanning tools. APIs are no exception.
You can only prevent the exploitation of any API vulnerability that makes it into production using runtime protection, but flaws must be identified and eliminated in development to improve your overall API security practices.
An API security solution needs to detect potential issues and feed them back to developers early in the development cycle, to help them eliminate vulnerabilities before APIs are deployed into production.
Providing DevOps teams with insights on vulnerabilities found both in development and in runtime can help teams prioritize remediation efforts and eliminate weaknesses and continuously enhance your organization’s security posture.
By asking the above API security questions, organizations can prepare a more comprehensive API security strategy.
APIs keep us all connected to critical data and enable digital innovation in today’s connected world. Acknowledging the need for dedicated API security solutions, market research firm Gartner added API Security as a distinct tier in their updated Security Reference Architecture. With this new architecture, Gartner recognizes that these traditional tools leave gaps and are not enough to protect APIs.
Organizations need to develop a robust API security strategy that goes beyond traditional security solutions and provides full visibility, rich context into API behavior over time, and shift left capabilities to improve overall security. Only cloud-scale big data, combined with ML and AI, has the ability to provide the depth of context required for today’s API security needs.
It’s extremely important to make sure your OAuth implementation is secure. The fix is just one line of code away. We sincerely hope the information shared in our blog post series will help prevent major online breaches and help web service owners better protect their customers and users.
We want to thank our customers, partners and friends for the calls and messages to our team showing your concern and support.