Why enterprises can’t afford to overlook API security in 2023 

Application and API security is vital for protecting modern enterprise environments. Yet most organizations are failing to implement it.

According to Salt Security, not only did 94% of organizations experience security problems in production APIs last year, but one in five actually suffered a data breach as a result of security gaps in APIs. 

Well-known organizations including Experian, Peloton, and most recently, the FBI, all suffered API-related breaches. In the most recent API attack on the FBI, hackers gained access to a vetted database of executives called InfraGuard, where members of the private sector can collaborate with the FBI to share threat data. 

To access InfraGuard, the fraudster submitted an application for an account using the personal data of an unknown CEO. Once the FBI approved the application the hacker then used a Python script to retrieve user data through an exposed API. 

The result was the exfiltration and leakage on a hacking forum of over 80,000 cybersecurity and private sector stakeholders’ data, including their names, email addresses, industry of employment and social media user IDs. 

APIs: A gateway to interconnectivity and data theft 

This incident highlighted that while APIs play a critical role in enabling data exchange among applications, microservices and services, they can also provide cybercriminals with a gateway to user data if they’re left unprotected. 

Of course, protecting this infrastructure is easier said than done, given that organizations have an average of 15,564 APIs to secure, and a growing expertise gap.  

Hackers see APIs as an easy target for man-in-the-middle attacks or API key and token theft, to gain access to high-value information including personally identifiable information (PII) and intellectual property (IP).

“APIs are the common thread that connects all devices and microservices; gaining access to the pipeline that carries sought-after information can prove profitable. In today’s drive towards digital transformation, the popularity and use of APIs increases, as does the cyber-risk landscape associated with it,” said Filip Verloy, field CTO EMA at API provider Noname Security.

The problem isn’t that APIs are insecure, but that there are so many APIs in use in modern enterprise environments that these vulnerabilities go unnoticed and unaddressed. 

In fact, according to Gartner, by 2025 less than 50% of enterprise APIs will be managed, as the growth in APIs surpasses the capabilities of API management tools. 

“As the number of APIs in use increases, it becomes harder for organizations to secure — and track — them,” Verloy said. “If attackers are trying their luck in industries and businesses they know are full of APIs, it’s likely they will find an unauthenticated API — similar to what occurred during the Optus breach.”

API security challenges: The weaknesses of tokens

When looking to exploit an API, threat actors will often try to harvest client credentials and API keys to obtain access to the underlying data. 

Many API authentication measures are easily exploitable. For example, some APIs use API keys or tokens to authorize client access to datasets. A client calls the API and uses a unique authentication key or credential to authenticate the client’s identity and exchange data with the service.  

The problem with this is that if the information isn’t encrypted with HTTPS during the call, then a hacker can eavesdrop on the communication, harvest the token from the client and use it to gather data from the API. 

“Multi-factor authentication is now the default for human user authentication, but APIs typically rely on a single credential, which is often hard-coded as an API key,” said Faiyaz Shahpurwala, chief product and strategy officer at Fortanix.

“This issue, along with the systemic access and intelligence (i.e. what actions are supported for authenticated users and what system components are accessible via the API) provided, makes APIs a suitable target for attackers looking to compromise networks,” Shahpurwala said. 

Enterprises thus need to implement increased authentication controls, such as multi-factor authentication for token access, to verify the identity of clients before allowing the connection. 

Want to secure APIs? Start with visibility, move to controls 

When looking to secure APIs at a high level, organizations need to have a full perspective on external and internal APIs that exist throughout the environment.

This means using tools from providers like Salt Security and Noname Security to automatically discover and create an inventory of APIs, and to identify potential security risks.

In addition, organizations will need open collaboration between developers and security teams. 

“Security teams will want to work with their dev counterparts to have a process for deploying and updating APIs,” said Sandy Carielli, principal analyst, security and risk at Forrester. “Security leaders should make use of API discovery and inventory tools to have an accurate view of what APIs are deployed in their environment.”

Carielli suggests that organizations implement API gateways for authentication, authorization and rate limiting, while using WAF and bot management tools to manage and mitigate malicious traffic. 

Other actions, like deactivating zombie APIs (deprecated APIs that haven’t been disabled) and implementing role-based or policy-based identity and access management controls for creating, accessing and managing APIs, can help to mitigate other risks.