The Rise of the APIs… and Security Risks
APIs are the connectivity and functionality mechanisms with which enterprises can enable digital transformation. The stark growth in the number of APIs indicates how much enterprises and developers value the technology.
According to ProgrammableWeb, which chronicles the public API sector, the number of APIs has been increasing sharply since the late 2000s. API growth is at an even faster pace in 2019 than in previous years.
However, as the deployment of APIs continues to increase, proper API security is not as widely practiced as it should be. The lack of API security awareness is concerning, as the rise in APIs means there is a corresponding rise in security risks for enterprises.
Consider some of the recent and high-profile API-based incidents at Facebook, Salesforce, the United States Postal Service, and Equifax. APIs, acting as the data-rich links between different applications, expose multiple vulnerabilities that can be targeted by hackers and extend the attack surface of an enterprise.
Approaching API Security as a Priority
What do we mean by API security? As detailed here, "API security describes the practices and products that prevent malicious attacks on, or misuse of, application program interfaces (API). API Security is part of API management and governance."
APIs use web technology to integrate applications, but it is a mistake to assume that APIs can be protected using the same practices and technology used to secure the web. The risk profile of APIs is entirely different and requires a different security approach. Developers who fail to use or write APIs with security as a central focus are compromising both the data and the applications.
Enterprises have to assume a proactive approach in API security and prepare for the worst-case scenarios. The security of an API is one of the first things that should be established when developing that API's architecture. Security testing should begin early—well before deployment—and continue throughout development.
It is also during API development that decisions should be made regarding how certain requests should be handled. The security measures may be broad at first but should eventually be narrowed down based on the enterprise's needs.
How is API Security Being Handled?
There are many ways hackers are using APIs to gain access to enterprise systems. Some of the most common attack paths include parameter attacks (often via an SQL injection), identity attacks, and man-in-the-middle attacks. To combat these attacks, the most widely used API security models employ identification, authentication, and authorization measures implemented with the use of tokens, API gateways, quotas and throttling, and encryption and signatures.
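To make the controls above concrete, here is an added example (not code from the original article or from any vendor it mentions) of a minimal API request handler in Python. It shows a parameter attack on a string-built SQL query beside its parameterised fix, a bearer-token check for identification and authentication, and a per-client sliding-window throttle standing in for quotas. The table contents, the token values (`tok_alice_demo`, `tok_bob_demo`) and the client ids are constructed for the example; a real deployment would look tokens up in a proper store and put the throttle in the API gateway.

```python
import sqlite3
import secrets
import time
from collections import defaultdict, deque

# --- Constructed sample data (not from the article) ------------------------
def build_db():
    """In-memory SQLite table standing in for a 'users' API backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (1, "alice", "alice@example.test"),
        (2, "bob", "bob@example.test"),
    ])
    return conn

# Hypothetical issued API tokens: token -> client id (a real store in practice).
VALID_TOKENS = {"tok_alice_demo": "client-a", "tok_bob_demo": "client-b"}

# --- Parameter attack: vulnerable vs. hardened query -----------------------
def lookup_user_vulnerable(conn, name):
    """String-built query: the 'name' parameter is interpreted as SQL.
    A value such as  x' OR '1'='1  returns every row instead of one."""
    sql = f"SELECT id, name FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()

def lookup_user_safe(conn, name):
    """Parameterised query: 'name' is bound as data, never parsed as SQL."""
    sql = "SELECT id, name FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()

# --- Identification / authentication: bearer-token check -------------------
def authenticate(headers):
    """Return the client id for a valid bearer token, else None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    token = auth[len("Bearer "):]
    for known, client in VALID_TOKENS.items():
        # Constant-time comparison avoids leaking token prefixes via timing.
        if secrets.compare_digest(known, token):
            return client
    return None

# --- Quota / throttling: sliding-window limiter per client -----------------
class Throttle:
    def __init__(self, limit, window_seconds):
        self.limit = limit
        self.window = window_seconds
        self.hits = defaultdict(deque)   # client id -> timestamps of recent calls

    def allow(self, client, now=None):
        """True if the client is still under its quota for the current window."""
        now = time.monotonic() if now is None else now
        q = self.hits[client]
        while q and now - q[0] >= self.window:   # drop hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

# --- Request handler tying the controls together ---------------------------
def handle_request(conn, throttle, headers, name, now=None):
    """Simplified endpoint: authenticate -> throttle -> parameterised query.
    Returns an (HTTP status, rows) tuple."""
    client = authenticate(headers)
    if client is None:
        return 401, []
    if not throttle.allow(client, now):
        return 429, []
    return 200, lookup_user_safe(conn, name)

if __name__ == "__main__":
    db = build_db()
    payload = "x' OR '1'='1"
    print("vulnerable:", lookup_user_vulnerable(db, payload))   # both rows leak
    print("safe:      ", lookup_user_safe(db, payload))         # no match
    t = Throttle(limit=2, window_seconds=60)
    hdr = {"Authorization": "Bearer tok_alice_demo"}
    for i in range(3):
        print("request", i, "->", handle_request(db, t, hdr, "alice", now=float(i)))
```

The throttle accepts an explicit `now` so the window logic can be exercised deterministically; in production the gateway would use its own clock and usually a shared store so limits hold across replicas.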
Some enterprises are opting to use in-house solutions for API security and are finding their efforts becoming merely reactive measures to attacks, rather than actively preventative ones. There may be no consensus between an enterprise's IT security team and the API development team on who is responsible for API security, which can cause the task to be delegated downward.
More enterprises are using API-security firms that have routinely updated threat databases and that offer a complete arsenal of identity and management tools. However, even with these tools, the level of protection being provided can fail to detect the most sophisticated attacks. While the security measures are robust, additional steps are needed to address the resulting security gaps that arise when APIs are deployed. This has presented an opening for applying machine learning-backed API security, an area to be further investigated and discussed.