API security: Understanding the next top attack vector

Application Programming Interfaces (APIs) underpin today’s digital ecosystem as the essential connective tissue that allows companies to exchange data and information quickly and securely. As the post-pandemic world leans heavily on digital interaction to maintain user connections, the volume of API traffic has grown rapidly. However, this growth has also brought on emerging security challenges.

While traditional application security controls remain necessary, they are not quite up to the API security challenge. Fortunately, there are certain basic API security practices organizations can implement to create a more resilient API security posture.

What is threatening API security?

When contemplating API security, you must consider its risks and exposures. Hackers spend more time poking at APIs than most companies do maintaining them. It is rare to see an attacker “break” an API. Rather, the most common threat vector is misconfigurations and weak links between APIs deployed in each piece of software.

The first step in fixing the API security problem isn’t necessarily a new testing solution, but rather taking stock of how many APIs an organization has deployed and how they are interacting with one another. Each API is unique and needs individual attention and detailed understanding. Without visibility into the nature and scope of its API deployments, an organization will find itself hamstrung at the earliest stage in attempting to tackle its API security risk.

Another challenge facing security practitioners when implementing API security programs are unclear roles and responsibilities for security teams. This commonly cited issue means that there are gaps in API maintenance, monitoring and security, and they become doorways for hackers to come in. Teams need to be given specific responsibilities regarding API security maintenance to ensure that nuanced differences between APIs are addressed.

What can companies do to ensure they are prioritizing API security?

The original security problems stemmed from a misunderstanding of an API’s software-to-software communication. With organizations often having hundreds or even thousands of APIs in use, the task of securing them all is highly complex. The challenge requires a strategic approach for security assessment that can be applied universally and efficiently across a diverse set of APIs.

One example of this type of strategy is D.A.R.T., which stands for Discover, Analyze, Remediate, and Test.

D.A.R.T. serves as both a lens to view security challenges, as well as a litmus test to measure the effectiveness of security efforts and solutions. This solution addresses security across the API ecosystem, from code to production, and needs to be used for each API’s unique individual requirements.

• Discover: This encompasses the ability to find and inventory all APIs. Enterprises manage thousands of APIs, and many of them are not routed through a proxy or API gateway. APIs that are not routed are not monitored, are rarely audited, and are most vulnerable to mistakes which lead to attacks. It is important to create a complete API inventory enabling the team to discover and assess every API, including legacy and shadow APIs with data classification.
• Analyze: The ability to detect API anomalies, changes and misconfigurations is vital. It’s important for enterprises to analyze API access, usage, and behavior. Leveraging AI and ML for automated behavior analysis helps to identify issues in real-time. When considering existing detection capabilities or those of an API security vendor, companies must remember they will only be as effective as their ability to discover a complete inventory of APIs.
• Remediate: The next step is to have the ability to resolve detected anomalies and misconfigurations. Based on that inventory, teams can begin remediation by identifying misconfigurations and vulnerabilities in the source code, network configuration and policy. Teams can focus on security interventions in the highest-risk areas and provide an effective detection and response. The implementation of automated and semi-automated blocking and remediation of threats means that they can be blocked from even happening.
• Test: Even if a detection and response system is implemented, it is important to have continuous testing of the different API endpoints to identify API risks before they emerge. Analyzing APIs and remediating issues while in development allows companies to deploy APIs with complete confidence and trust.

The road ahead

2022 will be the year of the API security “arms race,” as security teams and hackers alike bring more sophisticated technologies to the playing field.

Hackers are increasingly turning their attention towards APIs as an attack vector and will undoubtedly develop more advanced tools and methods for exploitation. Hackers have shown that they have and will continue to batter down the doors of companies through their insecure APIs.

Security teams that are too reliant on tools, have unclear roles and responsibilities and do not execute routine API maintenance may be doing their organizations more harm than good. Taking the time to get educated on specific strategies such as D.A.R.T, ensures that each API is properly managed and secured.