Enterprises remain vulnerable through compromised API secrets

Cybersecurity professionals are frustrated over how much time and attention they must devote to API security and worried that their defenses still need to be improved, according to Corsha.

Researchers recently surveyed over 400 security and engineering professionals to learn about their API secrets management practices and the challenges they face in thwarting API attacks. Among the key takeaways:

  • 86% of respondents spend up to 15 hours a week provisioning, managing, and dealing with secrets.
  • 53% have already experienced a data breach with unauthorized access to their networks or apps due to compromised API tokens.
  • 72% use a secrets management solution yet 56% are still concerned about a potential data breach due to their current secrets management practices.

“Security and engineering teams are forced to divert their attention away from forward-facing engineering to focus on secrets management, yet their organizations remain vulnerable to attackers both through lateral attacks and leaked or compromised API secrets to gain illegitimate access to sensitive data,” said Jared Elder, CGO at Corsha.

“Data is everything and the potential risk from data breaches associated with leaked API secrets is clearly high and growing. Yet with an explosion of credentials to provision, rotate, and manage, the good guys find themselves constantly behind the eight ball,” added Elder.

A changing threat landscape

API usage has exploded over the last several years as companies continue to expand their adoption of could native technologies and API-driven ecosystems such as microservices and serverless architectures, hybrid cloud infrastructures, CI/CD pipelines, and a host of other applications and services that are sending and receiving sensitive information through APIs.

According to the survey, 44% of respondents host their API services across multiple clouds. For many enterprises, this often means disjointed secrets management solutions across disparate environments.

As a result, survey respondents spend an inordinate amount of time managing API tokens. 78% reported they manage at least 250 API tokens, keys, or certificates across their networks. Unfortunately, their security strategies for API-based communication cannot keep up with the level of scale and automation that’s possible today.

Outdated approaches to a modern security challenge

All APIs have one thing in common: they connect services to facilitate data transfers. That makes them a favorite target for hackers as the number of APIs that depend on secrets increases, and workflows (e.g., secret provisioning and sharing, secret management, monitoring, control) become more difficult.

According to the survey, the top three API secrets management pain points are:

  • Working with certificate authorities (44%)
  • Rotating secrets (37%)
  • Provisioning secrets (36%)

The methods respondents most commonly use to address these pain points are often dated, manual, error-prone, and cumbersome.

While many security teams assign specific entitlements to API keys, tokens, and certificates, the survey discovered that more than 42% do not. That means they’re granting all-or-nothing access to any users bearing these credentials, which although is the path of least resistance in access management, also increases the security risk.

Corsha’s researchers also found that 50% of respondents have little-to-no visibility into the machines, devices, or services (i.e., clients) that leverage the API tokens, keys, or certificates that their organizations are provisioning. Limited visibility can lead to secrets that are forgotten, neglected, or left behind, making them prime targets for bad actors to exploit undetected by traditional security tools and best practices.

Another red flag: although 54% of respondents rotate their secrets at least once a month, 25% admit that they can take as long as a year to rotate secrets. The long-lived, static nature of these bearer secrets make them prime targets for adversaries, much like the static nature of passwords to online accounts.

API security best practices

The report also outlines what organizations can do to implement effective secrets management processes, including:

  • Integrating a good secrets manager to gain overall visibility into all secrets
  • Using mTLS when and where possible
  • Always set a short expiry on secrets when possible
  • Always sign and verify tokens
  • Don’t store or pass secrets in plaintext

“Today, even the most robust modern secrets management implementation isn’t sufficient to prevent APIs from being exploited, which explains why over half of our survey respondents highlighted the continuing worry of suffering a potential data breach due to their current secrets management practices,” said Scott Hopkins, COO at Corsha.

“The heavy administrative workload and exceedingly manual processes for maintaining good security hygiene around secrets management create significant opportunities for error or oversight. Organizations would benefit from a stronger, automated, and highly scalable answer to their API authentication woes that can readily integrate into any environment,” concluded Hopkins.

It’s also important for security and development teams to recognize that risk is predominantly shifting from human to machine to machine-to-machine and consider what needs to be done to account for this transformation.

Don't miss