Unattended API challenge: How we’re losing track and can we get full visibility
API sprawl is a prevalent issue in modern enterprises, as APIs are being developed and deployed at an unprecedented rate. As highlighted by Postman’s 2022 State of the API Report, “89% of respondents said organizations’ investment of time and resources into APIs will increase or stay the same over the next 12 months,” emphasizing the confidence in the growth of API development and deployment.
Due to this rapid growth, organizations risk losing track of their APIs, which leads to the creation of shadow APIs that attackers can exploit and contributes to high maintenance expenses. To illustrate the potential of real-life consequences of unattended API sprawl, here are three real-world examples of breaches resulting from unknown or outdated API endpoints:
In 2016, Uber experienced a massive data breach that affected 57 million customers and drivers. The attackers exploited a private GitHub repository used by Uber’s developers and discovered AWS credentials, which were used to access an S3 bucket containing sensitive information. The incident led to a $148 million settlement and severely impacted the company’s reputation. Source.
In 2018, Facebook suffered a breach that exposed the personal information of nearly 50 million users. The attackers exploited a vulnerability in the “View As” feature, which allowed them to obtain access tokens and impersonate other users. The breach was traced back to an API endpoint that wasn’t properly secured. Facebook had to reset the access tokens for nearly 90 million users to resolve the issue and faced significant regulatory scrutiny and user backlash. Source.
Panera Bread (2018)
In 2018, Panera Bread, a U.S. bakery-café chain, experienced a data breach that exposed millions of customers’ personal information. The cause of the breach was an unsecure API endpoint that allowed unauthorized access to customer data, including names, email addresses, phone numbers, and the last four digits of credit card numbers. The company was criticized for its slow response to the vulnerability report and its failure to properly secure the endpoint. Source.
Rising costs of API-related data breaches
According to the Cost of a Data Breach Report published by IBM Security, the costs of data breaches have been steadily increasing from 2018 to 2021. Specifically, the 2021 report revealed that the average total cost of a data breach was $4.24 million, which was the highest cost reported in the last four years. Additionally, the cost per record lost or stolen has also increased from $148 in 2018 to $164 in 2021.
The Verizon Data Breach Investigations Report (DBIR) from 2019, 2020, and 2021 all revealed that API attacks are becoming increasingly common. In 2021, APIs were identified as the top threat action variety in breaches, accounting for 13% of all breaches. In the 2020 report, APIs were involved in 16% of breaches, and in the 2019 report, APIs were involved in 7% of breaches.
It is presumable to say that API attack costs are increasing at a similar rate to the overall costs of data breaches. As APIs are increasingly being used in modern applications to facilitate the exchange of data between different software systems, they have become a prime target for cybercriminals. This trend emphasizes the need for businesses to prioritize cybersecurity measures and take proactive steps to protect their APIs to prevent costly data breaches.
Bridging the gap: From API challenges to solutions
There are various solutions that organizations can implement to address the risks associated with API sprawl, specifically unsecured APIs and shadow APIs. One approach that can help in API risk evaluation and monitoring is the use of SBOM (Software Bill of Materials), which can enable organizations to identify vulnerabilities and dependencies within their API infrastructure.
A Software Bill of Materials (SBOM) is a comprehensive inventory of all software components and dependencies in a product. SBOMs play a vital role in API risk evaluation and monitoring by providing visibility into the API’s underlying components, making it easier to identify potential vulnerabilities and manage risks associated with third-party dependencies.
In addition to SBOMs, effective API governance in cloud environments, promoting a culture of security within the organization, and continuous education can also help mitigate the risks posed by unsecured APIs. All of these solutions will help businesses navigate towards a more secure and resilient digital ecosystem.
Going beyond WAFs and API Gateways
In 2019, Capital One faced a data breach affecting over 100 million customers. The malicious actor exploited a misconfigured WAF and an SSRF vulnerability in the API gateway to access sensitive data.
While Web Application Firewalls (WAFs) and API Gateways are widely adopted for API protection, they may be insufficient on their own. For example, WAFs can block known threats but may not detect sophisticated attacks, and API Gateways might fall short in addressing complex security risks. To effectively secure APIs, it is recommended to adopt a multi-layered approach, including continuous monitoring, API governance, and risk assessment.
“Relying on just WAFs and API Gateways is insufficient for API security. As seen in the Capital One breach, sophisticated attacks can exploit vulnerabilities. Organizations must adopt immediate observability, continuous monitoring, API governance, and risk assessment to effectively safeguard their digital assets.” – Chaim Peer, CEO of BLST Security
Understanding API governance in cloud environments: What security teams need to know
API governance is considered crucial for the management and security of APIs in cloud environments. The establishment and enforcement of policies, standards, and processes for API lifecycle management are involved in this process, which includes:
- APIs designed to meet security best practices and regulatory requirements
- APIs developed to be secure, reliable, and performant
- APIs deployed in a controlled manner to meet compliance requirements
- APIs monitored to ensure continuous compliance and performance
Due to the dynamic nature of cloud environments, it is important to automate the governance process as much as possible. The benefits of implementing effective API governance include:
- Security best practices are followed and regulatory requirements are adhered to by APIs
- APIs deliver consistent performance and reliability
- The organization’s exposure to risks and vulnerabilities is reduced
- Security teams can keep up with the pace of changes in cloud environments
Therefore, automated governance solutions are considered essential by security teams to continuously monitor APIs for compliance with security best practices and regulatory requirements. These automated governance solutions are also relied on to implement any necessary changes rapidly.
Promoting a culture of security
A strong security culture directly influences the development and implementation of secure APIs. Employees who are well versed in security best practices will be more inclined to adhere to robust API security protocols, ensuring that sensitive data is properly protected and access is strictly controlled. This proactive approach to security helps to prevent potential vulnerabilities and reduces the likelihood of unauthorized access or data breaches.
Although nurturing a security-centric culture is often regarded as one of the most challenging responsibilities for a CISO, it is equally one of the most stimulating and rewarding endeavors, with far-reaching benefits that permeate every aspect of the business. In the context of API security, a security-first mindset promotes vigilance, adaptability, and resilience, which are all crucial elements for safeguarding an organization’s valuable digital assets.
Importance of continuous education and learning
In order to effectively manage and secure APIs in the ever-evolving digital landscape, it is crucial for organizations and security teams to continuously educate themselves and stay updated on best practices and emerging trends in API security. One excellent opportunity to gain insights and learn from industry experts is the upcoming API Blind Spots Webinar: Revealing and Mitigating the Risks of Shadow APIs.
This webinar will feature a panel of esteemed security professionals who will address critical challenges while focusing on the unknown, outdated, and undiscovered endpoint APIs that can leave organizations vulnerable to potential attacks. By participating in such events and constantly updating their knowledge base, security teams can better understand the factors that contribute to losing track of APIs, ultimately strengthening their organization’s security posture and reducing the risk of costly data breaches.
The growing prevalence of API sprawl and the risks associated with unattended APIs have highlighted the need for organizations to adopt robust security measures and governance practices. As we have seen from real-world examples and the increasing costs of API-related data breaches, the stakes are higher than ever.
To overcome the challenges posed by unsecured endpoints, shadow APIs, and rapid API deployment, organizations must look beyond traditional security measures, such as WAFs and API gateways, and embrace comprehensive, multi-layered security approaches.
This includes the implementation of SBOMs for API risk evaluation and monitoring, effective and automated API governance in cloud environments, and fostering a culture of security and continuous learning. By taking a proactive approach to API security, organizations can better protect their digital assets, maintain customer trust, and mitigate the potential risks associated with unattended APIs.