Cybersecurity challenges emerge in the wake of API expansion

In this Help Net Security interview, Vedran Cindric, CEO at Treblle, discusses the exponential growth of AI-related APIs, citing a 96% increase in 2023. He sheds light on the integral role APIs play in powering AI interactions, revealing the invisible threads that connect users to AI-based chatbots and tools.

As the technological landscape increasingly integrates AI, Cindric anticipates a profound impact on the evolution of APIs, emphasizing the growing importance of API security, authentication, and the challenges posed by zombie endpoints.

Your recent report indicates a 96% growth in AI-related APIs in 2023. What factors do you believe are driving this significant increase?

The growth of AI-related APIs is straightforward to explain – almost any AI interaction is API-based! That means you make an API request every time you type a message into an AI-based chatbot. You might not see or understand it, but at the end of the day, all those questions, image lookups, or jokes are API requests.

Given the recent popularity of AI-based and AI-assisted tooling, we also see a matching growth in the number of APIs needed to power those. APIs have been growing at a CAGR of 25% for the past few years, but that growth doubled in 2023, all thanks to AI. We predict that AI-based APIs will continue to drive API growth in 2024 as they go hand in hand.

With most developers using APIs, how do you see the role of APIs evolving in the technology landscape, and how will that impact cybersecurity?

APIs are already the fundamental building blocks of any modern organization today, and that will become even more evident going forward.

As organizations look to transform their digital business and enter the era of the API economy, we expect that we will be building and using more and more APIs. That’s especially true if we take a look at some of the trends that are happening in technology nowadays. Things like VR/AR glasses, wearable devices, and voice-controlled devices all require APIs to work.

APIs will play a more critical role as the world transitions to more browserless devices. All this growth and expansion means more APIs, requests, and security challenges. The toughest thing about API security is that, in most cases, organizations don’t know that hackers exploit their APIs because they don’t have access to API data in real-time. That’s why tooling, which allows you to do that, will become even more critical.

The data shows a high prevalence of zombie endpoints in APIs. What are the implications of this for API efficiency and security?

Organizations have many zombie endpoints simply because they don’t have access to data showing how their customers use their APIs. Zombie endpoints are particularly dangerous because, in most cases, they are not maintained and are prone to data leaks or hacks.

The implications for organizations are grave as hackers can quickly find out which endpoints are up to date and which aren’t, especially if the API documentation is publicly available. Besides security problems, dead or zombie endpoints present code-based issues because of unmaintained and legacy code.

Given that 51% of requests did not use any form of authentication, what are your recommendations for enhancing API security?

Authentication is the most basic form of API security, and every organization’s priority should be to implement any form of authentication as soon as possible. It doesn’t have to be complicated or time-consuming, but using anything for authentication is better than nothing. Think of it this way: I’m sure you have a house, apartment, or an office building.

I’m also sure that you have doors on those, and those doors have keys that prevent random folks from simply walking into your house, apartment, or office building. Treat your APIs the same way; have a key that can be used to control who gets in, when, and under what conditions.

With the report highlighting client-side errors as a common issue, what best practices would you suggest for API consumers?

The number one thing I’d say to consumers is to read the documentation thoroughly. Most client-side issues can be attributed to developers forgetting to authorize and calling resources or URLs that don’t exist. In both cases, these problems can be easily solved by properly reading the documentation, implementing test-driven development, and checking if resources exist before calling them.

How do you foresee the role of API observability and governance tooling evolving in response to the complexities of modern APIs?

API observability and governance will become essential tools for any organization building APIs. If you’re building a business around APIs, you need to understand how your engineering teams build them and how your customers use them. Just like websites use tools like Google Analytics, you’ll need the same for your APIs, especially as APIs become increasingly complicated.

Can you comment on the future challenges and opportunities in API integration and management as technology evolves?

Many organizations still need to figure out their API strategy and how to build a successful business around APIs. That’s the biggest challenge most companies face today.

After that, it all comes down to execution, where you need quality tooling to help you operationally move from one phase of the API life-cycle to another. APIs are not going anywhere; they’ll just become even more critical and complicated in the future.