The use of APIs across organizations’ digital infrastructure has increased exponentially within the past several years. As the primary link between customers and their desired data and services, the expedited volume of APIs within modern ecosystems is certainly no surprise. While their operational advantages are vast, given their behavioral complexities and unique characteristics, malicious actors have also discovered the benefits of APIs to aid their attack efforts. Often acting as a legitimate means to discreetly gain access to critical assets, API attacks are running rampant across industries. Earlier this year, Dell became the latest victim to API abuse, whereby attackers scraped information of 49 million customer records using a partner portal API that they accessed using a fake company identity.
Also Read: CIO Influence Interview with Mark Whitehead, CEO and co-founder, NDay Security
The rapid and widespread adoption of Generative AI (GenAI) technology is also adding further severity to API security challenges. As GenAI applications are equipped to create new APIs at scale within minutes or even seconds, enterprise API ecosystems are quickly multiplying in size. Existing solutions that organizations have leveraged to protect their API infrastructure, from API gateways to web application firewalls (WAFs), do not possess the sophistication required to maintain equal speed with constantly changing API ecosystems. GenAI also gives cybercriminals an advantage, enabling them to launch more convincing attack campaigns in large volumes and create entirely new AI-based attacks that can bypass existing security measures.
While more organizations than ever are investing time and resources into API security, many continue to remain relatively early in their journey and face significant roadblocks. Our recent research, the Salt Security State of API Security Report 2024, revealed that most API security programs remain immature, despite a rapidly increasing attack surface. Only 7.5% of organizations have an advanced API security program. Over half of the organizations (55%) are still at the basic or intermediate stages of API security, relying on traditional security measures that are most often inadequate against modern API threats. Unsurprisingly, almost all (95%) survey respondents experienced security problems in production APIs within the past 12 months, with 23% suffering breaches due to API security inadequacies.
As organizations worldwide rapidly deploy solutions that can detect and protect against their growing API ecosystems, many are doing so without looking at the bigger picture – the creation of a comprehensive strategy that accompanies such solutions. APIs must be protected across their entire lifecycle and a robust strategy is often the difference between API success and falling victim to an attack.
Several core steps are involved in creating an API security strategy, treating them as any other IT asset. The first is discovery. As the age old saying goes, “you cannot protect against what you cannot see.” Organizations must start by implementing mechanisms that continuously discover and categorize all their APIs. This intelligence can then be leveraged to establish a robust API security posture governance program, across the life of APIs from design to deployment..
API posture governance programs help organizations gain comprehensive visibility into their API landscape and compile deep intelligence about each of its API assets. This knowledge can in turn be utilized to plug security gaps and blindspots before attackers can exploit them. The insights can also help create appropriate standards and regulations for an organization’s API ecosystem to ensure compliance with industry specific protocols and best practices. Posture governance is at critical building block for achieving advanced threat protection.
Listen Now: Tech-IT Times by CIOInfluence.com Featuring Todd Cramer, Director Business Development- Security Ecosystem at Intel CCG-Commercial Client Group
Given the logic-based nature of API abuse, behavioral anomaly detection for APIs is no easy feat. The process requires the availability of substantial volumes of data and cloud compute power to pinpoint anomalous behavior accurately and quickly. API posture governance initiatives equip organizations with the visibility and API intelligence needed to determine and maintain a comprehensive API security foundation.
A deep awareness of activity across an API infrastructure enables CISOs and security teams to proactively address potential vulnerabilities while ensuring that APIs continuously adhere to preset standards and best practices. API security posture governance programs are essential to API security success, and many organizations have begun to realize the power and sheer importance of such efforts. According to our research, nearly half (47%) plan to implement a posture governance strategy for their API ecosystem within the next 12 months.
To protect against rising API abuse, and the catastrophic damages that tend to follow such instances, it is imperative that organizations adopt a proactive approach to API security. The strides that many organizations have made to deploy purpose-built, automated API security solutions is commendable, but its implementation alone will fail to achieve substantial protection. Posture governance initiatives help organizations bolster overall API security posture by discovering all API assets and determining their unique behaviors, functions and attributes. With this intelligence, organizations can make more informed decisions about their API stack, and thus implement the necessary controls to create more secure API ecosystems.
[To share your insights with us as part of editorial or sponsored content, please write to psen@itechseries.com]