Are we paying enough attention to API security?


Is API security on the radar of most IT teams? It’s arguably still not as high on the priority list as it should be. Consider this: an Imperva/Marsh McLennan study from 2022 claimed that vulnerable and unsecured APIs cause up to 7.5% of global “cyber events and losses”, and cost businesses an estimated $75bn annually.

The experts I spoke to for an upcoming feature highlighted complexity, visibility gaps and skills shortages as the key barriers to better API security. As digital transformation initiatives push on across the globe, the need to close these gaps will only increase.

Out of control

APIs are essential to digital projects, connecting applications to backend services and databases. But by the same token, a compromised API offers a neat, machine-speed pathway to exfiltrate corporate and customer data.

“APIs that aren’t closely monitored can easily fall victim to high-volume attacks such as brute force login attempts and enumeration techniques. They are also often easily identified, are web accessible, and each of their methods documented,” Bridewell Consulting senior pen tester, Andy Tyler, told me.

“Once an attacker knows how to interact with your API they can quickly hunt for vulnerabilities; from authentication issues, to injection attacks, or access control misconfigurations. All of these can lead to sudden data theft on a large scale.”
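The two high-volume patterns Tyler mentions, brute-force logins and object enumeration, are both visible in ordinary API access logs if anyone is looking. The script below is an added example written for this post, not code from Bridewell or the original article. It assumes a constructed one-line-per-request log format (`timestamp client-ip method path status`), a hypothetical login route `/api/v1/login` and a hypothetical object route `/api/v1/users/<id>`; the sample log lines are made up for the example.

```python
"""
Flag brute-force logins and object-ID enumeration in API access logs.
Added example, not from the article. The log format is constructed:
  <ISO-8601 timestamp> <client ip> <method> <path> <status>
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)
# Hypothetical routes; substitute the real login and object endpoints.
LOGIN_PATH = "/api/v1/login"
OBJECT_RE = re.compile(r"^/api/v1/users/(?P<id>\d+)$")


def parse(lines):
    """Turn raw log lines into (ts, ip, method, path, status) tuples."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable lines are skipped rather than fatal
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["ip"], m["method"], m["path"], int(m["status"])))
    return events


def brute_force_sources(events, window=timedelta(minutes=5), threshold=5):
    """IPs with at least `threshold` failed logins inside any sliding window."""
    fails = defaultdict(list)
    for ts, ip, method, path, status in events:
        if method == "POST" and path == LOGIN_PATH and status == 401:
            fails[ip].append(ts)
    flagged = set()
    for ip, times in fails.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return flagged


def enumeration_sources(events, min_ids=5, density=0.8):
    """IPs that walk many distinct object IDs in a near-contiguous range.

    density = distinct ids / span of the range. A scraper iterating IDs
    scores close to 1.0; a normal user touching a few records does not.
    Status codes are ignored on purpose: 404s on missing IDs are part of
    the signal, and 200s mean the walk is succeeding (a BOLA/IDOR symptom).
    """
    ids_by_ip = defaultdict(set)
    for ts, ip, method, path, status in events:
        m = OBJECT_RE.match(path)
        if m:
            ids_by_ip[ip].add(int(m["id"]))
    flagged = {}
    for ip, ids in ids_by_ip.items():
        span = max(ids) - min(ids) + 1
        if len(ids) >= min_ids and len(ids) / span >= density:
            flagged[ip] = (min(ids), max(ids), len(ids))
    return flagged


# Constructed sample: an ordinary client (192.0.2.10), a brute forcer
# (203.0.113.5) and an ID scraper (198.51.100.7).
SAMPLE_LOG = [
    "2024-03-04T10:00:00Z 192.0.2.10 POST /api/v1/login 200",
    "2024-03-04T10:00:02Z 192.0.2.10 GET /api/v1/users/1042 200",
    "2024-03-04T10:00:05Z 192.0.2.10 GET /api/v1/users/1077 200",
] + [
    f"2024-03-04T10:01:{i:02d}Z 203.0.113.5 POST /api/v1/login 401" for i in range(6)
] + [
    f"2024-03-04T10:02:{i:02d}Z 198.51.100.7 GET /api/v1/users/{2000 + i} "
    f"{200 if i % 3 else 404}"
    for i in range(10)
]

if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("brute force:", brute_force_sources(ev))
    print("enumeration:", enumeration_sources(ev))
```

Run against the sample, it flags 203.0.113.5 for six failed logins in five seconds and 198.51.100.7 for walking IDs 2000 to 2009 without a gap. The thresholds are deliberately low for the demo; in production, tune them per endpoint and key on the authenticated principal or API key as well as the source address, since attackers rotate IPs far more easily than credentials.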

In fact, that happened to T-Mobile USA last year. Although full details of the incident are yet to be released, the firm admitted in January that an attacker took data on 37 million customers via an API.

For Forrester analyst, Sandy Carielli, security teams and tools have been slow to catch up, even as the number of APIs has exploded.

“A lot of the traditional web app security tools didn’t support APIs, leaving holes in the protection – even as API security has evolved and more solutions are available, organisations struggle to understand what combination of tools and processes are needed,” she told me.

“The tools and processes exist to counter this threat, but many organizations struggle due to the newness of the technology and the number of APIs in their organization. It’s not uncommon for enterprises to have tens of thousands or even hundreds of thousands of customer and partner facing APIs – and they may not have a good grasp of what those APIs are and what they do.”

Bridewell’s Tyler agrees, but thinks things are improving.

“The tools and testing techniques needed for assessing APIs have only more recently reached maturity. Automated scanners in particular are still very poor at identifying API security issues, which can lead to false negative results for those organisations running their own checks,” he said.

“Many of us in this industry are working to demystify many of the API-specific issues for the organisations we work with and we have seen great improvements in their overall API security approaches.”

Out of the loop

As is so often the case, API risk seems to have been allowed to snowball because security isn’t brought in early enough in the software development lifecycle.

“Unfortunately, many organisations have little to no oversight over their APIs given the pace of application development and the lack of visibility security teams have into development practices,” Imperva director of technology, Peter Klimek, told me.

“For example, APIs are often released into production before security teams can review and catalogue them. Such inadequate security practices lead to both ‘shadow’ APIs – an API that isn’t cataloged and is therefore invisible to the security team – and ‘zombie’ APIs, which haven’t been properly disabled and are still accessible. Both of these can be a potential breeding ground for cyber-criminal activity.”
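Both categories Klimek describes can be found mechanically by reconciling what the gateway actually serves against what the catalogue says exists. The following is an added example written for this post, not Imperva's tooling or code from the article. It assumes a cut-down OpenAPI-style `paths` object as the catalogue, a hypothetical `x-retired` vendor extension marking routes that were supposed to be switched off, and gateway access logs as JSON lines with `method`, `path` and `status`; the catalogue and log lines are constructed for the example.

```python
"""
Reconcile observed API traffic against the published catalogue to find
shadow APIs (traffic to routes nobody catalogued) and zombie APIs
(routes catalogued as retired that still answer 2xx).
Added example, not from the article. The catalogue is a cut-down OpenAPI
'paths' object; 'x-retired' is a hypothetical vendor extension.
"""
import json
import re
from collections import Counter

# Path segments that look like object identifiers (integers or UUIDs) are
# templated so a concrete request path can be matched to a catalogued route.
ID_SEGMENT = re.compile(
    r"^(\d+|[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12})$"
)


def template(path):
    """'/api/v2/users/42?x=1' -> '/api/v2/users/{id}'."""
    path = path.split("?", 1)[0]
    parts = [("{id}" if ID_SEGMENT.match(p) else p) for p in path.split("/")]
    return "/".join(parts)


def catalogue_index(catalogue):
    """Map (METHOD, templated route) -> True if retired, else False."""
    index = {}
    for route, ops in catalogue["paths"].items():
        for method, op in ops.items():
            # OpenAPI names its placeholders ({userId}); normalise every
            # placeholder to {id} so both sides template the same way.
            key = (method.upper(), re.sub(r"\{[^}]+\}", "{id}", route))
            index[key] = bool(op.get("x-retired", False))
    return index


def reconcile(catalogue, access_log_lines):
    """Return request counts for shadow and zombie (method, route) pairs."""
    index = catalogue_index(catalogue)
    shadow, zombie = Counter(), Counter()
    for line in access_log_lines:
        rec = json.loads(line)
        key = (rec["method"].upper(), template(rec["path"]))
        if key not in index:
            shadow[key] += 1  # served by the gateway, unknown to the catalogue
        elif index[key] and 200 <= rec["status"] < 300:
            zombie[key] += 1  # retired on paper, still serving requests
    return {"shadow": dict(shadow), "zombie": dict(zombie)}


# Constructed catalogue and gateway log lines for the example.
CATALOGUE = {
    "paths": {
        "/api/v2/users/{userId}": {"get": {}, "delete": {}},
        "/api/v2/orders": {"post": {}},
        "/api/v1/export": {"get": {"x-retired": True}},
    }
}
ACCESS_LOG = [
    '{"method":"GET","path":"/api/v2/users/42","status":200}',
    '{"method":"GET","path":"/api/v2/users/0d5b6a1e-9f1b-4c7a-8d2e-1a2b3c4d5e6f","status":200}',
    '{"method":"POST","path":"/api/v2/orders","status":201}',
    '{"method":"GET","path":"/api/v1/export?all=1","status":200}',
    '{"method":"GET","path":"/api/v1/export","status":200}',
    '{"method":"GET","path":"/internal/debug/config","status":200}',
    '{"method":"PATCH","path":"/api/v2/users/42","status":200}',
]

if __name__ == "__main__":
    for kind, hits in reconcile(CATALOGUE, ACCESS_LOG).items():
        for (method, route), n in hits.items():
            print(f"{kind:6} {method:6} {route}  ({n} requests)")
```

On the sample data this reports two shadow routes (an undocumented `/internal/debug/config` and an uncatalogued `PATCH` on the users resource, which is the more dangerous kind because the path itself looks legitimate) and one zombie, the retired export endpoint still answering 200. Feeding real gateway logs and the real OpenAPI documents into the same loop, on a schedule, is the cheapest form of the API inventory the analysts above say most organisations lack.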

There’s no silver bullet for escalating, API-driven cyber risk. But shifting security left, so that APIs are reviewed and catalogued before they reach production, and protecting on the right through layered measures including encryption, API gateways, web application firewalls and zero trust approaches would seem like a good place to start.

