Why is it Essential to Secure APIs?

If you use the internet, you use APIs (Application Programming Interfaces) to perform everyday tasks such as internet banking, checking the weather, using an AI-connected app, and passing Know Your Customer (KYC) checks. APIs are everywhere: they connect the internet, share data, and add functionality to other applications. As such, they are an ideal target for cybercriminals.
Cyberattacks that target APIs cause system outages and data loss and have broad financial implications for any company affected. One option for securing an API is to use an API gateway.
What is an API?
An API (Application Programming Interface) is a tool that allows applications and services to communicate with each other to share data or functionality. APIs are used within the broader internet, including connecting and communicating between web and mobile apps and IoT devices. As such, APIs are everywhere, with almost all businesses (98% of executives) believing that APIs are critically important to their digital transformation.
APIs are built from a set of tools, which may be off-the-shelf programming libraries or open source components. They exchange data with other software systems over protocols such as HTTPS.
APIs often exist within complex API ecosystems, with reliance on third parties, creating a broad attack surface. The average number of APIs used to power an application is between 26 and 50.
Due to the reliance on APIs and the number of APIs powering the Internet and applications, API sprawl has created security issues.
The Problem with API Sprawl
The proliferation of APIs has led to them becoming uncontrolled and falling outside the direct management of an organization, leading to:
- A lack of visibility: IT teams do not know which APIs are in use or whether they are properly configured.
- Unreliable API connections caused by misconfigured APIs, leading to security gaps and potential app outages.
- API endpoints that are unsecured and unknown to the organization.
What is API Security?
APIs are increasingly popular targets for cybercriminals. The use of multiple APIs within a critical system offers an ideal playground for hackers. API insecurity can lead to massive cyberattacks that impact millions. For example, an API vulnerability at Facebook exposed the personal data of around 540 million users. The root cause was poor privilege management and the over-permissioning of third-party APIs.
Evidence that APIs are a target comes from Akamai Technologies, which recorded over 150 billion API attacks in a year. The researchers noted that this was a 32% increase in API security attacks. Access control and authorization are a prime focus of API attack techniques, with research from Cloudentity finding that 44% of organizations have experienced API authorization issues leading to a privacy breach, data leakage, or other exposure.
New technologies are bringing new API vulnerabilities into play, with AI-driven SaaS increasing the attack surface. Shadow or Zombie APIs, which represent unmanaged APIs within an organization, are further adding to uncontrolled and insecure endpoints.
The API ecosystem is creating massive problems for companies worldwide, with security often complicated by an extended, uncontrolled API mesh.
The result is that APIs become an ideal target for attackers looking to steal data, cause chaos, and disrupt business operations.
Cost of Cyberattacks Caused by Insecure APIs

DDoS
Cyberattackers can use unsecured APIs to help carry out Distributed Denial of Service (DDoS) attacks. An API DDoS attack floods an API with malicious requests until the service can no longer respond. The result is that web apps and other services, including IoT devices, become unusable. DDoS attacks cost an SMB, on average, $6,000 per minute; attacks typically last an average of 39 minutes, taking the total cost of the attack to $234,000.
Cybercriminals Taking Control of Your Website
API attacks include SQL Injection attacks, which are used to compromise a company's database. Data breach costs run from $120,000 to $1.24 million for an SMB, according to The Verizon Data Breach Investigations Report.
API vulnerabilities can be exploited, allowing cybercriminals to control systems, manipulate data on websites, and even take full control of a website. Man-in-the-Middle (MitM) attacks can insert malicious code or steal data while it is in transit.
Sensitive Data Theft
API insecurities can allow attackers to access data. Sensitive data loss, privacy violations, noncompliance fines, and reputation damage all follow. Experian experienced a major API-related cyberattack that affected tens of millions of Americans. The API vulnerability was traced to weak authentication and security misconfiguration. The attackers were able to use publicly known data, such as a person's name, to query the API for credit scores without proper authorization.
The noncompliance costs associated with a data breach of this scale can be phenomenal. Even breaches that expose a smaller number of data records can be costly. Lehigh Valley Health Network, for example, paid a $65 million class action settlement when 600 patients' and employees' data was exposed.
OWASP Top API Attacks
The industry body OWASP keeps track of API security issues. In its Top Ten API Security Project, OWASP provides guidance on the most vulnerable areas of an API. The top three most commonly exploited areas of an API, according to OWASP's Top Ten analysis, are as follows:
- Broken Object Level Authorization (BOLA): object-level authorization checks whether the requesting user is allowed to act on the specific object (record, account, order) named in the request. If this check is missing or incorrectly implemented, an attacker can manipulate API object identifiers to gain unauthorized access to sensitive data. An attack on Uber APIs used BOLA to access the personal information of Uber drivers and riders.
- Broken Authentication: If authentication is improperly implemented, attackers can impersonate API users to access sensitive data.
- Lack of or Improper Authorization: Poorly enforced authorization at the object property level can expose individual fields of an object, or leave those fields open to manipulation by attackers.
Other API security issues involve misconfigurations and API software vulnerabilities, both of which are exploitable by cybercriminals.
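The two authorization failures above (object level and object property level) are easiest to see side by side in a request handler. The following is an added illustration, not code from the original article: an in-memory "orders" store, a vulnerable handler that trusts the object id in the request, and a hardened handler that checks ownership and allowlists the fields a client may read or write. The store, the user names (`alice`, `bob`) and the field names are constructed for the example.

```python
"""Object-level (BOLA) and object-property-level authorization checks in an
API handler: a vulnerable handler beside its hardened form.

Added illustration, not code from the original article. The in-memory store,
user names and field names are constructed for the example.
"""

# Constructed data store: each order belongs to exactly one customer.
ORDERS = {
    101: {"id": 101, "owner": "alice", "total": 42.50, "shipping_note": "",
          "card_last4": "1234", "internal_fraud_score": 0.10},
    102: {"id": 102, "owner": "bob", "total": 99.00, "shipping_note": "",
          "card_last4": "9876", "internal_fraud_score": 0.70},
}

# Property-level allowlists: what a customer may read, and what they may write.
READABLE_FIELDS = ("id", "total", "shipping_note", "card_last4")
WRITABLE_FIELDS = frozenset({"shipping_note"})


class NotFound(Exception):
    pass


class BadRequest(Exception):
    pass


def get_order_vulnerable(current_user: str, order_id: int) -> dict:
    """BOLA: the caller is authenticated (current_user is trusted) but the
    handler never checks that current_user owns order_id, so any logged-in
    user can read any order by changing the id. It also returns the full
    record, including an internal field (property-level exposure)."""
    order = ORDERS.get(order_id)
    if order is None:
        raise NotFound(order_id)
    return dict(order)


def get_order_hardened(current_user: str, order_id: int) -> dict:
    """Object-level check: the caller must own the object.
    Property-level check: only allowlisted fields leave the handler."""
    order = ORDERS.get(order_id)
    # One error for "missing" and "not yours", so responses do not reveal
    # which ids exist (a 403 vs 404 difference would let ids be enumerated).
    if order is None or order["owner"] != current_user:
        raise NotFound(order_id)
    return {k: order[k] for k in READABLE_FIELDS}


def update_order_hardened(current_user: str, order_id: int, patch: dict) -> dict:
    """Same ownership check on writes, plus an allowlist of writable fields so
    a client cannot change owner or internal_fraud_score (mass assignment)."""
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != current_user:
        raise NotFound(order_id)
    disallowed = set(patch) - WRITABLE_FIELDS
    if disallowed:
        raise BadRequest(f"fields not writable: {sorted(disallowed)}")
    if not isinstance(patch.get("shipping_note", ""), str):
        raise BadRequest("shipping_note must be a string")
    order.update(patch)
    return {k: order[k] for k in READABLE_FIELDS}


if __name__ == "__main__":
    # alice can read bob's order through the vulnerable handler...
    print(get_order_vulnerable("alice", 102))
    # ...but the hardened handler treats it as if it did not exist.
    try:
        get_order_hardened("alice", 102)
    except NotFound:
        print("alice -> order 102: not found")
    print(get_order_hardened("bob", 102))
```

Note that the ownership check lives in the handler, next to the data access, rather than in a generic "is the user logged in" middleware: authentication answers who the caller is, while object-level authorization must be answered per object on every request.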
How Can an API Gateway Protect an SMB from API Attacks?

An API Gateway offers a way to manage and protect any APIs that your business depends upon. As a SaaS, an API Gateway sits as a single point of contact between clients (e.g., browsers and apps) and the services they need to access.
An API Gateway provides a single management console that IT teams and other authorized users can use to manage and control APIs; this centralized API management reduces API sprawl and controls the use of Zombie APIs. An API Gateway also provides security features to protect APIs from attack. Typical security features offered by the gateway include the following:
Visibility
Most API gateways scan your IT assets, identifying and making visible all API endpoints. Many scanners also locate vulnerabilities, allowing an organization to harden its API ecosystem against attacks.
Robust Access Control and Authorization
Access control and authorization are the Achilles' heel of APIs. An API gateway verifies the identity of the user or service making a request. If the caller is authenticated, the gateway then handles authorization, deciding which API operations that caller is permitted to access or execute.
Rate Limiting
Rate limiting controls the number of requests a client may make to an API in a given time frame, typically expressed as requests per second (RPS). This helps to prevent services from being overloaded and stops DDoS attacks.
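The rate limiter a gateway applies per client is usually a token bucket: each client gets a bucket that refills at the sustained RPS and holds at most a burst allowance, and a request is served only if a token is available. The following is an added example, not code from the original article or from any gateway product; the client identifiers, the limits and the request trace are constructed here, and the clock is injectable so the behaviour can be replayed deterministically.

```python
"""Per-client token-bucket rate limiter of the kind an API gateway applies
in front of backend services.

Added illustration, not code from the original article or any gateway
product. Client ids, rates and the request trace are constructed here.
"""
import time
from dataclasses import dataclass


@dataclass
class Bucket:
    tokens: float  # requests the client may still make right now
    last: float    # clock reading at the last refill


class TokenBucketLimiter:
    """rate  = sustained requests per second (RPS) allowed per client.
    burst = bucket capacity, i.e. how many requests may arrive back to back
            before the limiter starts rejecting."""

    def __init__(self, rate: float, burst: int, clock=time.monotonic):
        self.rate = rate
        self.burst = burst
        self.clock = clock   # injectable so the behaviour is testable
        self.buckets = {}    # client id -> Bucket

    def allow(self, client_id: str) -> bool:
        now = self.clock()
        bucket = self.buckets.get(client_id)
        if bucket is None:
            bucket = Bucket(tokens=float(self.burst), last=now)
            self.buckets[client_id] = bucket
        # Refill in proportion to elapsed time, never above capacity.
        elapsed = now - bucket.last
        bucket.tokens = min(float(self.burst), bucket.tokens + elapsed * self.rate)
        bucket.last = now
        if bucket.tokens >= 1.0:
            bucket.tokens -= 1.0
            return True
        return False


class FakeClock:
    """Deterministic clock for replaying a request trace."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


# Constructed request trace: (seconds since start, client identifier).
# A gateway would key on an API key or client IP; plain labels are used here.
TRACE = (
    [(0.0, "client-A")] * 8    # one client bursts 8 requests at once
    + [(0.0, "client-B")]      # an unrelated client sends one request
    + [(1.0, "client-A")] * 3  # client-A comes back one second later
)


def replay(trace, rate=5.0, burst=5):
    """Run the trace through the limiter and return per-client counts of
    allowed and rejected requests (a gateway answers rejections with 429)."""
    clock = FakeClock()
    limiter = TokenBucketLimiter(rate=rate, burst=burst, clock=clock)
    summary = {}
    for ts, client in trace:
        clock.now = ts
        counts = summary.setdefault(client, {"allowed": 0, "rejected": 0})
        counts["allowed" if limiter.allow(client) else "rejected"] += 1
    return summary


if __name__ == "__main__":
    print(replay(TRACE))
```

With a limit of 5 RPS and a burst of 5, client-A's first five requests pass, the next three are rejected, and one second later the bucket has refilled enough to serve three more; client-B is unaffected because buckets are per client. A per-client limiter of this kind protects backends from abusive or runaway clients and from application-layer floods, but a volumetric DDoS that saturates the network in front of the gateway has to be absorbed upstream (CDN, scrubbing, or provider-level protection) rather than by the limiter alone.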
Validation and Sanitization of Inputs (SQLi and XSS Protection)
Input validation rejects malformed or malicious data before it reaches backend services. This helps prevent attacks based on SQL injection or cross-site scripting (XSS).
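Validation at the gateway is an allowlist: the request body may contain only known fields, of the expected type and shape, and anything else is rejected rather than passed through. The following is an added example, not code from the original article, that pairs such a validator with the other half of SQL injection protection, a parameterized query in the backend, and shows a vulnerable search handler beside its hardened form. The schema, the `customers` table and its rows are constructed for the example.

```python
"""Input validation at the gateway boundary plus a parameterized query behind
it: a vulnerable search handler beside its hardened form.

Added illustration, not code from the original article. The schema, the
customers table and its rows are constructed for the example.
"""
import html
import re
import sqlite3

# Allowlist schema for a "search customers" request body: which fields may
# appear, their type, and the shape of their values.
SCHEMA = {
    "name": {"type": str, "max_len": 64,
             "pattern": re.compile(r"[A-Za-z][A-Za-z .'-]*")},
    "limit": {"type": int, "min": 1, "max": 100},
}


class ValidationError(ValueError):
    pass


def validate(payload) -> dict:
    """Return a cleaned copy of payload or raise ValidationError.
    Unknown fields are rejected rather than silently ignored."""
    if not isinstance(payload, dict):
        raise ValidationError("body must be a JSON object")
    unknown = set(payload) - set(SCHEMA)
    if unknown:
        raise ValidationError(f"unexpected fields: {sorted(unknown)}")
    clean = {}
    for name, rule in SCHEMA.items():
        if name not in payload:
            raise ValidationError(f"missing field: {name}")
        value = payload[name]
        # bool is a subclass of int in Python, so exclude it explicitly.
        if isinstance(value, bool) or not isinstance(value, rule["type"]):
            raise ValidationError(f"{name}: wrong type")
        if "max_len" in rule and len(value) > rule["max_len"]:
            raise ValidationError(f"{name}: too long")
        if "pattern" in rule and not rule["pattern"].fullmatch(value):
            raise ValidationError(f"{name}: contains disallowed characters")
        if "min" in rule and not rule["min"] <= value <= rule["max"]:
            raise ValidationError(f"{name}: out of range")
        clean[name] = value
    return clean


def is_valid(payload) -> bool:
    try:
        validate(payload)
        return True
    except ValidationError:
        return False


def make_db() -> sqlite3.Connection:
    """In-memory table with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", [
        (1, "Alice Smith", "alice@example.com"),
        (2, "Bob Jones", "bob@example.com"),
    ])
    return conn


def search_vulnerable(conn, name: str) -> list:
    """The request value is spliced into the SQL text, so whatever the client
    sends becomes part of the statement (SQL injection)."""
    return conn.execute(
        f"SELECT id, name FROM customers WHERE name = '{name}'").fetchall()


def search_hardened(conn, payload) -> list:
    """Validate first, then bind values as parameters so the driver keeps
    data separate from the statement; escape on the way out so a stored
    name cannot become markup in an HTML response (XSS)."""
    clean = validate(payload)
    rows = conn.execute(
        "SELECT id, name FROM customers WHERE name = ? LIMIT ?",
        (clean["name"], clean["limit"])).fetchall()
    return [(row_id, html.escape(name)) for row_id, name in rows]


if __name__ == "__main__":
    conn = make_db()
    print(search_hardened(conn, {"name": "Alice Smith", "limit": 10}))
    print(is_valid({"name": "Alice Smith", "limit": 10, "is_admin": True}))
```

The validator and the parameterized query are complementary, not alternatives: validation keeps junk out of the backend and blocks unexpected fields (which is also how mass-assignment problems start), while parameter binding is what makes a legitimate value such as `O'Brien` safe to query even though it contains a quote that would break the string-spliced version.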
Threat Detection and Prevention (WAF)
Some API gateways come with an integrated web application firewall (WAF). A WAF provides another layer of protection against DDoS attacks.
Are API Gateways Secure?
API gateways can become targets for attack. By ensuring that your gateway is correctly implemented and integrates a WAF, you can help mitigate API-related attacks further. If the gateway does not offer a WAF, you should consider separately implementing one.
Note that monitoring the dark web for signs of leaked company data can help reduce the risk of follow-on cyberattacks. Dark web monitoring tools, like Sentinex, also provide deep insight into the dark web to determine whether attackers are targeting your company.
FAQs
Why do we need APIs?
APIs are essential for handling internet and mobile data sharing and extending the functionality of websites and apps. They bring together an ecosystem of capabilities that drive functions like e-commerce, online banking, and digital identity.
Why are APIs a target for cybercriminals?
APIs connect across a broad range of apps to share data. Often, this data, including login credentials and financial details, is sensitive. This makes API endpoints an attractive target for cybercriminals. API vulnerabilities, misconfiguration, and a lack of visibility across the API ecosystem attract hackers to APIs as an entry point into a company.
Can APIs be secured?
Yes, using various measures, a company can secure its API ecosystem. An API gateway is one method of managing and securing APIs, as it provides many of the measures, including a web application firewall (WAF), needed to protect APIs.