Are Your Development Practices Introducing API Security Risks?

Why do 61% of decision-makers say that improving API security is a key priority? The unfortunate, and concerning reality is that cybercriminals use APIs as a pathway to organizations’ data and business logic, often right under their nose.

A study completed by the Marsh McLennan Cyber Risk Analytics Center found that as many as one in every 13 security incidents can be attributed to an API-related risk. Are you doing enough to protect your APIs, and the underlying data, from motivated attackers?

The volume of APIs businesses use will continue to grow rapidly in 2023 as organizations rely on them to exchange data between applications and data stores. Nearly half of all businesses have 50 to 500 APIs deployed, either internally or publicly, while larger enterprises can have over 1,000. Today, it’s estimated that API insecurity results in annual losses of $41 billion to $75 billion. As the number of APIs in production multiplies, expect to hear more about security incidents related to vulnerable APIs in the coming months.

Insecure Development Breeds API Security Risks

Often API-related security incidents stem from insecure development practices.

When I talk to DevOps and security leaders, I increasingly hear that the two organizational functions are collaborating because they recognize that even a simple vulnerability, like a misconfiguration, can expose their organization’s data.

Today, the critical issue with APIs comes down to visibility. Developers release them into production faster than the security team can review or catalog them. This makes it impossible to identify potential vulnerabilities and mitigate future risks.

In the retail industry, 3% to 5% of API traffic in the past year was directed to undocumented or shadow APIs, endpoints that security teams don’t know exist or no longer protect. While this percentage of traffic might seem insignificant, it represents a gap that a motivated cybercriminal can exploit to launch an attack and exfiltrate sensitive data.

Below are two common examples of insecure development practices that contribute to the rising level of API-related security incidents:

• APIs published without security review or controls: This practice creates shadow APIs that are invisible to the security team and API gateway. Shadow APIs have access to the same sensitive information that published, secured APIs do, but no one knows where they exist, what they’re connected to or who is accessing them.
• APIs not properly disabled: Deprecated or zombie APIs become a dormant breeding ground for cybercriminal activity, usually outside the purview of developer and security operations. These unmonitored APIs are equivalent to an unlocked window. Motivated criminals can sneak in to access data or execute more sophisticated attacks, often without the developer or security team ever knowing.

Successful security incidents will often exploit an API implementation vulnerability. For most companies, this kind of attack cannot be easily recognized through predictable attack patterns and can be nearly impossible to block. The only effective countermeasure is to use continuous API monitoring, where the threat intelligence is fed back to the DevOps team so developers can quickly amend the API implementation before it’s exploited.

Automated Threats Should Concern Every Developer

The volume of automated attacks targeting an API’s business logic will grow in 2023 as cybercriminals employ botnets to carry out attacks with malicious intent.

APIs are a prime target for such attacks because cybercriminals can overload the API endpoint with unwanted traffic. Ultimately, the attacker’s goal is to use the API as a blueprint to find internal objects or database structures to exploit. For example, a vulnerable API endpoint backend that connects to a frontend service can expose end users to risk. One researcher even discovered a way to abuse automobiles’ APIs and telematics systems to execute various tasks remotely, such as to lock the vehicle.

In the past, bot management technologies, like CAPTCHA, were developed to block bots’ access to web pages that were intended only for human users. However, that approach to security assumes that all automated traffic is malicious. As application environments have matured and multiplied, automation became essential for executing simple functions. Thus, it means organizations cannot rely on simplistic web application firewall rules that block all traffic from automated sources by default. Instead, they need to quickly identify and differentiate good and bad bot traffic.

While it’s unrealistic to slow down innovation for the sake of implementing security controls and policies, automated tools should be deployed to support secure development and enable application and service availability.

Be Proactive. Cybersecurity Risks Aren’t Going Away

The modern internet is a functioning ecosystem of APIs. As cybercriminals perfect their attack methods, they will threaten the stability of the online services we depend on daily.

Below are several tools and processes organizations can implement in 2023 to get API security risks under control:

• Implement an effective feedback loop: Designed to help DevOps and SecOps teams collaborate and mitigate API security risks, an effective feedback loop isn’t just a nice-to-have, it’s an essential first step in combating sophisticated business logic and object-level attacks. The feedback loop allows organizations to streamline application release workflows, enables developers to focus on delivering an optimal digital experience and provides security with visibility and control over the application runtime.
• Automation: This will be a key factor in ensuring that DevSecOps standards and practices are met at all stages of the development life cycle. Automation ensures that protection can keep pace with application changes by enabling DevSecOps teams to quickly take on more security responsibilities, including automated code analysis, compliance monitoring and threat investigation. Integration of automated security testing tools is often the first step. For example, static application security testing (SAST) and dynamic application security testing (DAST) tools can be used throughout the development process.
• Machine learning: When it comes to differentiating malicious and normal API traffic, machine learning is a valuable resource to help facilitate monitoring at scale. Otherwise, security analysts are left trying to correlate logs and determine when patterns of behavior are analogous. As many of the attacks targeting API libraries come from automated bots, organizations should look for a unified solution that uses machine learning to gain visibility into API traffic and detects and blocks malicious activity.

Developers need to work with security teams, adopting the same agile mindset to protect modern applications at the pace they are spun up and released.

An API is the perfect target for a motivated cybercriminal because it leads directly to data stores, and is often not protected with adequate defenses. When the API is exploited, the consequences include loss of customer and partner trust, potential compliance risks and impacts on the bottom line. This is why a majority of decision-makers and development leaders should be making API security a priority in 2023.