API security must be a core tenet of any enterprise cybersecurity defense

A digital padlock on a blue digital background.
(Image credit: Shutterstock / vs148)

In today’s rapidly evolving digital landscape, where businesses rely on technology more than ever before, Application Programming Interfaces (APIs) have emerged as the linchpin of modern enterprise operations. These digital connectors enable applications to seamlessly communicate with each other, shaping the way organizations conduct business. From customer-facing mobile apps to intricate B2B data exchanges, APIs are the invisible threads that weave the digital fabric of our interconnected world.

Despite their pivotal role, API security often remains a critical blindspot for many organizations, as underscored by the 2022 MailChimp data breach, where attackers accessed API keys to create custom email campaigns.

The growing role of APIs

APIs have been essential to the digital ecosystem, fostering connectivity, enhancing efficiency, and driving innovation. With apps and AJAX-enabled websites becoming the norm, most communication between applications and the web now occurs via APIs. This shift from static HTML-based interactions to dynamic API-driven communication has revolutionized the way businesses operate in the digital realm. APIs not only enable efficient data exchange but also enhance the user experience by allowing real-time interactions and personalized content delivery.

However, with this growing reliance on APIs comes an alarming rise in their attractiveness to cyber adversaries. The State of the Internet report by Akamai reported a record number of application and API attacks in 2022, underscoring the pressing need for robust API security measures. In addition to the surging frequency of attacks, they are growing in complexity. Cybersecurity risks associated with APIs include potential data breaches, unauthorized access and exposure of sensitive information. These threats not only pose significant financial risks but also damage a company’s reputation and erode customer trust.

Richard Meeus

Director of Security Technology and Strategy for EMEA at Akamai.

Why APIs are so vulnerable to attack

As the digital ecosystem expands, so does the complexity and potential vulnerability of APIs. Recent insights from a survey conducted by Akamai Technologies and the SANS Institute shed light on a concerning reality: less than half of respondents, of which all were application security professionals, have implemented dedicated API security testing tools. Even more disconcerting is the fact that only 29% possess API discovery tools, leaving a vast portion of APIs within these organizations, invisible and unprotected.

Understanding why APIs are vulnerable is crucial for building effective defenses. Firstly, APIs can be intricate, with numerous endpoints and potential interactions, increasing the attack surface and providing criminals with multiple opportunities to exploit vulnerabilities. Secondly, poorly implemented authentication and authorization mechanisms can enable unauthorized access to sensitive data through APIs, making them prime targets for exploitation.

Additionally, APIs often evolve rapidly to meet changing business needs, which can introduce new security challenges if updates aren’t thoroughly tested for vulnerabilities. A significant number of organizations are unaware of the extent of APIs in their systems, resulting in a lack of visibility that makes it challenging to protect something when its existence is unknown. APIs can be like Lego bricks strewn on the floor: if you step on one without knowing it’s there, it can hurt. Lastly, organizations often underuse the security controls embedded in Distributed Denial of Service (DDoS) and load-balancing services, leaving APIs susceptible to attacks. To mitigate these risks, businesses should actively implement comprehensive security practices, such as rate limiting, authentication mechanisms, and traffic analysis tools.

Addressing API security challenges

To fortify API security, organizations must adopt a comprehensive approach that starts with API discovery and inventory management. Accurate inventory management is essential for gaining insights into the breadth and scope of an organization's API landscape - you cannot protect what you can’t see!

Robust authentication and authorization mechanisms must be implemented to exert control over API access, ensuring that only authorized users and applications interact with them. It’s imperative to prevent abuse, where authenticated users might access data that isn’t theirs. Continuous monitoring of API traffic and the maintenance of detailed logs are imperative for detecting and responding to suspicious activities. Regular security assessments and user education further enhance API security, preventing unauthorized access and data misuse, and ensuring the right users get access to the right data.

Security testing of APIs should be conducted regularly, employing a combination of automated and manual methods, including penetration testing. Employing robust API security solutions, including Web Application Firewalls (WAFs) and API gateways, can also provide an additional layer of defense against DDoS attacks.

APIs are the lifeblood of modern digital ecosystems, facilitating innovation, streamlining business processes, and enhancing customer experiences. However, their widespread use also renders them prime targets for cyberattacks. API security must ascend to the forefront of an enterprise’s cybersecurity defense strategy. Vulnerable APIs have emerged as one of the most common access points for cyberattacks, making it imperative for organizations to fortify their API security posture.

We've featured the best business VPN.

This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro

Richard Meeus

Richard Meeus is Security Technology and Strategy Director for Akamai's EMEA region.