APIs are the connective tissues of modern digital companies. So much of the applications, software and IT infrastructure we use every day are built on what came before – and APIs (Application Programming Interfaces) allow developers to quickly connect to and use existing data, code, and systems. It has sped up software development cycles, improved compatibility and boosted the functionality and features available to users. A huge amount of innovation, revenue generation and user convenience has come about as a result of these clever pieces of software connective tissue.
But the links that APIs provide to sensitive data and application business logic can also be exploited, providing useful entryways in for threat actors to compromise and breach data, hijack application operations. So many APIs are now in use across the Web, with APIs constituting over 71% of web traffic in 2023, according to Imperva’s State of API Security in 2024 report. Threat actors are keenly aware of the opportunity that poorly secured APIs pose in enabling access to sensitive data.
Almost half (46%) of all Account Takeover (ATO) attacks, for example, were aimed at API endpoints in 2023. Another growing threat is that posed by ‘bad bots’, automated traffic that impersonates normal API traffic to exploit the functionality of APIs to exfiltrate sensitive data. All this points to the importance of businesses to get a firmer grasp on the APIs they’re using every day, as well as the permissions and access they have.
General Manager Application Security at Thales.
Top API security challenges
Like so many other areas of a typical IT estate, a big challenge faced by security administrators around API security is visibility. They might have been created quickly by the developers to help meet a tight deadline and forgotten about – or are no longer in active use. Developers will have visibility of what they’ve used, but security administrators outside of those circles often do not share that visibility. An individual piece of software might have hundreds of different APIs in play, some in use, some not – and these unknown or ‘shadow’ APIs within an organization can be hard to detect.
Flaws within how an API works can make it vulnerable to exploitation, with this risk being particularly challenging to detect because conventional security alerts won’t be triggered by ostensibly ‘normal’ API activity. One way of regaining control here is by using tokens assigned to trusted identities to help manage access, or by placing quotas on how often a particular API can be called, and tracking its use over time. Establishing rules around throttling can help protect APIs from being used excessively.
Access to talent is another significant factor when it comes to API security. According to the Postman 2023 State of the API Report, 38% of developers have less than two years of experience developing APIs. Software developers aren’t necessarily incentivized to prioritize security when working to tight deadlines and delivery dates. Alongside ongoing programs to find and recruit skilled professionals, businesses may find turning to an automated API security solution can help bridge the gap between the scale of the challenge, and the lack of institutional knowledge.
Towards a more secure API estate
The best first step is to prioritize discovering, categorizing, and keeping an inventory of all APIs, endpoints, parameters, and payloads. Software can help here to scan a given organizations' ecosystem – as well as automatically categorizing APIs that are handling Personally Identifiable Information (PII) or Protected Health Information (PHI). Alongside tools to assist with this auditing and categorization, organizations should also consider using API Gateways to route future API calls more effectively. These can also help organizations meter and manage API consumption rates – but must be used alongside a Web Application Firewall to ensure full security of all API endpoints.
As threats from malicious bot traffic and business logic abuse continues to grow, IT leaders must also look at their APIs as a potential threat vector for their organizations – and proactively secure them. By looking at the bigger picture, and integrating elements such as such as a Web Application Firewall (WAF), API Protection, DDoS prevention, and Bot Protection in combination, organizations can better protect data and enhance their resilience.
We've featured the best firewall software.
This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
