The importance of API security in the age of generative AI

Security padlock and circuit board to protect data
(Image credit: Getty Images)

Business businesses increasingly rely on application programming interfaces (APIs) to enable seamless communication and integration between various systems and services. These APIs form the building blocks of online communications used both internally and externally, helping organizations push the boundaries of innovation. A prevailing concept throughout cybersecurity is that organizations cannot protect what they cannot see, which is particularly true for any organization's API security journey. However, largely due to the growth of Generative AI (GenAI), which has enabled developers to create applications and APIs faster than ever at a vast scale, new risks are being created that current technology is not equipped to keep pace with.

The growth of Generative AI has revolutionized the creation and deployment of APIs, facilitating rapid prototyping, testing, and deployment and significantly accelerating the development cycle. While this accelerated development fosters innovation, it also introduces new risks that current technology may struggle to mitigate. The sheer volume and speed at which APIs are being generated can outpace traditional security measures, creating potential vulnerabilities.

In the context of GenAI, the rapid proliferation of APIs can create a broad attack surface that is challenging to defend. Given the dynamic nature of APIs, particularly those generated through AI, organisations face several challenges in keeping track of their APIs. Continuous updates and changes can make compliance difficult and traditional security tools may not be equipped to handle the evolving API landscape. To ensure security and compliance, organizations must adopt robust API management strategies, including comprehensive visibility, discovery, governance, threat detection and mitigation of all APIs.

Eric Schwake

Head of Product Marketing at Salt Security.

API security has many stakeholders

API security is a shared responsibility among several stakeholders within an organization including developers who are responsible for implementing secure coding practices and adhering to security guidelines during API development; security teams who are tasked with monitoring, assessing, and mitigating security risks associated with APIs; operations personnel who ensure that API deployments are secure and compliant with organizational policies; and finally, business leaders who are ultimately responsible for fostering a culture of security, allocating necessary resources, and integrating security into every stage of the API lifecycle.

The involvement of multiple stakeholders in API security, as with many disciplines, can introduce several challenges that organizations must address to ensure a secure and efficient API ecosystem, stemming from varying priorities, responsibilities, expertise levels, and communication channels amongst them. These can be effectively managed through clear communication, collaboration, ongoing training and the adoption of robust security frameworks and tools. By taking a proactive approach, organizations stand a better chance of ensuring their APIs remain secure, compliant - and resilient - against evolving threats.

Risks of inadequate API security and non-compliance

Unsecured APIs are a prime target for attackers, posing a significant risk to organizations from data breaches stemming from unauthorized access to sensitive data. These can result in significant financial and reputational damage, as attackers exploit vulnerabilities to gain access to critical systems. Furthermore, non-compliance with regulations can result in legal consequences and fines.

Relevant regulations include GDPR, for privacy protections, HIPAA to protect medical information and PCI DSS that looks after cardholder data. In the financial sector, the revised PSD2 in the EU mandates that banks and financial institutions open their payment services and customer data to third-party providers through APIs. Therefore, PSD2 profoundly impacts API security, driving the need for robust authentication, encryption, access controls, and continuous monitoring. For financial institutions and third-party providers, ensuring API security is a compliance requirement and a critical component of protecting customer data and maintaining trust.

It's also essential to stay informed about emerging regulations like the NIS2 Directive, which expands cybersecurity requirements for critical infrastructure providers from October of this year. Additionally, API security is increasingly tied to broader Zero Trust standards and initiatives, emphasizing the importance of strict access controls and continuous monitoring.

Enhancing API security maturity to counter common mistakes

Many organizations struggle with API management due to a lack of comprehensive inventory. Without a complete inventory of APIs, it is impossible to identify and address vulnerabilities. Moreover, APIs are often deployed without meeting robust security standards, exposing them to exploitation. As mentioned, traditional security tools may not keep pace with the dynamic nature of GenAI-generated APIs.

To increase the maturity of their API security programs, organizations should consider adopting a comprehensive API security platform that allows for continuous visibility, discovery, posture governance and behavioral threat detection. Additionally, to bring together dispersed stakeholder groups, making a concerted effort to integrate security into the development lifecycle through designated policies, particularly regarding GenAI, will help embed security throughout the entire API development process. Finally, by conducting regular security assessments, organizations can consistently evaluate the security posture of APIs to identify and mitigate vulnerabilities.

The convergence of GenAI and APIs creates both opportunities and challenges for organizations. By proactively addressing API security concerns and working amongst stakeholders to improve collaboration, communication and governance as well as leveraging API-specific technical controls, organizations can harness the power of GenAI while safeguarding their critical assets and data. Ensuring robust API security is essential for protecting sensitive information, maintaining compliance and fostering a secure business environment without compromising on innovation.

We've featured the best business VPN.

This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro

Eric Schwake is Head of Product Marketing at Salt Security.