The Anatomy of API Security in 2024
APIs are the connective tissue of modern digital businesses. Many of the applications, software, and IT infrastructure we use every day are built on top of what was already there, and APIs (Application Programming Interfaces) allow developers to quickly connect to and use existing data, code, and systems. This has accelerated software development cycles, improved compatibility, and increased the functionality and features available to users. A tremendous amount of innovation, revenue generation, and ease of use has come about as a result of these clever bits of software connective tissue.
But the links that APIs provide to sensitive data and application business logic can also be exploited, providing useful entry points for threat actors to compromise and breach data and hijack application operations. There are now so many APIs in use on the web, with APIs set to account for more than 71% of web traffic by 2023, according to Imperva’s State of API Security in 2024 report. Threat actors are acutely aware that poorly secured APIs expose sensitive data.
For example, nearly half (46%) of all Account Takeover (ATO) attacks targeted API endpoints in 2023. Another growing threat is “bad bots,” automated traffic that masquerades as regular API traffic and abuses API functionality to exfiltrate sensitive data. All of this points to the importance of businesses gaining better visibility into the APIs they use every day, as well as the permissions and access those APIs have.
General Manager Application Security at Thales.
Top API Security Challenges
Like many other areas of a typical IT domain, visibility is a major challenge for security administrators when it comes to API security. APIs may have been created quickly by developers to meet a tight deadline and then forgotten about, or they may no longer be actively used. Developers have visibility into what they have built and used, but security administrators outside of those circles often do not share that visibility. An individual piece of software can have hundreds of different APIs in play, some in use and some not, and these unknown or ‘shadow’ APIs within an organization can be difficult to detect.
Flaws in the way an API works can leave it vulnerable to abuse. This risk is particularly difficult to detect, as conventional security alerts are not triggered by seemingly “normal” API activity. One way to gain control over this is to use tokens assigned to trusted identities to manage access, or to set quotas on how often a particular API can be called and track usage over time. Establishing rules around throttling can help protect APIs from overuse.
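As an added illustration (not code from the article, nor from Thales or Imperva), here is a minimal per-identity quota tracker in Python: tokens are mapped to trusted identities, each identity gets a fixed number of calls per sliding window, and every decision is logged so usage can be reviewed over time. The token table, limits, endpoint and sample traffic are all constructed.

```python
# Added example: per-identity API quota enforcement with usage tracking.
# Everything here (token table, limits, traffic) is constructed for illustration.
from collections import defaultdict, deque

# Constructed token -> identity table; in practice tokens are issued by your IdP.
TRUSTED_TOKENS = {"tok-alpha": "billing-service", "tok-beta": "mobile-app"}


class QuotaTracker:
    def __init__(self, limit, window_seconds):
        self.limit = limit                  # calls allowed per identity per window
        self.window = window_seconds
        self.recent = defaultdict(deque)    # identity -> call timestamps still in window
        self.usage_log = []                 # (ts, identity_or_token, endpoint, decision)

    def check(self, token, endpoint, now):
        identity = TRUSTED_TOKENS.get(token)
        if identity is None:                # only tokens tied to a trusted identity get in
            self.usage_log.append((now, token, endpoint, "denied-unknown-token"))
            return "denied-unknown-token"
        q = self.recent[identity]
        while q and now - q[0] >= self.window:   # drop calls that aged out of the window
            q.popleft()
        if len(q) >= self.limit:
            decision = "throttled"
        else:
            q.append(now)
            decision = "allowed"
        self.usage_log.append((now, identity, endpoint, decision))
        return decision

    def throttled_identities(self):
        """Identities that hit their quota; worth reviewing, since over-quota
        traffic otherwise looks like ordinary API calls."""
        return sorted({who for _, who, _, d in self.usage_log if d == "throttled"})


def run_sample():
    tracker = QuotaTracker(limit=3, window_seconds=60)
    traffic = [                              # constructed: (seconds, token, endpoint)
        (0, "tok-alpha", "/v1/accounts"),
        (5, "tok-alpha", "/v1/accounts"),
        (10, "tok-alpha", "/v1/accounts"),
        (12, "tok-alpha", "/v1/accounts"),   # 4th call inside 60s: throttled
        (15, "tok-zzzz", "/v1/accounts"),    # token not issued to any identity
        (20, "tok-beta", "/v1/accounts"),
        (70, "tok-alpha", "/v1/accounts"),   # earlier calls aged out: allowed again
    ]
    decisions = [tracker.check(tok, ep, ts) for ts, tok, ep in traffic]
    return decisions, tracker.throttled_identities()


if __name__ == "__main__":
    print(run_sample())
```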
Access to talent is another key factor when it comes to API security. According to the Postman 2023 State of the API Report, 38% of developers have less than two years of API development experience. Software developers aren’t necessarily incentivized to prioritize security when they’re working to tight deadlines and delivery dates. In addition to ongoing programs to find and recruit skilled professionals, companies may find that deploying an automated API security solution can help bridge the gap between the scale of the challenge and the lack of institutional expertise.
Towards a more secure API domain
The best first step is to prioritize discovering, categorizing, and maintaining an inventory of all APIs, endpoints, parameters, and payloads. Software can help with this by scanning an organization’s ecosystem and automatically categorizing APIs that process Personally Identifiable Information (PII) or Protected Health Information (PHI). In addition to tools to assist with this auditing and categorization, organizations should also consider using API Gateways to more effectively route future API calls. These can also help organizations measure and manage API consumption rates, but must be used in conjunction with a Web Application Firewall to ensure complete security of all API endpoints.
As threats from malicious bot traffic and business logic abuse continue to increase, IT leaders must also look at their APIs as a potential threat vector for their organizations – and proactively secure them. By looking at the bigger picture and integrating elements such as a Web Application Firewall (WAF), API Protection, DDoS prevention, and Bot Protection in tandem, organizations can better protect data and increase their resilience.
This article was produced as part of TechRadarPro’s Expert Insights channel, where we showcase the best and brightest minds in the technology sector today. The views expressed here are those of the author and do not necessarily represent those of TechRadarPro or Future plc.