The adoption of application programming interfaces, more commonly known as APIs, has increased dramatically in recent years. In many ways, APIs are now the backbone of the Internet. The reason? APIs are an essential component of digital transformation, enabling applications, containers, and microservices to exchange data and information quickly so consumers experience more convenience on their digital devices.
According to a report from Forrester Research, commissioned by Imperva, 78% of organizational decision-makers believe adopting APIs is important for their company to stay competitive, especially for connecting with customers (88%) and improving data ownership and management (83%). Half (49%) of organizations have between 25 and 250 internally published APIs, and 60% have the same number of public APIs. These numbers are expected to increase over the next year.
However, the increasing volume of APIs will create more opportunities for bad actors. APIs are a valuable target for cybercriminals because they’re a pathway for hackers to access vast amounts of sensitive data, such as customer information or business-critical data. Further, APIs serve as a blueprint for cybercriminals: they can act as a map to internal objects and even internal database structures that bad actors can exploit.
The vulnerabilities hackers can use to exploit APIs are also on the rise. One of the key drivers for this is insecure development practices. Too often, APIs are released into production faster than a security team can review and catalog them. In some cases, the security team doesn’t even have full visibility of all the APIs that are developed and released, making it impossible to secure them.
Two examples of insecure development practices:
- APIs are published without security review or controls. This can create shadow APIs that are invisible to the security team and API gateway. The issue with shadow APIs is that they have access to the same sensitive information that published, secured APIs do, but no one knows where they exist or what they’re connected to.
- APIs are not properly disabled. Deprecated or zombie APIs become a dormant breeding ground for cybercriminal activity, usually outside the purview of developer and security operations. These unmonitored APIs are analogous to an unlocked window. Motivated criminals can sneak in to access data or execute more sophisticated attacks — often without the developer or security team ever knowing. This is the underlying risk factor that becomes a software supply chain attack.
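A defender-side check for the two practices just listed, written as an added example for this article (not Imperva's code or product): it reconciles a small constructed API inventory against constructed access-log lines, flagging endpoints that serve traffic but were never reviewed (shadow APIs) and endpoints marked retired that still answer successfully (zombie APIs). The inventory format, the log lines and the function names are assumptions made for the demo.

```python
import re
from collections import Counter

# Constructed inventory: endpoints the security team has reviewed; v1 was retired on paper.
INVENTORY = {
    ("GET", "/v2/customers/{id}"): {"deprecated": False},
    ("POST", "/v2/orders"): {"deprecated": False},
    ("GET", "/v1/customers/{id}"): {"deprecated": True},
}

# Constructed access-log lines (common log format) for the demo.
ACCESS_LOG = """\
10.0.0.5 - - [01/Dec/2022:10:00:01 +0000] "GET /v2/customers/1042 HTTP/1.1" 200 512
10.0.0.5 - - [01/Dec/2022:10:00:02 +0000] "POST /v2/orders HTTP/1.1" 201 88
10.0.0.9 - - [01/Dec/2022:10:00:03 +0000] "GET /v1/customers/1042 HTTP/1.1" 200 490
10.0.0.9 - - [01/Dec/2022:10:00:04 +0000] "GET /v1/customers/77?full=1 HTTP/1.1" 410 0
10.0.0.9 - - [01/Dec/2022:10:00:05 +0000] "GET /internal/export/customers HTTP/1.1" 200 20480
10.0.0.9 - - [01/Dec/2022:10:00:06 +0000] "GET /internal/export/customers HTTP/1.1" 200 20480
"""

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def _template_to_regex(template):
    """Turn an inventory path such as /v2/customers/{id} into an anchored regex."""
    parts = [r"[^/]+" if p.startswith("{") and p.endswith("}") else re.escape(p)
             for p in template.split("/")]
    return re.compile("^" + "/".join(parts) + "$")

def match_inventory(method, path):
    """Return the inventory key this request matches, or None if it is unknown."""
    for known_method, template in INVENTORY:
        if known_method == method and _template_to_regex(template).match(path):
            return (known_method, template)
    return None

def reconcile(log_text):
    """Return ({shadow endpoint: hits}, {zombie endpoint: hits}) for an access log."""
    shadow, zombie = Counter(), Counter()
    for line in log_text.splitlines():
        hit = LOG_RE.search(line)
        if not hit or int(hit.group("status")) >= 400:
            continue  # unparsable, or the server refused it (a 410 on v1 is the goal)
        method, path = hit.group("method"), hit.group("path").split("?", 1)[0]
        key = match_inventory(method, path)
        if key is None:
            shadow[(method, path)] += 1  # serving traffic but never reviewed
        elif INVENTORY[key]["deprecated"]:
            zombie[key] += 1  # retired on paper, still answering with 2xx/3xx
    return dict(shadow), dict(zombie)
```

In practice the inventory would come from the API gateway or OpenAPI specs and the log from the edge, so the gap between the two is exactly what the security team cannot see today.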
Another threat is bad bots, according to Lynn Marks, Senior Product Manager at Imperva.
“APIs will become the prime target for bad bots in 2023. In pursuit of sensitive data, cybercriminals will put more focus on vulnerable API endpoints that connect directly to an organization’s underlying database. Because API security defenses often overlook automated threats, bots will become a persistent challenge next year and generate more scraping attacks on individual APIs that lead to data leakage.”
Shifting Left
To meet the rising tide of API cyber threats, Lebin Cheng, Head of API Security at Imperva, says Security Operations, Platform Operations, and DevOps will increase collaboration, enabled by maturing automation tools and processes.
SecOps teams must partner with DevOps in the creation and execution of their security strategy. This requires new technology and processes to help bridge the gap between these two teams, to help establish a frictionless relationship where both sides get what they need to be successful. Developers need to be able to move fast and innovate, and security needs full visibility into API behavior to monitor for suspicious activity and react as soon as something nefarious happens.
The first step is to create an effective feedback loop between DevOps and SecOps teams, designed to help these teams work in concert to get API security risks under control. This feedback loop allows organizations to streamline application release workflows and enable developers to focus on delivering an optimal digital experience while providing the SecOps team visibility and control over the application runtime.
Automation is a key factor in ensuring that DevSecOps standards and practices are met at all stages of the development lifecycle. Automation ensures protection can keep pace with application changes by enabling DevSecOps teams to quickly take on more security responsibilities, including automated code analysis, compliance monitoring, and threat investigation.
Integration of automated security testing tools is often the first step – for example, static application security testing (SAST) and dynamic application security testing (DAST) tools can be used throughout the development process.
Machine learning is also a key requirement, says Lynn Marks.
“Machine learning will be needed to differentiate normal API behavior from malicious traffic and to understand what data should be transmitted through the API. Therefore, organizations will be challenged to mitigate automated attacks targeting their API libraries until bot management and API security are used in concert.”
As development and security teams embrace a more agile and collaborative way of working, they will seek out security solutions and services that are equipped to enable their business to grow and scale quickly, says Karl Triebes, SVP and GM, Application Security, Imperva.
“Business leaders will no longer be able to slow innovation for the sake of implementing security controls and policies. Instead, they’ll seek out and partner with vendors that support secure development and enable application or service availability.”
Agile development and the use of APIs are here to stay. In 2023, security teams will need to learn how to work alongside developers, adopting the same agile mindset to protect modern applications at the pace they are being spun up and released. Until security is embedded into the development lifecycle, cybercriminals will continue to exploit vulnerable APIs to exfiltrate sensitive data in greater volumes.