6 notable API security initiatives launched in 2023

Application programming interfaces (APIs) are increasingly central to modern enterprise computing, from simple programs to the most advanced design and architectural considerations, and have become the connective tissue of the digital world.

An API provides an interface that allows software developers to programmatically interact with software components or resources outside of their own code, applicable everywhere from command-line tools to microservices and cloud-native architectures.

However, the growing use of APIs gives attackers more ways to break authentication controls, exfiltrate data, or perform disruptive acts. By nature, APIs expose application logic and sensitive data such as personally identifiable information (PII). Meanwhile, existing security tools often struggle to detect and mitigate API-specific threats, leaving organizations vulnerable to compromise, abuse, and fraud.

A recent report from Traceable AI revealed that 60% of organizations have faced an API-related breach in the last two years, with 74% of these enduring three or more incidents. Only 38% of businesses can discern intricate context between API activity, user behaviors, and data flow, with 57% stating that traditional security solutions are unable to effectively distinguish genuine from fraudulent API activity.

Most tellingly, 61% of surveyed organizations anticipate rising API-related risks in the next two years as they deal with an average of 127 third-party API connections, with just 33% confident in managing external API threats.

API security is becoming increasingly important

API security is rising up the agenda for many organizations and within the cybersecurity community. “API security is now a hugely important consideration, with unsecured or misconfigured APIs representing a great opportunity for threat actors to gain access to a targeted network,” Chris Morgan, senior cyber threat intelligence analyst at ReliaQuest, tells CSO.

In 2023 and beyond, API security will become increasingly imperative as organizations continue their trend toward cloud services, enabling the digitization of large data sets, services, and products. “With this move, the attack surface of susceptible APIs increases, so the requirement to harden API services — and protect business operations, customers, and data — will be more important than ever,” Morgan says.

Jeremy Snyder, CEO and co-founder of security company FireTail, tells CSO that at the recent Black Hat USA conference he spoke with several people in the travel industry who said that the points.com API security issues are causing many in the sector to start taking API threats seriously. “Similarly, the automotive industry is now viewing connected cars and autonomous vehicles as smart devices with large volumes of telemetry data. Security disclosures and API-based proof of concept exploits have given this industry reason to examine API security more closely as well,” he says.

Here are six notable initiatives, programs, and resources launched this year to help improve and develop API security.

GSMA launches open network API initiative

In February, the global mobile trade association GSMA unveiled the GSMA Open Gateway — a framework designed to change the way the telecoms industry designs and delivers services in an API economy world, including cybersecurity.

“By applying the concept of interconnection for operators to the API economy, developers can utilize technology once, for services such as identity, cybersecurity or billing, but with the potential to be integrated with every operator worldwide,” says Mats Granryd, director general of the GSMA.

The GSMA Open Gateway Memorandum of Understanding (MoU) is supported by some of the world’s largest and most innovative mobile network operators including BT group, Vodafone, AT&T, Verizon, and Orange.

Traceable AI releases API security reference architecture for zero trust

In June, security startup Traceable AI released API Security Reference Architecture for Zero Trust, a guide for integrating API security into zero trust security initiatives, which have traditionally focused on network-level controls and identity and access management. The architecture is aligned with the NIST Zero Trust Architecture, a publicly available, vendor-neutral framework widely adopted by government entities as well as by many leading cybersecurity vendors.

By leveraging the NIST framework, the architecture ensures compatibility, interoperability, and adherence to industry standards, making it a reliable and trusted resource for organizations implementing zero trust for their APIs, Traceable AI said. The guidance outlines:

  • The key tenets and definitions of zero trust translated for APIs.
  • What zero trust needs to account for at the API level.
  • How organizations can operationalize API security in their zero-trust deployments.

F5 publishes free API security best practices eBook

In June, F5 published API Security Best Practices: Key Considerations for API Protection, a free eBook outlining the various API security challenges and risks organizations face along with strategies for security and risk teams to strengthen API security in their companies.

“APIs facilitate a decentralized and distributed architecture with endless opportunities for third-party integration that fundamentally changes the calculus for security and risk teams,” the eBook reads. F5’s security guidance includes continuously monitoring and protecting API endpoints as well as reacting to a changing application lifecycle.

CISA, partners issue cybersecurity guidance on web application access control abuse

In July, the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC), the US Cybersecurity and Infrastructure Security Agency (CISA), and the US National Security Agency (NSA) issued a joint cybersecurity advisory to warn vendors, designers, and developers of web applications and organizations using web applications about insecure direct object reference (IDOR) vulnerabilities.

IDOR vulnerabilities are access control vulnerabilities that enable malicious actors to modify or delete data, or access sensitive data, by issuing requests to a website or web API that specify the identifier belonging to another valid user. IDOR attacks are one of the most common and costly forms of API breaches; the requests succeed because the application fails to perform adequate authentication and authorization checks on the object being requested.
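The following is an added example, not code from the advisory or from any vendor named in this article. It places an IDOR-prone handler beside a hardened one that performs the object-level authorization check the advisory calls for; the invoice data, user ids and status codes are constructed for illustration.

```python
# Added example: an IDOR-prone API handler next to a hardened one.
# All data is constructed in memory so the example runs offline.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int
    amount: float

# Constructed sample data: user 7 owns invoice 1001, user 9 owns 1002.
INVOICES = {
    1001: Invoice(1001, owner_id=7, amount=120.00),
    1002: Invoice(1002, owner_id=9, amount=980.50),
}

def get_invoice_vulnerable(session_user_id: Optional[int], invoice_id: int):
    """IDOR: authentication is checked, but the object's owner is not.
    Any logged-in caller can read any invoice simply by changing the id
    in the request, which is the failure the joint advisory describes."""
    if session_user_id is None:
        return 401, None
    inv = INVOICES.get(invoice_id)
    if inv is None:
        return 404, None
    return 200, {"invoice_id": inv.invoice_id, "amount": inv.amount}

def get_invoice_hardened(session_user_id: Optional[int], invoice_id: int):
    """Object-level authorization: the ownership check uses the identity
    bound to the server-side session, never an identifier supplied in the
    request. Missing and foreign objects both return 404 so the response
    does not reveal which ids exist."""
    if session_user_id is None:
        return 401, None
    inv = INVOICES.get(invoice_id)
    if inv is None or inv.owner_id != session_user_id:
        return 404, None
    return 200, {"invoice_id": inv.invoice_id, "amount": inv.amount}

if __name__ == "__main__":
    # User 7 requesting user 9's invoice: leaks under the vulnerable handler,
    # denied under the hardened one.
    print(get_invoice_vulnerable(7, 1002))  # (200, {'invoice_id': 1002, 'amount': 980.5})
    print(get_invoice_hardened(7, 1002))    # (404, None)
```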

OWASP updates top 10 API security risks list

In July, the Open Worldwide Application Security Project (OWASP) published the API Security Top 10 2023 list, detailing the 10 biggest API security risks posed to organizations. It was the first time the API-specific risk guidance had been updated since its launch in 2019, part of OWASP’s API Security Project. “Since then, the API security industry has flourished and become more mature,” OWASP wrote.

The primary goal of the OWASP API Security Top 10 is to educate those involved in API development and maintenance, for example, developers, designers, architects, managers, or organizations. The latest API security list is:

  1. Broken object-level authorization
  2. Broken authentication
  3. Broken object property level authorization
  4. Unrestricted resource consumption
  5. Broken function level authorization
  6. Unrestricted access to sensitive business flows
  7. Server-side request forgery
  8. Security misconfiguration
  9. Improper inventory management
  10. Unsafe consumption of APIs

Salt Security launches STEP program to strengthen API security ecosystem

In August, Salt Security launched the Salt Technical Ecosystem Partner (STEP) program, an initiative aimed at integrating solutions across the API ecosystem and enabling organizations to strengthen their API security postures. The program is designed to move businesses to a risk-based approach for API testing, help focus scanning efforts on priority APIs, and reduce friction for DevOps and DevSecOps teams.

Partners include dynamic application security testing (DAST) firms Bright Security, Invicti Security, and StackHawk, and interactive application security testing (IAST) company Contrast Security.

“To deliver a strong AppSec program, developers need access to best-of-breed technologies that simplify finding and fixing vulnerabilities before deploying code to production,” said Joni Klippert, CEO of StackHawk. Given the explosive growth of API development, he added, teams need to prioritize and automate security testing for their APIs, and do so in a way that seamlessly integrates with developer workflows.
