API Security: An Emerging CISO Pain Point
As API usage increases, API attacks are also becoming more prolific. Many CISOs realize their API security needs a reality check.
The API economy is no stranger to many of us. Without two applications or databases communicating and sharing data through APIs, the digital experiences we have grown accustomed to, such as getting a text message when your Uber has arrived, are impossible. Building a business that relies on APIs has brought success to many companies.
Because APIs are becoming increasingly valuable to businesses, the usage of APIs has reached an all-time high. In the 2020 State of API Survey by Postman, 84.5% of participants stated that APIs play a significant role in digital transformation initiatives. Even more interesting is that a third (30.6%) of the survey respondents said that APIs played a role in their ability to respond to COVID-19.
If we look at the historical data, there is a clear uptick in enterprise API adoption. In the 2019 Gartner API Usage and Strategy Survey, 98% of participating respondents either use APIs now, are implementing APIs, or plan to use APIs in the coming year.
While internal APIs are standard at many technology-driven organizations, external/public-facing API use is rising. According to ProgrammableWeb, the largest and most complete Web API directory, there were over 24,000 active Web APIs in June 2021, compared with fewer than 2,000 a decade earlier.
With the increase in API usage, API attacks are also becoming more and more prolific. Many CISOs realize their API security needs a reality check. As businesses use APIs to establish more connectivity and transfer data, API cyberattacks often lead to data breaches, where sensitive medical, financial, and personal data are exposed.
For example, in March 2020, hackers used insecure APIs behind the website findadoctor.com to scrape information on 1.4 million doctors in the U.S. It turned into a disaster for doctors and healthcare staff who were busy saving lives amid the pandemic. Other large organizations, such as Instagram, Venmo, USPS, Capital One, and GitLab, have also experienced attacks linked to broken, insecure, or exposed APIs in recent years.
Developers have several options to build APIs today. They can choose from older protocols like SOAP, which is based on XML format, to current API standards like REST, which utilizes lightweight JSON format. Over the last few years, newer protocols like GraphQL (built by Facebook) and gRPC (built by Google) have also emerged as dependable alternatives.
For security practitioners, a deep understanding of these protocols and of how application requests get fulfilled is critical. Modern microservices interact with each other and with third-party providers through well-defined API call structures. Consider a request sent to an IP-addressable API endpoint to fetch a customer's bank account details. Such a request may carry visible parameters (called GET parameters in REST APIs) such as user_id and name, and hidden parameters (called POST parameters in REST APIs) such as the password or the last four digits of the social security number.
Such a request passes through an API gateway acting as gatekeeper and is then routed to the internal servers where that particular data is stored. A query on the backend then fetches the data from the data stores, and the response is sent back. Along this end-to-end path there are multiple attack vectors that web applications need to be protected from, such as high-frequency API calls, access to unauthorized data, SQL injection, and others, including the OWASP Top 10.
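To make the request path above concrete, here is an added example (written for this page, not code from the article or from any vendor it mentions) of a small handler for the "fetch a customer's bank account" call. It applies, in order, the three defences the paragraph names: a per-caller rate limit against high-frequency calls, an object-level authorization check so a caller cannot read another customer's record, and a parameterized query so that injection-style input in user_id is bound as a value rather than spliced into SQL. The principal shape, the "support" role, the rate-limit numbers and the account rows are all assumptions constructed for the example.

```python
import sqlite3
import time
from collections import defaultdict, deque

# Constructed in-memory store standing in for the backend data store.
_db = sqlite3.connect(":memory:")
_db.execute("CREATE TABLE accounts (user_id TEXT PRIMARY KEY, name TEXT, iban TEXT)")
_db.executemany(
    "INSERT INTO accounts VALUES (?, ?, ?)",
    [("u100", "Alice", "DE00 0000 0000 0000 0000 01"),
     ("u200", "Bob", "DE00 0000 0000 0000 0000 02")],
)

RATE_LIMIT = 5        # max allowed calls per caller ...
RATE_WINDOW = 60.0    # ... within this many seconds (assumed values)
_recent_calls = defaultdict(deque)   # caller id -> timestamps of recent allowed calls


def rate_limited(caller_id, now):
    """Sliding-window check: True if the caller has used up its quota."""
    window = _recent_calls[caller_id]
    while window and now - window[0] >= RATE_WINDOW:
        window.popleft()          # drop calls that fell out of the window
    if len(window) >= RATE_LIMIT:
        return True
    window.append(now)
    return False


def get_account(principal, params, now=None):
    """Handle GET /accounts?user_id=... for an already-authenticated principal.

    principal: {"sub": "<caller user id>", "roles": [...]} as an API gateway
               might pass it on after validating the caller's token (assumed shape).
    params:    the request's query (GET) parameters.
    Returns (http_status, response_body).
    """
    now = time.monotonic() if now is None else now

    # 1. High-frequency calls: throttle per caller before doing any backend work.
    if rate_limited(principal["sub"], now):
        return 429, {"error": "rate limit exceeded"}

    # 2. Input validation: reject missing or oversized identifiers early.
    user_id = params.get("user_id")
    if not isinstance(user_id, str) or not 1 <= len(user_id) <= 64:
        return 400, {"error": "invalid user_id"}

    # 3. Object-level authorization: a customer may only read their own record;
    #    only the (assumed) "support" role may look up any user.
    if user_id != principal["sub"] and "support" not in principal.get("roles", []):
        return 403, {"error": "forbidden"}

    # 4. Parameterized query: user_id is bound as a value, never spliced into
    #    the SQL text, so injection-style input simply matches no row.
    row = _db.execute(
        "SELECT user_id, name, iban FROM accounts WHERE user_id = ?", (user_id,)
    ).fetchone()
    if row is None:
        return 404, {"error": "no such account"}
    return 200, {"user_id": row[0], "name": row[1], "iban": row[2]}


if __name__ == "__main__":
    customer = {"sub": "u100", "roles": ["customer"]}
    print(get_account(customer, {"user_id": "u100"}, now=0.0))   # own record: 200
    print(get_account(customer, {"user_id": "u200"}, now=1.0))   # someone else's: 403
```

The ordering matters: the throttle runs first so an abusive caller never reaches the data store, and the authorization decision is made on the identity the gateway established, not on anything the caller supplied in the request.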
Through our conversations with CISOs, we heard six pain points they're experiencing protecting their APIs.
Detecting API threats: Enterprises don't know the complete inventory of their APIs. Unmonitored "shadow APIs" are the source of increasing security risks and governance challenges.
Enforcing a protection perimeter: Modern application architecture trends (e.g., mobile access, microservice, hybrid cloud) complicate API security. There is rarely a single "gateway" to enforce protection.
End-to-end API traffic tracing: Widespread use of internal APIs adds the requirement to secure internal usage ("east-west" API traffic) to the requirement to secure usage coming from outside the organization ("north-south" API traffic).
Manual security configuration: each newly added API requires its own set of manual security configurations.
A large amount of change management for new APIs: New APIs are deployed quickly without proper documentation, governance, and change control.
Sometimes-fractured relationship between DevOps and Security: 30% of APIs were deployed without input from IT security due to the lack of collaboration between DevOps and Security teams.
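The first pain point, not knowing the full API inventory, has a simple first check a practitioner can run: compare the endpoints the backend actually serves, as seen in access logs, against the documented inventory. The following is an added example written for this page (not code from the article or from any vendor it mentions). It parses common-log-format lines, collapses concrete identifiers to a route template, counts only responses below 400 so that scanner noise and rejected methods are not mistaken for live endpoints, and reports what is served but undocumented. The inventory, the log lines and the route templates are constructed sample data.

```python
import re
from collections import Counter

# Constructed sample: the (method, route template) pairs the organization has documented.
DOCUMENTED = {
    ("GET", "/v1/accounts/{id}"),
    ("POST", "/v1/transfers"),
    ("GET", "/v1/health"),
}

# Constructed sample access-log lines in common log format.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jun/2021:10:00:01 +0000] "GET /v1/accounts/123 HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jun/2021:10:00:02 +0000] "POST /v1/transfers HTTP/1.1" 201 88',
    '10.0.0.7 - - [01/Jun/2021:10:00:03 +0000] "GET /v1/accounts/7d3c6b4e-1234-4a5b-9c8d-0e1f2a3b4c5d?expand=1 HTTP/1.1" 200 640',
    '10.0.0.9 - - [01/Jun/2021:10:00:04 +0000] "GET /internal/debug/config HTTP/1.1" 200 2048',
    '10.0.0.9 - - [01/Jun/2021:10:00:05 +0000] "GET /v2/accounts/123 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jun/2021:10:00:06 +0000] "DELETE /v1/accounts/123 HTTP/1.1" 405 0',
    '10.0.0.9 - - [01/Jun/2021:10:00:07 +0000] "GET /wp-admin/ HTTP/1.1" 404 0',
]

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
UUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)


def normalize_path(path):
    """Strip the query string and collapse numeric or UUID segments to {id},
    so every instance of a resource maps onto one route template."""
    path = path.split("?", 1)[0]
    segments = [
        "{id}" if seg.isdigit() or UUID_RE.fullmatch(seg) else seg
        for seg in path.split("/")
    ]
    return "/".join(segments)


def served_endpoints(log_lines):
    """Count (method, route) pairs the backend actually served (status < 400).

    4xx/5xx responses are ignored: a 404 for a scanner probing /wp-admin/ or a
    405 for an unsupported method is not evidence of a live endpoint.
    """
    counts = Counter()
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if m is None or int(m["status"]) >= 400:
            continue
        counts[(m["method"], normalize_path(m["path"]))] += 1
    return counts


def shadow_endpoints(log_lines, documented):
    """Served endpoints that are missing from the documented inventory, with hit counts."""
    return {ep: n for ep, n in served_endpoints(log_lines).items() if ep not in documented}


if __name__ == "__main__":
    for (method, route), hits in sorted(shadow_endpoints(SAMPLE_LOG, DOCUMENTED).items()):
        print(f"undocumented: {method} {route} ({hits} successful calls)")
```

On the sample data this flags the debug endpoint and the undocumented /v2 variant while ignoring the rejected DELETE and the scanner's 404. In practice the log source would be the gateway or load balancer in front of the services, and the documented set would be generated from the OpenAPI specs rather than typed in by hand.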
We expect enterprises to increase budget allocation to protect their APIs in the upcoming years. From ML/AI to behavioral analytics, API security vendors are developing differentiated technology to address API security concerns. By monitoring API traffic, vendors help enterprises identify abnormal API usage and potential threats and recommend policy enforcement before an attack occurs.
While API security vendors have an edge in offering API protection solutions today, they will face increasing competition from "API security as a feature" offerings from players in other cybersecurity categories, such as web application firewalls, identity and access management, and API management.
Overall, the surge in API traffic in recent years has made API security one of the top security concerns for enterprise CISOs. As a result, it represents one of the fastest-growing markets within cybersecurity, and startups are innovating swiftly to maintain their edge and capture this market.
Winners in API security will be companies capable of expanding API security features to a broader security platform.
Process Tempo's API Security Threat Remediation Application is an award-winning, comprehensive API solution that goes beyond technology to help minimize the threat caused by API security vulnerabilities.
Process Tempo helps bring together a combination of capabilities - a program, technology, and team of experts - to address the risk caused by API vulnerabilities appropriately. Instead of merely identifying problems, it tracks the organization's ability to resolve them. It provides a command and control structure that delivers the necessary insights and accountability to see each vulnerability move through the remediation process.
This program is backed by executive sponsorship, supported by cross-industry experts, and enabled by state-of-the-art technology. ReactFirst works as the perfect accompaniment to your existing API strategy, providing the transparency, oversight, and control into the API Remediation process your organization needs as the risk around API vulnerabilities grows.
Talk to us to see if Process Tempo's API Security Threat Remediation Application is a fit for you and whether it can help boost your API Remediation efforts into one you can trust.