In our modern digital world, application programming interfaces (APIs) have become the backbone of our personal and professional Internet use. They enable a wide range of services, from our mobile applications to the Internet of Things (IoT) and banking transactions.
APIs make up 70% of all web traffic observed by content delivery network provider Cloudflare. Akamai puts this figure at 83% of all traffic it has observed.
Additionally, API usage keeps growing: the Salt Labs State of API Security Report Q1 2023, published in March 2023, found that the average number of APIs per customer grew 82% from July 2021 to July 2022.
This makes APIs one of the top attack vectors, Mayur Upadhyaya, CEO of Contxt, said during a presentation at Infosecurity Europe.
“First, vulnerable APIs can be exposed to the public internet, leading to enumerable identities and other known misconfigurations such as the ones that make up the OWASP API Top 10. Then, poor authorization of API endpoints can lead to various security issues. Finally, permissive APIs are a significant risk to businesses when developers share more data than necessary or reuse APIs for multiple purposes.”
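The three weaknesses listed above map onto well-known OWASP API Top 10 categories: guessable object identifiers, missing object-level authorization (BOLA), and responses that serialise more of a record than the caller needs (excessive data exposure). The following Python is an added illustration written for this page, not code from the article, from Contxt or from any named product; the `Order` record, the sample data, the handler names and the `Forbidden` exception are all constructed for the example. It models one endpoint twice, first as a vulnerable handler that an attacker can walk with sequential IDs, then hardened with random identifiers, an ownership check and a response allow-list.

```python
"""Added example (not from the article): a vulnerable API handler beside its
hardened form, as plain functions so it runs offline without a web framework.
All names and sample records below are constructed for illustration."""
import secrets
from dataclasses import dataclass, asdict
from typing import Callable, Iterable, Optional


@dataclass
class Order:
    id: str
    owner: str
    item: str
    amount: float
    card_number: str    # sensitive: must never leave the service
    home_address: str   # sensitive


# Constructed sample data keyed by sequential, guessable identifiers.
ORDERS_BY_SEQ = {
    "1": Order("1", "alice", "laptop", 1200.0, "4111111111111111", "1 Example St"),
    "2": Order("2", "bob", "headphones", 80.0, "5555555555554444", "2 Sample Rd"),
    "3": Order("3", "carol", "monitor", 300.0, "378282246310005", "3 Demo Ave"),
}


class Forbidden(Exception):
    """Raised by the hardened handler instead of returning a foreign object."""


def get_order_vulnerable(requester: str, order_id: str) -> Optional[dict]:
    """Vulnerable handler: the requester is never compared to the owner
    (BOLA), the ID is a small integer (enumerable), and the whole record is
    serialised, card number and address included (excessive data exposure)."""
    order = ORDERS_BY_SEQ.get(order_id)
    return asdict(order) if order else None


def enumerate_orders(handler: Callable[[str, str], Optional[dict]],
                     requester: str, id_space: Iterable[str]) -> list:
    """What an attacker does with enumerable IDs: walk the ID space with one
    low-privilege account and keep every record the handler hands back."""
    found = []
    for candidate in id_space:
        try:
            record = handler(requester, candidate)
        except Forbidden:
            record = None
        if record:
            found.append(record)
    return found


# --- hardened version ------------------------------------------------------

PUBLIC_FIELDS = ("id", "item", "amount")   # response allow-list, not a deny-list


def new_order_id() -> str:
    """128-bit random identifier: cannot be enumerated by counting."""
    return secrets.token_urlsafe(16)


# Re-key the same constructed data under random identifiers.
ORDERS_BY_TOKEN = {}
for _o in ORDERS_BY_SEQ.values():
    _tok = new_order_id()
    ORDERS_BY_TOKEN[_tok] = Order(_tok, _o.owner, _o.item, _o.amount,
                                  _o.card_number, _o.home_address)


def order_ids_for(owner: str) -> list:
    """The legitimate way to learn one's own IDs (a 'list my orders' call)."""
    return [o.id for o in ORDERS_BY_TOKEN.values() if o.owner == owner]


def get_order_hardened(requester: str, order_id: str) -> dict:
    """Hardened handler: object-level authorization on every lookup, and a
    missing object and a foreign object are indistinguishable to the caller,
    so the response does not confirm that someone else's order exists."""
    order = ORDERS_BY_TOKEN.get(order_id)
    if order is None or order.owner != requester:
        raise Forbidden("order not found")
    # Serialise only the allow-listed fields; a new sensitive column added to
    # Order later stays private by default.
    return {k: v for k, v in asdict(order).items() if k in PUBLIC_FIELDS}


if __name__ == "__main__":
    print("bob reads alice's card via the vulnerable endpoint:",
          get_order_vulnerable("bob", "1")["card_number"])
    print("records an outsider scrapes by counting 1..99:",
          len(enumerate_orders(get_order_vulnerable, "mallory",
                               map(str, range(1, 100)))))
    mine = order_ids_for("alice")[0]
    print("alice's own hardened view:", get_order_hardened("alice", mine))
```

Two design points are worth spelling out. The hardened handler answers both "no such order" and "not your order" with the same error, because a 403-versus-404 distinction is itself an enumeration oracle. And the response is built from an allow-list of fields rather than by deleting known-sensitive ones, so that a column added to the record later is not exposed by default, which is the "developers share more data than necessary" failure mode in the quote above.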
However, Upadhyaya said that API security solutions are not widely adopted yet. “As there is no clear owner of APIs within the enterprise, there is usually not a single stakeholder that will be responsible for protecting APIs, and API security tends to be overlooked,” he added.
As a result, API security solutions have so far been adopted mainly by highly regulated industries, chiefly financial services, which must comply with regulations such as the EU’s revised Payment Services Directive (PSD2) and with standards such as the Payment Card Industry Data Security Standard (PCI DSS).
Thankfully, things have recently started to change for the better, Upadhyaya continued.
For instance, IoT security legislation such as the UK’s Product Security and Telecommunications Infrastructure (PSTI) Act, which received Royal Assent in December 2022, and the EU’s proposed Cyber Resilience Act mean that IoT manufacturers will have to conform to stricter standards of security, which include API protection provisions.
“We’ve also started to see more adoption pushed by the OpenID Foundation’s Financial-Grade API (FAPI) project, which they are trying to get pharmaceutical and healthcare organizations to implement,” he told Infosecurity.
Recent concerns around supply chain attacks and the cyber risks posed by generative AI have also highlighted how critical API security is.
“What we’ll need to see if we want effective API security practices, however, is to integrate them into a coherent API governance system within organizations. That’s why we launched a free API Maturity Model that organizations can use to assess where they are in their journey to secure the APIs they use,” Upadhyaya said.
Contxt is among the 14 finalists of the UK’s Most Innovative Cyber SMEs in 2023. The winner will be announced at Infosecurity Europe on June 21, 2023.