The cyber-threat landscape is changing. We’ve seen this before, but this time it’s different. We are now facing a new type of threat that uses application programming interfaces (APIs) as a primary attack vector. These attacks are sophisticated and disruptive and have already spread across multiple industries.
According to a report from Gartner, this is the year that APIs will have become the leading attack vector for enterprise web applications. As businesses continue to move more of their operations to the cloud and more data moves into APIs, we’re seeing a big increase in API-based attacks. The Optus breach is only the latest example. In this piece, we briefly look at this present threat and precautionary measures that should be taken.
The Rise of APIs Has Been an Exciting Evolution
Organizations are using APIs to build complex applications that serve as the foundation for their business models since they offer an effective way to leverage the data and functionality delivered by an organization’s digital applications and services.
They are becoming more popular due to their ability to provide connectivity between disparate systems. For example, an API for a bank can allow you to access your account information from a mobile app or website. In addition, companies may use APIs for internal processes, such as billing or inventory management.
It’s not just about making things easier or faster; it’s about creating new opportunities for innovation and growth through integration with other platforms or services outside an organization’s control. But, as enterprises adopt APIs to serve as the core of their business models, they often overlook a critical aspect of API security.
API Misuse is a Major Threat Vector
The problem with APIs is that they are used by many applications and people. APIs can be used in so many ways, making them a prime target for hackers.
The trend of API-based attacks has grown significantly in recent years. These attacks are becoming increasingly common because they’re a path of least resistance for hackers to exploit – and they can be difficult to detect if your organization doesn’t have an adequate threat management process in place.
Reports indicate that 95% of companies have had an API security incident in the past 12 months, with API attack traffic growing by 681%. Another study shows that API vulnerabilities cost businesses up to $75bn annually.
Common threats to API security include:
- Malware and DDoS Attacks: Distributed denial of service (DDoS) attacks involve sending large amounts of traffic to a target website to overwhelm it, causing it to crash or become unavailable for use. DDoS attacks can be carried out by botnets – groups of IoT devices that have been compromised by malware and turned into bots that send requests back and forth. Other malware attacks include SQL injection and credential stuffing.
- Improper Assets Management: Running older API versions leaves organizations open to attacks and data breaches. This is similar to improper documentation, which exposes sensitive data to unidentified threats and makes it challenging to find the vulnerabilities that need to be fixed. Attackers may find poorly protected non-production versions of the API, such as staging, testing or beta versions, and employ them in the attack.
- Misconfigured APIs: When a web application is configured in a way that exposes data and functionality that could be used in an attack, it is said to have a security misconfiguration. Attackers may exploit improperly set-up API servers, including unpatched systems or unprotected files and folders. This includes incorrect HTTP headers, insecure default configurations, verbose error messages, etc.
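The last two items can be checked from the defender's side by auditing responses from your own API hosts. The sketch below is an added example, not part of the original article; the host names, the supported version number and the list of required headers are assumptions chosen for illustration.

```python
import re

# Constructed sample: responses captured from an organization's own API hosts.
# Host names, paths, header values and bodies are made up for illustration.
SAMPLE_RESPONSES = [
    {"url": "https://api.example.com/v3/accounts", "status": 200,
     "headers": {"Strict-Transport-Security": "max-age=31536000",
                 "X-Content-Type-Options": "nosniff"},
     "body": '{"accounts": []}'},
    {"url": "https://staging-api.example.com/v1/accounts", "status": 500,
     "headers": {"Server": "Apache/2.4.41", "Content-Type": "text/html"},
     "body": 'Traceback (most recent call last):\n  File "app.py", line 12'},
]

CURRENT_VERSION = 3  # assumption: v3 is the only supported API version
NON_PROD = re.compile(r"//(staging|test|beta|dev)[-.]", re.I)
VERSION = re.compile(r"/v(\d+)/")
VERBOSE_ERROR = re.compile(
    r"Traceback \(most recent call last\)|SQLSTATE|Exception in thread")
REQUIRED_HEADERS = ("Strict-Transport-Security", "X-Content-Type-Options")

def audit(resp):
    """Return a sorted list of findings for one captured response."""
    findings = set()
    headers = {k.lower(): v for k, v in resp["headers"].items()}
    if NON_PROD.search(resp["url"]):
        findings.add("non-production host reachable")
    match = VERSION.search(resp["url"])
    if match and int(match.group(1)) < CURRENT_VERSION:
        findings.add("outdated API version")
    for name in REQUIRED_HEADERS:
        if name.lower() not in headers:
            findings.add("missing header: " + name)
    if re.search(r"\d", headers.get("server", "")):
        findings.add("server version disclosed")
    if VERBOSE_ERROR.search(resp["body"]):
        findings.add("verbose error message")
    return sorted(findings)

def audit_all(responses):
    """Map each URL with at least one finding to its findings."""
    results = {resp["url"]: audit(resp) for resp in responses}
    return {url: found for url, found in results.items() if found}

if __name__ == "__main__":
    for url, found in audit_all(SAMPLE_RESPONSES).items():
        print(url, found)
```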
We Need to Build More Secure APIs
Every organization must take every measure possible to secure their APIs at every level, including protecting them against external threats and insider misuse; otherwise, they risk exposing themselves to potential breaches like those experienced by Uber and Equifax in 2016 and 2017, respectively.
Organizations can do this by applying zero trust principles to API security. Application security teams should bring every endpoint to the same level of protection across all three areas: authentication, authorization and threat prevention. Doing this makes it harder for hackers to gain access. It’s crucial to keep an eye out for anything odd while trying to safeguard your API or its users against security flaws. Security problems frequently manifest as unusual behavior that doesn’t look correct. By watching for it, you can recognize and eliminate these dangers before they occur.
To prevent BOLA (broken object level authorization) attacks, organizations must also use API security solutions that recognize when one authenticated user attempts to gain unauthorized access to another user’s data. This demonstrates the need for rigorous examination of all API authentication choices. Every API flow should evaluate its standard authentication process using an API security solution.
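The kind of check described above, recognizing one authenticated user reaching for another user's data, can be sketched as a detection over API gateway logs. This is an added example, not part of the original article; the log format, the /api/v1/accounts/ path, the ownership table and the threshold are all assumptions, and roles that legitimately read other users' records (support, admin) would need an allow-list.

```python
import re
from collections import defaultdict

# Constructed sample: gateway log lines (timestamp, user, method, path, status).
SAMPLE_LOG = """\
2024-01-01T10:00:01Z user=alice GET /api/v1/accounts/1001 200
2024-01-01T10:00:02Z user=bob GET /api/v1/accounts/2002 200
2024-01-01T10:00:05Z user=bob GET /api/v1/accounts/1001 200
2024-01-01T10:00:06Z user=bob GET /api/v1/accounts/1002 403
2024-01-01T10:00:07Z user=bob GET /api/v1/accounts/1003 403
2024-01-01T10:00:08Z user=bob GET /api/v1/accounts/1004 404
"""

LINE = re.compile(r"^(\S+) user=(\S+) (\w+) /api/v1/accounts/(\d+) (\d{3})$")
# Assumed ownership table: account id -> owning user.
OWNERS = {"1001": "alice", "1002": "carol", "1003": "carol", "2002": "bob"}
ENUM_THRESHOLD = 3  # distinct foreign or unknown ids per user before alerting

def detect_bola(log_text, owners=OWNERS, threshold=ENUM_THRESHOLD):
    """Return alerts for cross-user object access and object id enumeration."""
    alerts = []
    foreign_ids = defaultdict(set)
    for line in log_text.splitlines():
        match = LINE.match(line.strip())
        if not match:
            continue  # not an account-object request
        ts, user, _method, obj_id, status = match.groups()
        if owners.get(obj_id) == user:
            continue  # user is touching their own object
        foreign_ids[user].add(obj_id)
        if status.startswith("2"):
            # The API served another user's object: an authorization gap.
            alerts.append(("cross_user_success", user, obj_id, ts))
    for user, ids in sorted(foreign_ids.items()):
        if len(ids) >= threshold:
            # Many different foreign ids from one user suggests id guessing.
            alerts.append(("id_enumeration", user, len(ids)))
    return alerts

if __name__ == "__main__":
    for alert in detect_bola(SAMPLE_LOG):
        print(alert)
```

A cross_user_success alert means the endpoint itself is missing an object-level ownership check and needs fixing, while id_enumeration alone may only indicate probing that was correctly denied.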
Conclusion
Worldwide statistics point to a clear trend: API cloud attack vectors are becoming more and more common as we move into the future. To truly protect their applications and users from malicious actors, today’s businesses must harden APIs against threats at every level of their organization.