Securing APIs and applications is crucial for today's business networks, yet few businesses treat API security as a priority.
Salt Security reports that last year, 94% of businesses had security issues with their production APIs, and that of those, 20% had data breaches as a direct consequence of API security flaws.
API-related hacks have affected notable corporations including Experian and Peloton and, most recently, the FBI. In that incident, attackers gained access to a database of executives belonging to InfraGard, the programme through which private sector partners share threat intelligence with the FBI.
The impostor applied for an InfraGard account using a chief executive officer's identity. Once the FBI approved the account, the hacker pulled member data through an exposed API with a Python script.
Over 80,000 cybersecurity and private sector stakeholders had personal information exposed, including names, email addresses, employers and social media user IDs, and the data was posted on a hacker forum.
Application programming interfaces: a backdoor to data breaches
This incident illustrates both the central role application programming interfaces (APIs) play in moving data between applications, microservices and services, and the risk they pose when not properly secured: an exposed API can hand attackers sensitive user information.
The typical company has 15,564 APIs that need securing, and demand for security professionals outstrips supply.
Man-in-the-middle attacks and theft of API keys and tokens are common methods attackers use to obtain sensitive data such as personally identifiable information (PII) and intellectual property (IP) including trade secrets.
Access to the pipeline carrying sought-after data can be lucrative, since APIs are the glue that holds devices and microservices together. As the world pushes forward with digital transformation, the cyber-risk environment around APIs becomes more complex, according to Filip Verloy, field CTO EMEA at API security vendor Noname Security.
The issue is not with API security per se, but with the sheer number of APIs in use in today's workplaces, which means security flaws are often overlooked.
Gartner predicts that by 2025 fewer than half of enterprise APIs will be managed, because the proliferation of APIs will outpace the development of adequate API management tools.
As API usage grows, it is becoming harder for enterprises to safeguard and keep track of them, Verloy says. As in the case of the Optus hack, "if attackers are trying their luck in sectors and firms they know are full of APIs, it is possible that they will locate an unauthenticated API."
Token vulnerabilities make API security difficult
To get at the data behind an API, threat actors often try to steal API keys and client credentials from unsuspecting users.
The authentication mechanisms used by many APIs are simple to subvert. Some APIs, for instance, restrict access to data sets using a combination of a secret key and an API refresh token: the client makes a request, the API verifies the client's identity using the unique key or credential, and the client can then exchange data with the service.
The problem is that if the call is not protected with HTTPS, an attacker can eavesdrop on the exchange, steal the token from the client and use the API without the client's knowledge. HTTPS only protects the credential in transit; a static key that leaks from a client binary, a repository or a log file grants the same access, so the credential itself should never be sufficient on its own.
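The interception scenario above assumes the client sends the secret itself with every call, so whoever captures one request owns the API. One mitigation, shown here as an added example that is not code from the article or from any vendor quoted in it, is to sign each request with an HMAC over the method, path, timestamp, nonce and body hash: the secret never leaves the client, a captured request cannot be retargeted at another path, and a verbatim replay fails on the consumed nonce or the timestamp window. The client ID, shared secret, header names and the 300-second skew are assumptions chosen for the example; the `Verifier` class keeps nonces in a plain set, which in production would be a TTL cache.

```python
import hashlib
import hmac
import secrets
import time

# Constructed example: one API client and the secret the server shares with it.
# A real server stores this per client; the secret itself is never sent on the wire.
CLIENT_ID = "client-42"
SHARED_SECRETS = {CLIENT_ID: "demo-secret-do-not-reuse"}

MAX_CLOCK_SKEW = 300  # seconds; a signed request older than this is rejected (assumed value)


def canonical_string(method, path, timestamp, nonce, body):
    """Fixed layout of every request field the signature covers."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), nonce, body_hash])


def compute_signature(secret, method, path, timestamp, nonce, body):
    msg = canonical_string(method, path, timestamp, nonce, body).encode()
    return hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()


def sign_request(client_id, method, path, body, timestamp=None, nonce=None):
    """Client side: build the headers for one request. Only an HMAC over the
    request travels with it; the secret stays on the client."""
    timestamp = int(time.time()) if timestamp is None else timestamp
    nonce = secrets.token_hex(16) if nonce is None else nonce
    sig = compute_signature(SHARED_SECRETS[client_id], method, path, timestamp, nonce, body)
    return {"X-Client-Id": client_id, "X-Timestamp": str(timestamp),
            "X-Nonce": nonce, "X-Signature": sig}


class Verifier:
    """Server side: check signature, freshness and that the nonce is unused."""

    def __init__(self, now=time.time):
        self.now = now              # injectable clock, for deterministic tests
        self.seen_nonces = set()    # production: a TTL cache scoped to MAX_CLOCK_SKEW

    def verify(self, method, path, body, headers):
        client_id = headers.get("X-Client-Id")
        secret = SHARED_SECRETS.get(client_id)
        if secret is None:
            return False, "unknown client"
        try:
            ts = int(headers["X-Timestamp"])
        except (KeyError, ValueError):
            return False, "bad timestamp"
        if abs(self.now() - ts) > MAX_CLOCK_SKEW:
            return False, "stale request"
        nonce = headers.get("X-Nonce", "")
        expected = compute_signature(secret, method, path, ts, nonce, body)
        # compare_digest is constant-time; a plain == would leak timing information
        if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
            return False, "bad signature"
        if (client_id, nonce) in self.seen_nonces:
            return False, "replayed nonce"
        self.seen_nonces.add((client_id, nonce))
        return True, "ok"


def demo(now=1_700_000_000):
    """Walk the eavesdropping scenario from the text through a signed request."""
    v = Verifier(now=lambda: now)
    # 1. Legitimate client call, captured on the wire by an eavesdropper.
    captured = sign_request(CLIENT_ID, "GET", "/v1/users", b"", timestamp=now, nonce="n1")
    first = v.verify("GET", "/v1/users", b"", captured)
    # 2. Attacker re-sends the captured headers against another path: the path
    #    is part of the signed string, so the signature no longer matches.
    tampered = v.verify("GET", "/v1/admin/users", b"", captured)
    # 3. Attacker re-sends the request verbatim: the nonce is already consumed.
    replayed = v.verify("GET", "/v1/users", b"", captured)
    # 4. A captured request outside the time window is rejected even if never seen.
    old = sign_request(CLIENT_ID, "GET", "/v1/users", b"", timestamp=now - 3600, nonce="n2")
    stale = v.verify("GET", "/v1/users", b"", old)
    return {"first": first, "tampered": tampered, "replayed": replayed, "stale": stale}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Signing does not replace TLS: the body is still readable by an eavesdropper, and the scheme only stops the captured request from being reused or modified. It also does nothing about a secret that leaks from the client itself, which is why short-lived, scoped tokens issued after stronger authentication remain necessary.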
According to Fortanix’s chief product and strategy officer Faiyaz Shahpurwala, “multi-factor authentication is now the norm for human user authentication,” but APIs still depend on a single credential, which is commonly hard-coded as an API key.
Compounding the problem, Shahpurwala argues, APIs are an attractive target because of the access and insight they give into the underlying system (that is, which actions are allowed for authorised users and which system components are reachable through the API).
Businesses can only be sure that clients are who they claim to be by enforcing stricter authentication, such as multi-factor authentication, before a token is issued.
Want to protect application programming interfaces? Controls come after visibility
If a business is serious about API security, it needs a bird’s-eye view of all the APIs in use, both within and outside the company.
In order to do this, vendors like Salt Security and Noname Security provide tools that can automatically locate APIs, catalogue them, and detect vulnerabilities.
Open communication between development and security teams is also essential.
According to Sandy Carielli, senior analyst, security and risk at Forrester, “Security teams will want to cooperate with their dev counterparts to create a strategy for deploying and upgrading APIs.” To get an accurate picture of the APIs deployed in their environment, “security executives should employ API discovery and inventory technologies.”
To control and reduce malicious traffic, Carielli recommends API gateways for authentication, authorization and rate limiting, alongside a web application firewall (WAF) and bot management tools.
Two further measures that reduce exposure are deactivating zombie APIs (APIs that have been deprecated but never switched off) and adopting role-based or policy-based identity and access management rules for creating, accessing and maintaining APIs.
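The gateway controls recommended above (authentication, role-based authorization, rate limiting) and the retirement of zombie endpoints all sit on the same request path, so they are easiest to understand as one policy decision. The following is an added example of that decision point, written for this page and not taken from the article, from Forrester, or from any gateway product: a minimal gateway that authenticates an API key, applies a per-client token bucket, refuses retired endpoints outright, and checks the caller's role against a method-and-path policy. The key values, client names, roles, path patterns, refill rate and burst size are all constructed for the example.

```python
import fnmatch
import time

# Constructed data for the example: the keys the gateway knows, the client and
# role behind each one, and the policy table. A production gateway stores key
# hashes rather than raw keys and loads the policy from configuration.
API_KEYS = {
    "key-reporting-7f3a": {"client": "reporting-svc", "role": "reader"},
    "key-billing-91c0": {"client": "billing-svc", "role": "admin"},
}

# role -> (HTTP method, path pattern) pairs that role is allowed to call
POLICY = {
    "reader": [("GET", "/v1/users/*"), ("GET", "/v1/reports/*")],
    "admin": [("GET", "/v1/*"), ("POST", "/v1/*"), ("DELETE", "/v1/users/*")],
}

# Zombie endpoints: deprecated but still served by the backend. The gateway
# refuses them so they are unreachable even with a valid, authorised key.
RETIRED = ["/v0/*", "/v1/export-all"]

RATE = 5.0    # tokens refilled per second, per client (assumed value)
BURST = 10.0  # bucket capacity (assumed value)


class Gateway:
    def __init__(self, now=time.monotonic):
        self.now = now     # injectable clock for deterministic tests
        self.buckets = {}  # client -> (tokens, last_refill_time)

    def _take_token(self, client):
        """Token-bucket rate limit: each request costs one token."""
        now = self.now()
        tokens, last = self.buckets.get(client, (BURST, now))
        tokens = min(BURST, tokens + (now - last) * RATE)
        if tokens < 1.0:
            self.buckets[client] = (tokens, now)
            return False
        self.buckets[client] = (tokens - 1.0, now)
        return True

    def handle(self, method, path, api_key):
        """Return (status, reason) as the gateway would answer the client."""
        ident = API_KEYS.get(api_key)
        if ident is None:
            return 401, "unauthenticated"
        # Rate limit before authorisation, so a leaked key cannot be used to
        # probe the policy table at full speed.
        if not self._take_token(ident["client"]):
            return 429, "rate limited"
        if any(fnmatch.fnmatchcase(path, p) for p in RETIRED):
            return 404, "not found"   # retired endpoint: do not advertise that it once existed
        allowed = any(m == method and fnmatch.fnmatchcase(path, p)
                      for m, p in POLICY.get(ident["role"], []))
        if not allowed:
            return 403, "forbidden"
        return 200, "forwarded to backend"


def demo():
    """Exercise each control with a fixed clock so the outcome is reproducible."""
    clock = [0.0]
    gw = Gateway(now=lambda: clock[0])
    results = {
        "reader_get": gw.handle("GET", "/v1/users/17", "key-reporting-7f3a"),
        "reader_delete": gw.handle("DELETE", "/v1/users/17", "key-reporting-7f3a"),
        "admin_delete": gw.handle("DELETE", "/v1/users/17", "key-billing-91c0"),
        "zombie": gw.handle("GET", "/v0/users", "key-billing-91c0"),
        "bad_key": gw.handle("GET", "/v1/users/17", "key-does-not-exist"),
    }
    # The reader has spent 2 of its 10 tokens; 8 more calls drain the bucket.
    for _ in range(8):
        gw.handle("GET", "/v1/reports/daily", "key-reporting-7f3a")
    results["eleventh"] = gw.handle("GET", "/v1/reports/daily", "key-reporting-7f3a")
    clock[0] += 1.0  # one second later, RATE tokens have been refilled
    results["after_refill"] = gw.handle("GET", "/v1/reports/daily", "key-reporting-7f3a")
    return results


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The order of checks is deliberate: a forbidden or retired request still costs the caller a token, and retired paths answer 404 rather than 410 so the gateway does not confirm to an unauthorised prober that the old endpoint ever existed. Real deployments would additionally log the 403 and 404 decisions, since a valid key repeatedly hitting retired or out-of-policy paths is exactly the reconnaissance pattern the text warns about.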