Digital transformation and the shift to hybrid working triggered a rapid rise in the use of APIs. Now, the associated risks are under the spotlight.
During his years working in elite cybersecurity units in the Israeli Defense Force, Salt Security Co-founder & CEO Roey Eliyahu saw firsthand how APIs can be a significant vector for attacks by cybercriminals.
Today, as enterprise businesses walk the path of digital transformation, web applications and associated APIs have multiplied rapidly. This dynamic ecosystem has increased the attack surface as well as the associated risk factors for many businesses.
The problem has become so severe that Gartner recently predicted that APIs would become the most frequent vector for cyberattacks on enterprise web applications in 2022.
“When you [have] a large attack surface that is dynamically changing, plus the fact that [businesses are] adding more sensitive data and that their security tools were not really designed to protect APIs the way they are today, the inevitable result is that we see more and more incidents every month,” Eliyahu observes.
This article, adapted from a presentation at our recent online event, CISO Champions, US, delves into the increasing risk posed to enterprises by the proliferation of APIs and looks at some of the key challenges when keeping APIs secure.
- Roey Eliyahu, Co-founder & CEO, Salt Security
- Curtis Simpson, CISO, Armis
How the Pandemic Led to Increased API Risk
Leaky APIs have already been causing problems for major international firms in 2021.
In May, a security researcher discovered that the account data and personal information of Peloton home exercise bike owners were freely available online via an API. And, in the same month, it was revealed that the credit scores of millions of Americans were viewable without authentication via an Experian partner API.
According to Curtis Simpson, CISO of computer and network security firm Armis, at least part of the problem was the rapid shift to working from home required by the pandemic, and the resulting increase in enterprise applications and associated APIs.
“What ultimately happened is when everyone went remote we ran into this challenge – we had to enable a lot of integrations that, again, were planned, but immediately,” Simpson notes. “So, what this ultimately turned into is that we went from a small number of APIs to 10x that number of APIs in a very short period.”
Of course, from a risk perspective, such a large increase in APIs led to a significant increase in the potential attack surface.
“The world has drastically evolved,” Simpson observes. “And the attack vectors themselves go alongside how we’re actually integrating, sharing data, and passing data between systems.”
What are the Key Challenges When Keeping APIs Secure?
As we have said, the ‘new world’ of enterprise applications is characterized by a dynamic network of APIs, far more numerous than in the past.
The first stage of managing API risk is quite simply to map your existing APIs. While this may sound simple, Eliyahu notes that according to his company’s analysis it’s common for 40% or more of a company’s APIs to be either undocumented or poorly documented.
“Once you have so many [APIs] – you have hundreds of thousands and they can change weekly or daily depending on where you are in your journey – it just results in a big gap in API visibility,” Eliyahu says.
Another key challenge in the modern API environment is the changing nature of the attacks. In the past, attackers favored one-off attacks targeting the apps themselves. Today, however, attackers are more likely to target the API, looking for vulnerabilities that can be exploited over the long term.
“Any data that typically belongs to one user, an attacker will try to probe and manipulate the business logic to access data of other users and exfiltrate data,” Eliyahu warns.
In fact, Eliyahu goes on to explain that without an overarching system to monitor all of the APIs and how data is being exchanged between them, it may be impossible to detect a breach until it is too late.
“If a solution does not have the full context of what data should be viewed by which users, what data can be modified by which user, and be able to see the bigger picture, not just one API at a time,” Eliyahu concludes, “[a breach may] simply be impossible to detect.”
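The two points above, a per-object authorization gap and the need for a cross-request view to notice it, as an added example that is not code from the article or from Salt Security. The account records, handlers and traffic are all constructed here for illustration.

```python
from collections import defaultdict

# Constructed sample data: account records, each owned by exactly one user.
ACCOUNTS = {
    101: {"owner": "alice", "email": "alice@example.com"},
    102: {"owner": "bob", "email": "bob@example.com"},
    103: {"owner": "carol", "email": "carol@example.com"},
}

class Forbidden(Exception):
    """Raised when an authenticated caller asks for an object that is not theirs."""

def get_account_unchecked(caller, account_id):
    # The gap the article describes: the caller is authenticated, but the handler
    # never asks whether this particular record belongs to them, so changing the
    # id in the request returns another user's data.
    return ACCOUNTS[account_id]

def get_account(caller, account_id):
    # Hardened form: the decision is made against the object's own owner field.
    record = ACCOUNTS[account_id]
    if record["owner"] != caller:
        raise Forbidden(f"{caller} may not read account {account_id}")
    return record

def serve(handler, requests):
    # Run (caller, account_id) requests through a handler and return an access
    # log of (caller, account_id, http_status), the input the detector consumes.
    log = []
    for caller, account_id in requests:
        try:
            handler(caller, account_id)
            log.append((caller, account_id, 200))
        except Forbidden:
            log.append((caller, account_id, 403))
    return log

def cross_owner_readers(log, min_owners=2):
    # The "bigger picture" check: per caller, count distinct other users whose
    # records were read successfully. A single request looks legitimate on its
    # own; only the view across requests shows one caller reading many owners.
    foreign = defaultdict(set)
    for caller, account_id, status in log:
        owner = ACCOUNTS[account_id]["owner"]
        if status == 200 and owner != caller:
            foreign[caller].add(owner)
    return {c: len(o) for c, o in foreign.items() if len(o) >= min_owners}

# Constructed traffic: two legitimate reads, then one caller walking every id.
REQUESTS = [("alice", 101), ("bob", 102),
            ("mallory", 101), ("mallory", 102), ("mallory", 103)]
```

With the unchecked handler the detector flags the third caller as having read three other owners' records; with the ownership check those reads fail and the same log shows nothing to flag.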