Rising API-related threats call for responsive application security

The importance of securing APIs cannot be overstated

In early 2023, Twitter was hit by a data breach

By Parag Khurana

A report highlighted that nearly 83% of web traffic is API traffic, reflecting the widespread use of APIs across various sectors. Today, many applications rely on APIs, or Application Programming Interfaces, which are sets of rules and protocols that enable different software applications to communicate with each other. However, their proliferation has also opened a Pandora's box of security vulnerabilities that need urgent addressing.

The importance of securing APIs cannot be overstated, especially in the increasingly interconnected digital world. In fact, industry respondents agreed that API security is now a C-Level discussion. Regulations such as GDPR in Europe have provisions specifically addressing API-related concerns. Compliance with these standards isn’t just about avoiding penalties; it’s about building trust with consumers and stakeholders. This shift necessitates a responsive and proactive approach to API security.

Understanding the nuances of APIs

APIs come in many forms. The first category includes all the known APIs. They may not be totally secure yet, but they will be managed and to some extent protected. And because you know where they are, you can inspect and secure them with security measures that include web application firewalls, Zero Trust access, and more.

The second category comprises all the Shadow APIs – APIs that you don’t know about because you may not be aware that the applications that they feature in form part of your IT infrastructure. 

The most high-risk are the so-called Zombie or Legacy APIs. These can be found in older, dormant, or deprecated applications. These APIs were likely activated when the application was first deployed, and then never shut down or properly protected. Insecure or inadequate authentication measures can be easily leveraged by attackers to send commands to the application and exfiltrate data.

The threat landscape of API vulnerabilities

The rising number of APIs and their direct access to high value data makes them a prime target for attackers – and this risk will only increase as more API-based applications appear. Our own research found that just under two-thirds (63%) of IT professionals have security concerns when implementing APIs, and 44% worry they don’t know where all the APIs are deployed or used.

Here are a few highly publicised incidents that took the API landscape by storm: 

  • X (formerly Twitter): In early 2023, Twitter was hit by a data breach, with hackers threatening to release 235 million user records after exploiting a zero-day API vulnerability. The incident left users, including celebrities and activists, vulnerable to hacking, phishing, and doxing.
  • Microsoft: In July 2023, Microsoft revealed that a validation error allowed malicious actor Storm-0558 to forge Azure AD tokens, breaching 25 organisations, including government entities, for unauthorised email access.
  • Meta (formerly Facebook): In 2018, it announced a significant data breach, affecting over 50 million accounts. This vulnerability allowed attackers to steal access tokens and potentially take over other accounts, adding to the Cambridge Analytica scandal, where Facebook’s APIs were misused to collect data from over 80 million users.

Building a robust defence

Security must be a core aspect of the development process and not merely an addition at the later stages. Implementing security measures from the beginning of the design phase ensures that vulnerabilities are identified and mitigated early, reducing the likelihood of costly breaches.

The critical step in securing API-based applications is visibility. A traffic-inspection approach based on a web application firewall is recommended. A web application security solution that includes machine-learning-powered API discovery is ideal for locating and securing undocumented Zombie and Shadow APIs. Continuous monitoring, leveraging artificial intelligence, can detect anomalies faster and more accurately, facilitating immediate response.
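The visibility step above, and the known/Shadow/Zombie categories from the earlier section, can be made concrete by comparing what the access logs actually show against a documented endpoint inventory. The following Python script is an added illustration, not code from the article or from Barracuda Networks: the inventory, the log format (method, path, HTTP status, whether an authentication header was present) and all log lines are constructed for the example. It collapses numeric path segments into a template so that many calls to one route are counted together, then labels each observed endpoint as known (documented and active), zombie (documented as deprecated but still answering) or shadow (absent from the inventory altogether), and counts unauthenticated calls to each.

```python
"""Classify API endpoints seen in access logs as known, shadow or zombie.

Added example; inventory and log lines are constructed, not real data.
"""
import re
from collections import defaultdict

# Constructed inventory of documented endpoints. In practice this would be
# exported from an OpenAPI spec or an API gateway; "deprecated" marks routes
# that the documentation says were retired.
INVENTORY = {
    "GET /v2/users/{id}": "active",
    "POST /v2/orders": "active",
    "GET /v1/users/{id}/export": "deprecated",  # retired on paper, never shut down
}

# Constructed access-log lines: METHOD PATH STATUS auth|noauth
SAMPLE_LOG = """\
GET /v2/users/1042 200 auth
GET /v2/users/77 200 auth
POST /v2/orders 201 auth
GET /v1/users/1042/export 200 noauth
GET /v1/users/55/export 200 noauth
GET /internal/debug/config 200 noauth
GET /v2/users/1042 200 auth
"""

LOG_RE = re.compile(
    r"^(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) (?P<auth>auth|noauth)$"
)
# A path segment made only of digits, e.g. /1042, either at the end or before another "/".
ID_RE = re.compile(r"/\d+(?=/|$)")


def normalise(path: str) -> str:
    """Drop the query string and collapse numeric segments into {id}, so that
    /v2/users/1042 and /v2/users/77 count as one endpoint template."""
    path = path.split("?", 1)[0]
    return ID_RE.sub("/{id}", path)


def classify_endpoints(log_text: str, inventory: dict) -> dict:
    """Return {"METHOD /template": {"category", "calls", "unauthenticated"}}."""
    stats = defaultdict(lambda: {"calls": 0, "unauthenticated": 0})
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not fit the constructed format
        key = f"{m['method']} {normalise(m['path'])}"
        stats[key]["calls"] += 1
        if m["auth"] == "noauth":
            stats[key]["unauthenticated"] += 1

    findings = {}
    for key, counts in stats.items():
        status = inventory.get(key)
        if status is None:
            category = "shadow"      # traffic to a route nobody documented
        elif status == "deprecated":
            category = "zombie"      # documented as retired, still answering
        else:
            category = "known"
        findings[key] = {"category": category, **counts}
    return findings


def high_risk(findings: dict) -> list:
    """Endpoints that need immediate attention: undocumented or deprecated
    routes that are still receiving traffic."""
    return sorted(k for k, f in findings.items() if f["category"] in ("shadow", "zombie"))


if __name__ == "__main__":
    results = classify_endpoints(SAMPLE_LOG, INVENTORY)
    for key, f in sorted(results.items()):
        print(f"{f['category']:<7} {f['calls']:>3} calls {f['unauthenticated']:>3} unauth  {key}")
    print("high risk:", high_risk(results))
```

Run against a real log export, the same logic flags the two cases the article warns about: a deprecated export route still serving unauthenticated requests, and an internal debug route that never appeared in any documentation. Both are candidates for shutting down or putting behind the same access controls as the known endpoints.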

Setting robust access controls for API-based applications to restrict API access to authorized users is necessary. And last, but not least, wherever possible, integrate security tools into the application software development cycle as early as possible.

The rising API-related threats are more than a technological concern. To safeguard this ecosystem, it’s recommended to implement rigorous API security protocols and consider utilizing automated threat detection systems. Continuous monitoring, regular updates, and user education are also essential elements in building a robust defense against these threats.

Ensuring API security today is investing in a safer, more reliable digital future. For deeper insight into the cyberthreats facing applications and how to defend against them, freely available guides can be consulted.

The author is country manager, Barracuda Networks (India) Pvt Ltd



This article was first uploaded on 27 August 2023 at 12:20 am.
