API security covers all the practices and measures taken to identify vulnerabilities in Application Programming Interfaces (APIs) and protect them from malicious attacks. APIs are critical to enabling software applications to share data, so they are widespread. And that makes them an appealing target for threat actors.
New research by Salt Labs found that 95% of the organisations surveyed have experienced security problems in production APIs, and 23% have experienced a breach. Two thirds of organisations are managing more than 100 APIs across their networks, and API threats are on the rise – but only 7.5% of organisations describe their API security programs as ‘advanced’.
What are the key components of API security?
API security isn’t just one thing – it’s every aspect that contributes to the overall security posture of Application Programming Interfaces (and by extension, everything else that those interfaces interact with).
This includes:
Authentication and authorisation to ensure that API requests are legitimate.
Data encryption (including data in transit, and data at rest) to protect data from access by unauthorised parties.
Rate limiting and throttling to control the number of API requests a client can make in a given timeframe.
Input validation to ensure that data is legitimate and sanitised.
API gateways to centralise and enforce these controls at the API entry points, rather than relying on each service to implement them.
Monitoring and logging of API activity in order to detect and respond to suspicious behaviour.
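To make three of these components concrete, here is an added example (not code from the original article or from Salt Labs) of a request-handling path that throttles per client with a token bucket, validates the JSON body against an allow-list schema, and logs every rejection with the client identity. The endpoint name, schema fields, limits and sample requests are all assumptions constructed for illustration.

```python
import json
import logging
import re
import time
from typing import Callable, Dict, Optional, Tuple

log = logging.getLogger("api")
logging.basicConfig(level=logging.INFO, format="%(message)s")


class TokenBucket:
    """Per-client token bucket: refill `rate` tokens/second up to `burst`.
    The clock is injectable so the behaviour can be tested without sleeping."""

    def __init__(self, rate: float, burst: int, clock: Callable[[], float] = time.monotonic):
        self.rate, self.burst, self.clock = rate, burst, clock
        self._state: Dict[str, Tuple[float, float]] = {}  # client -> (tokens, last_seen)

    def allow(self, client: str) -> bool:
        now = self.clock()
        tokens, last = self._state.get(client, (float(self.burst), now))
        tokens = min(float(self.burst), tokens + (now - last) * self.rate)
        allowed = tokens >= 1.0
        self._state[client] = (tokens - 1.0 if allowed else tokens, now)
        return allowed


# Allow-list schema (assumed fields): name -> (exact type, predicate).
# Unknown fields are rejected, which also closes the mass-assignment hole of
# accepting whatever the client posts.
EMAIL_RE = re.compile(r"^[^@\s]{1,64}@[^@\s]{1,255}$")
SCHEMA = {
    "email": (str, lambda v: bool(EMAIL_RE.match(v))),
    "display_name": (str, lambda v: 1 <= len(v) <= 40 and v.isprintable()),
    "age": (int, lambda v: 0 <= v <= 150),
}
MAX_BODY = 4096  # assumed limit; reject oversized bodies before parsing them


def validate(raw: bytes) -> Tuple[Optional[dict], Optional[str]]:
    """Return (clean_dict, None) on success or (None, error_message) on rejection."""
    if len(raw) > MAX_BODY:
        return None, "body too large"
    try:
        data = json.loads(raw)
    except ValueError:
        return None, "malformed JSON"
    if not isinstance(data, dict):
        return None, "expected JSON object"
    unknown = set(data) - set(SCHEMA)
    if unknown:
        return None, f"unknown fields: {sorted(unknown)}"
    clean = {}
    for name, (typ, ok) in SCHEMA.items():
        if name not in data:
            return None, f"missing field: {name}"
        val = data[name]
        # bool is a subclass of int in Python, so check the exact type rather
        # than isinstance(); otherwise `true` would pass as a valid age.
        if type(val) is not typ or not ok(val):
            return None, f"invalid value for {name}"
        clean[name] = val
    return clean, None


def handle_update_profile(client: str, raw: bytes, bucket: TokenBucket) -> Tuple[int, str]:
    """Throttle first, then validate, then act. Each rejection is logged with
    the client identity so a burst of 429s or 400s from one client stands out."""
    if not bucket.allow(client):
        log.warning("client=%s status=429 reason=rate_limited", client)
        return 429, "too many requests"
    clean, err = validate(raw)
    if err:
        log.warning("client=%s status=400 reason=%s", client, err)
        return 400, err
    log.info("client=%s status=200 fields=%s", client, sorted(clean))
    return 200, "ok"


if __name__ == "__main__":
    bucket = TokenBucket(rate=1.0, burst=2)
    good = b'{"email":"ann@example.org","display_name":"Ann","age":30}'  # constructed request
    for body in (good, good, good, b'{"email":"ann@example.org","display_name":"Ann","age":30,"role":"admin"}'):
        print(handle_update_profile("client-1", body, bucket))
```

The ordering matters: throttling runs before parsing so an attacker cannot burn CPU with a flood of large, malformed bodies, and the schema is an allow-list rather than a deny-list so fields the endpoint never expected (such as a `role` field) are refused outright.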
APIs are inextricable from the functionality of most digital services today. They carry sensitive data from one place to another and let different pieces of software interact with one another. So when an API is compromised, the result can be a significant data breach, exposing information that causes severe damage to the data provider.
Threat actors leverage diverse tactics to breach APIs
The Salt Labs report found that API security incidents more than doubled year on year. And attackers are leveraging a diverse range of tactics – with many bypassing authentication protocols completely (61%, in fact).
So authentication protocols alone are not enough to protect against API attacks. Threat actors get past them by exploiting weaknesses elsewhere (including Broken Object Level Authorisation, OAuth misconfigurations, and insecure API endpoints) to gain unauthorised access: the caller may be authenticated, but the API never checks whether that caller is allowed to touch the specific object it asked for.
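The following is an added example (not code from the original article or from Salt Labs) showing why authentication alone does not stop these attacks. Both handlers check a bearer token; the first then returns whichever invoice id the caller asks for, which is Broken Object Level Authorisation. The hardened version also checks the caller's scope and that the invoice belongs to the caller. The token table, invoice store, scope name and ids are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Callable, FrozenSet, Optional, Set, Tuple


@dataclass(frozen=True)
class Principal:
    user_id: str
    scopes: FrozenSet[str]


# Constructed sample data store: invoice id -> (owner user id, payload).
INVOICES = {
    "inv-1001": ("alice", {"total": 120.00}),
    "inv-1002": ("bob", {"total": 99.50}),
}

# Constructed token table standing in for a real bearer-token or JWT check.
TOKENS = {
    "tok-alice": Principal("alice", frozenset({"invoices:read"})),
    "tok-bob": Principal("bob", frozenset({"invoices:read"})),
}


def authenticate(auth_header: Optional[str]) -> Optional[Principal]:
    """Resolve an Authorization header to a principal, or None if invalid."""
    if not auth_header or not auth_header.startswith("Bearer "):
        return None
    return TOKENS.get(auth_header[len("Bearer "):])


def get_invoice_vulnerable(auth_header: Optional[str], invoice_id: str) -> Tuple[int, Optional[dict]]:
    """Authenticates the caller, then returns whatever id was requested.
    Any valid token can read any invoice: the authentication protocol is
    intact, yet the attacker gets the data simply by changing the id."""
    if authenticate(auth_header) is None:
        return 401, None
    rec = INVOICES.get(invoice_id)
    return (404, None) if rec is None else (200, rec[1])


def get_invoice_hardened(auth_header: Optional[str], invoice_id: str) -> Tuple[int, Optional[dict]]:
    """Authenticate, then authorise the (principal, object) pair."""
    principal = authenticate(auth_header)
    if principal is None:
        return 401, None
    if "invoices:read" not in principal.scopes:
        return 403, None
    rec = INVOICES.get(invoice_id)
    # Return 404 for both "does not exist" and "not yours", so the response
    # does not tell an enumerating attacker which ids are real.
    if rec is None or rec[0] != principal.user_id:
        return 404, None
    return 200, rec[1]


def readable_ids(auth_header: Optional[str], handler: Callable) -> Set[str]:
    """Walk every invoice id with one token: the attacker's enumeration loop."""
    return {iid for iid in INVOICES if handler(auth_header, iid)[0] == 200}


if __name__ == "__main__":
    print("vulnerable, bob's token:", readable_ids("Bearer tok-bob", get_invoice_vulnerable))
    print("hardened,   bob's token:", readable_ids("Bearer tok-bob", get_invoice_hardened))
```

Running it shows bob's valid token reading both invoices through the vulnerable handler and only his own through the hardened one; the token check never failed in either case, which is why "bypassing authentication" is not the same as breaking the authentication protocol.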
Surprisingly, 13% of attack attempts explicitly target internal APIs; so security has to be comprehensive, and not limited to public-facing APIs.
It’s also worth noting that 80% of API attack attempts leverage one or more of the OWASP API Top 10 methods. But in spite of this, only 58% of Salt Labs’ survey respondents focus on this list in order to strengthen API security. It’s a valuable resource for security professionals, detailing the vulnerabilities that attackers are most likely to exploit. Attackers are evidently targeting the weaknesses the list describes, so security teams have to match that awareness and protect against those vulnerabilities.
Organisations must invest in API security
The API threat landscape will continue to grow, and organisations that don’t step up and invest in robust protection are putting their networks at risk. Now is the time to put API security measures at the top of your priority list – to protect sensitive data (and the future of your business) in today’s fast-paced digital ecosystem.
P.S. - Mark your calendars for the return of Black Hat MEA in November 2024. Want to be a part of the action? Register now!