Long gone are the days when only software and high-tech companies used application programming interfaces (APIs) for business, writes Stephanie Best, Director of Product Marketing at Salt Security.
Today almost every company, regardless of sector, uses APIs and relies on them for its everyday operations. APIs have become crucial to the digital economy, enabling the fast, seamless services that customers have come to expect from modern businesses. However, as API usage has gathered pace, multiplying the exposure points for organisations’ critical data, API security has also climbed the agenda for business leaders.
In fact, the latest Salt Security State of API Security report shows that nearly half of businesses believe that API security has become a C-level discussion over the past year. API security has clearly become a business issue – not just a security issue. Organisations must meet customer expectations and maintain their competitive advantage, while simultaneously ensuring that they adequately protect the APIs driving these new services. So, how can businesses sufficiently defend the ever-growing API attack surface?
Understand the API attack problem
APIs, by their very nature, are constantly being changed and updated; they are not something that can go unchecked for months on end. And with every update comes the possibility of an unexpected outcome. Yet, as we know, security teams are already overstretched, understaffed and short of budget, so the prospect of continuous monitoring may seem daunting for many.
However, with the C-suite’s eyes turning towards APIs as a business issue, and with findings suggesting that executives are keeping the closest watch in highly regulated industries such as technology, financial services and energy/utilities, it is not an area that can be ignored.
API attackers don’t necessarily need to be especially sophisticated; APIs are very easy to manipulate. APIs are built to pass data, including highly sensitive information, and they are fairly easy to attack. Take, for example, the Experian incident, which allowed unauthorised access to credit scores and other highly sensitive information simply by entering easily obtained personal information. What’s more, many open attack vectors can be found on the dark web.
Moreover, as in almost every other area of cybersecurity, attackers have become smarter. In the case of API protection, traditional tools such as WAFs and API gateways were not built to detect and defend against API attacks. Paired with the rise in attackers, which has exceeded 400% in the last few months, it is no surprise that traditional tools are struggling to keep up.
Traditional tools are one step behind
Web Application Firewalls (WAFs), gateways and log analysis provide some API protection, but they cannot spot or defend against today’s business logic-based API attacks. WAF alerts are known to be relatively ineffective for API security because WAFs use proxy architectures to apply signatures that detect only well-known attacks such as SQL injection (SQLi), cross-site scripting (XSS) and JSON injection; each request is judged on its own, and WAFs cannot stitch that data together. Similarly, API gateways rely on traditional protections such as encryption, authentication, authorisation and rate limiting. Analysing log files is tedious and relies heavily on overworked and overstretched cybersecurity teams, and by the time a problem is found, attackers have usually made off with the data.
The traditional tool stacks that many businesses rely on, like the ones listed above, are not built to look at context over time. One activity in and of itself is not binary: it is neither good nor bad. Blocking chunks of the chain based on a binary good/bad verdict does not do enough to protect data. However, it is not easy for an organisation’s security team to comb through reams of logs to find these patterns. In fact, it is almost impossible, given the complexity introduced by the likes of shadow APIs, which traditional tools don’t even pick up on.
With API security it is important to pay attention to strings of activity that reveal unusual patterns of malicious or potentially harmful behaviour over time. This is why businesses must invest in tools that can capture, monitor and analyse large amounts of traffic over time, both in production and at runtime. Data from Salt Labs shows that up to 78% of attacks come from seemingly legitimate users: attackers who have maliciously obtained proper authentication.
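To make the "context over time" point concrete, here is an added example (not code from the article or from Salt Security) that runs two detection rules over a constructed API access log. The per-request rule, which is all a signature-based tool can do, sees nothing because every request is authenticated and succeeds; the stateful rule stitches each user's requests together and flags a user who reads an unusual number of distinct account records within a short window. The log format, path layout, window and threshold are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log: "<ISO timestamp> <authenticated user> <method> <path> <status>".
# Every request is authenticated and returns 200, so a per-request check sees nothing wrong.
SAMPLE_LOG = """\
2024-05-01T10:00:00 alice GET /api/accounts/1001/credit-score 200
2024-05-01T10:00:05 alice GET /api/accounts/1001/profile 200
2024-05-01T10:00:10 bob GET /api/accounts/2001/credit-score 200
2024-05-01T10:00:11 bob GET /api/accounts/2002/credit-score 200
2024-05-01T10:00:12 bob GET /api/accounts/2003/credit-score 200
2024-05-01T10:00:13 bob GET /api/accounts/2004/credit-score 200
2024-05-01T10:00:14 bob GET /api/accounts/2005/credit-score 200
2024-05-01T10:01:00 carol GET /api/accounts/3001/credit-score 200
2024-05-01T10:20:00 carol GET /api/accounts/3002/credit-score 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
OBJECT_RE = re.compile(r"^/api/accounts/(\d+)/")  # assumed path layout: the account id is the object

def parse_log(text):
    """Parse the constructed log lines into dicts; skip lines that do not match the format."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, user, method, path, status = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "method": method, "path": path, "status": int(status)})
    return events

def per_request_alerts(events):
    """Stateless rule of the WAF kind: each request judged on its own (here: error statuses only)."""
    return [e for e in events if e["status"] in (401, 403)]

def enumeration_alerts(events, window=timedelta(minutes=5), max_objects=4):
    """Stateful rule: flag a user who reads more than max_objects distinct account ids within
    any rolling window. Returns {user: distinct ids seen in that user's worst window}."""
    per_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        m = OBJECT_RE.match(e["path"])
        if m:
            per_user[e["user"]].append((e["ts"], m.group(1)))
    flagged = {}
    for user, hits in per_user.items():
        for i, (start, _) in enumerate(hits):
            ids = {oid for ts, oid in hits[i:] if ts - start <= window}
            if len(ids) > max_objects:
                flagged[user] = max(len(ids), flagged.get(user, 0))
    return flagged
```

Carol also reads two different accounts, but twenty minutes apart, so the window keeps her below the threshold; the same threshold applied without the window would turn her into the kind of false positive that blocks legitimate traffic.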
Approaching API security
Fortunately, as the C-suite has started to take notice of the importance of API security, many organisations have placed API security front and centre in their security plans. The biggest causes of concern for businesses include APIs that expose PII or sensitive data, being able to stop attacks, and being able to meet compliance or regulatory requirements.
Businesses that want to implement a strong API security strategy should start by understanding what APIs they have in their environment. Many organisations simply don’t realise how many APIs they are already working with. For security teams, documentation is hard to keep up with, especially when APIs are constantly updating and changing. Most companies have API activity in their network that they don’t even know about. The first step is ensuring you have an accurate inventory of all of the APIs in your infrastructure.
After understanding the organisation’s API landscape, teams can look at which APIs are being actively attacked. This phase is regarded as threat prevention. As attackers carry out their attacks against APIs over time, having visibility of strings of activity is crucial. As mentioned earlier, there is no way to make an informed decision about what is good or bad without looking at the bigger picture. Patterns of activity need to be demonstrated to avoid legitimate traffic being blocked, which would disrupt the customer experience and cause frustration.
It is hard to anticipate the future of APIs, so it is important to run pre-production security testing alongside drift analysis. By cross-referencing what differs from the existing documentation and what differs from expected behaviour, organisations can protect themselves against threats before they become a problem. Better still, take the lessons learned from actual attack activity and use them to harden the APIs being attacked, essentially turning attackers into pen testers.
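The inventory and drift-analysis steps above can be expressed as one cross-reference between what is documented and what is actually observed. The following added example (not code from the article or from Salt Security) compares a constructed, OpenAPI-style inventory of documented operations and their declared response fields against a constructed sample of observed traffic, and reports shadow endpoints (observed but undocumented), zombie endpoints (documented but never seen), field drift (documented endpoints returning fields the documentation does not declare) and sensitive fields in flight. The inventory shape, the path templating rule and the list of sensitive field names are assumptions for the example.

```python
import re

# Constructed documented inventory: "<METHOD> <path template>" mapped to the response fields
# each operation is declared to return (an assumed simplification of an OpenAPI spec).
DOCUMENTED = {
    "GET /api/accounts/{id}/profile": {"id", "name", "email"},
    "GET /api/accounts/{id}/credit-score": {"id", "score"},
    "POST /api/accounts/{id}/export": {"job_id"},
}

# Constructed observed traffic: (method, concrete path, response fields actually returned).
OBSERVED = [
    ("GET", "/api/accounts/1001/profile", {"id", "name", "email"}),
    ("GET", "/api/accounts/1001/credit-score", {"id", "score", "ssn"}),
    ("GET", "/api/v1/accounts/1001/profile", {"id", "name", "email", "dob"}),
    ("GET", "/internal/debug/users", {"id", "email", "password_hash"}),
]

# Assumed list of field names that count as sensitive for this example.
SENSITIVE = {"ssn", "dob", "password_hash"}

def template_for(path):
    """Collapse purely numeric path segments into {id} so concrete paths match the inventory."""
    return re.sub(r"/\d+(?=/|$)", "/{id}", path)

def drift_report(documented, observed):
    """Cross-reference observed traffic against the documented inventory."""
    seen = {}
    for method, path, fields in observed:
        key = f"{method} {template_for(path)}"
        seen.setdefault(key, set()).update(fields)
    shadow = sorted(k for k in seen if k not in documented)      # observed, not documented
    zombie = sorted(k for k in documented if k not in seen)      # documented, never observed
    drift = {k: sorted(seen[k] - documented[k])                  # undeclared response fields
             for k in seen if k in documented and seen[k] - documented[k]}
    sensitive = {k: sorted(f & SENSITIVE) for k, f in seen.items() if f & SENSITIVE}
    return {"shadow": shadow, "zombie": zombie, "drift": drift, "sensitive": sensitive}
```

Run against real traffic, the "drift" and "sensitive" sections are the ones to review first, since a documented endpoint that has started returning an undeclared sensitive field is exactly the kind of change that an update introduces without anyone noticing.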
API security as an ongoing battle
API security must be viewed as an ongoing programme, not a one-time exercise. The lifecycle of an API is lengthy, and there will always be new activity and updates that could expose it to manipulation or threat activity. As such, the APIs in an environment need to be watched constantly, monitored for which sensitive data they pass, and protected before problems arise. As customers demand more data and digital capabilities from businesses, and as businesses modernise their own operations, API security has bubbled to the surface among decision makers. With the right API visibility and security, customers and businesses alike remain protected and operational.