Organizations are seeing a rise in cybersecurity attacks against application programming interfaces (APIs), the mechanisms that allow software components to communicate and exchange data with each other using a set of rules and protocols. The question is, are they prepared to defend against these assaults?
A November 2024 report by cloud provider Akamai Technologies, based on a survey of more than 1,200 IT and cybersecurity leaders in the U.S., U.K., and Germany, found that 84% said their organizations had experienced an API security incident in the past 12 months. Only 27% of respondents knew which APIs return the sensitive data that attackers seek.
The research shows that while API attacks are rising, visibility into API risks that open doors for attackers is declining. The average cost to remediate API incidents was $591,400 in the U.S. In sectors such as financial services, the average was $832,800.
As the foundation of modern software development, APIs facilitate inter-application communication and fuel digital transformation, research firm International Data Corp. said in a report, and this critical role has broadened the attack surface, making APIs a prime target for cybercriminals. In addition, the explosion of intelligent, artificial intelligence-infused applications only increases the use of APIs, introducing new threats, IDC said.
“There are many paths for threat actors to derive value from API exploits, whether that’s working their way through side channels for deeper system access, or simply freeloading off the services to which the keys grant access,” said Josh Koenig, chief strategy officer at managed hosting provider Pantheon. “As more APIs are put to use, this is a class of vulnerability that is increasing and will likely only pick up pace in the years to come.”
Hard-coded API credentials and cybercriminals
One of the biggest API vulnerabilities comes from trying to manage the total surface area, Koenig said. “With the proliferation of APIs, it’s easy for companies to lose track, much like how many struggle to keep track of their web portfolios,” he said.
As a result, companies fail to protect APIs properly and end up with security vulnerabilities.
One of the biggest risks is the potential for accidental leakage of credentials. “It’s extremely common for developers to hard-code API credentials into code, and that makes the credentials much more vulnerable to being accidentally disclosed,” Koenig said. “Once a threat actor has a valid API key, they can start doing damage rapidly.”
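As an added illustration of the hard-coding risk Koenig describes (this code is not from the article, from Pantheon or from Akamai), a constructed vulnerable snippet sits next to a hardened one that reads the key from the environment, followed by the kind of check a pre-commit hook would run over source files. The variable names, the `sk_live_` key prefix and the `PAYMENTS_API_KEY` environment variable are made up for the example.

```python
import re

# Constructed sample source (not from any real project) showing the
# anti-pattern: an API key literal committed alongside the code.
VULNERABLE_SOURCE = '''
import requests
API_KEY = "sk_live_EXAMPLEKEY0000000000000000"   # hard-coded credential
def fetch(url):
    return requests.get(url, headers={"Authorization": f"Bearer {API_KEY}"})
'''

# Hardened equivalent: the credential is injected at runtime (environment
# variable here; a secrets manager works the same way) and never lives in
# the source tree, so it cannot leak through the repository.
HARDENED_SOURCE = '''
import os, requests
API_KEY = os.environ["PAYMENTS_API_KEY"]
def fetch(url):
    return requests.get(url, headers={"Authorization": f"Bearer {API_KEY}"})
'''

# Patterns a pre-commit check might apply: a quoted literal assigned to a
# credential-looking variable, or a key-like prefix. The prefix list is a
# constructed placeholder; real scanners carry many vendor-specific prefixes.
CREDENTIAL_PATTERNS = [
    re.compile(r'(?i)\b(api[_-]?key|secret|token|password)\b\s*[:=]\s*["\'][^"\']{8,}["\']'),
    re.compile(r'\bsk_live_[A-Za-z0-9]{8,}'),
]


def find_hardcoded_credentials(source):
    """Return (line_number, matched_text) for each line that looks like a literal credential."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for pattern in CREDENTIAL_PATTERNS:
            match = pattern.search(line)
            if match:
                hits.append((lineno, match.group(0)))
                break  # one finding per line is enough to block the commit
    return hits


if __name__ == "__main__":
    print("vulnerable:", find_hardcoded_credentials(VULNERABLE_SOURCE))
    print("hardened:  ", find_hardcoded_credentials(HARDENED_SOURCE))
```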
And cybercriminals know about API weaknesses and are taking advantage.
“APIs serve as vital conduits for data exchange and functionality execution between applications and services, making their widespread usage an enticing target for malicious actors,” said Jim Mercer, program vice president at IDC.
“The sheer volume and diversity of APIs in use and the complexity of modern software ecosystems create numerous entry points for exploitation,” Mercer said.
As companies increasingly rely on APIs to facilitate seamless integration and connectivity, ensuring strong security measures becomes paramount to safeguarding sensitive data and preserving the integrity of a digital infrastructure, Mercer said.
“Yet most organizations are hard-pressed to locate all the APIs in use and manage their security exposure,” Mercer said. “It is essential to maintain an accurate API inventory with context-based threat details. Detecting API endpoints across the active application landscape provides a comprehensive view that static scans may overlook.”
By proactively identifying unexpected changes in the API inventory, businesses can preempt the emergence of shadow or vulnerable APIs, enhancing overall security posture, Mercer said. “This can be done by establishing a [normal] baseline of API behavior and comparing it against actual activity to uncover potential security vulnerabilities,” he said.
Having good visibility of APIs is a key to securing them. “Whether it’s the APIs you run or services you integrate, having full visibility across your digital ecosystem is more than half the battle,” Koenig said. “Network management tools can help with this at a very large scale, but a surprising amount of value can be had by having teams do a simple exercise to list out the APIs that are part of their work.”
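To make concrete the baseline-versus-actual comparison Mercer describes and the simple inventory exercise Koenig recommends, here is an added example (not from the article, IDC or Pantheon) that checks constructed access-log lines against a constructed API inventory and reports shadow endpoints, call counts for known endpoints, and which endpoints flagged as returning sensitive data were hit. The inventory entries, paths and log lines are all made up.

```python
import re
from collections import Counter

# Constructed baseline inventory: (method, path pattern) for each documented
# endpoint, with a flag marking the ones that return sensitive data. Knowing
# that flag is exactly the visibility the survey found most organizations lack.
INVENTORY = {
    ("GET", r"^/v1/accounts/\d+$"):    {"sensitive": True},
    ("GET", r"^/v1/products(\?.*)?$"): {"sensitive": False},
    ("POST", r"^/v1/orders$"):         {"sensitive": False},
}

# Constructed access-log lines in common log format; not from any real system.
ACCESS_LOG = """\
10.0.0.5 - - [01/Dec/2024:10:00:01 +0000] "GET /v1/accounts/42 HTTP/1.1" 200 812
10.0.0.7 - - [01/Dec/2024:10:00:02 +0000] "GET /v1/products?page=2 HTTP/1.1" 200 4301
10.0.0.9 - - [01/Dec/2024:10:00:03 +0000] "GET /v1/accounts/42/export HTTP/1.1" 200 95012
10.0.0.9 - - [01/Dec/2024:10:00:04 +0000] "DELETE /v1/orders/17 HTTP/1.1" 204 0
10.0.0.5 - - [01/Dec/2024:10:00:05 +0000] "POST /v1/orders HTTP/1.1" 201 120
10.0.0.9 - - [01/Dec/2024:10:00:06 +0000] "GET /internal/debug/config HTTP/1.1" 200 2210
"""

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\d+)')


def classify_requests(log_text, inventory=INVENTORY):
    """Compare observed traffic with the baseline inventory.

    Returns three views: shadow endpoints (observed but not inventoried),
    call counts per known endpoint, and hits on sensitive known endpoints."""
    shadow, known, sensitive_hits = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        match = LOG_RE.search(line)
        if not match:
            continue  # not a request line we understand; skip it
        method, path = match.group("method"), match.group("path")
        for (inv_method, pattern), meta in inventory.items():
            if method == inv_method and re.match(pattern, path):
                known[(method, pattern)] += 1
                if meta["sensitive"]:
                    sensitive_hits[(method, pattern)] += 1
                break
        else:  # no inventory entry matched: this is a shadow endpoint
            shadow[(method, path)] += 1
    return {"shadow": dict(shadow), "known": dict(known), "sensitive": dict(sensitive_hits)}


if __name__ == "__main__":
    for view, counts in classify_requests(ACCESS_LOG).items():
        print(view, counts)
```

Run against real logs, the "shadow" view is the list to reconcile with the team's inventory: each entry is either an undocumented endpoint to add or traffic that should not exist.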
Another good practice is to implement a gateway, Koenig said. “For the same reasons that it’s considered best practice to put your websites behind a web application firewall, an API gateway is a must-have for any organization operating APIs as part of their service offering,” he said. In addition to security capabilities that deter bad actors, most gateway products help with common operational pain points, such as curtailing excessive API use by well-intentioned but over-eager managers.
Mercer advises that companies take a layered approach to API security that includes API design, testing, inventory, gateways, and advanced runtime protections. APIs need to be secured across the software development lifecycle, he said.
Training staff is an important step. “Increase awareness of API security within your organization that includes developer and security team training, to get them working together as a team to secure your APIs,” Mercer said.