More than a few of us have heard of application programming interfaces (APIs) before but might lack the context to define what they are. Let’s rectify that now. In the words of IBM, an API is “a set of defined rules that explain how computers or applications communicate with one another.” The benefit of using APIs is that they enable organizations to have their products and services communicate with those of third-party developers, business partners, and other entities. This means of communication has revolutionized the way modern web applications function today.
It’s therefore no wonder that organizations value APIs as highly as they do. Per GlobeNewswire, 55% of API industry experts and enthusiasts said that API integration is “critical” to their business strategy. (Nearly three in 10 respondents said API integration was “somewhat critical.”) What’s more, 60% of survey participants articulated their belief that API integration will significantly affect customer upgrades and/or renewals in the coming years.
Keeping API Security in Mind
In their enthusiasm, however, organizations must not overlook the security of their APIs. Here are four things they specifically need to keep in mind.
1. API Security Incidents and Attacks Are on the Rise
According to Security Magazine, 91% of organizations suffered a security problem involving their production APIs in 2020. Vulnerabilities accounted for most of those security incidents at 54%. They were followed by authentication issues, bot/scraping, and denial-of-service attacks at 46%, 20%, and 19%, respectively. The number of API attacks also increased for organizations in the second half of 2020, growing from 50 attacks per month in June to 80 by December.
Things didn’t get easier for organizations in the first half of 2021. On the contrary, API attack traffic rose by 348% in that period. That’s double the growth rate of overall API traffic in those six months, as reported by BetaNews.
2. Certain Vulnerabilities Pose More of a Threat to APIs than Others
“Vulnerabilities” is a catch-all term for an array of weaknesses that undermine organizations’ API security. Some are more prevalent than others depending on the year. In its Top 10 Web Application Security Risks for 2021, for instance, the Open Web Application Security Project (OWASP) named “Broken Access Control” as the top threat. This vulnerability covers instances where attackers exploit authentication flaws to gain unauthorized access to sensitive data, view files, or change access rights.
Broken Access Control leads into another vulnerability, “Sensitive Data Exposure.” The weakness consists of instances where attackers compromise credentials, Social Security Numbers, medical data, and other personally identifiable information (PII).
3. Many Organizations Lack a Mature Strategy for Addressing These Risks
The reality is that many organizations don’t have a mature security strategy for dealing with vulnerabilities like Broken Access Control and the security incidents they cause. Indeed, ChannelVision shared a report in which nearly half of organizations admitted to using a web application firewall or API gateway to identify potential API attackers. An additional 12% admitted that they had “no way” of identifying an attack. All told, just 39% of organizations said that they had more than just a “basic” security strategy for their API program.
4. Organizations Can Do Certain Things to Minimize API Security Risks
In the report cited by ChannelVision, a lack of resources and personnel was the most common excuse organizations gave for not having a mature API security strategy, at 30%. But free resources are available that help organizations minimize the security risks discussed above. These include the Salt Security API Security Checklist.
Here’s what the resource recommends when it comes to addressing Broken Access Control:
When considering API security best practices for authentication and authorization, remember that you must account for both user and machine identities. Externalize your access controls and identity stores wherever possible, which includes mediation mechanisms like API gateways, user and machine identity stores, IAM solutions, key management services, public key infrastructure, and secrets management.
As for Sensitive Data Exposure, the Checklist emphasizes the importance of using data encryption selectively, avoiding sending too much data to clients, and adjusting for threats where encryption is not a mitigation.
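The two recommendations above can be seen together in one endpoint. The sketch below is an added example, not code from the Checklist or from Salt Security: the record store, the role names, and the is_allowed policy function (a stand-in for a decision made by an external gateway or IAM service) are all assumptions made for illustration.

```python
# Constructed sample data: one record holding more fields than any client needs.
RECORDS = {
    "r1": {"id": "r1", "owner": "alice", "name": "Alice A.",
           "ssn": "000-00-0000", "diagnosis": "constructed",
           "appointment": "2021-10-22"},
}

# Per-role allowlist of the fields that may leave the API (hypothetical roles).
VISIBLE_FIELDS = {
    "patient": {"id", "name", "appointment", "diagnosis"},
    "scheduler": {"id", "name", "appointment"},
}


class Forbidden(Exception):
    """Raised for both unknown and unauthorized records, so the two look alike."""


def is_allowed(caller, record):
    # Hypothetical stand-in for an externalized policy decision (gateway/IAM).
    # It covers a user identity ("patient") and a machine identity ("scheduler").
    if caller["role"] == "scheduler":
        return True
    return caller["role"] == "patient" and caller["sub"] == record["owner"]


def get_record_weak(caller, record_id):
    # Weak form: trusts the identifier in the request and returns the whole
    # object, leaving it to the client to hide what it should not show.
    return RECORDS[record_id]


def get_record(caller, record_id):
    # Hardened form: authorize against the object itself, then serialize
    # through the caller's allowlist so unneeded fields never leave the server.
    record = RECORDS.get(record_id)
    if record is None or not is_allowed(caller, record):
        raise Forbidden(record_id)
    allowed = VISIBLE_FIELDS.get(caller["role"], set())
    return {key: value for key, value in record.items() if key in allowed}
```

An allowlist fails closed: a field added to the record later stays hidden until someone deliberately exposes it, which a denylist would not guarantee.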
Where This Leaves Organizations
Organizations can’t expect their API security concerns to go away anytime soon, as the number of APIs is predicted to increase over the coming years. So too is API management. For example, Business Wire noted that the global API management market is expected to grow at a compounded growth of 33.2% from now until 2025, when it will reach $6.8 billion.
This forecast reinforces the need for organizations to act now and take seriously the security of their APIs. They can then use their more advanced security strategies to protect the growing number of APIs they’ll be managing a few years from now.
- 4 Things to Know About API Security - October 22, 2021