Securing APIs While Navigating Today’s Booming API Economy
Executive summary
- Application programming interfaces (APIs) help exchange critical data and connect different systems; they enable businesses to access data, functionality, and services from other companies, platforms, or devices.
- In the past decade, the number and complexity of APIs have significantly increased. They are now more scalable, monetizable, and widespread.
- The API economy has boomed because of the quick and easy access to application data in a modular manner. This access has empowered developers to create new apps that use this data, while the data providers reap commercial benefits from their APIs.
- Securing APIs is the biggest challenge in today’s changing threat landscape. Strategically leveraging APIs — and keeping them safe — is not just a trend but a powerful tool for success.
Overview
An API is similar to a server at a restaurant. The server is versatile, listening to your order, proceeding to the chef, collecting the specified food items, and returning to you with your request. An API is also versatile, handling requests from various clients on behalf of users. These clients can be web browsers, mobile apps, or devices in the Internet of Things [IoT], and the API processes these requests with its internal logic and returns responses to the client.
APIs are pervasive and present in nearly every app on your smartphone or tablet. They connect to remote APIs to fetch new content, deliver notifications, and execute tasks. If you delve into your browser's developer tools and open your favorite website, you'll likely be fascinated by the multitude of API calls happening in the background. These calls are the result of a complex web of interactions, with multiple microservices communicating through internal APIs on the server side.
Increased API use and capabilities = more risk
The proliferation of APIs is leading to the development of increasingly advanced applications that improve and magnify our capabilities, but they also come with magnified risks. Relying on APIs for essential everyday functions makes us more susceptible to attacks. APIs become more vulnerable to attacks the more they’re used. As organizations use more APIs, there is an increased likelihood that they will have a blind spot, whether it's not being able to discover all their APIs or to monitor all of them effectively.
And attackers are constantly performing reconnaissance to find an API that has gone unprotected. The convenience and simplicity that APIs offer developers also make them susceptible to exploitation by malicious individuals. It's crucial to understand that privacy and user data protection laws, like the General Data Protection Regulation (GDPR) in the European Union and the California Consumer Privacy Act (CCPA), impose legal obligations on businesses to safeguard user data, and being aware of these obligations is a responsibility we all share.
API economy: Promises and potential
The API economy is not just a trend, but a powerful tool that holds immense potential for businesses in various industries. In healthcare, APIs are revolutionizing patient care by seamlessly integrating electronic health records across different providers. In retail, APIs are enabling personalized shopping experiences by integrating customer data from various sources. The significant impact of digital connectivity and integration fuels this growth.
APIs provide numerous advantages in promoting innovation, supporting digital transformation, and enabling smooth integration among various systems and platforms. APIs are more than just a tool; they are the key that unlocks a world of possibilities for developers. They empower developers to innovate and create new applications or features, providing access to functionalities, data, and services that are not developed in-house.
Standardized communication fuels innovation
APIs standardize communication protocols and data formats to ensure compatibility among diverse systems and platforms. Integrating with third-party APIs allows businesses to broaden their offerings, generate new sources of revenue, and access untapped markets.
The API economy offers substantial potential for firms to innovate, expand their market presence, enhance efficiency, and improve customer experiences. Strategically embracing APIs enables organizations to effectively navigate digital transformation and tap into emerging technologies to achieve sustainable growth in a competitive environment.
Challenges in the API economy
The Kong 2023 API Impact report analyzed the overall contribution of APIs to the economy and their role in boosting economic growth. They predicted that by 2027, APIs will have a worldwide economic impact of $14.2 trillion.
The API economy, while offering substantial benefits, also presents several challenges that organizations must urgently address to maximize its potential. APIs, if not properly secured, can expose sensitive data, leading to breaches.
Reports validate the importance of API threats
Akamai
Akamai's 2024 State of the Internet report on API threats not only brings attention to the various attacks directed at APIs, including traditional web attacks, but also highlights the proactive measures being taken to address these risks.
This report underscores the risks that API misuse poses in common problem areas such as posture and runtime challenges. A total of 29% of web attacks targeted APIs over the 12 months from January through December 2023, indicating that APIs are a focus area for cybercriminals. The report further mentions that business logic abuse is a critical concern, as it is difficult to detect abnormal API activity without having first established a baseline for API behavior.
Gartner
In May 2024, Gartner published a Market Guide for API Protection, which states that the average API breach results in at least 10 times more leaked data than the average security breach. However, high-profile API incidents are more common than ever.
OWASP
The Open Web Application Security Project (OWASP), a nonprofit organization known for its list of top 10 security risks, released an updated version of API-specific risks, the OWASP API Security Top 10 in 2023, which not only recognizes the unique threats posed by APIs but also validates the importance of this issue in the industry.
Common posture and runtime problems
Akamai monitors and evaluates 20% to 30% of global internet traffic, which involves processing more than a trillion content requests daily from users in more than 200 countries and regions. Akamai collaborates with businesses worldwide to gather comprehensive data on API use and to conduct sophisticated behavioral analysis to detect security weaknesses and signs of API misuse. Based on Akamai's observations of API activity, two main issues typically arise: posture and runtime problems.
API implementation flaws can lead to posture problems, while runtime problems are urgent threats or behaviors, often of a critical nature, that demand immediate attention.
According to Akamai SOTI report, the most common posture issues include:
- Shadow endpoints (i.e., unattended or outdated endpoints)
- Unauthenticated resource access
- Sensitive data in a URL
- A permissive cross-origin resource sharing (CORS) policy
- Excessive client errors
Common runtime problems include:
- Unauthenticated resource access attempts
- Abnormal JSON property
- Path parameter fuzzing attempts
- Impossible time travel
- Data scraping
API security strategy and best practices
Malicious actors have been exploiting the API vulnerabilities described in the OWASP API Security Top 10 and those vulnerabilities are often linked to programming errors or misconfigurations. The high frequency of reported data breaches involving APIs indicates that hackers exploit these vulnerabilities, actively explore API systems, and conduct reconnaissance to identify specific APIs for exploitation. This investigative activity, combined with the automated risk of data scraping, suggests that APIs have become the new avenue for data breaches.
The potential consequences of successful attacks are severe, including damage to the brand and reputation, exposure of sensitive data, loss of customer trust, and potential compliance and legal issues. Depending on the jurisdiction, this could result in a heavy financial loss, underscoring the need for immediate action to mitigate these risks.
Frequently Asked Questions (FAQ)
API security is not just a variation of “traditional” application security; it requires a distinct approach. Application security is concerned with protecting the entire application, while API security is specifically focused on safeguarding the APIs that enable data exchange in modern applications.
The most significant difference between an API and an application is the user base. APIs are built for software applications, while software applications are built for human interaction. This underscores the importance of having different security controls for each. Gartner highlights this by stating that “traditional network and web protection tools are insufficient to defend against the diverse security threats that APIs face, including many of those outlined in the OWASP API Security Top 10.”
Visibility and early identification of vulnerabilities
Having a clear view of your environment and understanding normal activities and data distribution across APIs is the first crucial step in safeguarding against data breaches caused by API vulnerabilities. This involves securing all APIs with appropriate security controls, implementing automated measures to respond to and prevent attacks, and notifying the security operations team.
Early identification of vulnerabilities in the API development process not only leads to faster resolution but also significant cost savings. DevOps security practices are designed to address security issues before they escalate, thereby reducing the time and resources needed for mitigation.
Prioritize security
The concept that prevention is better than cure is as relevant to software development defects as it is to medical illnesses. The IBM System Science Institute quantifies this, stating that the cost to rectify a bug discovered during implementation is roughly six times higher than one identified during the design phase.
Implementing robust security practices is not just about protecting sensitive data; it's also about preventing potential damage to reputation. By prioritizing security, organizations demonstrate commitment to customers and the situation's urgency, helping them to retain customer loyalty and avoid reputational damage.
Future innovations in API development
API development is changing significantly due to the emergence of low-code and no-code platforms like APIDNA, Mendix, and OutSystems. These innovative solutions enable developers to build and integrate APIs with minimal traditional coding, thereby creating new opportunities for rapid development. With APIDNA, for example, developers can simply drag-and-drop prebuilt API components to create their own APIs.
The API-first approach
The API landscape is expanding, with the number of developers using APIs increasing by 61% in recent years. The 2023 State of the API Report by Postman indicates a growing trend of non-developers, including chief technology officers, managers, and directors, entering the API industry. This trend underscores the strong interest of leaders in adopting an API-first approach.
In the next 12 months, organizations will either increase their investment of time and resources into APIs or maintain the current level. Importantly, 53% of CEOs anticipate increased API investments in the coming year, providing a reassuring outlook for the industry's future.
The Postman report found that only 51% of respondents in the government and defense sectors are using artificial intelligence (AI) tools, such as machine learning algorithms and natural language processing systems, making them the least likely industries to do so. A few respondents mentioned concerns regarding security risks and corporate restrictions on sharing data with third-party AI tools.
Rapid evolution of APIs requires robust security
The rapid evolution and expansion of APIs have created a new and urgent challenge: securing this prime opportunity for exploitation. APIs will continue to play a central role in companies' digital transformation. According to Akamai's 2024 State of the Internet report, 44.2% of web attacks that impact organizations in the commerce industry targeted APIs, followed by organizations in the business services industry at 31.8%.
This emphasis on commerce is due to various factors, such as the complex nature of the industry’s ecosystem, heavy reliance on APIs, and large amounts of sensitive customer data. The escalating number of API attacks underscore the pressing need for robust API security in all companies.
Conclusion
The significance of APIs has shifted from being a development technique to becoming a driver of business models and a topic of consideration in boardrooms. APIs must be handled as products as they are crucial in enabling digital transformations. Adapting an established company to the digital economy requires significant effort, but all that effort will be futile if the company’s mindset remains unchanged.
In today's heavily API-reliant environment, in which critical business outcomes are dependent on APIs, it is more important than ever for organizations to establish and execute a robust security strategy. This strategy must encompass thorough and up-to-date documentation, transparency into the complete API inventory, secure API design and development, and security testing that addresses business logic gaps.
By securing APIs, businesses can unlock new revenue opportunities, increase operational efficiency, and deliver excellent customer experiences. Implementing robust security in all stages of API development empowers businesses to navigate the evolving digital landscape with confidence and success.
Visibility into your APIs
Akamai API Security provides complete visibility into your APIs with continuous discovery and monitoring. All discovered APIs are subjected to a risk audit to identify common vulnerabilities, and analytics are used to detect threats and logic abuse within this rapidly expanding attack surface.