API security is a growing concern for many organizations as APIs become a fundamental part of their digital strategies. APIs are used to share data with internal stakeholders and to create brand-new API-as-a-product offerings. APIs power event-driven microservices architectures and enable the composable enterprise to take shape. However, as the value of API-based connections rises, so do new threats.
In recent years, we’ve seen an alarming increase in API attacks. For example, Salt Security discovered an impressive 681% rise in API attack traffic in mid-2022. Many APIs lack proper authorization controls, leaving poorly protected HTTP methods open to exploitation by attackers, who often exfiltrate large amounts of data undetected. And as the number of APIs increases, sprawl concerns are beginning to emerge, along with shadow or zombie endpoints. There is also the urgency to protect sensitive data and comply with new global data regulations.
Due to these concerns and others, there is a newfound urgency to protect APIs from escalating threats. As a result, in 2023, API security is becoming a top concern for cybersecurity professionals at large. Below, we’ll outline some of the most common API vulnerabilities that persist today and zoom in on methods to mitigate them. We’ll consider what’s to come in API security within this year and beyond, and outline some best practices to keep your API strategies safe from abuse.
One of the main challenges associated with APIs is weak access control. If APIs are improperly configured, they can easily fall victim to Broken Object Level Authorization (BOLA). OWASP’s API Security Top 10 places BOLA as the #1 threat facing modern APIs. BOLA means that authorization controls are nonexistent or implemented improperly: the API authenticates the caller but never checks that the caller is entitled to the specific object requested. This could, for example, allow a hacker to switch out a unique identifier in the HTTP call to access resources from another account, or even manipulate data. Unauthorized access to sensitive data goes against the principle of least privilege and leads to data overexposure.
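As an added illustration (not code from the article), the following minimal Python handler pair shows the BOLA failure described above beside the per-object ownership check that closes it; the invoice records, the `Principal` type and the `admin` role name are constructed assumptions.

```python
"""Added example: object-level authorization of the kind whose absence
OWASP calls BOLA. All data and identifiers below are constructed."""
from dataclasses import dataclass

# Constructed in-memory "database" of account records keyed by id.
INVOICES = {
    "inv-1001": {"owner": "alice", "amount": 120.00},
    "inv-1002": {"owner": "bob", "amount": 75.50},
}


@dataclass(frozen=True)
class Principal:
    """The authenticated caller, as established by the auth layer."""
    user_id: str
    roles: frozenset = frozenset()


class Forbidden(Exception):
    """Raised when the caller may not access the requested object."""


def get_invoice_vulnerable(principal: Principal, invoice_id: str) -> dict:
    """Vulnerable handler: the caller is authenticated, but ownership of
    the requested object is never checked. Swapping the id in the request
    (GET /invoices/inv-1002 instead of inv-1001) returns another user's
    record."""
    return INVOICES[invoice_id]


def get_invoice_secure(principal: Principal, invoice_id: str) -> dict:
    """Hardened handler: fetch the object, then enforce ownership (or an
    explicit admin role) before returning it. Unknown and forbidden ids
    raise the same exception so the endpoint does not reveal which ids
    exist."""
    record = INVOICES.get(invoice_id)
    if record is None:
        raise Forbidden(invoice_id)
    if record["owner"] != principal.user_id and "admin" not in principal.roles:
        # A denied lookup of someone else's id is a useful signal to log
        # and alert on; id enumeration is typical reconnaissance.
        raise Forbidden(invoice_id)
    return record
```

The check belongs in every handler that takes a client-supplied identifier; a gateway can authenticate the caller, but only the service knows which objects that caller owns.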
Furthermore, many APIs have weak authentication methods in place. Some are still using HTTP Basic Authentication, but most have graduated to adopting API keys associated with each developer or app account. Even then, API keys have been proven to be insufficient for appropriately delegating identity. Furthermore, API keys for cloud-native tools can easily be stolen or accidentally left exposed in public repositories.
Another potential risk associated with APIs is insufficient logging and monitoring. As the number of APIs balloons within an organization, it can be challenging to distinguish regular API traffic from malicious bots or hackers performing reconnaissance to identify gaps. Insufficient logging and monitoring thus presents a real risk, since it leaves APIs unattended and makes misuse harder to detect and investigate.
To ensure API security, organizations need to start by understanding their surface area. It’s a good idea to audit the number of active APIs within your organization and keep track of new integrations in a common catalog. Doing so not only enhances the discoverability of internal services but helps ensure they aren’t forgotten. Considering the full software lifecycle and having a deprecation policy in place from the start can also ensure APIs don’t devolve into unmaintained shadow IT.
Next, it’s good practice to implement advanced authentication and authorization policies. Applications utilizing API connections should require multi-factor authentication. Furthermore, it’s a recommended practice to go beyond HTTP Basic Authentication and API keys and use open standards like OAuth and OpenID Connect. This will ensure that API requesters, whether they are humans, devices, or servers, are properly authorized and that their identity is traced throughout a zero-trust software ecosystem. Most secure APIs adopt an API gateway and use management solutions that encrypt data in transit and rate limit use, all of which help reduce the threat surface.
As investment in APIs continues to increase, organizations must prioritize intelligent API security and take steps to secure their APIs from escalating threats. In the coming years, IT will have to grapple with new threats surrounding emerging API styles like GraphQL, and institutions in the finance and healthcare sectors will be under pressure to open data securely to comply with upcoming regulations.