Digital transformation has ushered in a new era of devices, applications and online services. And though apps get most of the credit, application programming interfaces, or APIs, provide the underlying connectivity between software and services that make it all possible. As any developer will confirm, APIs enable organizations to streamline workflows, develop new ways to support customers, and pursue new avenues to drive profit. However, despite the countless benefits, APIs also expand the attack surface. And API attacks have unfortunately been on the rise.
Thankfully, information security teams and business leaders alike are starting to understand that APIs present new security challenges. These are unique vulnerabilities that traditional tools like API gateways and web application firewalls can't address. For this reason, CISOs are betting big on dedicated API security solutions this year. Let's explore the top five reasons they're doing so:
Reason 1. Data breaches are getting out of control
Venmo, Peloton, Twitter, LinkedIn and Optus have all had pretty significant API-related security incidents in recent years. In fact, 76% of cybersecurity professionals admitted to experiencing an API security related incident in 2022. Why exactly? Well there are a number of reasons why the API vulnerabilities are being exploited at such an alarming rate.
Let’s explore some of main contributing factors:
Exploding API traffic
According to Akamai, API traffic now represents over 80% of the current internet traffic. That’s right, APIs are firmly solidified as the foundation for digital transformation. With the average enterprise managing over 15,000 APIs, it’s not hard to fathom such a commanding share of traffic. As further evidence, Cloudflare publicly confirmed that API calls are growing twice as fast as HTML traffic, making APIs “an ideal candidate for new security solutions aimed at protecting customer data.”
Two thirds of IT leaders, architects, and developers claim they are concerned with the prospect of API sprawl. And rightly so. While traffic volume is an important element of API sprawl, the two are not interchangeable. Sprawl refers to the distribution of your APIs across teams and environments. If your security teams lack visibility into APIs in production, I can almost guarantee that rogue and shadow APIs represent a large percentage of what’s deployed.
Obsolete security tools
Most of the companies I meet with assume they don't need dedicated API security because they have a WAF or API gateway. Are they important components of the API delivery stack? Sure. But the truth is, neither are designed to provide the security controls and observability required to adequately protect APIs.
Even Gartner confirms that, “traditional network and web protection tools do not protect against all the security threats facing APIs, including many of those described in the OWASP API Security Top 10.” Without adequate detection and response, security teams are going to be hard pressed to identify and remediate API attacks.
Now that you understand what's creating this situation, let’s not forget these incidents are getting expensive. Just last year, US businesses incurred between $12 billion and $23 billion in losses from API-related breaches in 2022, according to the Quantifying the Cost of API Insecurity report. All the more reason for CISOs to get a grip on their rapidly expanding API attack surface.
Reason 2. Regulators are cracking down on data compliance
Data compliance regulations are becoming more and more important in the digital world. With data breaches on a steady growth trajectory, regulators are increasingly focused on enforcing violations to protect the privacy of individuals and organizations. Companies have to be careful about how they store and process their data to ensure that data is not misused or leaked.
In order to stay compliant, you need to have a thorough understanding of what data you collect, how it's collected, who has access to that data and how that data is used. Keep in mind that there are many different types of data compliance regulations that can be found in the US, Europe, and Asia. From patient records to financial data, there are clear guidelines on how to properly protect highly sensitive data.
Some of the most notable you should be aware of include:
General Data Protection Regulation (GDPR)
Established by the European Union, GDPR protects the right for an individual to access their private data and understand how it has been collected.
Health Insurance Portability and Accountability Act (HIPAA)
National standards developed by the US government Health and Human Services Department for electronic health care and security.
Payment Card Industry Data Security Standard (PCI DSS)
An information security standard for financial and retail organizations that handle and process branded credits from the major credit card suppliers.
Personal Information Protection and Electronic Documents Act (PIPEDA)
Canada’s primary law regulating data privacy. PIPEDA provides governance for how for profit enterprises can collect, use, and disclose consumers’ personal information.
California Consumer Privacy Act (CCPA)
CCPA provides California state residents’ the right to know about the personal information a business collects, how it is used, and shared.
Keep in mind that this isn't an exhaustive list of data privacy regulations, which should let you know just how serious the situation is. To learn latest best practices on maintaining compliance, I highly recommend downloading Automate API Governance & Data Compliance with Noname Security.
Reason 3. Automation is critical for success
According to the 2022 Global Risk Report, developed by the World Economic Forum (WEF), 95% of cybersecurity issues could be traced back to human error. As if that wasn’t enough of a reason to seek automated tooling, the volume of APIs in production is just too vast for manual efforts.
For example, manual efforts to discover, document, migrate, refactor and remediate requires 40 hrs of effort per API. Now if the average enterprise is managing roughly 15,000 APIs, that’s 600,000 hours of manual effort. To make you feel better, it's only 25,000 days. If you’re only 12 years old and get started now, you may have a chance to be finished by your 80th birthday.
Beyond API discovery, modern anomaly detection is powered by artificial intelligence (AI) and machine learning (ML). And when coupled with other security products like security orchestration and remediation (SOAR) platforms and security information and event management (SIEM) systems, they provide the missing link for comprehensive incident response. CISOs can also utilize IT service management (ITSM) and extended detection and response (XDR) tools as needed.
Reason 4. Reputation is everything
Reputation is a key factor in the success of any business. It plays a crucial role in how people perceive your brand and it can help you to build trust with your audience. Keep in mind that your reputation isn’t a static measure. It can be built over time, but it can also be lost if you’re not careful. In order to build a solid reputation, you need a tenacious security team with integrated solutions that protect sensitive data without interfering with business outcomes.
In this economic climate, sensitive data will continue to be an attractive target for cybercriminals considering how lucrative it can be. But given the reality of slowing growth and shrinking revenue, it will be unacceptable for bad actors to prevail. CISOs and their teams must eliminate blind spots, implement iron-clad access controls, and mitigate malicious threats and other cybersecurity risks. Failure to do so could have dire consequences for both the CISO and the longevity of the business.
Reason 5. Security is required across the SDLC
CISOs that are serious understand that API embedding security controls across the software development life cycle (SDLC) is the only way to ensure APIs are protected from code to production.
Sandy Carielli, principal analyst at Forrester, confirms this notion as she stated, “API security, like application security overall, must be addressed at every stage of the SDLC. As organizations develop and deploy APIs, they must define and build APIs securely, put proper authentication and authorization controls in place (a common issue in API-related breaches) and analyze API traffic only to allow calls in line with the API definitions,”
However, of cybersecurity professionals surveyed in the API Security Trends 2022 report, In fact, merely 11% said they were testing APIs in real-time and just 28% said they test their APIs for security flaws at least once a day. And only 39% reported that they’re testing no more than once a week. With the rate of code developers are producing, it’s easier than ever for vulnerabilities to slip through the cracks. Especially if you aren't’ testing for them.
I encourage you to download API Security Testing For Dummies and expand your knowledge on the latest capabilities developers are using to remediate vulnerabilities before production.
After reading this article, it should be blatantly obvious to you as to why CISOs are focusing so heavily on securing APIs. You should be able to clearly articulate the business and technology risks companies of all sizes are facing. I sincerely hope you use this information to help you develop a strong API security strategy. Implement innovative technologies and automation tools that can help your organization identify and eliminate malicious threats.
If you need guidance on how to evaluate API security solutions, I strongly suggest you download the API Security Buyers Guide.