Even though many enterprises are now focusing on API security, there are still significant API security gaps. Dark Reading’s 2021 Secure Applications Survey highlights that 41% of respondents treat APIs the same as Web applications, and only 23% of respondents have a dedicated process for evaluating API security.
The lack of API security maturity is why it isn't surprising that API leaks and exploits make headlines on a frequent and consistent basis. In addition to industry maturation, there are several common misconceptions and misunderstandings that are keeping enterprises from holistically protecting their API environments. Let’s explore 5 of the most common reasons enterprises fail at closing API security gaps.
1. Dangerously Narrow View of “API Security”
API security is making headlines with journalists, analysts, and security vendors all jumping into the fray. However, in context, “API security” is almost exclusively positioned in the media as API attack prevention. Yes, API cyber-attacks are very real. And we’ve all seen Gartner’s prediction:
“Gartner predicts that by 2022, application programming interface (API) attacks will become the most-frequent attack vector...”
APIs are so critical to the business today that design errors and simple misconfigurations can put sensitive information and company reputations at risk, which was the case with Experian and Peloton. Additionally, these honest mistakes can easily be exploited by bad actors exposing even a deeper layer of risk to the company than a standalone attack. Instead of an attacker breaking through a locked door, they may be able to simply walk through an open doorway.
A broader definition and understanding of API security is required.
What is API Security?
API security refers to protecting the integrity of your digital environment from API vulnerabilities, API misconfigurations, and API cyber-attacks.
It’s not about protecting your APIs from an attack; it’s about protecting your digital environment and your data from all the risks associated with APIs. As simple as this shift in mindset may seem, it has significant implications to security strategies, processes, and tooling.
2. Exponential Threat of an API Breach
The nature of APIs is to connect and to communicate. Applications, services, and databases are connected by a sprawling mesh of APIs. If an API is compromised, it’s often difficult to even identify what other APIs, data, and systems could have been exposed or exploited.
The rate of new API deployments exceeds an enterprise’s ability to keep up with API testing and security. Each day the API attack surface grows, and new misconfigurations find their way into production environments. As hyperbolic as this sounds, it is the reality for enterprise organizations. Without a rapid change in their API security strategy, it is only a matter of time before more enterprises fall victim to API security vulnerabilities and attacks.
3. Flying Blind in an Ever-Changing Landscape
“How many APIs do you have?” is a question that most enterprises can’t answer. And if they do answer with a specific number, it’s likely wrong.
Most enterprise business units use APIs. Many teams develop APIs. Other teams are in charge of managing the deployment of APIs. And security is either a shared responsibility or given to yet another team to sort out. The end result is a lot of APIs slipping through the cracks. Enterprises do NOT have a complete inventory of APIs, and it isn’t uncommon for 30% of APIs to be unknown or unmanaged.
And of the known and managed APIs, there is often limited visibility into the communication and behavior of the APIs. “Which APIs are private and which are public?” “Which APIs are communicating sensitive information like credit card numbers and social security numbers?” Many enterprises have an intent for their API management, but validating the API behavior is still a difficult and time-consuming process.
4. Limited API Security Functionality with Traditional Tools
Most enterprises have invested in WAFs (web application firewall) and API gateways to secure their web applications and manage their APIs and API assets; however, these tools alone are insufficient at achieving API security.
As stated in Dark Reading’s application security survey cited at the beginning of this article, 41% of enterprises try to secure APIs in the same manner they secure web applications. WAFs, for example, are designed to address the Top 10 Web Application Security Risks in the OWASP Top Ten. OWASP, in 2019 released the API Security Top Ten, which has very little overlap with the original OWASP Top Ten. Additionally, WAFs and gateways do not have D.A.R.T. (Discover, Analyze, Remediate, Test) API Security Strategy functionality.
WAFs and API gateways are necessary components of an enterprise's tech stack but need to be paired with modern API security solutions to identify API misconfigurations and prevent API cyber-attacks.
5. Confusion Around API Security Ownership
With so many teams playing a role in the creation, consumption, and management of APIs, there is often confusion about which teams are responsible for API security. Is it the development team that writes the code for the APIs that is responsible for security? Is it the platform team that deploys and manages APIs across gateways and clouds that is responsible for security? Or is the CISO and their team responsible for enterprise API security?
Each enterprise has a different structure and/or a way of sharing responsibility; however, it can be loosely defined and poorly understood. Without a clear ownership structure of API security, API security vulnerabilities will continue to slip through the cracks and more effort will be placed into finger-pointing than eliminating API risks.
What to Expect from API Security Vendor
There are a number of new API security solutions that can be used to help overcome the challenges listed above. Give extra consideration to API security solutions that:
- Don’t use agents or sensors — cloud-first and API-led environments struggle with in-line solutions. Agent-based architectures are a legacy way of thinking that introduce more complexity, performance, issues, and risk. Out-of-band architecture provides deeper visibility and less operational friction.
- Provides Easy API Integration with clouds, WAFs, and gateways — a good API security solution should connect with your existing infrastructure and enhance the security capabilities of other systems in the environment, not compete against them.
- Can be deployed on-prem or as a SaaS — be sure you have the option to deploy on-prem or within a cloud so the data never leaves the environment, or as a SaaS so you can manage multiple clouds and instances from a single portal.