API Attack Numbers Are at Their Highest - Do You Have a Strong Security Plan in Place?
September 14, 2023

Bret Settle

API security should be a key part of any organization's security strategy today; however, it's often overlooked. APIs make up 83 percent of all web traffic, and they play a vital role in nearly all modern mobile and web applications, as well as containers and microservices. APIs are designed to be accessed by third parties, which exposes them to a broader spectrum of potential attacks compared to traditional web applications. And API attacks are increasing.

In 2022, API-based incidents cost organizations a staggering $75B, averaging $4.35M per breach. This number doesn't include the cost of fines or penalties, which can reach up to $1.19B.

Beyond these stark numbers, the true cost of these incidents is ultimately the impact on organizations' brand reputations. Recent widely publicized zero-day vulnerabilities like the infamous Log4J vulnerability
have highlighted the extent of the potential damage — a bad actor only needs to get one payload in to access databases and internal systems, install ransomware and more, without an organization knowing. Even big names with huge security budgets like T-Mobile, USPS, Facebook, Equifax, and Venmo have all experienced high-profile API breaches in the past. However, many companies still fail to adequately invest in API security measures until they have been breached and the damage to their reputation and bottom line is done.

When building a strong API security strategy, organizations must ensure they cover the three main pillars of API security: Prevention, Detection, and Response. The secret doesn't lie within one approach or tool, it's the ability to have multiple layers of defense.

Prevention: What proactive measures can be taken to prevent security breaches?

There are many ways to proactively plan for threats against APIs, including ensuring authentication and authorization are up to date. The combination of authentication and authorization provides the means to identify individuals attempting to access APIs and determine what they are or aren't allowed to access.

Other proactive measures include data encryption, which is the process of encoding data so only authorized users can access it. Threat modeling is another structured way to identify and evaluate potential risks. This gives an organization a clear idea of existing and potential security threats. Next, vulnerability scanning is an important step to identify any obvious problem areas.
Additionally, implementing API gateway software secures the traffic between an API request and its execution, acting as an extra layer of API protection.

Finally, having security awareness training for teams, where there is a higher degree of security literacy and everyone in the organization can think about security on different levels, provides another proactive step to defending against bad actors.

Detection: How can teams ensure they know when a breach has occurred?

Observability is the name of the game here. Security teams need to have visibility over a constant flow of information to ensure timely detection. Ideally, they should attain this degree of visibility through a single platform—one tool that provides access to comprehensive security data, enabling teams to examine various events as a unified perspective to oversee everything, organize data, and spot any anomalies.

However, not every organization will possess an all-encompassing solution for detection. This is why it's crucial to ensure you have tools that incorporate logging, monitoring, rate limiting, and behavioral detection capabilities. Logging creates a clear record of what's occurring in systems — every call to the API, every error, every failure, etc. Monitoring for alerts when unusual behaviors occur allows teams to decide if a response is required. The number of alerts can become overwhelming, so automating the response for certain conditions is key to keeping the review of alerts manageable. Rate limiting restricts the number of requests an API can handle, controlling legitimate users' interactions and safeguarding against malicious attacks. Behavioral detection uses machine learning to oversee API traffic, closely examining user behavior patterns.

Response: What can organizations do to stop a breach and mitigate its impact?

If an organization does fall victim to an API security breach, teams need to swiftly identify, contain, and remediate the threat, while still providing continuous service to the rest of their customers.

In the event of an incident, it's crucial that everyone knows how and when to act. Establishing an instant response plan allows the procedures and plans to be laid out for each employee. Implementing tools that work to automatically block a threat as it is detected in real time further brings detection and response pillars together to mitigate risks as they are identified.

Finally, threat intelligence is a crucial part of any response plan, as security teams must comprehensively grasp the attacker's motives, tactics, and objectives during the attack, allowing them to thwart future attacks and improve security.

Cybercriminals will continue to exploit vulnerabilities for personal and financial gain, but that doesn't mean organizations should make it easy for them. An organization's approach to API security should no longer be checkbox compliance, but instead a strategy that enhances observability into their APIs, mitigates against potential security threats, and ensures readiness to address any issues or threats that may emerge.

Bret Settle is Co-Founder and Chief Product Officer of ThreatX
Share this

Industry News

September 21, 2023

Red Hat and Oracle announced the expansion of their alliance to offer customers a greater choice in deploying applications on Oracle Cloud Infrastructure (OCI). As part of the expanded collaboration, Red Hat OpenShift, the industry’s leading hybrid cloud application platform powered by Kubernetes for architecting, building, and deploying cloud-native applications, will be supported and certified to run on OCI.

September 21, 2023

Harness announced the availability of Gitness™, a freely available, fully open source Git platform that brings a new era of collaboration, speed, security, and intelligence to software development.

September 20, 2023

Oracle announced new application development capabilities to enable developers to rapidly build and deploy applications on Oracle Cloud Infrastructure (OCI).

September 20, 2023

Sonar announced zero-configuration, automatic analysis for programming languages C and C++ within SonarCloud.

September 20, 2023

DataStax announced a new JSON API for Astra DB – the database-as-a-service built on the open source Apache Cassandra® – delivering on one of the most highly requested user features, and providing a seamless experience for Javascript developers building AI applications.

September 19, 2023

Oracle announced the availability of Java 21.

September 19, 2023

Mirantis launched Lens AppIQ, available directly in Lens Desktop and as (Software as a Service) SaaS.

September 19, 2023

Buildkite announced the company has entered into a definitive agreement to acquire Packagecloud, a cloud-based software package management platform, in an all stock deal.

September 19, 2023

CrowdStrike has agreed to acquire Bionic, a provider of Application Security Posture Management (ASPM).

September 18, 2023

Perforce Software announces BlazeMeter's Test Data Pro, the latest addition to its continuous testing platform.

September 18, 2023

CloudBees announced a new cloud native DevSecOps platform that places platform engineers and developer experience front and center.

September 18, 2023

Akuity announced a new open source tool, Kargo, to implement change promotions across many application life cycle stages using GitOps principles.

September 14, 2023

CloudBees announced significant performance and scalability breakthroughs for Jenkins® with new updates to its CloudBees Continuous Integration (CI) software.