The news of T-Mobile's security breach earlier this year was met with an air of inevitability in cybersecurity circles, particularly when it was revealed that an API was the culprit that exposed the sensitive data of 37 million of their customers. This event serves as a reminder of the perils that accompany the transition of many organizations towards a Cloud-first, API-first model. While this shift is undeniable, so too is the resultant API sprawl and the increased incidents of API-related cyber attacks and breaches.
A recurring narrative is emerging in today's digital landscape, characterized by organizations grappling with managing and safeguarding the growing number of APIs within their ecosystem.
Use the player or download the MP3 below to listen to Cybersecurity Awesomeness Podcast - Episode 5 — Chris Steffen and Ken Buckler from EMA discuss API Security.
At the 2023 RSA Conference, a survey conducted by Traceable brought some troubling facts to the surface about how organizations are handling their API security — a theme that has become ground zero in cybersecurity circles. The survey results were unsettling, indicating that a significant 40% of respondents were operating without an API security solution. Furthermore, 29% did not know whether their organization had any measure in place to secure APIs.
These results underscore the imperative for organizations to immediately secure the full breadth of their API ecosystem. This includes understanding how many APIs they have, where those APIs reside, and what those APIs are doing.
API Security Ownership Remains Fragmented
The issue of API security ownership is fraught with fragmentation among various teams, complicating the scenario further. According to the survey, the landscape is a mix of varying perspectives, with 38% of respondents assigning ownership to the CISO, while 25% stated that development and/or DevOps were the stewards of API security. A further 24% of respondents are in the dark about who holds this responsibility.
It's crucial that we address this uncertainty. This lack of clarity can foster serious blind spots in security coverage, potentially paving the way for API-related breaches. Creating a culture of shared accountability and fostering open communication between different teams can help address these gaps.
Battling API Sprawl
A staggering 66% of the survey respondents either grapple with API sprawl or are uncertain about their organization's competence in managing it effectively. Contending with API sprawl goes beyond API Discovery; it requires a comprehensive strategy encompassing security posture management, threat protection, and threat management. Absent these key pillars, any unknown API becomes a sitting duck for cyber attacks.
Adding another layer to this challenge are the so-called "Zombie APIs." These are outdated, ostensibly disabled APIs that continue to lurk in the shadows of the application infrastructure. They present an additional and often overlooked risk, being ripe for exploitation through a range of API attacks. The consequences of such breaches can be severe, extending from account takeover to fraudulent transactions. In the absence of diligent tracking and management, these Zombie APIs can be accessed easily to harvest data, often allowing malevolent activities to fly under the radar.
Failure to Baseline API Behavior
Among those organizations with dedicated API security solutions, a concerning 25% revealed that their solutions are unable to baseline API behavior. This leaves them blind to both normal and abnormal behavior and therefore, to any anomalies potentially indicative of an API attack. Even more alarming is the fact that half of the respondents confessed their uncertainty regarding the presence of such capabilities in their API security solution.
Baselining — the process of defining what constitutes normal and abnormal API activity — is the hinge of API security. This is ideally done with an API data lake at the core of the solution. It equips organizations with a deep understanding of API context, allowing deviations — possible indicators of an attack or malicious intent — to be spotted more easily. Without this, malevolent activities of threat actors could seamlessly blend into the regular traffic, making them much harder to detect and counter.
The Time is Now
What makes APIs so dangerous is that they present the largest attack surface we have ever encountered in the industry. In the past, hackers had to find ways of bypassing existing solutions, such as WAFs, DLP, or API Gateways, in order to find data and disrupt systems. Now, they can simply exploit an API, and obtain access to sensitive data, and not even have to exploit the other solutions in the security stack.
This is why more organizations need to take API security seriously and make it an integral part of their broader cybersecurity strategy.
Correcting some of the common challenges above begins with designating API security responsibility to a specific person or group. Rather than choosing between security and DevOps teams, many organizations are creating integrated DevSecOps teams to cater to their API security needs due to shared initiatives. No matter which group(s) your organization selects to own API security, make sure everyone involved is fully aware of their responsibilities and expectations.
Breaches of unmonitored, unsecured APIs can also be prevented with a complete API security solution — one that includes security posture management, threat protection and threat management, across the entire software development lifecycle. Once the solutions and responsibilities are in place, organizations should consider a Zero Trust approach to API access. This can actively reduce the attack surface by minimizing or eliminating implied and persistent trust for APIs.
At the end of the day, successful cybersecurity is not about reacting to threats, but proactively mitigating them. Ensuring robust API security is an essential component of this proactive approach.