The world of online services has revolutionized daily life, enabling tasks like grocery shopping and booking travel to be completed via mobile apps. Google Cloud's State of API Economy report found that more than 50% of retailers have indicated that APIs accelerate innovation, and 36% indicated that APIs are a strategic asset that can create business value.
This convenience benefits end users, but it also means services call one another, forming a vast API ecosystem. A single API may be consumed by many services, so a defect or compromise in one is inherited by every consumer downstream. The same interconnectedness that gives businesses flexibility and efficiency also opens new avenues for security gaps and unseen vulnerabilities in the API supply chain.
Increasing Reliance on APIs
In the 2024 Gartner API Strategy survey, 82% of respondents reported that their organizations use APIs internally, while 71% also use APIs provided by third parties, such as SaaS vendors. Today, the average organization manages over 1,000 APIs, according to Treblle's Anatomy of an API report. This growth is mirrored by a 61% increase in the number of developers utilizing APIs in recent years. Postman's 2023 State of the API Report also indicated a growing trend of non-developers, including chief technology officers, managers, and directors, utilizing APIs more frequently.
OWASP's API Security Top 10 catalogs the risk classes that most often affect APIs, such as broken object-level authorization and broken authentication. Akamai's 2024 State of the Internet report found that APIs were the point of entry for 44.2% of web attacks aimed at commerce organizations and 31.8% of attacks against business services, figures consistent with OWASP's concerns and with the urgency of addressing API security risk.
Driving Innovation and Risk
APIs exist to expose a company's most valuable data and services, which makes them an attractive target for malicious actors. In January 2024, an exposed Trello API let anyone link private email addresses to Trello accounts, exposing data on more than 15 million users. Later that year, Dell disclosed a breach affecting 49 million customer records: attackers registered fake accounts on a partner portal and abused its API to pull customer records.
More recently, a vulnerability (not known to have been exploited) was found in a popular travel service that would have let an attacker take over a victim's account with a single click. This pattern is an API supply chain attack: rather than attacking the primary service directly, the attacker targets a weaker link in its API ecosystem, typically a third-party integration. Although the initial takeover happens in the integrated service, the trust the main service places in that integration would likely have given the attacker full access to the user's personally identifiable information (PII) in the main account, including all mileage and rewards data. Beyond reading data, the attacker could act as the user, for example creating orders or modifying account details. The lesson is that an integration inherits whatever permissions it is granted, so third-party links need the same scrutiny as the primary service and should be given no more access than they actually need.
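To make the "weaker link" point concrete, here is an added example (not code from the article or from any service it mentions) of how a main account service can bound the blast radius of a compromised integration. It assumes a hypothetical travel account API that lets partners act for a user through an HMAC-signed delegation token carrying an audience, the partner's name, the user, an expiry, and an explicit scope list; the partners, user, signing key, and action-to-scope table are constructed for illustration. A partner given every scope can do anything the user can, which is the situation the paragraph describes; a partner given only the scope it needs cannot create orders even if fully compromised, and a token whose scopes were edited by hand fails signature verification.

```python
"""Scope-bounded delegation tokens for a partner integration (added example).

Assumptions: a hypothetical main travel account API (AUDIENCE) issues
HMAC-signed tokens to partners; SECRET, the partner names, the user and
the REQUIRED table are constructed for this illustration only.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SECRET = b"constructed-demo-key-do-not-use"   # assumption: the issuer's signing key
AUDIENCE = "travel-main-api"                  # assumption: the issuing service's name


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue(partner: str, user: str, scopes, ttl: int = 600, now=None) -> str:
    """Mint a token naming the partner, the user, the granted scopes and an expiry."""
    now = int(time.time()) if now is None else now
    claims = {"aud": AUDIENCE, "sub": user, "partner": partner,
              "scopes": sorted(scopes), "exp": now + ttl}
    body = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(SECRET, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(sig)


def verify(token: str, now=None) -> Optional[dict]:
    """Return the claims if signature, audience and expiry all check out, else None."""
    now = int(time.time()) if now is None else now
    try:
        b64body, b64sig = token.split(".")
        body = _unb64(b64body)
        expected = hmac.new(SECRET, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(b64sig)):
            return None          # tampered body or wrong key
        claims = json.loads(body)
    except (ValueError, KeyError, TypeError):
        return None
    if claims.get("aud") != AUDIENCE or claims.get("exp", 0) <= now:
        return None              # token meant for another service, or expired
    return claims


# Every action on the main account maps to one required scope (constructed table).
REQUIRED = {"get_miles": "rewards:read", "get_profile": "profile:read",
            "create_order": "orders:write", "update_profile": "profile:write"}


def handle(token: str, action: str, now=None) -> str:
    """Authorize one partner request against the token's scopes."""
    claims = verify(token, now)
    if claims is None:
        return "401 invalid token"
    if REQUIRED[action] not in claims["scopes"]:
        return "403 %s lacks %s" % (claims["partner"], REQUIRED[action])
    return "200 %s for %s via %s" % (action, claims["sub"], claims["partner"])


def demo(now: int = 1_700_000_000) -> dict:
    # Over-broad grant: compromising this partner is as good as compromising the user.
    broad = issue("car-rental-partner", "alice", REQUIRED.values(), now=now)
    # Least-privilege grant: the integration only ever needs to read rewards.
    narrow = issue("lounge-partner", "alice", ["rewards:read"], now=now)
    # Attacker holding the narrow token edits its body to add orders:write.
    body, sig = narrow.split(".")
    claims = json.loads(_unb64(body))
    claims["scopes"].append("orders:write")
    forged = _b64(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()) + "." + sig
    return {
        "broad_order": handle(broad, "create_order", now),
        "narrow_miles": handle(narrow, "get_miles", now),
        "narrow_order": handle(narrow, "create_order", now),
        "forged_order": handle(forged, "create_order", now),
        "expired_miles": handle(narrow, "get_miles", now + 601),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```

The audience check matters as much as the scope list: a token minted for one service must not be accepted by another integration in the same ecosystem, or the weaker link can replay it against the stronger one.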
Vigilance, governance, and explicit control of APIs are essential to closing these gaps. Organizations should invest in tooling that covers the whole API lifecycle: discovering and cataloging every API in use, including those exposed by third parties and those no team remembers deploying, so that nothing runs outside the inventory; continuously assessing the security posture of each API and fixing what the assessment finds; and monitoring API traffic so that abuse can be detected and handled. Treating API management this way, rather than as a per-team afterthought, is what lets an organization reduce risk across its ecosystem.
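The first step above, knowing every API that is actually live, is where most inventories fail, so here is an added example (not from the article or from any vendor's product) of one practical check: compare the documented route inventory against access logs to surface endpoints that carry traffic but appear in no catalog. The inventory, the log lines, and the simplified common-log format are constructed for this illustration, and the ID-shaped segments collapsed to `{id}` (numeric and UUID) are an assumption about the hypothetical API's path conventions.

```python
"""Find API routes that are live in traffic but absent from the inventory (added example).

Assumptions: the INVENTORY and SAMPLE_LOG below are constructed; the log
format (method, path, HTTP version, status) and the ID segment shapes
are illustrative, not taken from any real system.
"""
import re
from collections import Counter

# Constructed inventory: the routes the organization believes it exposes.
INVENTORY = {
    ("GET", "/v1/users/{id}"),
    ("GET", "/v1/users/{id}/rewards"),
    ("POST", "/v1/orders"),
    ("GET", "/v1/orders/{id}"),
}

# Constructed access-log lines in a simplified common-log style.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Mar/2025:10:00:01 +0000] "GET /v1/users/42 HTTP/1.1" 200 512
10.0.0.5 - - [01/Mar/2025:10:00:02 +0000] "GET /v1/users/42/rewards HTTP/1.1" 200 88
10.0.0.9 - - [01/Mar/2025:10:00:03 +0000] "POST /v1/orders HTTP/1.1" 201 64
10.0.0.9 - - [01/Mar/2025:10:00:04 +0000] "GET /v1/orders/7f3a9c2e-1b44-4d0e-9a1c-0c8d2e5b7a11 HTTP/1.1" 200 300
10.0.0.7 - - [01/Mar/2025:10:00:05 +0000] "GET /v1/users/42/export HTTP/1.1" 200 9001
10.0.0.7 - - [01/Mar/2025:10:00:06 +0000] "DELETE /v1/users/43 HTTP/1.1" 204 0
10.0.0.7 - - [01/Mar/2025:10:00:07 +0000] "GET /internal/debug/config HTTP/1.1" 200 2048
10.0.0.7 - - [01/Mar/2025:10:00:08 +0000] "GET /v1/users/42/export HTTP/1.1" 200 9001
"""

LINE_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# Segments that look like identifiers (assumption: integers and UUIDs) become {id}.
ID_SEGMENT = re.compile(
    r"^(\d+|[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})$", re.I)


def normalise(path: str) -> str:
    """Drop the query string and collapse ID-shaped segments to a {id} template."""
    path = path.split("?", 1)[0]
    return "/".join("{id}" if ID_SEGMENT.match(p) else p for p in path.split("/"))


def observed_routes(log_text: str) -> Counter:
    """Count (method, templated path) pairs seen in the log."""
    seen = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            seen[(m["method"], normalise(m["path"]))] += 1
    return seen


def shadow_routes(log_text: str, inventory=INVENTORY) -> dict:
    """Routes that carry traffic but are not in the inventory, with hit counts."""
    return {route: n for route, n in observed_routes(log_text).items()
            if route not in inventory}


def unused_routes(log_text: str, inventory=INVENTORY) -> set:
    """Inventory entries that saw no traffic: stale docs or candidates for removal."""
    return set(inventory) - set(observed_routes(log_text))


if __name__ == "__main__":
    for (method, path), n in sorted(shadow_routes(SAMPLE_LOG).items()):
        print("undocumented: %s %s (%d hits)" % (method, path, n))
    for method, path in sorted(unused_routes(SAMPLE_LOG)):
        print("documented but idle: %s %s" % (method, path))
```

On the constructed log this flags an undocumented bulk `export` route, an undocumented `DELETE` on users, and a debug endpoint outside the versioned API, which is exactly the kind of unmanaged surface a partner or attacker finds before the owning team does. Run it against a real gateway log and a real OpenAPI-derived inventory, and review the unused set as carefully as the shadow set.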
While APIs have become a prime target for malicious actors due to their widespread use and critical role in modern applications, the landscape of defense mechanisms is evolving rapidly. Organizations around the world now have access to an unprecedented array of tools, research, and information designed to bolster their security posture. Additionally, ongoing research in the field is uncovering new vulnerabilities and attack vectors, enabling security professionals to stay ahead of potential threats. This wealth of resources empowers organizations to implement more effective security strategies, ensuring the integrity and confidentiality of their API-driven services.
Industry News
Amplitude announced the rollout of Session Replay Everywhere.
Oracle announced the availability of Java 24, the latest version of the programming language and development platform. Java 24 (Oracle JDK 24) delivers thousands of improvements to help developers maximize productivity and drive innovation. In addition, enhancements to the platform's performance, stability, and security help organizations accelerate their business growth ...
Tigera announced an integration with Mirantis, creators of k0rdent, a new multi-cluster Kubernetes management solution.
SAP announced “Joule for Developer” – new Joule AI co-pilot capabilities embedded directly within SAP Build.
SUSE® announced several new enhancements to its core suite of Linux solutions.
Progress is offering over 50 enterprise-grade UI components from Progress® KendoReact™, a React UI library for business application development, for free.
Opsera announced a new Leadership Dashboard capability within Opsera Unified Insights.
Cycloid announced the introduction of Components, a new management layer enabling a modular, structured approach to managing cloud resources within the Cycloid engineering platform.
ServiceNow unveiled the Yokohama platform release, including ServiceNow Studio which provides a unified workspace for rapid application development and governance.
Sonar announced the upcoming availability of SonarQube Advanced Security.
ScaleOut Software introduces generative AI and machine-learning (ML) powered enhancements to its ScaleOut Digital Twins™ cloud service and on-premises hosting platform with the release of Version 4.
Kurrent unveiled a developer-centric evolution of Kurrent Cloud that transforms how developers and dev teams build, deploy and scale event-native applications and services.
ArmorCode announced the launch of two new apps in the ServiceNow Store.
Parasoft is accelerating the release of its C/C++test 2025.1 solution, following the just-published MISRA C:2025 coding standard.