Why Should Organizations Be Concerned About API Security?
October 26, 2022

Stephanie Best
Salt Security

APIs form the connection between digital users and organizational services such as online banking and e-commerce. Personal identifiable information (PII) and many other types of sensitive data pass through tens of thousands of APIs daily, whether users are simply joining a Zoom meeting or online shopping.

Living in an API-dominated world poses unique challenges and risks to companies of every size. With ever-increasing digitalization, business leaders must look at traditional security measures in place and assess if they still adequately protect the organization from growing API threats.

Why Should Companies Be Concerned?

Recent research from Salt Security showed that 94% of organizations had experienced security problems in production APIs in the past year, with 61% lacking any API security strategy or only having a basic plan. These numbers are quite concerning, and the data from these reports emphasize how crucial early security implementation is within the API lifecycle.

APIs have become a foundational part of an organization. The research shows that the average number of APIs per customer grew 82% over last year, up from 89 in July 2021 to over 162 in July 2022. During that same period, overall API traffic per customer grew 168%.

With companies constantly developing and launching new APIs, the right security measures must be put in place to best mitigate risk. Security teams must be aware of this expanding attack surface and understand the unique vulnerabilities of APIs in order to protect themselves from increasing attacks.

Many security leaders erroneously believe their existing security stack can protect their APIs and often underestimate their risk. While their current stack is still needed throughout the Software Development Life Cycle (SDLC) and all serve a purpose, they cannot detect most of the "low and slow" behavioral API security threats.

Traditional security solutions, such as WAFs and API gateways, might work against basic attacks but don't protect against the increasing quantity and complexity of API attacks. These traditional tools provide foundational security capabilities and protection for conventional applications; however, they lack the context needed to identify and stop attacks that target the unique logic of each API.

If businesses don't have visibility into their APIs over time, they can't understand their full business exposure or adequately prioritize their risk management.

How Can Organizations Begin to Protect Their APIs?

Teams must be educated about API security

Various resources are available to help organizations thrive in an API-security-driven world. For example, OWASP offers multiple courses, white papers, and live demos to help organizations with their API security goals. The OWASP API Security Top 10 list represents a critical first step in API security and gives organizations the knowledge they need to understand the top API security vulnerabilities and how API attacks differ. 62% of all API attack attempts use at least one of the security vulnerabilities outlined in this important list, yet, according to Salt Security's Q3 State of API Security Report, many organizations don't utilize this valuable resource.

Business leaders must educate their teams about API security best practices. They need to ensure that authentication and authorization controls have been appropriately established and implemented. They should stay informed about recent and well-known API security incidents to learn what caused the issues and how to prevent them within their own organization.

Organizations need to assess their current level of risk

With API security risks becoming more and more prevalent, companies must also understand where their vulnerabilities and gaps in security strategies and programs may exist.

This starts with API discovery. Shadow, or unknown APIs, and zombie, or outdated APIs represent top API security concerns. According to our research, 42% of organizations list zombie APIs as their top API security concern. As companies build new APIs, they often fail to deprecate older versions, which can leave them vulnerable. Companies need to have a complete inventory within their API ecosystem to adequately defend themselves.

Attack surfaces are continuously growing and becoming more complex. Companies must be able to apply API discovery practices on applications running on-prem and in the cloud. It only takes a single unknown API to present a potential security risk.

Companies should start with runtime protection and then shift left

Companies already have APIs running throughout their environment, and those APIs need protection right now. By continuously monitoring APIs and establishing runtime protection, organizations can immediately start protecting their critical services and assets from threats.

Most attacks on APIs target gaps in logic flow. Because pre-production API testing and scanning can't spot these gaps, you must have API visibility in runtime. Unfortunately, our research finds that only 30% of organizations remediate API security issues in runtime. With 94% of organizations experiencing API incidents, this needs to change! Runtime protection delivers immediate insights to speed up API threat detection and response.

Shift-left helps organizations think strategically about improving their security posture as they move forward in the future. However, shift-left strategies can never be a total replacement for runtime protections.

Applying shift-left practices supports your API security strategy by integrating API security findings back into the development process. By establishing security guidelines and parameters at the start of the development process, shift-left capabilities can help safeguard assets yet to be developed and strengthen future APIs.

Companies must tap the power of cloud-scale big data and artificial intelligence

To identify the "low and slow" approach of API attacks requires deep context over time; API attacks can take weeks and months to unfold. An API security solution must have the ability to correlate activities across millions of APIs and users and provide real-time analysis of that data. Only cloud-scale big data combined with AI can capture this depth of context and provide the insights needed to spot normal versus potentially malicious API behaviors.

API Security Must Be a Top Priority for All Companies

Reliance on APIs is continuing to grow as APIs become ever more imperative to organizational success. However, current security tools and processes can't keep pace with new API protocols and attack trends. Organizations must move from traditional security practices and last-generation tools to a modern security strategy that addresses security at every stage of the API lifecycle and facilitates increased API security collaboration across teams.

Companies need to remember that everyone can be a target, no matter how big or small a company may be. Attacks on APIs are becoming more widespread as cyber criminals continuously become more tactful with their techniques. That's why it's even more critical than ever to make sure that your APIs are as well-protected as other elements of your applications.

Stephanie Best is Director of Product Marketing at Salt Security
Share this

Industry News

March 21, 2023

OpenText launched the latest version of ValueEdge -- an innovative modular, cloud-based DevOps and value stream management (VSM) platform.

March 21, 2023

Oracle announced the availability of Java 20, the latest version of the programming language and development platform.

March 21, 2023

Rafay Systems introduced Environment Manager, a solution that empowers enterprise platform teams to improve the developer experience by delivering self-service capabilities for provisioning full-stack environments.

March 20, 2023

To meet the growing demand for Oracle Container Engine for Kubernetes (OKE) with global organizations, Oracle Cloud Infrastructure (OCI) is introducing new capabilities that can boost the reliability and efficiency of large-scale Kubernetes environments while simplifying operations and reducing costs.

March 20, 2023

Perforce Software joined the Amazon Web Services (AWS) Independent Software Vendor (ISV) Accelerate Program and listed its free Enhanced Studio Pack (ESP) in AWS Marketplace.

March 20, 2023

Aembit, an identity platform that lets DevOps and Security teams discover, manage, enforce, and audit access between federated workloads, announced its official launch alongside $16.6M in seed financing from cybersecurity specialist investors Ballistic Ventures and Ten Eleven Ventures.

March 16, 2023

Hyland released Alfresco Content Services 7.0 – a cloud-native content services platform, optimized for content model flexibility and performance at scale.

March 16, 2023

CAST AI has announced the closing of a $20M investment round.

March 15, 2023

Check Point® Software Technologies introduced Infinity Global Services, an all-encompassing security solution that will empower organizations of all sizes to fortify their systems, from cloud to network to endpoint.

March 15, 2023

OpsCruise's Kubernetes and Cloud Service observability platform is certified to run on the Red Hat OpenShift Kubernetes platform.

March 14, 2023

DataOps.live released an update to the DataOps.live platform, delivering productivity for data teams.

March 14, 2023

CoreStack and Zensar announced a strategic global partnership. CoreStack will provide its AI-powered NextGen cloud governance and FinOps capabilities, complementing Zensar’s composable cloud operations offering.

March 14, 2023

Delinea introduced the Delinea Platform, a cloud-native foundation for Delinea's PAM solutions that empowers end-to-end visibility, dynamic privilege controls, and adaptive security.

March 13, 2023

Sysdig announced a new foundation that will serve as the long-term custodian of the Wireshark open source project.

March 13, 2023

Talend announced the latest update to Talend Data Fabric, its end-to-end platform for data discovery, transformation, governance, and sharing.