Tencent Cloud

Web Application Firewall


API Exposure Management

Last updated: 2023-12-29 14:53:43

Background

Although most of today's digital experiences are delivered through APIs, API security remains a top concern for CISOs. As digital transformation spreads across industries and attacks targeting APIs increase, the gap between the API security that organizations have and what they actually need keeps widening, leaving them with opaque attack surfaces and without adequate protective measures.
APIs now sit at the center of the digital experience, supporting the core features of mobile and web applications, microservice architectures and regulatory requirements. According to Akamai's statistics, API requests account for 83% of all application requests, and the number of API calls is expected to reach 42 trillion in 2024. At the same time, APIs have become a prime target for attackers because they are easier to attack than traditional web forms. Gartner's prediction that API abuse would be the most common attack type by 2022 underlines the seriousness of the problem, which arises from the following challenges:

Migrating applications to the cloud increases attack surfaces

As cloud computing has come into widespread use, SaaS applications are increasingly migrated to the cloud and reach more users, which exposes their APIs on the Internet. Unlike a traditional data center with a single ingress point, a cloud deployment exposes APIs on both East-West (service-to-service) and North-South (client-to-service) traffic paths, so both can become part of the API attack surface.

API security is neglected to fuel innovation

Agile development is a popular methodology that values individuals and interactions, working software, customer collaboration and responding to change. While it increases innovation speed and flexibility, proper measures to ensure API security are often left out when software is built under those constraints.

Attack risks are incurred due to API invisibility

APIs are created by developers in the course of building features, so few people outside the team know that they exist or who maintains them. Unprotected APIs, meanwhile, can be discovered and attacked through network traffic analysis, reverse engineering of client code, and security vulnerabilities in the API itself.

Security measures are missing due to underestimation of API risks

The likelihood and impact of API risks are seriously underestimated when applications are operated, so APIs, including third-party APIs, are not adequately protected.
To implement API governance, proper management of API assets and of the API attack surface needs to be prioritized.

About API Exposure

API exposure can be classified into two types:

Type: Data exposure through APIs
Description:
  Data exposure occurs through internal APIs.
  Data exposure occurs through partner APIs.
  Data exposure occurs through zombie APIs (deprecated or forgotten endpoints that remain reachable).
  Data exposure occurs through external APIs.
  Data exposure occurs through trial APIs.

Type: Data exposure through parameters
Description:
  Data exposure occurs through sensitive parameters in APIs.
  Data exposure occurs through backend parameters in APIs.

API exposure gives attackers a way to exploit insufficiently protected APIs, leading to security incidents such as data leakage, privilege leakage and API abuse.
Likewise, sensitive and backend parameters in open APIs are easy for attackers to identify and abuse.

Detecting API Exposure

1. Reduce risk exposure by automatically identifying API call relationships and keeping a comprehensive, continuously updated inventory of all APIs.
2. Reduce data exposure by continuously monitoring sensitive data flows and defining custom sensitive data detection rules.
3. Identify unsafe operations by continuously classifying access accounts and recording their behavior across multiple dimensions.

The cornerstone of exposure detection is API discovery, which is provided by API Analytics. It lets you discover and manage APIs, monitor the exposure surface, and view comprehensive information about sensitive assets (such as tag, risk level and status).
Note
API Analytics is currently in beta and supports at most 3 domain names. To use this feature, submit a ticket.
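To make the two exposure types in the table above and the discovery steps in this section concrete, the following is an added example of a minimal API discovery pass over access logs. It is not Tencent Cloud WAF or API Analytics code, and the log lines, the declared inventory and the parameter name lists are all constructed for the example. It builds an endpoint inventory from traffic, reports endpoints that are not in the declared inventory (the "zombie" v1 and undocumented internal and partner endpoints), and flags sensitive and backend parameter names, which is the same kind of inventory and parameter classification that API Analytics automates.

```python
"""Added example: API inventory and exposure checks over access logs.

Not Tencent Cloud WAF code. Log lines, the declared inventory and the
parameter name classes are constructed for illustration only.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log lines in the form: METHOD PATH?QUERY STATUS
SAMPLE_LOG = """\
GET /api/v2/users/1001?phone=13800000000 200
GET /api/v2/users/1002?id_card=110101199001011234 200
POST /api/v2/orders?debug=true 200
GET /api/v1/users/1001 200
GET /partner/v1/export?api_key=abcd1234 200
GET /api/v2/orders/77 200
GET /internal/health 200
"""

# The inventory the team believes it has published (constructed).
DECLARED = {
    ("GET", "/api/v2/users/{id}"),
    ("POST", "/api/v2/orders"),
    ("GET", "/api/v2/orders/{id}"),
}

# Assumed parameter classes; a real deployment would use its own
# custom sensitive data rules instead of these short lists.
SENSITIVE_PARAMS = {"phone", "id_card", "email", "api_key", "token"}
BACKEND_PARAMS = {"debug", "admin", "internal", "trace"}

LINE_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) (?P<status>\d{3})$")


def normalize_path(path):
    """Collapse purely numeric path segments into {id} so that
    /users/1001 and /users/1002 count as one endpoint."""
    return "/".join("{id}" if seg.isdigit() else seg for seg in path.split("/"))


def discover(log_text, declared=DECLARED):
    """Return the discovered inventory plus exposure findings."""
    inventory = defaultdict(int)     # (method, path template) -> hit count
    sensitive = defaultdict(set)     # endpoint -> sensitive parameter names
    backend = defaultdict(set)       # endpoint -> backend parameter names
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                 # skip lines that are not in the expected shape
        parts = urlsplit(m["target"])
        endpoint = (m["method"], normalize_path(parts.path))
        inventory[endpoint] += 1
        for name, _ in parse_qsl(parts.query, keep_blank_values=True):
            if name in SENSITIVE_PARAMS:
                sensitive[endpoint].add(name)
            if name in BACKEND_PARAMS:
                backend[endpoint].add(name)
    # Anything seen in traffic but absent from the declared inventory is a
    # shadow or zombie endpoint (old version, internal or partner API).
    undeclared = sorted(ep for ep in inventory if ep not in declared)
    return {
        "inventory": dict(inventory),
        "undeclared": undeclared,
        "sensitive": {ep: sorted(v) for ep, v in sensitive.items()},
        "backend": {ep: sorted(v) for ep, v in backend.items()},
    }


if __name__ == "__main__":
    result = discover(SAMPLE_LOG)
    for ep, hits in sorted(result["inventory"].items()):
        print(f"{ep[0]:5} {ep[1]:<24} hits={hits}")
    print("undeclared:", result["undeclared"])
    print("sensitive params:", result["sensitive"])
    print("backend params:", result["backend"])
```

On the constructed log, the pass finds six endpoints, reports the v1 users endpoint, the partner export endpoint and the internal health endpoint as undeclared, flags `phone`, `id_card` and `api_key` as sensitive parameters, and flags `debug` on the orders endpoint as a backend parameter. Path normalization is deliberately crude (numeric segments only); a production discovery engine also has to handle UUIDs, slugs and versioned hosts, which is where a managed product such as API Analytics earns its keep.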



