Security leaders say that many organizations have slowed down API production due to API security issues
CISOs point out that for the second time over last few months, researchers and organizations have sounded alarm on threats to the overall enterprise security due to insecure application programming interfaces (APIs).
Leaders have constantly said that their increased exposure to API-related breaches is a direct result of organizations continuing to avoid addressing the API liabilities similar to the application liabilities.
A large majority of the enterprises have suffered from an API-based problem in 2020. Most of them have acknowledged finding liabilities in their APIs, authentication problems, and identified issues due to bots and data scraping tools.
One of the most common API security incidents reported in the last year was identifying a liability in a production API. It highlights the fact that enterprises are using the “shift left” principles and embedding security controls much earlier into the development life cycle. Unfortunately, such efforts are still falling short.
Enterprises need to complement the security strategies that they implement during the build and deploy phase with runtime security.
The second most common incident was based on authentication issues – attackers were able to manipulate authentication to enable them to try and gain access to sensitive information.
Account misuse and denial of service attacks were other common problems, where threat actors launched a sufficient number of manipulated API traffic to try and disturb the apps behind the APIs. Security experts say that APIs present a drastic level of risk to enterprises. Hackers are taking complete advantage of the situation and current technologies and strategies are not providing the required protection.
APIs enable application components and applications to interact with each other on internal networks and more, over the Internet. At the initial stages, APIs were generally utilized on secure private communications channels and networks. In the current times they have become quite integral to enterprise measures to make legacy systems and internal applications and services available and accessible to partners, suppliers, third parties, business customers, etc., over the Internet.
An enterprise can have thousands of APIs that connect internal apps to the outside world and each other. Analysts point out how APIs can provide a direct path from outside to applications and critical data of an organization, if not secured properly.
Leaders observe that the most common method used by attackers to exploit API liabilities is by manipulating objects like user ID number- basically data that an API may have the authority to access.
Such hackers authenticate the app, start interactions by using their individual user ID and then shift the object to a different user ID in the middle of a subsequent API call. Post this; the attackers can easily access sensitive data associated with that of the other ID.
CISOs acknowledge that addressing such problems needs a solid API security strategy. It means having protocols required for protecting APIs across the complete life cycle. Enterprises need to have the controls to validate APIs during the build stage, deploy stage, and when they are deployed in production.
Enterprises should consider developing collaboration between the teams building APIs and the teams responsible for protecting the services and data to which APIs are connected.