Two separate reports concerning application programming interface (API) security suggest that attacks against APIs are starting to increase in both volume and severity.
A survey of 1,629 cybersecurity professionals conducted by Ponemon Institute on behalf of Traceable AI, a provider of a platform for securing APIs, finds nearly three-quarters (74%) work for organizations that suffered three or more breaches involving APIs in the past two years.
Meanwhile, an analysis of cybersecurity breaches in 2022 conducted by FireTail, another provider of a platform for securing APIs, found only 12 publicly recorded breaches involving APIs, with six more disclosed so far this year. However, the average size of an API data breach exposure is over 10 million records per incident. With the total cost of a single breached record being $180, the total cost of API security breaches can easily be as high as $85 billion, the report found.
The top two categories of data breaches involving API security are authorization, at 135 million records, or 28% of all records breached, and authentication, at 105 million records, or 22% of all records breached.
The Traceable AI survey shines a light on how challenging API security has become. Organizations on average have 127 third-party API connections, but only a third (33%) are confident in their ability to manage external threats, the survey finds. Nearly half of respondents (48%) are already trying to come to terms with API sprawl. Well over a third (39%) are challenged by keeping track of their organization’s inventory of APIs.
Despite an increasing number of API-related breaches, however, only 52% of respondents felt the urgency to understand which APIs are most vulnerable based on a security risk profile. A slightly higher percentage (54%) deemed the identification of API endpoints that handle sensitive data a high priority.
There are two fundamental issues that result in not enough attention being paid to API security. The first is that too many cybersecurity and IT teams are under the impression that existing tools such as web application firewalls (WAFs) will sufficiently protect their APIs, even though the Traceable AI survey finds 57% of respondents are aware that traditional security solutions such as WAFs can’t effectively distinguish genuine from fraudulent API activity. Only 38% said they can’t discern the intricate context between API activity, user behaviors and data flows. Despite that lack of visibility, however, vendors such as Palo Alto Networks maintain that API security is for all intents and purposes an extension of a more robust approach to application security. Each organization will need to decide for itself what approach makes the most sense, but either way there clearly needs to be more attention paid to API security.
The second issue goes to the heart of the cultural disconnect between the developers who create APIs and the cybersecurity teams that are at least nominally responsible for securing them. Most developers don’t have a lot of cybersecurity expertise, so the odds that there will be easily exploited vulnerabilities in APIs are fairly high. Unfortunately, far too many developers don’t alert cybersecurity teams when APIs have been added to production environments, so the number of externally facing APIs is usually a lot higher than cybersecurity teams are aware of. In addition to those rogue APIs, there are also a fair number of so-called zombie APIs that are no longer maintained but can still be exploited by cybercriminals to exfiltrate data.
There’s no doubt that the number of APIs that will need to be secured in the months ahead is going to increase exponentially. The challenge, and the opportunity, now is to get ahead of that explosion by embracing more robust DevSecOps practices for APIs rather than trying to secure an expanded attack surface after it’s already being exploited.