Cybersecurity 101: Taking Steps to Secure APIs

By Liad Bokovsky, VP, Solution Consulting, Axway.

  • 2 years ago Posted in

Today’s cybercriminals are relentlessly targeting organisations large and small, looking for every and any opportunity where poor or immature security practices give them a foot in the door. With 39% of UK businesses confirming they’ve already been the target of a cyberattack in 2022, application programme interface (API) attacks are emerging as a major problem for today’s digital enterprises.

Providing access to critical data and systems, software components and microservices, APIs have become the ‘connective tissue’ that powers today’s modern applications. But as the use of APIs grows, hackers are taking advantage of poorly secured and managed APIs to commit API traffic attacks and infiltrate and steal exposed data – everything from names, emails, and physical addresses to account numbers and more. For example, last year LinkedIn suffered a significant breach which saw criminals use LinkedIn’s API to steal data from around 700 million LinkedIn users. With Gartner predicting that APIs will become the top infiltration attack vector for enterprise web applications in 2022, organisations need to act now if they want to avoid API security lapses that could expose sensitive data or leave their services open to DDoS attacks.

The pros and cons of APIs

While APIs have tremendously improved access to applications and services in software architectures, the accelerating pace of digital transformation means their massive growth in usage has created some significant security challenges. According to a recent Gartner report, the percentage of third-party APIs used in applications is projected to grow by around 30% - up from less than 10% in 2021. It’s a trend that’s set to expose organisations to a host of potential vulnerabilities that include unencrypted data transport, cross site scripts and malware code injection.

Added to which, enterprises are now introducing a massive number of APIs at scale and speed. Implementation haste and API sprawl are both contributing to a rising number of unmanaged and poorly secured APIs that create openings for highly damaging API traffic attacks. So much so that API security lapses rose an astounding 681% in 2021.

Since APIs open up network-accessible interfaces that may not have been previously exposed, securing APIs and getting to grips with all aspects of API management and governance should be a top priority for any organisation looking to participate in the API-first economy.

Let’s take a look at three key steps tech leaders and CISOs should take to secure their APIs.

1 Take control with API gateways

Investing in the right API gateway will be critical for ensuring that only authenticated users can access backend APIs and establishing rules around how data requests are handled. Providing threat protection from hackers, malware and/or anonymous outsiders to prevent DDoS or SQL injection attacks, an API gateway should be able to work with existing authorisation mechanisms and provide centrally managed access rights to each individual method of an API.

An effective API management solution will monitor API uses, alerting managers to any unusual or suspicious behaviours that could indicate a threat actor is at work. Combined with centralised API

governance, this enables organisations to bolster their defence-first strategies in a highly structured manner.

2 Put the right API management solution in place

API security requires a combination of technologies and processes. Because APIs are unique to every individual organisation, businesses need to have a detailed view of all their APIs and deep understanding of their behaviours. This will be vital for ensuring that API design, implementation and management are done properly, that security practices are optimised, and that any API back doors are closed.

With the right API management platform in place, organisations should be able to discover and secure all their APIs and endpoints across all environments and vendors. Utilising a central control plane that makes it possible to spot vulnerabilities and adjust quickly.

3 Finding a balance between speed and security

The complexity of API security could potentially put the brakes on innovation, but that doesn’t have to be the case. With the right API management foundation in place, organisations can enable an API-powered architecture that supports the development of new open services without compromising on consistent security and governance.

For example, offering developers a catalogue of APIs all managed via a single platform can significantly accelerate the delivery of new services through a ‘build once, reuse many times’ strategy. What’s more, creating a secure portal that enables developers to discover and consume interoperability APIs can help cut compliance risks and costs by automating what was previously a manual onboarding process.

Innovate with confidence

Cyberattacks and breaches are big business and APIs represent a rich target for attackers who are aggressively targeting APIs, on the hunt for any vulnerability or weakness that will provide an entry point for their activities.

As organisations ramp up their implementation of APIs, security cannot and must not be an afterthought. Those companies that have a defence-in-depth strategy, together with centralised API governance, will be able to withstand a hack more confidently than those without the proper governance protocols.

Utilising an API management platform that delivers all the visibility, monitoring and strong authentication procedures that needed to avoid API security lapses will enable organisations to boost their agility when it comes to delivering new digital experiences for customers – while keeping their data safe.

By Manuel Sanchez, Information Security and Compliance Specialist, iManage.
Anita Mavridis, VP of Product at Zivver, and Sue Musumeci, Director of Quality & Clinical...
By Danny Lopez, CEO of Glasswall.
Nadir Izrael, Co-Founder and CTO at Armis discusses the importance of critical infrastructure...
By Darren Thomson, Field CTO EMEAI at Commvault.
By Asher Benbenisty, Director of Product Marketing at AlgoSec.
By Steve Purser, former Head of Core Operations at the EU Agency for Cybersecurity, and Zivver’s...
By Graham Jarvis, Freelance Business and Technology Journalist, Lead Journalist, Business and...