API Security in 2023: What You Need to Know for Effective API Security

By Filip Verloy, Field CTO EMEA, Noname Security.

Research across 2022 validated Gartner's previous prediction that, by 2023, APIs will become the most frequent attack vector for threat actors globally. Indeed, this is the year that companies will no longer be able to ignore the risk posed by insecure APIs. For a business to design and execute an effective API security strategy, it is essential to understand what the API security landscape will look like in 2023.

APIs Are Data Pipelines That Will Continue to Attract More Attackers

The continued move to cloud-native applications will expose both infrastructure and application APIs. API hacking will continue to be a popular threat vector, as APIs become a critical pipeline in modern organisations for those looking to access sensitive data.

Whether through a mobile application or website, APIs interact with business logic and allow adversaries to understand exactly how a company is processing information and data. This makes APIs a major area of vulnerability for organisations.

Top API Security Risks of 2023

Organisations are using more solutions to secure every potential entry point against cybercriminals. Security teams have a lot to manage, and such tasks can quickly become complex and difficult to handle. APIs are increasingly being used to drive integrations between the various existing security solutions – minimising the oversight required to maintain security across the organisation.

The adoption of newer API protocols will pose some challenges for existing vendors, and the use of API translation layers between older protocols and newer ones will increase the attack surface in unexpected ways.

However, to mitigate the ever-evolving risks, the API security category will also continue to expand in 2023. Current definitions of API security can include capabilities offered by network elements (API Gateways, Web Application Firewalls, Load Balancers, etc.). This is in addition to the capabilities offered by new entrants that gate test API implementations, monitor APIs at runtime, and perform posture management of infrastructure and more.

In 2023, we will likely see a continued progression of API security into other areas, like API identity and access and data security.

Top Security Attack Sectors

As the digital transformation continues across multiple industries, APIs are making digital visions a reality and enabling manufacturers to adopt newer technologies and move away from heavy-lifting manual tasks with automation.

Our recent API security report showed that the manufacturing sector experienced more API security incidents than any other sector that was surveyed. As manufacturing organisations continue to embrace and adapt to the fourth industrial revolution, the sector will see an increased focus and dependency on using APIs to establish those environments.

As a result, it is likely that the manufacturing industry and sectors relying on large machinery, such as utility providers, will become the riskiest attack sectors in 2023 and beyond.

Financial Services Sets the Pace in API-led Transformation

API-led banking initiatives are at the centre of today's digital transformation in financial services, increasingly becoming the primary software enabler for critical business processes and sensitive data exchange.

Open banking standards, real-time payments, crypto wallets, and a range of FinTech service offerings continue to push the industry towards API-first and cloud-friendly technologies. This transformation creates new attack surfaces, regulatory risks and data loss potential that legacy controls are poorly equipped to handle.

In 2023, the accelerated transition to real-time payments via public internet channels and the move from batch file transmission to API calls will create new risks and vulnerabilities for the financial services sector.

Meanwhile, financial institutions will increase their pursuit of ancillary API-led services, such as pricing, quantitative analytics, ML services and others which present them with a range of business accelerants at lower costs and faster delivery times. This cycle of continuous innovation propels the use of APIs across the sector. However, the speed at which both fintech and traditional banks are bringing these services to market introduces new security concerns.

Securing APIs is crucial

The accelerating use of APIs and digital transformation initiatives will continue to shine the spotlight on API security in the finance and manufacturing sectors. However, all organisations must ensure that their APIs are secure, regardless of industry.

Key steps to achieve an effective API security strategy include:

More robust API security practices

Better maintenance of accurate inventories

Ensuring companies have accurate information on which APIs control and exchange sensitive information and processes, mainly where third parties are concerned.

Frequent and accurate API security testing, particularly in pre-production and when working with third parties.
