The need for robust API security is growing rapidly in response to the increasing dependence of organizations on APIs for their digital operations.
With roughly 70% of respondents to a recent report expecting to use more APIs in 2023 than in 2022, the challenge for API security keeps growing, yet API security still accounts for only about 4% of the testing effort at organizations today.
The 4th annual State of the APIs Report collected insights from more than 850 global developers, engineers, and leaders from across the technology community spanning over 100 countries including the US, the UK, Germany, and India.
The increase in API usage is especially prominent in telecommunications, which is projected to rise to 72%, up from 59% last year, followed by smaller but still considerable increases in technology and professional services.
Mark O’Neill, VP analyst and chief of research for software engineering at Gartner, correctly predicted in 2021 that by this year API breaches would be the number-one threat vector for web applications.
“Part of the reason for that is because with mobile and web apps, along with any other type of modern application that you’re using, it all involves the use of APIs,” O’Neill said.
Gartner research has estimated that by 2025, fewer than half of enterprise APIs will be managed, as explosive growth in APIs surpasses the capabilities of API management tools and “security controls try to apply old paradigms to new problems.”
This vast number of APIs floating around the organization is further complicated by multiple teams building and managing APIs all while using different cloud platforms and frameworks, according to O’Neill.
“When you have different platforms where your teams are building and deploying APIs, there’s no one place to put the gateway, which is a problem for traditional API management solutions,” O’Neill said.
To secure this wide API landscape, many companies have deployed multiple gateways. That puts more APIs behind a gateway, but it creates a new problem: learning how to manage all of those gateways together.
“Many clients have asked us for a federated solution that would work across different API gateways and allow teams to have a single picture of their API traffic and to have a single control plane for management and security, but at the moment, that is a gap in the market,” O’Neill said.
A single federated solution would let teams define authentication and authorization policies once and apply them across different APIs, ensuring that only the right users have access to the right resources. It would also let administrators configure rate limiting and other controls, such as IP allow and deny lists, against abusive traffic.
With such a solution, teams would also gain visibility into API performance and usage, allowing them to identify and address potential security issues quickly.
A hodgepodge of APIs in use
The other problem APIs present for API management solutions is that there are many different types of APIs in use.
The API jumble often consists of REST, webhooks, WebSockets, SOAP, GraphQL, Kafka, AsyncAPI and gRPC, if not more.
“If you look at a typical organization that has deployed API management, they may believe that all of their APIs are being managed on one platform,” O’Neill said. “But typically, there are a lot of other APIs that they have that are part of web applications, part of mobile apps, and they’re not managed, they’re effectively under the radar for that organization. And these are the ones that get breached.”
The APIs to watch out for in particular are GraphQL APIs, according to O’Neill. Clients can issue very wide and deep queries over the data graph, which is also the downside: because a single query can traverse any relationship the schema exposes, endpoint-level access control rules do not fit, and authorization has to be enforced per field or resolver. The complexity of a query makes it hard to predict in advance what data it will reach.
Additionally, argument values are usually passed in a separate variables object rather than in the query text, so input validation has to cover the variables and not just the query document. GraphQL requests are typically stateless HTTP calls, which means every request must carry credentials and be authenticated and authorized individually. GraphQL is also relatively new, so many organizations are still building up their security teams’ skills around GraphQL and graph APIs in general.
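The usual practitioner answer to the "wide and deep" problem is to analyse the query before any resolver runs: bound its depth and field count, and check the fields it asks for against the caller's scopes. The following is an added example written for this article, not code from Gartner or from any GraphQL product. It contains its own small parser for the part of the GraphQL grammar it needs, and its field names, scope names, limits and sample queries are all hypothetical. Constructs it does not analyse (named fragment spreads and directives) are rejected outright, because a guard that under-counts depth it did not see is worse than none.

```python
"""GraphQL pre-execution guard: selection depth, field count and per-field scopes.
Added example for this article, not code from Gartner or any product; the field names,
scopes and limits are hypothetical. Constructs the guard does not analyse (named
fragment spreads, directives) are rejected outright so depth is never under-counted."""
import re

_TOKEN = re.compile(
    r'(?P<skip>\s+|,|#[^\n]*)'              # insignificant: whitespace, commas, comments
    r'|(?P<str>"(?:\\.|[^"\\\n])*")'        # string literal (only appears inside arguments)
    r'|(?P<punct>\.\.\.|[{}():!$@=\[\]])'
    r'|(?P<name>[_A-Za-z][_0-9A-Za-z]*)'
    r'|(?P<num>-?\d+(?:\.\d+)?)')

def _tokenize(src):
    tokens, pos = [], 0
    while pos < len(src):
        m = _TOKEN.match(src, pos)
        if not m:
            raise ValueError(f"unexpected character {src[pos]!r} at offset {pos}")
        pos = m.end()
        if m.lastgroup != "skip":
            tokens.append((m.lastgroup, m.group()))
    return tokens + [("eof", "")]

class QueryStats:
    """Parses one operation and records depth (top level = 1), field count and field names."""
    def __init__(self, src):
        self.toks, self.i = _tokenize(src), 0
        self.depth, self.fields, self.names = 0, 0, set()
    def take(self, expected=None):           # consume one token, optionally checking its text
        kind, text = self.toks[self.i]
        if expected is not None and text != expected:
            raise ValueError(f"expected {expected!r}, got {text!r}")
        self.i += 1
        return kind, text
    def skip_parens(self):                   # arguments / variable definitions are opaque here
        depth = 0
        while True:
            kind, text = self.take()
            if kind == "eof":
                raise ValueError("unbalanced parentheses")
            depth += (text == "(") - (text == ")")
            if depth == 0:
                return
    def document(self):
        if self.toks[self.i][1] in ("query", "mutation", "subscription"):
            self.take()
            if self.toks[self.i][0] == "name":   # optional operation name
                self.take()
            if self.toks[self.i][1] == "(":      # variable definitions such as ($id: ID!)
                self.skip_parens()
        self.selection_set(level=1)
        if self.toks[self.i][0] != "eof":        # fragment definitions or a second operation
            raise ValueError("multiple operations or fragment definitions are rejected")
        return self
    def selection_set(self, level):
        self.take("{")
        self.depth = max(self.depth, level)
        while self.toks[self.i][1] != "}":
            kind, text = self.take()
            if kind != "name" and text != "...":
                raise ValueError(f"unexpected token {text!r} in selection set")
            nxt = self.toks[self.i][1]
            if text == "...":
                if nxt == "on":                  # inline fragment "... on Type { }": same level
                    self.i += 2                  # skip "on" and the type name
                elif nxt != "{":                 # a named spread hides depth behind a name
                    raise ValueError("named fragment spreads are rejected")
                self.selection_set(level)
                continue
            if nxt == ":":                       # alias: the real field name follows the colon
                self.take()
                kind, text = self.take()
                if kind != "name":
                    raise ValueError("alias without a field name")
            self.fields += 1
            self.names.add(text)
            if self.toks[self.i][1] == "(":
                self.skip_parens()
            if self.toks[self.i][1] == "@":
                raise ValueError("directives are rejected")
            if self.toks[self.i][1] == "{":
                self.selection_set(level + 1)
        self.take("}")

SCOPED_FIELDS = {"email": "pii:read", "ssn": "pii:read", "cardNumber": "payments:read"}  # hypothetical

def analyze(query):
    return QueryStats(query).document()

def check_query(query, scopes, max_depth=5, max_fields=50, scoped_fields=SCOPED_FIELDS):
    """Return (allowed, reason); any parse problem rejects the query (fail closed)."""
    try:
        stats = analyze(query)
    except ValueError as exc:
        return False, f"rejected: {exc}"
    if stats.depth > max_depth:
        return False, f"depth {stats.depth} exceeds limit {max_depth}"
    if stats.fields > max_fields:
        return False, f"{stats.fields} fields exceed limit {max_fields}"
    missing = sorted(f for f in stats.names if f in scoped_fields and scoped_fields[f] not in scopes)
    if missing:
        return False, f"fields {missing} require scopes the caller lacks"
    return True, "ok"

# Constructed sample queries: PII access, a six-level friend chain, and a named fragment spread.
PII_QUERY = "{ me { name email } }"
DEEP_QUERY = "query Spy($id: ID!) { user(id: $id) { friends { friends { friends { friends { friends { name } } } } } } }"
SPREAD_QUERY = "query { me { ...Secret } } fragment Secret on User { email }"
```

`check_query(PII_QUERY, {"profile:read"})` is refused because `email` needs `pii:read`, `check_query(DEEP_QUERY, {"pii:read"})` is refused at depth 7, and `SPREAD_QUERY` is refused before execution because the spread could smuggle depth in through a fragment. Note that this guard only sees the query document; the variables object the paragraph mentions still has to be validated separately against the schema's argument types.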
Another challenge is to consider where all of your APIs are coming from.
While internal APIs were still the most common type developers reported working on for their organization, more developers in 2022 reported working on partner-facing or third-party APIs than the year before. In addition, the SaaS applications that developers rely on bring their own sets of APIs.
The percentage of developers who reported working on partner-facing and third-party APIs grew by almost 5% in 2022 compared to 2021, according to the 2022 State of the API report. This change was even more dramatic with partner-facing APIs in industries like technology, which grew by nearly 10%.
One hotspot of security issues is APIs that expose data: customer data, preferences and account information of all kinds. Another is APIs that perform an action, because an action often means a transaction, so payment information may be at risk, O’Neill said.
“One is the whole area of loyalty cards where you get points for making purchases, traveling, and so on. Those involve many APIs. So you have an API to look up how many points a certain person has or you have an API to spend the points. We’ve seen security breaches where attackers have been able to find people who have accrued many points and then spend those,” O’Neill said. “Often the person is not aware, because they simply were not aware that they were running up all these points in the first place, and then they’re not aware when they get spent.”
Best practices for API security
The first step toward API security is to catalog all of the APIs in the organization and keep an inventory. Often, companies only look at their existing API gateway to see what APIs are registered there, but even multiple gateways don’t paint the complete picture, O’Neill explained.
“The way that we advise people to do this is to see what APIs your business depends on,” O’Neill said. “So those of course can be your own APIs, but they can also be APIs that you’re consuming from third parties as well. It’s going to be a problem if those APIs suffer a security breach, if they are unavailable, or if they are just simply changing and creating breaking changes. So API discovery is a hard problem because you have to look in multiple places for the APIs.”
One approach is simply to ask the internal product managers, who in turn ask engineering leaders what APIs their teams are building.
There are also solutions on the market that tap into web application firewalls at the CDN level to inspect traffic and see what API calls are actually being made.
“That approach can in many ways be too late because those APIs that you’re discovering are already in production. But still, it’s better than not discovering them at all,” O’Neill said.
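What the traffic-based discovery O’Neill describes looks like in practice is a diff between what the edge actually serves and what the gateway knows about. The example below is written for this article (it is not a product’s code or Gartner’s): it parses constructed combined-format access log lines of the kind a CDN or WAF exports, collapses record identifiers in paths into `{id}` templates, and compares the observed (method, template) pairs against a constructed inventory of registered endpoints. The identifier heuristics, the sample log lines and the registered inventory are all assumptions made for the demo.

```python
"""Shadow-API discovery from edge traffic logs, compared against a gateway inventory.
Added example for this article, not a product's code; the log lines, the registered
inventory and the identifier heuristics are constructed for the demo."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache/NGINX combined log format, which most CDN and WAF access-log exports resemble.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+'
    r'(?: "[^"]*" "(?P<ua>[^"]*)")?')
UUID_RE = re.compile(r'^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$', re.I)
HEX_RE = re.compile(r'^[0-9a-f]{8,}$', re.I)
STATIC_EXT = (".js", ".css", ".png", ".jpg", ".svg", ".ico", ".woff2", ".map", ".html")

def _is_identifier(segment):
    """Heuristic: path segments that look like record IDs collapse into one template."""
    if segment.isdigit() or UUID_RE.match(segment) or HEX_RE.match(segment):
        return True
    # Mixed alphanumerics such as account numbers; short version tags like "v2" survive.
    return len(segment) >= 6 and any(c.isdigit() for c in segment)

def normalize_path(target):
    """Turn a request target into an endpoint template: drop the query string, mask IDs."""
    parts = urlsplit(target).path.split("/")
    return "/".join("{id}" if _is_identifier(p) else p for p in parts) or "/"

def parse_log_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"method": m["method"], "path": normalize_path(m["target"]),
            "status": int(m["status"]), "ua": m["ua"] or ""}

def discover_endpoints(lines):
    """Count observed (method, template) pairs, skipping static assets and unparsable lines."""
    seen = Counter()
    for line in lines:
        rec = parse_log_line(line)
        if rec is None or rec["path"].lower().endswith(STATIC_EXT):
            continue
        seen[(rec["method"], rec["path"])] += 1
    return seen

def compare_with_inventory(observed, registered):
    """Endpoints seen in traffic but not registered (shadow APIs), and registered but unseen."""
    unmanaged = {ep for ep in observed if ep not in registered}
    unobserved = {ep for ep in registered if ep not in observed}
    return unmanaged, unobserved

# Constructed sample: what the gateway believes exists.
REGISTERED = {("GET", "/api/v1/users/{id}"), ("GET", "/api/v1/users/{id}/orders"),
              ("POST", "/api/v1/users"), ("POST", "/graphql")}

# Constructed sample traffic, in the shape a CDN or WAF might export it.
SAMPLE_LOG = [
    '203.0.113.7 - - [14/Feb/2023:10:01:02 +0000] "GET /api/v1/users/123 HTTP/1.1" 200 512 "-" "okhttp/4.9"',
    '203.0.113.7 - - [14/Feb/2023:10:01:03 +0000] "GET /api/v1/users/123/orders?page=2 HTTP/1.1" 200 2048 "-" "okhttp/4.9"',
    '198.51.100.23 - - [14/Feb/2023:10:02:11 +0000] "POST /graphql HTTP/1.1" 200 901 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [14/Feb/2023:10:02:12 +0000] "GET /internal/export/7f3a9c2e-1b4d-4e5f-8a6b-9c0d1e2f3a4b HTTP/1.1" 200 77213 "-" "python-requests/2.28"',
    '192.0.2.9 - - [14/Feb/2023:10:03:00 +0000] "GET /static/app.js HTTP/1.1" 200 31337 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [14/Feb/2023:10:03:05 +0000] "GET /loyalty/v2/points/ACC00912 HTTP/1.1" 200 88 "-" "LoyaltyApp/3.1 (iOS)"',
    '192.0.2.9 - - [14/Feb/2023:10:03:09 +0000] "DELETE /api/v1/users/456 HTTP/1.1" 204 0 "-" "curl/7.88"',
    '203.0.113.7 - - [14/Feb/2023:10:04:40 +0000] "GET /api/v1/users/789 HTTP/1.1" 200 499 "-" "okhttp/4.9"',
    'this line is corrupt and must be skipped',
]

if __name__ == "__main__":
    observed = discover_endpoints(SAMPLE_LOG)
    unmanaged, unobserved = compare_with_inventory(observed, REGISTERED)
    for method, path in sorted(unmanaged):
        print(f"UNMANAGED  {method:7} {path}  ({observed[(method, path)]} requests)")
    for method, path in sorted(unobserved):
        print(f"NO TRAFFIC {method:7} {path}")
```

On the sample the report flags three unmanaged endpoints: an internal export keyed by UUID, a loyalty points lookup (the pattern O’Neill singles out) and a DELETE on a user resource the gateway only registered for GET. It also flags one registered endpoint that received no traffic at all, which is worth a question in its own right. As O’Neill notes, everything found this way is already in production; the value of the diff is that it is repeatable, so it can be run on every log export rather than once.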
Using APIs to increase security
By collaborating through APIs, organizations can become more secure as a whole. One example is the Open Banking Initiative, which started in Europe and has since spread in popularity to North America.
The Open Banking Initiative began in January 2016, when the Competition and Markets Authority (CMA) in the UK issued a directive ordering the country’s nine largest banks to open up their customer data to third-party providers.
Since then, it has proved valuable because it has allowed financial institutions to create open APIs that outside organizations and their third-party developers can leverage, according to a MuleSoft blog post.
Rather than opening up the APIs to attack, the initiative enabled a secure form of data exchange that accelerates collaboration with outside organizations and reduces the risks of screen scraping, a technique in which a program extracts data from the human-readable output of another application.
Screen scraping is insecure because it requires customers to hand their login credentials to third-party aggregators, and every “scrape” also pushes significant traffic to the bank’s servers.
Open Banking initiatives give financial institutions a way to collaborate safely with third-party developers through APIs. Unlike screen scraping, this API-enabled data exchange does not strain or overload servers.
Market forecast for 2023
Cyberattacks and data breaches don’t pause for an economic slowdown. When prioritizing security investments, security leaders should continue to invest in controls and solutions that protect the organization’s customer-facing and revenue-generating workloads, as well as any infrastructure critical to health and safety in industries such as utilities, energy and transportation, according to Forrester’s Planning Guide 2023: Security & Risk.
“API-first is the de facto modern development approach, and APIs help organizations create new business models and methods of engagement with customers and partners. However, security breaches due to unprotected APIs and API endpoints are common and no single type of tool fully addresses API security,” the guide states.
API management tools address authentication and authorization, while API-specific security tools handle scanning and discovery. Some security tools go further, providing runtime protection and microgateways against API attacks, and traditional security tools such as web application firewalls (WAFs) and bot management solutions are also expanding to cover these attacks, the report added.
Gartner’s O’Neill said he is seeing large vendors take steps toward providing strong API protection, including by acquiring some of the smaller specialist API protection vendors that have emerged.
According to the 2022 State of APIs report, 69% of developers said that they expect to use APIs more in 2023 while 25% said that they expect about the same. Only about 6% stated that they expect less or they didn’t know.