Application Programming Interfaces (APIs) have become an integral part of the modern digital world. Used for everything from bank transactions and logins to control of smart devices and cloud platforms, they underpin an ever-increasing proportion of daily life.
However, while they offer a wide range of benefits for both organisations and users, they are also becoming an increasingly attractive attack vector for cybercriminals. Indeed, Gartner predicts that by 2024, API abuses and related data breaches will double and are becoming the most common attack vector.
APIs can be used to gain unauthorised access to core IT infrastructure and to mount a digital attack.
The security challenge is particularly acute when you consider the growing number of so-called ‘shadow APIs’ in use within many organisations. These APIs are not under the control of the IT department which means they tend to be unmanaged and unprotected.
According to a research report released by Cequence, the API Protection Report for the second half of 2022 there was a 900% increase in search attempts for shadow APIs compared with the first half of the year. The number of attempts worldwide in the six-month period was approximately 45 billion.
According to the report, one reason for the surge in activity during the second half of the year is that many organisations deploy new APIs to improve user experiences in the busy lead up to the December holiday season. They want transactions to be easy and seamless, leading to an increase in sales.
However, this environment also provides fresh opportunities for cyber attackers. They can use the large number of new APIs to test zero-day vulnerabilities which can then be exploited.
Challenge for telcos
Interestingly, the research report found the challenge of API security is particularly acute for telecommunications companies. This is because they are a high-value target as they have a wide attack surface and offer the prospect of gaining access to large numbers of end-user devices.
When compared with the retail sector, there were almost twice the number of tactics, techniques, and procedures (TTPs) mounted against telecom companies during the six-month period. Attackers targeted everything from legacy infrastructure top applications and devices.
Many of the API security challenges faced by telecoms operators stem from the fact that their network infrastructures have multiple points of entry. Many also operate a range of different services and brands which extends this attack surface even further.
The firms also have to grapple with backward compatibility. This is because they need to support older devices while also deploying features for new ones. This can lead to security holes that are exploited by cybercriminals.
Achieving effective protection
To achieve effective security, organisations across all sectors need to improve their level of visibility into all the APIs currently being used. Shadow APIs need to be removed or brought under the control of the security team rather than remaining hidden from view.
Three key steps required to achieve effective API security are:
- Discovery: From the moment that a new API is used by developers as part of their application development process, an organisation must have mechanisms in place that allow that API to be discovered and identified.Steps must also be put in place that allow a comprehensive audit of all shadow, hidden, deprecated, and 3rd-party APIs that are currently in use. Effective protection will not be possible until this process has been completed.
- Compliance: Once a full listing of all APIs has been compiled by the IT security team, there then needs to be a way to assess all APIs and determine their level of risk. The team can make use of API security testing tools that can ensure compliance with specifications.Also, there needs to be time invested in the detection and remediation of coding errors which can easily lead to vulnerabilities that can be exploited by attackers.
- Protection: APIs are attractive to cybercriminals as they allow high-speed communication with valuable back-end systems. Attackers can be relentless as they execute business logic abuse such as stolen credentials or broken authentication processes to exploit APIs.Security teams must ensure they have the ability to make use of threat intelligence data to quickly detect attempted attacks and block them before they can cause disruption and loss.
The power and flexibility of APIs means they are going to remain a core part of most IT infrastructures for many years to come. As a result, it is vital for organisations to ensure they have effective security measures in place to ensure they are not vulnerable to attack and the systems with which they are linked remain protected.