As the leader of an innovative security company whose mission is to help organizations stop API-related attacks that can cause fraud, it’s exciting to see our organization grow based on increased customer adoption. Unfortunately, that growth also reflects the fact that threat actors have developed a new type of attack, frequently targeting attack vectors exposed through new application development methodologies. We saw it in the client/server era, we saw it (and continue to see it) in the public cloud adoption era, and we see it now, in the API-first development methodology era.
As we survived each of these eras, the lessons learned were (we hope) documented so that we might avoid the threat in the future. In an effort to help accelerate that codification process for API-first organizations, here are three API security gaps we are seeing frequently in our customer discussions, and what business leaders should do to address them before they are exposed or discovered by threat actors.
Trend 1: Most API security incidents are human errors.
No surprise here – humans make errors, as evidenced by the recent spate of API-specific incidents (e.g., Peloton, ClubHouse, Experian) that were the result of coding or configuration mistakes. I expect 2021 to be the year of API security incidents. As API usage continues to explode, more such mistakes are made, and attackers are realizing how easy those mistakes are to find and exploit.
My recommendation to any business leader is to implement a top-down Secure API Coding directive that includes the following elements: First, train your developers on secure API coding practices. Second, implement an API specification framework that your team can use to enforce consistent coding practices. Third, encourage collaboration – this is not a security-only problem; it’s a business problem. Finally, go beyond pen testing and implement functional API tests that can uncover flaws before publication.
Trend 2: APIs are everywhere.
APIs are not new. Designed originally for machine-to-machine interaction, APIs are now used in all manner of development, dramatically changing how applications are developed and deployed. Each API, public facing and internal, represents a possible security gap, which makes an API inventory critical. In some of my conversations with customers, they understand the value of an API inventory but have stopped short by excluding third-party APIs.
We encourage them to reconsider, pointing out the risk a third-party API represents. Case in point – an intrepid attacker found a whitelisted third-party translation service API and used it to launch an automated attack (that was mitigated). As a business leader, your API security directive to your team needs to make clear that all APIs, internal and public facing, from the edge to the data center to your container environments, must be tracked and monitored. You cannot protect what you cannot see.
Trend 3: Malicious bots are big business.
Not long ago, executing an automated bot attack required some technical expertise. Today, it’s easier than ever for anyone to launch an automated malicious attack targeted at vulnerable APIs. These attacks might result in fraud, like account takeovers, or might be shopping bot attacks designed to purchase high-demand items while creating a bad experience for your loyal shoppers and tying up your infrastructure resources. You can rent a bot, or subscribe to bots-as-a-service where all the back-end technical work is done. Just pick your target and go. This means that our customers, particularly those in the retail space, are faced with an even higher volume of (potentially) malicious traffic, directly impacting their bottom line.
As a business leader, it’s critical that your team understands the impact bots have across your entire organization. It’s not just a fraud or security problem. Ecommerce, marketing, PR, brand management, legal, and even HR (dealing with employee frustration) – all are being impacted by automated, malicious bots. That collective understanding can help ensure you implement the most effective solution.
Make no mistake, the steps above will not eliminate attacks that can result in fraud. However, they will help you reduce the number of API security gaps that are exposed to the public, resulting in a stronger overall security posture.