APIs become adversaries’ favorite attack vector

API security is the process of protecting APIs from attacks. Just as applications, networks, and servers can be attacked, APIs can fall victim to many different threats. Most modern web applications rely on an API to function, and an API exposes the application to external parties, which introduces additional risk.

API security is a hot topic for two main reasons. First, we live in an API-first world, as they have become the backbone of the digital economy and power nearly every aspect of modern applications that businesses and consumers use every day.

Second, APIs are extremely difficult to secure, largely because they are used everywhere and are hard to keep track of.

The sprawl of APIs creates security problems, and so does how and where APIs are used: in critical infrastructure, in business operations, and throughout the digital supply chain.

Unfortunately, developers often do not pay enough attention to why APIs are a targeted attack vector, and with API security now top of mind for most security professionals, this disconnect is growing.

In fact, in Salt Security's State of the CISO report, 70% of CISOs are now taking API security more seriously than they have been in the past two years, and more than 90% expect to take API security more seriously in the future.

Why threat actors have the advantage

These numbers are up from past surveys, in part because threat actors are paying more attention to API attacks than ever before.

Adversaries know how difficult it is to protect APIs. They recognize exactly where the challenges lie: API proliferation, the growth of third-party APIs, and the specific ways APIs are used, and they exploit the resulting security flaws.

Another problem security professionals face is that APIs change frequently, which can be a boon for threat actors.

According to Salt Security's State of API Security Report, more than half of respondents said their APIs change monthly, and one-third said their APIs change weekly.

Partly because of this frequent change, APIs are often poorly documented, which makes it difficult to know how and where they are used. Without this information, security professionals are at a loss as to how best to implement security.

Threat actors also have an advantage because of how API traffic is monitored. Attack traffic is disguised as legitimate traffic: each request on its own is well-formed, so when someone does something malicious to an API it is hard to tell it apart from normal use.

In the past, attack patterns could be tracked with a certain degree of predictability, using techniques that look for specific sequences of known patterns or signatures and block them.

API attacks are very different: reconnaissance can take weeks, which gives attackers ample time to find additional vulnerabilities and cause significant damage.

Attacks against APIs also differ in that they are multi-step, logic-based attacks. If you do not know how your API is meant to be used and the attack abuses its business logic, the tools in your web defense arsenal may not be able to recognize when something bad has happened to your API.
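To make the difference concrete, the following added example (not code from the article or from Salt Security) runs two kinds of checks over a constructed API access log. The log format, the per-request attack signatures, the `/api/v1/orders/{id}` path shape and the thresholds are all assumptions. Every request is well-formed and passes the signature check; only a rule that looks across a caller's sequence of requests notices that one token is walking the order ID space.

```python
"""Signature matching versus sequence-based detection of an API enumeration.

Added example, not code from the original article. The log format, the
threshold values and the request patterns are assumptions for illustration.
"""
import re
from collections import defaultdict

# Constructed sample access log (hypothetical format): timestamp, caller token,
# method, path, status. Token B behaves like a normal user; token A reads
# consecutive order IDs, each request looking like a legitimate call.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z token=B GET /api/v1/orders/7731 200
2024-05-01T10:00:02Z token=A GET /api/v1/orders/1001 200
2024-05-01T10:00:03Z token=A GET /api/v1/orders/1002 200
2024-05-01T10:00:04Z token=A GET /api/v1/orders/1003 200
2024-05-01T10:00:05Z token=B POST /api/v1/orders/7731/refund 200
2024-05-01T10:00:06Z token=A GET /api/v1/orders/1004 200
2024-05-01T10:00:07Z token=A GET /api/v1/orders/1005 200
2024-05-01T10:00:08Z token=A GET /api/v1/orders/1006 200
2024-05-01T10:00:09Z token=A GET /api/v1/orders/1007 200
2024-05-01T10:00:10Z token=A GET /api/v1/orders/1008 200
"""

LINE_RE = re.compile(r"^(\S+) token=(\S+) (\S+) (\S+) (\d{3})$")
OBJECT_RE = re.compile(r"^/api/v1/orders/(\d+)$")

# Per-request payload signatures of the kind a classic WAF rule matches.
SIGNATURES = [
    re.compile(r"(?i)union\s+select"),
    re.compile(r"\.\./"),
    re.compile(r"(?i)<script"),
]


def parse_log(text):
    """Parse the constructed log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, token, method, path, status = m.groups()
            events.append({"ts": ts, "token": token, "method": method,
                           "path": path, "status": int(status)})
    return events


def signature_hits(events):
    """Requests whose path matches a known attack signature (per-request view)."""
    return [e for e in events if any(s.search(e["path"]) for s in SIGNATURES)]


def enumeration_suspects(events, min_objects=5, min_sequential_ratio=0.8):
    """Callers that successfully read many distinct order IDs, mostly in
    sequence. Each request is valid on its own; the signal is the pattern."""
    ids_by_token = defaultdict(list)
    for e in events:
        m = OBJECT_RE.match(e["path"])
        if m and e["method"] == "GET" and e["status"] == 200:
            ids_by_token[e["token"]].append(int(m.group(1)))
    suspects = {}
    for token, ids in ids_by_token.items():
        distinct = sorted(set(ids))
        if len(distinct) < min_objects:
            continue
        steps = [b - a for a, b in zip(distinct, distinct[1:])]
        sequential = sum(1 for s in steps if s == 1) / len(steps)
        if sequential >= min_sequential_ratio:
            suspects[token] = {"objects": len(distinct),
                               "sequential_ratio": sequential}
    return suspects


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("signature hits:", len(signature_hits(evts)))
    print("enumeration suspects:", enumeration_suspects(evts))
```

The thresholds are deliberately simple; in practice they would be tuned per endpoint against observed legitimate usage, which is exactly the knowledge of "how the API is used" the text says defenders tend to lack.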

As threat actors continue to target APIs as a preferred attack vector, security teams are tasked with finding ways to thwart these efforts.

The gut reaction is often to shift testing left, but Largo warns that this may not be the most effective approach. The problem with automated scanning is that it tends to treat APIs as web applications and therefore does not address the threats specific to APIs.

To build an effective API security program, you must understand your API. Once an API is in production, you have to assume that what went into production carries business-logic vulnerabilities, which creates the risk of zero-day attacks.
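The kind of business-logic flaw meant here is one that a scanner feeding malformed input to the endpoint will not find, because every request is authenticated and well-formed. The following added example (not code from the article) shows a handler that returns any order to any authenticated caller beside the same handler with the ownership check the business rule requires. The in-memory order store, the user and order IDs, and the framework-free handler shape are assumptions so that it runs stand-alone.

```python
"""Missing object-level authorization: a logic flaw that input scanning misses.

Added example, not from the original article. Sample data, IDs and the
handler signature are constructed for illustration; no web framework is used.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    order_id: int
    owner_id: int
    total: float


# Constructed sample data: two orders belonging to two different users.
ORDERS = {
    1001: Order(1001, owner_id=7, total=42.50),
    1002: Order(1002, owner_id=9, total=310.00),
}


class NotFound(Exception):
    pass


def get_order_vulnerable(caller_id, order_id):
    """Authenticated and well-formed, so input scanning finds nothing, yet any
    caller can read any order: the flaw is in the logic, not the input."""
    order = ORDERS.get(order_id)
    if order is None:
        raise NotFound(order_id)
    return order


def get_order_hardened(caller_id, order_id):
    """Same endpoint with the ownership check the business rule requires.
    Missing and foreign objects both answer 'not found' so the endpoint does
    not confirm which IDs exist to a caller walking the ID space."""
    order = ORDERS.get(order_id)
    if order is None or order.owner_id != caller_id:
        raise NotFound(order_id)
    return order


def probe(handler, caller_id, order_ids):
    """Simulate a caller walking an ID range; return the IDs that were disclosed."""
    disclosed = []
    for oid in order_ids:
        try:
            handler(caller_id, oid)
            disclosed.append(oid)
        except NotFound:
            pass
    return disclosed


if __name__ == "__main__":
    print("vulnerable:", probe(get_order_vulnerable, 7, range(1000, 1005)))
    print("hardened:  ", probe(get_order_hardened, 7, range(1000, 1005)))
```

Because the vulnerable version never rejects a request, its traffic is indistinguishable from a legitimate user's at the single-request level; only knowledge of who should be allowed to read which object, or the sequence-level view described earlier, reveals the problem.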

At the end of the day, we must recognize that API risk is an unavoidable reality in production, but now is the time to develop a strategy to slow adversaries' use of APIs as an attack vector.

Origin blog.csdn.net/qq_29607687/article/details/132655936