
Credential Leakage Fueling Rise in API Breaches

Many developers and security professionals admit to having experienced a breach carried out with compromised API credentials.

There is a problem with API security – it isn’t working very well, and it’s largely down to credential leakage. Most security professionals are confident in their own API credential management; but at the same time, most of the same professionals admit to having experienced a breach effected through compromised API credentials.

In a survey of more than 400 US-based professionals (more than 90% of whom were developers or security staff), 53% said they had suffered an API breach, yet 77% rated their company as very or extremely effective at managing its tokens. Only 3% believed they were not effective at protecting their credentials, and still API breaches continue to rise.

The cause of this apparent contradiction is probably threefold: a lack of visibility into existing APIs, the sheer volume of APIs in use, and the amount of time already spent managing credentials for those APIs. Corsha's survey found that 64% of companies manage more than 250 API credentials across their network, and 3% manage more than 1,000.

This volume is reflected in the effort spent protecting the credentials. Eighty-six percent of respondents spend up to 15 hours every week provisioning, managing, and dealing with API secrets. That is time taken away from application development, making API secrets a costly exercise that still doesn’t work. Corsha priced this against an average developer salary of about $120,000 per year: “That means each respondent could be spending up to $44,460 per year on secrets management.”

There appears to be no way of preventing API credential leakage altogether. Corsha sees secrets leaking from code repositories, version control, CI build systems, test artifacts and cloud environments, and the problem is only going to worsen. Cisco predicts there will be more than 500 million new digital applications in 2023. “More applications means that the army of machines requiring API access will only catapult,” notes the report.
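One check a practitioner would want against the leak sources listed above is a scanner that runs over repository files and CI logs before they leave the build. The following is an added example, not code from Corsha or from the report: it combines two well-known credential formats (AWS access key IDs start with `AKIA`, GitHub personal access tokens with `ghp_`) with a generic keyword-assignment pattern that is filtered by Shannon entropy so that placeholders such as `changeme` are not reported. The sample lines are constructed for the example; the AWS key is the placeholder AWS itself uses in its documentation.

```python
import math
import re

# Two well-known credential formats plus a generic "secret-looking assignment".
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "generic_assignment": re.compile(
        r"(?i)\b(api[_-]?key|secret|token|password)\b\s*[:=]\s*['\"]?([A-Za-z0-9_\-/+=]{16,})"
    ),
}


def shannon_entropy(value: str) -> float:
    """Bits per character: random-looking tokens score high, words and placeholders low."""
    length = len(value)
    counts = {ch: value.count(ch) for ch in set(value)}
    return -sum(c / length * math.log2(c / length) for c in counts.values())


def scan_lines(lines, min_entropy: float = 3.5):
    """Return (line_number, pattern_name, masked_value) for each likely credential."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for name, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                value = match.group(match.lastindex or 0)
                # Keyword assignments are noisy: keep only values that look random.
                if name == "generic_assignment" and shannon_entropy(value) < min_entropy:
                    continue
                masked = value[:4] + "..." + value[-2:]  # never echo the full secret
                findings.append((lineno, name, masked))
    return findings


# Constructed sample: a .env file and a CI log fragment as they might land in a repo.
SAMPLE_LINES = [
    "# .env committed by mistake (constructed sample)",
    "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
    "export GITHUB_TOKEN=ghp_0123456789abcdefghijABCDEFGHIJ012345",
    "api_key = 'changeme-changeme'",
    "[ci] token: aB3dE6gH9jK2mN5pQ8sT1vW4xY7zA0cF",
    "password = os.environ['DB_PASSWORD']",
]

if __name__ == "__main__":
    for finding in scan_lines(SAMPLE_LINES):
        print(finding)
```

Lines 2, 3 and 5 are reported; the placeholder on line 4 is dropped by the entropy filter and the environment lookup on line 6 never matches because no literal value follows the keyword. Only a masked prefix and suffix are returned, so the scanner's own output does not become another place the secret leaks.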

Credential rotation is one of the best manual practices for keeping API secrets secret. Today, 27% of the survey respondents reported that they rotate their API secrets only once per quarter, and some only once per year. The strain on existing resources in a difficult economy, combined with growing API usage, will make credential leakage more widespread and credential rotation more problematic.

“The heavy administrative workload and exceedingly manual processes for maintaining good security hygiene around secrets management create significant opportunities for error or oversight,” notes Scott Hopkins, COO at Corsha.

“Security and engineering teams are forced to divert their attention away from forward-facing engineering to focus on secrets management, yet their organizations remain vulnerable to attackers both through lateral attacks and leaked or compromised API secrets to gain illegitimate access to sensitive data,” adds Jared Elder, Chief Growth Officer Corsha. “Data is everything and the potential risk from data breaches associated with leaked API secrets is clearly high and growing. Yet with an explosion of credentials to provision, rotate, and manage, the good guys find themselves constantly behind the eight ball.”


Corsha’s own answer to the problem is to add MFA to credential usage. This has several advantages. Firstly, since most of these APIs are internal to company networks, MFA from machine to machine acts as a form of microsegmentation that conforms to the principles of a zero trust architecture, limiting lateral movement by adversaries already inside the network.

Secondly, one-time MFA from machine to machine is immune to one of the most successful MFA attacks used against humans – MFA fatigue attacks.

Thirdly, and perhaps most attractively, it takes the urgency out of credential rotation. Even if credentials are lost, stolen, or leaked, they cannot be used by an adversary who cannot also produce a valid MFA token. The secret that then has to be protected is the per-machine MFA seed, which, as with an authenticator app, is used to generate tokens rather than being presented itself.

“That’s the problem we’re solving,” Anusha Iyer, co-founder and CEO at Corsha, told SecurityWeek. “If you have MFA in place, you don’t have to worry about the frequent rotation, and the same extensive hygiene of these static credentials.” 

All the customer needs to do is place the Corsha proxy at a point where it can monitor the traffic. “We will see the traffic that is coming in with good credentials and good MFA tokens and allow it; and we’ll see the traffic that’s coming in with no MFA or bad MFA credentials and block it,” she added.

Bad credentials are a strong signal of an intruder on the network, so Corsha’s proxy adds visibility as well as prevention. The core of the Corsha platform is a distributed ledger, which Corsha uses as the out-of-band element in generating and checking machine-to-machine MFA tokens. “The process is analogous to Google Authenticator,” explained Iyer. “In one direction you’re keeping in sync with a seed on Google servers, while in the other direction you’re using that to check MFA credentials.”
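To make the flow described above concrete, here is an added example that models it with RFC 4226 HOTP codes, the counter-based sibling of the time-based codes an authenticator app shows. This is illustrative code, not Corsha's implementation and not a description of its ledger protocol: the calling workload holds a static API key plus a per-machine seed and emits one fresh code per request; the proxy checks the static key first, then accepts only a code for a counter it has not yet consumed. The machine names, key and seed are constructed for the example.

```python
import hashlib
import hmac
import struct

LOOK_AHEAD = 5  # unused counters accepted ahead of the last one seen (covers lost requests)


def hotp(seed: bytes, counter: int, digits: int = 8) -> str:
    """RFC 4226 HMAC-based one-time password for a given counter value."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


class MachineClient:
    """Calling workload: static API key plus MFA seed, one fresh code per request."""

    def __init__(self, name: str, api_key: str, seed: bytes):
        self.name, self.api_key, self.seed = name, api_key, seed
        self.counter = 0

    def request(self) -> dict:
        code = hotp(self.seed, self.counter)
        self.counter += 1
        return {"machine": self.name, "api_key": self.api_key, "mfa": code}


class MfaProxy:
    """Gate in front of the API: static credential first, then a one-time code that cannot be reused."""

    def __init__(self, api_keys: dict, seeds: dict, look_ahead: int = LOOK_AHEAD):
        self.api_keys = api_keys
        self.seeds = seeds
        self.look_ahead = look_ahead
        self.last_counter = {machine: -1 for machine in seeds}

    def check(self, req: dict) -> str:
        machine = req.get("machine")
        expected_key = self.api_keys.get(machine)
        if expected_key is None or not hmac.compare_digest(expected_key, req.get("api_key", "")):
            return "deny: bad api key"
        seed = self.seeds.get(machine)
        if seed is None:
            return "deny: machine not enrolled for mfa"
        code = req.get("mfa", "")
        last = self.last_counter[machine]
        # Accept the next unused counter, or a few beyond it for requests that never arrived.
        for counter in range(last + 1, last + 1 + self.look_ahead):
            if hmac.compare_digest(hotp(seed, counter), code):
                self.last_counter[machine] = counter
                return "allow"
        # A code for an already-consumed counter is a replay, even with a valid key.
        for counter in range(max(0, last - self.look_ahead), last + 1):
            if hmac.compare_digest(hotp(seed, counter), code):
                return "deny: replayed mfa code"
        return "deny: bad mfa code"


def demo() -> list:
    """Walk through the cases the article describes; returns the proxy's decision for each."""
    api_keys = {"svc-billing": "constructed-static-key-0001"}   # constructed
    seeds = {"svc-billing": b"constructed-seed-do-not-reuse"}   # constructed
    proxy = MfaProxy(api_keys, seeds)
    client = MachineClient("svc-billing", api_keys["svc-billing"], seeds["svc-billing"])
    decisions = []

    legit = client.request()
    decisions.append(proxy.check(legit))                                  # allow
    decisions.append(proxy.check(legit))                                  # same code again: replay
    leaked = dict(legit, mfa="00000000")                                  # attacker has the key, not the seed
    decisions.append(proxy.check(leaked))                                 # bad mfa code
    decisions.append(proxy.check(dict(leaked, machine="svc-reporting")))  # key not issued to that machine
    client.request()                                                      # lost in transit
    client.request()                                                      # lost in transit
    decisions.append(proxy.check(client.request()))                       # still within look-ahead: allow
    far_ahead = dict(legit, mfa=hotp(seeds["svc-billing"], 50))           # counter far beyond the window
    decisions.append(proxy.check(far_ahead))                              # bad mfa code
    return decisions


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

A leaked static key on its own fails at the MFA check, a captured code fails the replay check, and a key presented for a machine it was never issued to fails at the first check, so none of the leak paths listed earlier yields access by itself. Two points carry over to any real deployment: the seed is now the secret that must never travel with the request, and the `last_counter` state must be shared by every proxy instance, which is the role the article's description assigns to Corsha's distributed ledger; here it is a plain dict.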

Corsha was founded in 2018 by Anusha Iyer, and Chris Simkins. It is headquartered in Washington, DC. It raised $12 million in a Series A funding round led by Ten Eleven Ventures and Razor’s Edge Ventures, with participation from 1843 Capital in April 2022.

Other providers in the API security space include Cequence, 42Crunch, Traceable AI, Ghost Security, Pangea Cyber, Wib, FireTail and Salt Security.



Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.
