Cyber Insights 2024: APIs – A Clear, Present, and Future Danger

The API attack surface is expanding and API vulnerabilities are growing. AI will help attackers find and exploit API vulnerabilities at scale.

SecurityWeek’s Cyber Insights is an annual series discussing the major pain points for cybersecurity practitioners. These pain points differ year by year in line with the evolving cyber ecosphere: this year we include discussion on current pressures on the role of CISO, including the new SEC liability rules. Overall, Cyber Insights 2024 talks to hundreds of industry experts from dozens of companies covering seven primary topics. The purpose is to evaluate what is happening now, and to prepare for what is coming in 2024 and beyond.

API Security Insights

Over the last few years, APIs have become a serious threat vector. The reasons are complex and almost unavoidable in today’s online economy. Applications are served to users and clients over the web, but need to be accessed by users, clients, and other applications. APIs are the route for this access – and cybercriminals are using it.

The number of APIs in use is difficult to comprehend. “Research shows that the average business has hundreds of APIs in production, while some have more than a thousand,” explains Lebin Cheng, head of API security at Imperva. This number is growing, fueled by ongoing digital transformation and the expansion of mobile computing. Reliance on APIs is growing faster than our understanding of the implications of that reliance. While APIs already present a clear and present danger to cybersecurity, that current danger may well be surpassed by the future danger.

Clear and present danger

There are many reasons for the expansion of the threat to APIs; some are listed below. Some can be mitigated, but others are inherent and unavoidable. Either way, if security measures are not adopted, the API threat will only increase in the future.

Accessibility

“API attacks have low barriers to entry as their documentation is publicly available information. Hackers easily exploit weaknesses, gain unauthorized access, and manipulate endpoints for data and system control,” says Andy Grolnick, CEO at Graylog. Doug Dooley, COO of Data Theorem, adds, “API attacks are likely to grow as the attackers target APIs as the most attractive entry points for large-scale data breaches.”

API sprawl

“The challenge is many organizations don’t have the right defenses or controls in place. They don’t know where their APIs are deployed or what data they’re accessing. This exposes them to risk in magnitudes that they cannot comprehend, or even begin to quantify,” says Cheng.


This existing API sprawl issue will only get worse in the future. “API attacks will continue to increase at an alarming rate in 2024 as organizations struggle to manage the chaos of API sprawl stemming from API-first innovation and digitalization,” adds Rago.

Need for speed and security focus in development

The huge demand for additional APIs as quickly as possible places great pressure on developers to deliver fast. At the same time, APIs are not part of their primary application development. “Expect an upsurge in application-level threats as hackers exploit the vulnerability of APIs, often neglected due to the focus on network-level security,” says Grolnick. Jason Kent, hacker in residence at Cequence Security, adds, “We will see compromises increase before the most significant changes in API security come.”

Neither this nor that

“API security remains a grey area between app development and security teams, and not yet a top priority for organizations. Unfortunately, it may take a significant attack to catalyze widespread adoption of API security despite its growing concerns,” suggests Grolnick.

Not all APIs are equally vulnerable

Online banking, mobile banking, and open banking have forced the financial sector to implement APIs. These tend to be more secure than most APIs — if only because the financial sector has more to lose and more resources to prevent that loss. “The API security market is likely to mature more rapidly in sectors such as financial services due to the higher financial and reputational risks associated with API attacks,” adds Grolnick. The implication is that APIs need not be as vulnerable as the majority currently are, given adequate incentives, understanding, and resources.

Clear and future danger

The threats to and caused by APIs will continue to grow and expand from their current 2023 level through 2024. The primary reasons include the ongoing and probably dramatic expansion of their use increasing the overall threat surface; new vulnerabilities emerging and their associated compromises; and increased use of automation (such as bots-as-a-service) by criminals.

Continued growth in use

“The API market will undergo tremendous growth in 2024,” suggests Ivan Novikov, founder and CEO at Wallarm. “This growth is further supported by the rising importance of APIs in mobile and web development, regulatory changes promoting open banking and financial APIs, and the booming e-commerce sector. These factors collectively underscore the essential role of APIs in connecting and enabling modern digital ecosystems.”

Ivan Novikov, founder and CEO at Wallarm

In short, the use of APIs is still expanding. “The adoption of APIs is far from its peak,” comments Kent. “With more and more development shops adopting frameworks that utilize newer API technologies, the concept that APIs are the infrastructure of the mobile internet will continue.”

The current threats to APIs will increase through market size, continuation of existing weaknesses, and greater focus from criminals. And, of course, we have yet to see what AI will bring to the API market. “The future of the API and API security markets, influenced by innovations in generative AI, may witness increased complexity and interconnectivity, necessitating a new class of advanced security measures,” warns Dooley.

Rago expands on the same theme: “In 2024, API production and usage will continue to increase, especially as many organizations in 2024 adopt more AI-driven processes and solutions in their business. AI needs data, and APIs are the vehicle for that data – and much of that data will be business critical or sensitive data. API sprawl is too risky in these scenarios.”

Shay Levi, co-founder and CTO at Noname Security, also expects to see continued expansion of the API market. “APIs are the connective tissue for the digital world and show no signs of slowing down,” he says. “As technology has advanced and we’ve seen this explosion in API use, we’ve also seen the creation of new and rapidly growing threats to organizations across the globe as malicious actors see the opportunity with APIs.”

New vulnerabilities and new compromises

APIs are the lifeblood of e-commerce and an interactive internet, allowing users and processes to communicate with corporate web applications. They fuel communication and data exchange. They provide competitive advantage and are directly tied to profitability — and as such, their use will continue to grow. In 2024, this growth will likely outpace companies’ ability to apply adequate security. The result will be a continuation of known weaknesses and the introduction of new vulnerabilities. This combination will lead to an increase in attacks and breaches.

“The compromises we see today are directly linked to poor practices and require focus to correct,” comments Kent. But moving faster, adding new developers, and generally focusing on features, means that security will often be the second-tier priority. “We will see compromises increase before the most significant changes in API security come,” he continued.

“New vulnerabilities in APIs will likely continue to emerge due to evolving API threats, expanding attack surfaces of cloud-native applications, and the rapid usage of AI playgrounds creating Enterprise AI assistants,” suggests Dooley.

Dr. Kanwar Preet Singh Sandhu

Dr. Kanwar Preet Singh Sandhu, global head of strategic initiatives with the cybersecurity business group at TCS, notes that API vulnerabilities have nearly tripled since 2016. He sees little indication that this will slow in 2024 given the overall threat surface of expanding usage. At the same time, the attack surface of individual APIs is increasing. “Technology is rapidly evolving, and adoption is at breakneck speed. The new development languages, API specifications, and frameworks will introduce new vulnerabilities. API complexity is increasing and leading to a large attack surface which is prone to new vulnerabilities arising from complex and highly integrated architectures,” he warns.

Novikov adds, “As the number of APIs used by organizations multiplies, with millions of public APIs already in existence and increasing rapidly, the attack surface broadens significantly. This escalation, combined with the evolving sophistication of cyber threats, where attackers continuously adapt and find new methods to exploit systems, signifies that new API vulnerabilities will emerge as a substantial cybersecurity concern.”

And the threat is here to stay. Kent adds: “Just like we have had SQL Injection in web applications since it was named SQL Injection in 1998, we will forever have flaws in web technologies. Any time you build a complex system that any user may add input to, the user can manipulate the system. Our goal is to keep guardrails around what an application consumes and emits; but those guardrails are constantly tested, and new ways to exploit flaws are often found.”

“Compromises will grow as attackers target APIs as the most attractive entry points for large-scale data breaches,” warns Dooley. Sandhu adds, “Given the increasing reliance on APIs, and the historic trend of it being amongst the most preferred threat vectors, there is near certainty that the risk of API-based compromises will continue to grow.”

Bots-as-a-Service

Bots-as-a-service (BaaS) already exists as a subset of the overall Crime-as-a-Service criminal underworld. There is little doubt that this service has already expanded, or will expand, to API-attacking bots.

Initially BaaS concentrated on web scraping, a legally grey area. Users provide the URL they wish to scrape, and the service takes care of deploying advanced bots for access. “This convenience,” suggests Antoine Vastel, head of research at DataDome, “has inadvertently elevated the threat against APIs, as attackers can now leverage sophisticated bots without needing in-depth bot knowledge.”

He explains that the BaaS concept is ideal for large scale API attacks. “BaaS circumvents all basic API security measures. It employs techniques like proxy rotation, rate limiting per IP, and location-matching of residential proxies to minimize detection risks. Additionally, BaaS manages fingerprint forging, using real automated browsers or scripts for low-level fingerprints (e.g., TCP/TLC fingerprinting) to generate WAF signatures. BaaS also adeptly handles CAPTCHA passing, significantly boosting the success rate of requests.”

As with all the as-a-service criminal offerings, BaaS can be viewed as democratizing elite cybercriminality. “Using BaaS, non-bot experts can harness sophisticated and less-detectable bot-attack techniques to effectively target and enter APIs,” he continued. The accessibility of advanced bots via BaaS will increase the number and complexity of bot-attacks facing APIs, thus raising the security threat they face in the future.

Adding AI to the mix will further complicate and expand the threat. “Traditionally, identifying and exploiting complex, one-off API vulnerabilities required human intervention. AI is now changing this landscape, automating the process, and enabling cost-effective, large-scale attacks,” warns Levi.

Apple’s approach to APIs

“Apple iOS will need to officially support third party app stores in EMEA starting next year, bringing a new threat surface that organizations will need to consider,” says Kern Smith, VP Americas, sales engineering at Zimperium. How Apple will do this is currently largely conjecture, but Smith has several suggestions.

Apple will strengthen its privacy focus in APIs. “For instance,” says Smith, “starting in spring 2024, developers will be required to provide an approved reason for using certain APIs that collect sensitive user data, such as location data and contact information.” The Privacy Manifest — in which developers disclose how their apps collect, use, and share user data — will be updated to require more detailed information including the specific data types collected, the purposes for collection, and the sharing of data with third-party partners. 

New speech synthesis APIs will be introduced. “These APIs will provide developers with greater control over the pitch, timbre, and rhythm of synthesized speech, enabling them to create personalized and engaging voice interfaces,” he suggests.

Accessibility APIs will be enhanced to improve the usability of iOS apps for users with disabilities.

Apple will also continue its focus on AI. “New APIs are being introduced that make it easier for developers to integrate machine learning capabilities into their iOS apps. This will enable developers to create more intelligent and personalized experiences for their users,” he adds.

Apple’s expected focus on APIs in 2024 illustrates both the value and danger of APIs. It is providing users with enhanced user experiences, while simultaneously strengthening guardrails against API misuse. “Apple is making significant strides in the areas of privacy, transparency, and innovation through its API development efforts,” concludes Smith. “These changes are designed to enhance user privacy, empower users with more control over their data, and provide developers with powerful tools to create more immersive, personalized, and accessible iOS apps.”

Is ‘security by design’ a solution for API security?

“Security by Design as a concept is the most effective way to limit API vulnerabilities as it is akin to laying a strong foundation instead of retrospectively doing patchwork later on to plug the gaps,” claims Sandhu. “Security By Design can reduce vulnerabilities as security is proactively applied as a foundational principle to prevent security issues.”

The concept of security by design is a cornerstone of current government concern. It is related to the drive to make product providers more responsible for product breaches. If product developers can be persuaded or coerced into being more concerned about security during the development process, the result will be more secure products. The theory is sound — but there remains a question over whether it can successfully be applied to API development. 

One problem is that APIs are not applications per se, but conduits to allow third parties access to an application. Nobody doubts the need for a secure by design approach to API development, but its overall value is less clear.

Levi is optimistic and believes it will improve API security. “The best time to think about security,” he says, “is at the beginning stages when developers are writing code. One way to do that is to ‘shift left’ to stop vulnerabilities from reaching production, innovate faster, and ensure compliance with evolving regulatory requirements.”

Anurag Gurtu, CPO at StrikeReady, adds, “The secure by design concept can limit vulnerabilities but requires a cultural shift in development practices and more robust security testing.”

Dooley provides a common security response: ‘Yes, but…’ Yes, a secure by design development process “can help identify and address potential vulnerabilities throughout the development process,” but, “without deeply understanding and aligning the organization’s risk-appetite with the technology leaders’ processes, these security safety rails can often be ignored or bypassed in pursuit of profits and agility.”

Novikov is not optimistic. He acknowledges that it is a critical development strategy in reducing vulnerabilities, but adds, “It cannot fully eliminate risks, particularly in the context of API leaks and API abuse attacks.” These attacks exploit legitimate functionalities and authorized access, making them challenging to prevent through design alone.

“Secure by Design focuses on embedding security in the API development lifecycle, which includes implementing robust authentication, authorization, encryption and input validation,” he continues. “However, API abuse attacks often manipulate these legitimate functions in unintended ways.”

His point is confirmed by Wallarm research, which (in November 2023, and based on real-life incidents) listed the top ten API threats – with ‘injections’, ‘authentication flaws’, ‘cross-site issues’, and ‘data leaks’ as the top four.

This echoes Kent’s point: ‘Any time you build a complex system that any user may add input to, the user can manipulate the system.’ One problem, he suggests, is the rate of change. “You must remember the speed at which applications change. Designed correctly and implemented well today may not mean secure tomorrow… These types of designs are challenging to get right and ensure they are future-proof.”
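Novikov’s distinction between design-time controls (authentication, authorization, input validation) and API abuse that “manipulates these legitimate functions in unintended ways”, and Kent’s “guardrails around what an application consumes and emits”, can be made concrete with a small model of an account-lookup endpoint. The code below is an added example written for this article, not code from Wallarm, Cequence, or any other vendor quoted here. The token store, ownership table, endpoint shape and thresholds are constructed assumptions. It shows the secure-by-design layer accepting or rejecting each request on its own merits, and a separate runtime layer that looks at the pattern of requests a single client makes: an owner hammering an endpoint they are entitled to call, or a client probing many identifiers that each, individually, receive a perfectly correct “not found”.

```python
"""Design-time API controls beside a runtime abuse monitor (illustrative only).

Added example for this article; not vendor code. Tokens, account ownership,
the endpoint and the thresholds are constructed assumptions.
"""
from __future__ import annotations

import re
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, Optional, Tuple

# Constructed stand-ins for an identity provider and an ownership table.
TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}
ACCOUNT_OWNER = {101: "alice", 102: "alice", 203: "bob"}
# Input validation: the path parameter must be a short, purely numeric id.
ACCOUNT_ID_RE = re.compile(r"^\d{1,9}$")


@dataclass
class Request:
    client_ip: str
    token: Optional[str]
    account_id: str  # raw path parameter, not yet validated
    ts: float        # arrival time in seconds


def design_time_controls(req: Request) -> Tuple[int, str]:
    """Secure-by-design checks applied to one request in isolation."""
    if not ACCOUNT_ID_RE.match(req.account_id):
        return 400, "invalid account id"
    user = TOKENS.get(req.token or "")
    if user is None:
        return 401, "unauthenticated"
    owner = ACCOUNT_OWNER.get(int(req.account_id))
    # Object-level authorization. 'Unknown id' and 'not yours' get the same
    # answer so the endpoint does not act as an existence oracle.
    if owner is None or owner != user:
        return 404, "not found"
    return 200, f"balance for account {req.account_id}"


@dataclass
class AbuseMonitor:
    """Runtime control: per-client sliding window over recent requests.

    Every request may pass the design-time checks individually; this layer
    flags the cross-request pattern (volume, or breadth of ids probed).
    """
    window_s: float = 60.0
    max_requests: int = 30
    max_distinct_ids: int = 10
    history: Dict[str, Deque[Tuple[float, str]]] = field(
        default_factory=lambda: defaultdict(deque)
    )

    def observe(self, req: Request) -> bool:
        """Record the request; return True when the client's pattern is abusive."""
        key = req.token or req.client_ip  # key on identity when present
        q = self.history[key]
        q.append((req.ts, req.account_id))
        cutoff = req.ts - self.window_s
        while q and q[0][0] < cutoff:   # drop events outside the window
            q.popleft()
        distinct_ids = {aid for _, aid in q}
        return len(q) > self.max_requests or len(distinct_ids) > self.max_distinct_ids


def handle(req: Request, monitor: AbuseMonitor) -> Tuple[int, str]:
    """Dispatch one request through both layers."""
    if monitor.observe(req):
        return 429, "too many requests: abusive access pattern"
    return design_time_controls(req)


if __name__ == "__main__":
    m = AbuseMonitor()
    # Fifteen probes of ids 1..15 by one client: each alone is a correct 404,
    # the eleventh distinct id trips the breadth threshold.
    for i in range(1, 16):
        print(i, handle(Request("10.0.0.3", "tok-bob", str(i), 100 + i * 0.1), m))
```

The two layers are deliberately independent: the monitor runs first so that a flood of requests is throttled regardless of whether each one would have been accepted or rejected, and it keys on the authenticated identity where one exists so that a rotating source address does not reset the count. The thresholds are placeholders; a real deployment would tune them per endpoint and would normally alert as well as throttle.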

Security by design is, and remains, the best way to deliver the most secure APIs possible. The reality of the world, however, suggests the theory will be far from perfect in practice.

Summary

APIs have emerged as one of the most critical areas of modern computing. They are being developed and deployed at speed. But the need for APIs is still expanding through digital transformation, cloud-based services, new sales-assistant chatbots, and increasing reliance on IIoT — so development and deployment will continue to expand.

Companies need APIs to provide competitive advantage, and APIs are viewed as key to increasing profitability. This places pressure on developers to produce more, faster. Such pressure often leads to errors and omissions, and since developers are not security specialists, security is a common omission.

The API attack surface is expanding and will continue to expand. API vulnerabilities will continue to grow, both in the number of known weaknesses and the introduction of new vulnerabilities. AI will help criminals find these vulnerabilities and exploit them at scale.

The only conclusion possible is that API attacks are a clear and present danger that will worsen in 2024. 


Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
