The API Economy and the Accelerating API Security Disconnect: A Cybersecurity API Special with Noname Security
The API Economy and Generative AI Growth
It may surprise you to learn that API calls now represent over 80% of internet traffic today! This reflects a globally growing API economy in which digital services and data exchange run through APIs to generate value for business and, increasingly, for society too. APIs are everywhere, from microservices and cloud-native architectures to command-line tools and enterprise code.
Catalysts for this surge in API traffic include the acceleration of digital transformation across verticals. Cloud and edge adoption are primary drivers, as compute moves closer to where data is generated and consumed. Add to that the growth in machine-to-machine communication, AI innovation, system automation, software-defined paradigms, and the rise of low-code tooling that supports both programmability and connectivity.
The list goes on!
API benefits include faster integration, shorter development life cycles and reduced time-to-market. The result is more agile innovation, higher-quality feedback loops, stronger customer loyalty and a competitive edge for organisations that use APIs well. With data living everywhere, a solid API strategy is fundamental to the end-to-end process of insight-driven transformation. And at a time when 'doing more with less' is fast becoming a global clarion call across sectors, APIs are a superb asset for getting the very most from the technology you already have.
The criticality of APIs was also centre stage at Mobile World Congress 2023 Barcelona, the largest and most influential connectivity event in the world. I saw first-hand the launch of the Open Gateway, a foundation of open APIs designed to make developers' work easier whilst also catalysing a new revenue source for operators. More on this milestone event is available here, with more to come live from MWC23 Las Vegas in September (GSMA).
But today's growing API economy has also been making the news for other reasons. Bad actors are exploiting vulnerabilities in API infrastructures that neglect encryption, authentication and authorization, and when you consider that enterprise-scale organisations have on average 15,564 APIs each, the dependency and the potential impact are clear. Indeed, Noname Security finds this rises to a staggering average of 25,592 APIs for large enterprises, here meaning organisations with over 10,000 employees.
Drilling into this threat vector further, a recent Gartner report put API security at a 'tipping point' following the rise in API attacks during the post-pandemic transition to hybrid work: our evolved ways of working and the explosion in development of new applications and service APIs brought an evolution in attacker tactics too. Putting the scale into context, Noname Security research finds that 3 out of 4 senior cybersecurity professionals in the UK and the US report that their organisation has experienced at least one API-related security incident in the last 12 months; the study is freely available here. Additionally, new insights from Akamai reveal that 1 in every 5 attempts to gain unauthorized access to user accounts now goes through an API rather than a user-facing login page.
Recent examples include the extortion attempt against Twitter disclosed in January 2023, with threats to release an eye-watering 235 million user records harvested through an API flaw, alongside the T-Mobile and Experian API incidents and the Log4j vulnerability. As recently as July 2023, the US Patent and Trademark Office (USPTO) disclosed an API-related data security incident that exposed domicile information in trademark filings between February 2020 and March 2023. A superb resource from OWASP on the leading API security risks in 2023 is available here. Taking all this into consideration, it is perhaps no wonder that Corsha recently found that some 86% of organisations spend up to 15 hours a week provisioning, managing and dealing with API challenges.
So what are the key challenges and areas of disconnect underpinning this? As possibly today's most misunderstood cybersecurity threat vector, this is an area I had the pleasure to discuss in a Tomorrow's Tech Today podcast special, live now here. I am joined by Karl Mattson, CISO, and Filip Verloy, Field CTO, both at Noname Security, which works with 20% of the Fortune 500 and covers the entire API security scope across three pillars: Posture Management, Runtime Security and API Security Testing.
API Challenges – The New Security Battlefield!
When we reflect on this rapidly evolving threat vector, it is important to take a holistic view and start from the beginning: API creation. Standards here are limited, and many APIs follow conventions unique to their own team, so the propensity to ship vulnerabilities is clear, and that undermines secure consumption and therefore the scalable adoption and monetisation that APIs promise. On the development side, common gaps include the absence of rate limiting on authentication attempts, and error responses to failed logins that differ by cause ('user not found' versus 'wrong password') and so let an attacker enumerate valid accounts. Security Misconfiguration, its own category in the OWASP API Security Top 10, is another frequent route to exploitation.
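As an added example (not code from the article or from Noname Security), here are the two login-endpoint gaps described above in Python: a handler that returns a different error for unknown users than for wrong passwords and never throttles, beside a hardened version that returns one generic error, does the same amount of hashing whether or not the user exists, and rate-limits by both client IP and target account. The user store, password, IP addresses and limits are constructed for the demo.

```python
"""Added example, not from the article or Noname Security: a login handler with
the two gaps described in the text (account enumeration via distinct errors,
no throttling) beside a hardened version. Users, passwords, IPs and limits are
constructed for the demo."""
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque
from typing import Deque, Dict, Optional


def _hash(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256; the iteration count is kept low for a quick demo."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}  # constructed account
# Dummy credential so unknown usernames cost the same work as known ones.
_DUMMY = (_SALT, _hash("placeholder", _SALT))


def login_vulnerable(username: str, password: str) -> dict:
    """Leaks whether the username exists (and returns faster when it does not)
    and accepts unlimited attempts."""
    if username not in USERS:
        return {"ok": False, "error": "user not found"}
    salt, digest = USERS[username]
    if not hmac.compare_digest(_hash(password, salt), digest):
        return {"ok": False, "error": "wrong password"}
    return {"ok": True}


class SlidingWindowLimiter:
    """Allow at most `limit` events per `window` seconds for each key."""

    def __init__(self, limit: int, window: float) -> None:
        self.limit, self.window = limit, window
        self._events: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, key: str, now: float) -> bool:
        q = self._events[key]
        while q and now - q[0] >= self.window:  # drop events outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


# Two keys: one IP spraying many accounts, and one account hit from many IPs.
_ip_limiter = SlidingWindowLimiter(limit=20, window=60.0)
_account_limiter = SlidingWindowLimiter(limit=5, window=60.0)


def login_hardened(username: str, password: str, client_ip: str,
                   now: Optional[float] = None) -> dict:
    """Generic error, constant-time compare, equal cost for unknown users,
    and per-IP plus per-account throttling (HTTP 429 once exceeded)."""
    now = time.time() if now is None else now
    if not _ip_limiter.allow(client_ip, now) or \
            not _account_limiter.allow(username.lower(), now):
        return {"ok": False, "error": "too many attempts", "status": 429}
    salt, digest = USERS.get(username, _DUMMY)
    valid = hmac.compare_digest(_hash(password, salt), digest)
    if username in USERS and valid:
        return {"ok": True, "status": 200}
    return {"ok": False, "error": "invalid credentials", "status": 401}


if __name__ == "__main__":
    print(login_vulnerable("nobody", "x"))          # reveals the account is absent
    print(login_hardened("nobody", "x", "198.51.100.1"))
    print(login_hardened("alice", "correct horse", "198.51.100.1"))
```

The per-account limiter is keyed on the lower-cased username so that case variations cannot dodge it, and a throttled request is rejected before any hashing, which also keeps the endpoint from being used as a CPU-exhaustion target. In a real deployment the limiter state would live in a shared store so that all API replicas see the same counts.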
In the podcast we discuss the rapid rise in API security incidents and their many causes, including authorization vulnerabilities, the limits of Web Application Firewalls, API sprawl, and dormant or 'zombie' APIs. We also explore differences by vertical, and to expand on this, here are a couple of examples from different sectors. The first is the steep rise of automated attacks such as credential stuffing, in which leaked username and password pairs are replayed at scale against login APIs, targeting financial services, where API use and adoption are not only accelerating but in many cases actually catalysed by regulatory requirements such as the EU's revised Payment Services Directive (PSD2).
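The credential-stuffing pattern above looks different in access logs from plain brute force: one source address cycling through many different usernames with mostly failures, rather than many passwords against one username. As an added example (not from the article or Noname Security), the following Python builds a small constructed set of JSON-lines login events and runs a detector over them; the log format, endpoint path, addresses and thresholds are all assumptions for the demo.

```python
"""Added example, not from the article or Noname Security: credential-stuffing
detection over constructed JSON-lines login events. Format, path, addresses
and thresholds are assumptions for the demo."""
import json
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

LOGIN_PATH = "/api/v1/auth/login"
WINDOW = timedelta(minutes=5)   # look for bursts within this span
MIN_ATTEMPTS = 8                # below this a single IP is not interesting
MIN_FAIL_RATIO = 0.8            # stuffing and brute force are mostly failures


def make_sample_log() -> List[str]:
    """Constructed traffic: one stuffing IP, one brute-force IP, one real user."""
    base = datetime(2023, 7, 1, 10, 0, 0)
    lines: List[str] = []

    def add(sec: int, ip: str, user: str, status: int) -> None:
        lines.append(json.dumps({
            "ts": (base + timedelta(seconds=sec)).strftime("%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip, "path": LOGIN_PATH, "user": user, "status": status}))

    # Stuffing: twelve different usernames from one address in two minutes;
    # one leaked pair still works, which is the account takeover to chase.
    for i in range(12):
        add(i * 10, "203.0.113.7", f"user{i:02d}@example.com", 200 if i == 8 else 401)
    # Brute force: one username hammered with many passwords from one address.
    for i in range(10):
        add(i * 5, "203.0.113.9", "admin@example.com", 401)
    # Legitimate: a user mistypes twice, then signs in.
    for sec, status in ((0, 401), (15, 401), (30, 200)):
        add(sec, "198.51.100.4", "jane@example.com", status)
    return lines


def parse(line: str) -> dict:
    rec = json.loads(line)
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def densest_window(events: List[dict]) -> List[dict]:
    """Largest run of time-sorted events that fits inside WINDOW."""
    best: List[dict] = []
    lo = 0
    for hi in range(len(events)):
        while events[hi]["ts"] - events[lo]["ts"] > WINDOW:
            lo += 1
        if hi - lo + 1 > len(best):
            best = events[lo:hi + 1]
    return best


def detect(lines: List[str]) -> List[dict]:
    """Group login attempts by source IP and classify dense failure bursts."""
    by_ip: Dict[str, List[dict]] = defaultdict(list)
    for rec in sorted((parse(l) for l in lines if l.strip()), key=lambda r: r["ts"]):
        if rec["path"] == LOGIN_PATH:
            by_ip[rec["ip"]].append(rec)

    findings = []
    for ip, events in by_ip.items():
        burst = densest_window(events)
        attempts = len(burst)
        failures = sum(1 for e in burst if e["status"] == 401)
        if attempts < MIN_ATTEMPTS or failures / attempts < MIN_FAIL_RATIO:
            continue
        users = {e["user"] for e in burst}
        # Many distinct users per attempt = replayed credential list;
        # one or two users with many attempts = password guessing.
        if len(users) / attempts >= 0.8:
            kind = "credential_stuffing"
        elif len(users) <= 2:
            kind = "brute_force"
        else:
            kind = "mixed"
        findings.append({
            "ip": ip, "kind": kind, "attempts": attempts,
            "distinct_users": len(users), "failures": failures,
            # Successes inside a stuffing burst are likely takeovers.
            "compromised": sorted(e["user"] for e in burst if e["status"] == 200),
        })
    return findings


if __name__ == "__main__":
    for f in detect(make_sample_log()):
        print(f)
```

The distinct-user ratio is what separates the two attack shapes, and the successes recorded inside a flagged burst are the accounts to force a credential reset on. Against a distributed botnet the per-IP grouping weakens, so the same logic is usually also run keyed on device fingerprint or on the target account across all sources.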
An alternative example lies in the challenges of more legacy-based sectors such as manufacturing, energy and utilities, which are also increasingly being targeted, as explored here, heralding new risks such as the move from malware to 'kill-ware'. Indeed, the Noname study found the top two industries reporting API security incidents to be Manufacturing (79%) and Energy & Utilities (78%). Additionally, once an API is compromised it is relatively straightforward to change its functionality, turning it into a renegade insider working for the intruder. It is imperative to make the invisible visible with regard to this evolving threat!
APIs – Overcoming the Risks
Holistic visibility of your infrastructure is critical. Knowing exactly what is calling your API is key to protecting your mobile channel from scripts and bots, ensuring only genuine mobile app instances can use it. Indeed, Noname Security research found that 74% of respondents have not completed a full inventory of all APIs in their systems, or lack comprehensive knowledge of which ones could return sensitive data. This was especially true in highly sensitive verticals such as healthcare and financial services. The same research identified the most common cybersecurity gap to be dormant APIs: ones that have ostensibly been replaced yet remain in operation.
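As an added example of that inventory step (not code from the article or from Noname Security), the Python below reconciles the routes a simplified OpenAPI-style document declares against the paths seen in traffic, to surface shadow endpoints (seen but undeclared), dormant endpoints (declared but no traffic within a window) and endpoints whose documented response carries sensitive fields. The spec dictionary, its `fields` list (a stand-in for the real OpenAPI response schema), the traffic records, dates and the sensitive-field list are all constructed for the demo.

```python
"""Added example, not from the article or Noname Security: reconcile declared
API routes against observed traffic to find shadow, dormant and sensitive-data
endpoints. The spec, traffic records and dates are constructed for the demo;
`fields` stands in for the real OpenAPI response schema."""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed, simplified OpenAPI-style document.
SPEC = {
    "paths": {
        "/api/v1/users/{id}":  {"get": {"fields": ["id", "email", "ssn"]}},
        "/api/v1/orders/{id}": {"get": {"fields": ["id", "total"]}},
        "/api/v1/export":      {"get": {"fields": ["email", "phone"]}},  # old bulk export
    }
}
SENSITIVE_FIELDS = {"ssn", "email", "phone", "card_number"}  # assumed policy list

NOW = datetime(2023, 7, 31)
# Constructed access records: (timestamp, method, concrete request path).
OBSERVED = [
    (NOW - timedelta(days=1), "GET", "/api/v1/users/42"),
    (NOW - timedelta(days=2), "GET", "/api/v1/orders/7"),
    (NOW - timedelta(days=200), "GET", "/api/v1/export"),          # still answering
    (NOW - timedelta(hours=3), "GET", "/api/v2/users/42/profile"),  # never documented
    (NOW - timedelta(hours=1), "GET", "/internal/debug/env"),       # never documented
]


def template_to_regex(template: str) -> "re.Pattern[str]":
    """Turn '/users/{id}' into a regex matching exactly one path segment per {param}."""
    parts = re.split(r"(\{[^/]+\})", template)
    body = "".join("[^/]+" if p.startswith("{") else re.escape(p) for p in parts)
    return re.compile("^" + body + "$")


def reconcile(spec: dict, observed: List[Tuple[datetime, str, str]], now: datetime,
              dormant_after: timedelta = timedelta(days=90)) -> Dict[str, list]:
    routes = [(tmpl, method.upper(), template_to_regex(tmpl), op)
              for tmpl, ops in spec["paths"].items() for method, op in ops.items()]

    last_seen: Dict[Tuple[str, str], datetime] = {}
    shadow = set()
    for ts, method, path in observed:
        for tmpl, m, rx, _ in routes:
            if m == method and rx.match(path):
                key = (method, tmpl)
                last_seen[key] = max(last_seen.get(key, ts), ts)
                break
        else:
            shadow.add((method, path))  # traffic with no declared route

    dormant, sensitive = [], []
    for tmpl, method, _, op in routes:
        seen = last_seen.get((method, tmpl))
        if seen is None or now - seen > dormant_after:
            dormant.append((method, tmpl))
        hot = sorted(set(op.get("fields", [])) & SENSITIVE_FIELDS)
        if hot:
            sensitive.append((method, tmpl, hot))
    # Dormant routes that also return sensitive data are the first to retire.
    priority = [(m, t) for m, t in dormant if any((m, t) == s[:2] for s in sensitive)]
    return {"shadow": sorted(shadow), "dormant": sorted(dormant),
            "sensitive": sorted(sensitive), "retire_first": sorted(priority)}


if __name__ == "__main__":
    for key, value in reconcile(SPEC, OBSERVED, NOW).items():
        print(key, value)
```

Feeding this the real OpenAPI documents from source control and a day of gateway or load-balancer logs gives a first cut of the inventory the survey above says most organisations lack; the `shadow` list is where undocumented and zombie endpoints show up, and `retire_first` is the dormant-plus-sensitive intersection that matters most.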
Additionally, deploying edge protection, encrypting data in transit and at rest (not least to remove a common class of security misconfiguration), and running always-on monitoring, alerting and reporting are all key; community knowledge sharing is likewise an imperative to improve collective cyber threat intelligence. Performing regular incident response and disaster recovery exercises, alongside regular penetration testing to identify vulnerabilities, security gaps and flaws, is also highly recommended.
‘You can design an API you believe to be super secure, but if you do not test it, then a cyber-attacker or bad actor somewhere will do it for you’. Sally Eaves
Education also has a vital role to play. In support of this, please see the recommended, freely available training course by Corey J. Ball at APIsec University, which covers tools and techniques for analysing, testing and identifying API security issues, including lab setup, API reconnaissance, endpoint analysis, scanning APIs, API authentication attacks, exploiting API authorization, testing for improper assets management, mass assignment, server-side request forgery and injection attacks. Additionally, an excellent resource on API vulnerabilities and how to address them is available here.
Governance is equally critical. The EU has introduced the NIS2 Directive, designed to build in a high common level of cybersecurity across the region in recognition of its criticality to the stability and resilience of the EU's economy, society and democracy. From an API perspective, compliance requires a holistic and comprehensive API security programme, with measures across authentication, authorization, encryption, monitoring and ongoing management. Additional regulatory considerations include the EU Cyber Defence policy, the EU Cyber Resilience Act and the Digital Operational Resilience Act (DORA). An excellent resource on the implications of NIS2 is available from Noname Security here. And as a reminder, for more on this dynamic field, don't forget to check out the Tomorrow's Tech Today podcast here with Karl Mattson, CISO, and Filip Verloy, Field CTO, of Noname Security.
All feedback and follow-on questions are most welcome!
Many thanks, Sally
About the Author
A highly experienced chief technology officer, professor in advanced technologies, and a global strategic advisor on digital transformation, Sally Eaves specialises in the application of emergent technologies, notably AI, 5G, cloud, security, and IoT disciplines, for business and IT transformation, alongside social impact at scale, especially from sustainability and DEI perspectives.
An international keynote speaker and author, Sally was an inaugural recipient of the Frontier Technology and Social Impact award, presented at the United Nations, and has been described as the "torchbearer for ethical tech", founding Aspirational Futures to enhance inclusion, diversity, and belonging in the technology space and beyond. Sally is also the chair for the Global Cyber Trust at GFCYBER.
Top 20 industry analyst, advisor, strategist, and B2B thought leader helping companies disrupt themselves and their industries, leverage technology in innovative ways, grow share of voice and share of market.
(1y) This was a fantastic episode Sally! And hopefully anyone reading/watching/listening immediately makes a note to do an inventory of the APIs running across their organizations!!
Passionate Researcher & Entrepreneur | Biotech Innovator | Advocate for Life Sciences & Healthcare Advancement | Driving Deeptech Breakthroughs | Championing Ethical Innovation | Chief Diplomatic Officer, MSi
(1y) Sally Eaves A decade ago, I spearheaded the development of a cutting-edge tech platform, a job search aggregator, and our business model was primarily reliant on APIs (90%), yielding substantial profits & gratification. Our paramount concerns were safety and cybersecurity. However, as time has elapsed, I find myself contemplating the feasibility of maintaining this approach in the face of potential risks that may now be more prevalent indeed.
Chaos Coordinator at The Social Buzz Lab: A Strategy First Digital Marketing Team helping brands, companies and individuals build Buzz on social media for over 15 years. Fueled by coffee and a love of marketing.
(1y) Vital information here, Sally. I am not at all surprised by the large percentage of respondents/companies that do not have an inventory of the #APIs in their systems. I appreciate you sharing this; looking forward to the podcast.
Director Global Conferences & Events | Relationship Building Specialist
(1y) Always insightful Sally Eaves, thanks for sharing the knowledge.
Technology Risk | Site Reliability Engineering | AI | Data Engineering | Blockchain Tech | Metaverse
(1y) Thank you Sally Eaves. I liked the part where you highlighted the risks and how we can build solutions for them. Last but not least, I loved the statement below. I believe all software engineers using APIs should embed this into their development culture. "You can design an API you believe to be super secure, but if you do not test it, then a cyber-attacker or bad actor somewhere will do it for you"