Protecting your organization from API security lapses: best practices to adopt
- Published: Thursday, 16 March 2023 08:36
APIs have become a mission critical tool for integrating enterprise applications; but this has been identified by cybercriminals as well as enterprise architects. Liad Bokovsky looks at the emerging issue of API security and resilience.
APIs have become a hot topic in digitally-focused organizations everywhere - in fact, 97 percent of enterprise leaders believe that APIs are an essential part of their digital transformation efforts.
While APIs deliver a wide range of important technology and business benefits, many API users now face heightened cyber security risks, such as data leaks, web attacks, and malicious code. But, with 70 percent of businesses failing to meet their API adoption targets, organizations have a lot to contend with to achieve success in their API-led digital transformation.
As a result of these various influencing factors, there has been a huge increase in API security breaches. For example, industry research has revealed that in 2021 almost all organizations faced some kind of API-related security incident. One of the most notable recent attacks was on T-Mobile, when between November 25, 2022 and January 5, 2023 a threat actor exploited an API to steal the personal data of 37 million postpaid and prepaid customer accounts.
In fact, this cybercrime strategy is nothing new. Back in 2018, an insecure API exposed the details of over 60 million USPS users, while another vulnerability allowed bad actors to access the data of 50 million Facebook users.
Delivering proactive protection
So, how can organizations identify their potential vulnerabilities and put better prevention and mitigation strategies in place? While API security lapses often occur as a result of poor documentation, excessive data exposure, and weak authentication procedures, there are some specific processes that API and security teams should adopt to deliver better all-around protection.
Using API gateways to control access
Given unsecured APIs can be so easily hacked, an API gateway that controls access is an essential component for any rounded security strategy. For instance, a good management solution will track API usage and users and detect any suspicious activity, and then alert managers to potential threats. But ultimately, businesses that prioritise defence and centralised API governance from the outset will significantly reduce the risk of a breach compared to those who adopt a reactive approach.
Picking the right API management solution
API management is a process that helps an organization create, publish, secure, and control its APIs across different environments. By using API management, organizations can benefit from a number of advantages. For instance, they can reduce complexity by unifying access to all of their API services across the enterprise while also driving productivity by allowing developers to easily find and reuse existing APIs instead of recreating them.
API management can also increase the effectiveness of digital businesses by allowing them to design, develop, publish, and analyse their APIs in a full lifecycle approach. Furthermore, an organization can protect its APIs from unauthorised access and ensure scalability and high availability with an API gateway.
Effective API security requires a combination of both technology and processes, so when choosing a management solution, partners should be able to demonstrate relevant experience and expertise.
Many organizations also find that it’s better to choose a solution with a central control interface that gives businesses full visibility of vulnerabilities. This allows system managers to find and secure all their APIs and endpoints across environments and vendors. By addressing this important issue, API security issues will not hinder business efficiency, growth, or innovation.
Achieving a win-win of speed and security
Despite the risks and vulnerabilities that APIs can create, organizations don’t have to sacrifice security for development speed or vice versa. The right API-level security strategy will balance both these factors, enabling teams to create outstanding digital experiences while also protecting data. Across today’s customer-centric digital organisations, innovation is key to success, and secure API strategies should not get in the way of delivering the online experiences customers expect.
In practical terms, organizations are also increasingly offering their development teams API catalogues managed via a single platform. This approach plays an important role in helping to balance governance and security with innovation and performance.
With cyber attacks and data breaches continuing to leave a trail of destruction and cost, attackers are increasingly targeting APIs in search of vulnerabilities they can exploit. To meet the challenges head-on, organizations with a comprehensive defence strategy and centralised API governance will be better equipped to withstand cyber attacks compared to those that lack proper governance protocols.
Liad Bokovsky, VP of Solution Consulting at Axway