Application programming interfaces (APIs) have seen their status rise from the domain of a programming tool to the proverbial icing on the cake that tops off a digitization business plan. APIs allow business leaders to run workflows across organizational boundaries, connecting siloed enterprise systems and providing a controlled way for external business partners to access data and services.
The API and the code accessible through the API must be secure. All vulnerabilities should be patched as soon as they are discovered; otherwise, any application accessing the API will inherit this security flaw.
In the open source world, GitHub recently introduced an automated alerting mechanism to allow developers to address vulnerabilities in open source components their code uses. Such mechanisms allow consumers of these components to receive an alert if the component poses a security risk and requires a fix or workaround. This is essential if organizations require end-to-end auditability covering a software BOM for all software components used in a finished product.
API security is a subset of software development that is secure by design, where strong processes are in place to minimize coding errors that lead to vulnerabilities, and a defined pipeline to resolve security issues quickly. But the pace of software development — and that includes developing and modifying code accessible through published APIs — can cause unsafe code to creep into production systems.
In April 2022, Dynatrace commissioned Coleman Parkes to conduct a global survey of 1,300 CISOs at large organizations with more than 1,000 employees, which highlighted the risks organizations face in developing and deploying code. The survey found that two-thirds (67%) of CISOs say developers don’t always have time to scan their code for vulnerabilities and apply a fix before it goes into production. Only 27% of CISOs surveyed say they are fully confident that applications have been fully tested for vulnerabilities before going into production.
Discussing the findings, Bernd Greifeneder, Chief Technology Officer at Dynatrace, said, “There are always opportunities for vulnerabilities to slip past security teams, no matter how strong their defenses. New applications and stable legacy software are prone to vulnerabilities that are detected more reliably in production.”
Vulnerabilities need to be patched quickly, but developers also need to keep their code up-to-date to take advantage of the latest and greatest technologies or to meet new business requirements. One difficulty is that as the functionality accessible through the API changes, the actual API may require modification because the data it needs (i.e. the parameters a programmer needs to provide to the API) and the data it returns to the application that accesses it, may need to be adapted according to the new functionality.
The challenge for the API developer is that any modification can potentially break any application that uses the API.
Software development teams often fail to take care to preserve API backwards compatibility, warns Stephen Feloney, vice president of product, continuous testing at Perforce. “An API that worked before may not work as it should in an updated or completely new version,” he says.
With each new version of an API, additional parameters may be required, results may be delivered in different formats, and even when developers maintain backwards compatibility, older APIs may continue to work, but only for a limited time, explains Feloney, adding, “Teams consuming APIs may ignore new API changes until a sudden outage occurs.”
If this happens, Feloney says, software development teams must track the failure to its source to find the root cause of the problem and verify that documentation is up to date, which can be a time-consuming and costly process. The same is true when a component the API relies on is updated. Teams avoid unexpected API failures if they track code dependencies and API changes, Feloney says.
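The compatibility problems Feloney describes (new required parameters, changed result formats, removed fields) can be caught before an outage by diffing two versions of an API contract in the build pipeline. The checker below is an added example, not code from the article or from any vendor quoted in it; the simplified contract format and the /orders endpoint are constructed for illustration.

```python
"""Breaking-change detector for two versions of an API contract.

Added example; the contract format below is an assumption, not a real
OpenAPI subset. Each endpoint lists request parameters (type, required)
and response fields (type). Constructed sample data for a hypothetical
/orders endpoint follows.
"""

V1 = {
    "GET /orders": {
        "params": {"customer_id": {"type": "string", "required": True},
                   "limit": {"type": "integer", "required": False}},
        "response": {"orders": "array", "total": "integer"},
    }
}
V2 = {
    "GET /orders": {
        "params": {"customer_id": {"type": "string", "required": True},
                   "limit": {"type": "integer", "required": False},
                   "region": {"type": "string", "required": True}},  # new required param
        "response": {"orders": "array", "total": "string"},            # field type changed
    }
}


def breaking_changes(old, new):
    """Return a list of changes from old -> new that would break an unchanged caller.

    Breaking: endpoint removed, new required parameter, parameter removed or
    retyped, response field removed or retyped. Additive optional parameters
    and new response fields are compatible and therefore not reported.
    """
    issues = []
    for ep, spec in old.items():
        if ep not in new:
            issues.append(f"{ep}: endpoint removed")
            continue
        nspec = new[ep]
        for name, p in spec["params"].items():
            np_ = nspec["params"].get(name)
            if np_ is None:
                issues.append(f"{ep}: parameter '{name}' removed")
            elif np_["type"] != p["type"]:
                issues.append(f"{ep}: parameter '{name}' type {p['type']} -> {np_['type']}")
        for name, np_ in nspec["params"].items():
            if name not in spec["params"] and np_["required"]:
                issues.append(f"{ep}: new required parameter '{name}'")
        for field, t in spec["response"].items():
            nt = nspec["response"].get(field)
            if nt is None:
                issues.append(f"{ep}: response field '{field}' removed")
            elif nt != t:
                issues.append(f"{ep}: response field '{field}' type {t} -> {nt}")
    return issues
```

Running this as a CI gate against the published contract fails the build on a breaking change instead of letting consuming teams discover it as a production outage.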
Implications for API Security
When surveying 350 of its customers, Salt Security found that the average number of APIs per customer increased by 82% over the past year, from 89 in July 2021 to 162 in July 2022. Over the same period, overall API traffic per customer increased by 168%, indicating that API usage is also exploding.
Worryingly, attack activity has continued to keep pace with this dramatic growth in API usage and now accounts for 2.1% of overall API traffic for Salt Security customers. Its survey also found that malicious API attack traffic jumped 117% over the past year, from an average of 12.22 million malicious calls per month to an average of 26.46 million calls.
More than half (54%) of respondents admitted to having had to slow down the rollout of a new application due to an API security issue. Additionally, the growing regulatory focus on sensitive data leaks is impacting profitability, and the public is taking notice. In fact, nearly a third of respondents admit to having experienced a sensitive data exposure or privacy incident within their production APIs in the past year, a sharp increase from 19% last year.
Commenting on the findings, Nick Rago, Technical Field Manager at Salt Security, said: “Many API attacks today are carried out by authenticated entities who have the authority to use the API they are attacking, and they do it in a low and slow way that evades all rate-limit traffic controls.”
According to Rago, existing security measures used by API gateways, web application firewalls and identity providers do not provide adequate protection against this growing attack surface. “To stop attacks, companies need a purpose-built API security strategy,” he says.
Key features of such a security strategy should include continuous visibility into the attack surface, as well as the ability to discover new and changed APIs, contextually understand API behaviors to accurately detect and stop API attacks and abuse at runtime, and address vulnerabilities in the build phase.
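Rago's point is that a per-client rate limit cannot see an authenticated caller who stays under the threshold while walking through object identifiers it is not entitled to. The detector below is an added example, not code from the article or from Salt Security; it illustrates the "contextual understanding of API behavior" the strategy calls for by baselining each authenticated subject on distinct object IDs touched and denial ratio rather than on raw request rate. The log format, the thresholds and the log lines are constructed assumptions.

```python
"""Flag authenticated subjects enumerating object IDs under the rate limit.

Added example. Log format (assumed): timestamp subject method path status.
The lines below are constructed; alice stays far below a 60 req/min limit
but touches many distinct invoice IDs and is mostly denied.
"""
from collections import defaultdict
from datetime import datetime

LOG = """\
2022-09-01T10:00:00Z alice GET /api/v1/invoices/1001 200
2022-09-01T10:00:06Z alice GET /api/v1/invoices/1002 403
2022-09-01T10:00:13Z alice GET /api/v1/invoices/1003 403
2022-09-01T10:00:20Z alice GET /api/v1/invoices/1004 403
2022-09-01T10:00:28Z alice GET /api/v1/invoices/1005 403
2022-09-01T10:00:35Z alice GET /api/v1/invoices/1006 404
2022-09-01T10:00:01Z bob   GET /api/v1/invoices/2001 200
2022-09-01T10:00:02Z bob   GET /api/v1/invoices/2001 200
2022-09-01T10:00:03Z bob   GET /api/v1/invoices/2001 200
""".splitlines()

RATE_LIMIT_PER_MIN = 60  # what a gateway would enforce (assumed value)


def parse(line):
    ts, subject, _method, path, status = line.split()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), subject, path, int(status)


def suspicious_subjects(lines, min_distinct=5, min_denied_ratio=0.5):
    """Return {subject: stats} for subjects that touch >= min_distinct object IDs
    with a denial ratio >= min_denied_ratio, regardless of request rate."""
    by_subject = defaultdict(list)
    for line in lines:
        ts, subject, path, status = parse(line)
        by_subject[subject].append((ts, path.rsplit("/", 1)[-1], status))
    flagged = {}
    for subject, events in by_subject.items():
        events.sort()
        span_min = max((events[-1][0] - events[0][0]).total_seconds() / 60, 1 / 60)
        rate = len(events) / span_min
        distinct = {oid for _, oid, _ in events}
        denied = sum(1 for _, _, s in events if s in (401, 403, 404))
        ratio = denied / len(events)
        if len(distinct) >= min_distinct and ratio >= min_denied_ratio:
            flagged[subject] = {"distinct_ids": len(distinct),
                                "denied_ratio": round(ratio, 2),
                                "under_rate_limit": rate <= RATE_LIMIT_PER_MIN}
    return flagged
```

The `under_rate_limit` flag makes the gap explicit: a subject that is both flagged and under the limit is exactly the traffic a gateway rate limiter would have passed.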
Most organizations have now embraced the wave of using APIs to provide flexible connectivity between systems, making it easy for developers to get started and build digital products. But securing and monitoring APIs is a crucial step in operationalizing APIs.
Brian Otten, vice president of digital transformation enablers at Axway, also believes that companies need to manage the lifecycle of their APIs. “API delivery has a distinct lifecycle that includes, but is not limited to, unified API monitoring from a security, availability, and performance perspective,” he said. “In addition, capabilities focused on cataloging and managing day-to-day APIs, as well as controls related to standards, governance, and testing.”