This guest blog was contributed by Rick McElroy, Principal Security Strategist at VMware
As the cybersecurity landscape continues to evolve, so do the types of attacks cybercriminals are using to infiltrate organizations. While ransomware and zero-day exploits remain popular attack vectors, the targeting of application programming interfaces (APIs) is on the rise.
In recent years, we saw major organizations suffer from API-related security incidents, with nearly 25% of attacks now compromising API security. This poses the question, why are API vulnerabilities being exploited at this steadily increasing rate? Recent data shows that within the first half of 2022, API attacks experienced a whopping 168.80% increase over the same period in the previous year. Cybercriminals are launching these aggressive API attacks in order to gain a foothold within an environment so they can steal credentials and acquire data.
A look behind the API curtain
APIs are critical to modern-day businesses as they communicate information within and between applications. As technology has evolved and the amount of data being processed increases steadily, it would be impossible to achieve the scale needed to process this volume of data without the use of APIs. They allow for massive amounts of flexibility when creating new services or making changes to existing services, which is imperative for modern businesses. APIs originally existed behind the curtain, less accessible to cybercriminals. However, as microservices, containers, and cloud-based services have become commonplace, the number of exposed APIs, and of attacks against them, has increased.
APIs allow for automation, orchestration and coordination of services across multiple domains. In a simple sense, a security team may be using APIs to integrate their security products in a way that achieves better results and efficiencies. In a much more complex setting like the financial sector, the use of APIs fuels banking and trade transactions. As a result, API security has become a critical component of application security. Teams must not only understand the function the APIs are supposed to provide but also the business logic behind them.
Understanding the Risks
VMware’s Threat Analysis Unit recently observed several significant threats against APIs such as injection attacks and Denial of Service. This increased number of threats can be attributed to the sheer number of APIs and the variety of roles they play within an organization, which makes them extremely complex and ripe for cybercriminals to target. These findings suggest the attackers’ end goal is not only to compromise API security but also, potentially, to leverage that compromise to distribute additional, often destructive attacks, also known as progressive API attacks.
Additionally, when it comes to supply chains and APIs, there is a downstream dependency risk to any organization. If the APIs you depend on go down, your service also goes down, so this risk must be accounted for during the design phase of any security structure.
Bolstering API security
Best practices for securing APIs as part of a robust security plan include the following:
Leave no API unturned: Some say ignorance is bliss, but not in terms of API security. As internal and external APIs proliferate, tools are necessary to help reduce the complexity of API-related tasks. Many organizations are implementing API gateways and API portals to make it easier to manage APIs.
Dig deeper into API threat detection and response: Security teams need to look for threats deep within the application and API data payload, as recent attacks and breaches are being perpetrated in the post-authentication and authorization phase.
Security from the start: When starting the planning process for new APIs, organizations need to remember to protect the entire API lifecycle from planning to production and everything in between. If your planning process for new APIs doesn’t properly account for security, your results may suffer, no matter how good the rest of your process is.
Decision makers should weigh the risks versus the benefits during the ideation phase of any project. Once risks are identified, a mitigation strategy should be implemented. A true partnership between IT, Development and Information Security from the beginning will go a long way in addressing these risks. As the year continues, we can expect APIs to become front and center in security conversations, in an effort to help prevent additional breaches.