APIs lack cybersecurity strategies

Sheila Zabeu -

December 15, 2021

The use of APIs (Application Programming Interfaces) to drive digital transformation efforts has grown significantly in recent years, and the trend is expected to continue into 2022. According to a survey conducted by RapidAPI, a hub that enables developers and businesses to find and manage thousands of APIs, 68.4% of more than 2,200 respondents from 130 countries and across job functions expect to use more APIs in 2022 than this year. Additionally, the majority of developers (75.5%) indicated that participating in the API economy is a priority for their organizations now or in the near future.

Internal APIs are still the most common type used by developers (74.3%); however, more respondents than before (49.1%) reported working with third-party APIs. Partner APIs saw the most significant increase in 2021 (44.3% vs. 34.6% in 2020).

Security, privacy, and testing remain important areas of focus for over 90% of developers. The three most popular types of testing conducted in 2021 were functional (29.5%), integration (26.8%), and acceptance (16.3%).

Source: RapidAPI

Despite the relevance of testing to almost all API developers, API-related security incidents have increased in recent years. In one case in August, for example, dozens of organizations using Microsoft Power Apps inadvertently had 38 million records exposed due to API configuration issues, according to UpGuard researchers. “This problem is systemic, it occurred not only with Microsoft Power Apps, but also with Amazon Web Services S3, Elasticsearch and MongoDB,” Bitdefender’s Radu Crahmaliuc pointed out.

In another recent case from early December, two vulnerabilities were revealed in an API based on the GraphQL specification implemented by a major B2B fintech platform that offers financial services in the form of mobile apps and software as a service (SaaS) to small and medium-sized businesses. By exploiting them, any individual could submit unauthorised transactions and also collect sensitive customer data. In other words, attackers could transfer funds from customers’ accounts without their knowledge or consent. The financial platform also had a further security hole whereby API calls could reach endpoints without any authentication.
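The two defects described above, an endpoint reachable without authentication and an operation that acts on whatever account the caller names, are logic flaws in the resolver rather than malformed input, which is why a signature-based control sees nothing wrong with the request. The following Python is an added example, not code from the article or from the platform it describes: a minimal money-transfer resolver in the style of a GraphQL mutation, first in a vulnerable form and then in a hardened form that requires a session and checks that the source account belongs to the authenticated user. The accounts, session tokens, header layout and request shape are all constructed for the example.

```python
"""Added example (not from the article or the platform it describes):
a money-transfer resolver in a vulnerable and a hardened form.
All accounts, sessions and the request shape are hypothetical."""
from dataclasses import dataclass
from decimal import Decimal


@dataclass
class Account:
    owner: str
    balance: Decimal


# Constructed in-memory state standing in for the platform's database.
ACCOUNTS = {
    "acc-alice": Account(owner="alice", balance=Decimal("100.00")),
    "acc-bob": Account(owner="bob", balance=Decimal("50.00")),
}
# Constructed session store: bearer token -> authenticated user id.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


class ApiError(Exception):
    """Raised by the hardened resolver; the message is the client-facing code."""


def reset_accounts():
    ACCOUNTS["acc-alice"].balance = Decimal("100.00")
    ACCOUNTS["acc-bob"].balance = Decimal("50.00")


def transfer_vulnerable(args: dict, headers: dict) -> dict:
    """Trusts the caller-supplied from_account and never looks at the session:
    anyone who can reach the endpoint can move money out of any account."""
    src = ACCOUNTS[args["from_account"]]
    dst = ACCOUNTS[args["to_account"]]
    amount = Decimal(args["amount"])
    src.balance -= amount
    dst.balance += amount
    return {"ok": True, "from_balance": str(src.balance)}


def transfer_hardened(args: dict, headers: dict) -> dict:
    """Same operation with authentication, object-level authorization and
    input validation performed before any state is touched."""
    auth = headers.get("authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
    user = SESSIONS.get(token)
    if user is None:
        raise ApiError("unauthenticated")          # step 1: who is calling?
    src = ACCOUNTS.get(args["from_account"])
    if src is None or src.owner != user:
        raise ApiError("forbidden")                # step 2: may they act on this object?
    dst = ACCOUNTS.get(args["to_account"])
    if dst is None:
        raise ApiError("unknown destination")
    amount = Decimal(args["amount"])
    if amount <= 0 or amount > src.balance:
        raise ApiError("invalid amount")           # step 3: is the request sane?
    src.balance -= amount
    dst.balance += amount
    return {"ok": True, "from_balance": str(src.balance)}


def attempt(resolver, args: dict, headers: dict) -> tuple:
    """Run a resolver and report ('ok', result) or ('error', code)."""
    try:
        return ("ok", resolver(args, headers))
    except ApiError as exc:
        return ("error", str(exc))


def demo() -> dict:
    """Send the same forged request (Bob moving Alice's money) to both resolvers."""
    forged = {"from_account": "acc-alice", "to_account": "acc-bob", "amount": "25.00"}
    reset_accounts()
    attempt(transfer_vulnerable, forged, {})      # no session at all, still succeeds
    vuln_balance = str(ACCOUNTS["acc-alice"].balance)
    reset_accounts()
    outcome = attempt(transfer_hardened, forged, {"authorization": "Bearer tok-bob"})
    return {
        "vulnerable_alice_balance": vuln_balance,   # 75.00: money left Alice's account
        "hardened_outcome": outcome[1],             # forbidden
        "hardened_alice_balance": str(ACCOUNTS["acc-alice"].balance),
    }


if __name__ == "__main__":
    print(demo())
```

The ordering in the hardened resolver matters: authentication first, then ownership of the specific object, then value checks, so that an unauthenticated caller learns nothing about which account ids exist.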

Cybercriminals are attacking APIs because their developers generally have little or no cybersecurity knowledge, explains a Salt Security report, which found that 62% of organizations have no security strategy for APIs or only a very basic one. In a six-month period (December 2020 to June 2021), overall API traffic grew by 141%, while malicious API traffic increased by 348%.

Source: Salt Security

Data gathered by Salt Security also highlights that WAFs (Web Application Firewalls) and API gateways were deployed in these cases, meaning that the attacks via APIs bypassed traditional cybersecurity controls.

Outdated or “zombie” APIs are the top concern for 40% of respondents, nearly triple the second-biggest area of concern, account appropriation. According to Salt Security, frequent app updates are the biggest culprit in producing zombie APIs, which can lead to risk and exposure of unmonitored data.
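The zombie-API problem above is largely an inventory problem: a route that dropped out of the spec after an update keeps answering requests that nobody reviews. As an added example (not from the article or from Salt Security), the Python below reconciles a constructed route inventory with constructed gateway access log lines and flags deprecated or undocumented routes that are still receiving traffic, noting how much of that traffic carries no credentials. The inventory format, the log line layout and the route names are all hypothetical.

```python
"""Added example (not from the article or Salt Security): find candidate
"zombie" endpoints by reconciling gateway logs with an API inventory.
The inventory, the log lines and the log format are constructed."""
import re

# Constructed inventory: (method, OpenAPI-style path template, status).
# A real inventory would be generated from the current spec and the
# gateway's route table.
INVENTORY = [
    ("GET", "/v2/users/{id}", "current"),
    ("POST", "/v2/transfers", "current"),
    ("GET", "/v1/users/{id}", "deprecated"),   # kept for one old mobile build
]

# Constructed gateway log lines: "<timestamp> <method> <path> <status> <auth>".
LOG_LINES = """\
2021-12-10T10:00:01Z GET /v2/users/42 200 bearer
2021-12-10T10:00:02Z POST /v2/transfers 201 bearer
2021-12-10T10:00:03Z GET /v1/users/42 200 bearer
2021-12-10T10:00:04Z GET /v1/users/43 200 none
2021-12-10T10:00:05Z GET /v0/export/all 200 none
2021-12-10T10:00:06Z GET /v0/export/all 200 none
""".splitlines()

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) (\S+)$")


def template_to_regex(template: str) -> "re.Pattern":
    """Compile a path template; a {param} segment matches one path segment."""
    parts = []
    for seg in template.strip("/").split("/"):
        is_param = seg.startswith("{") and seg.endswith("}")
        parts.append("[^/]+" if is_param else re.escape(seg))
    return re.compile("^/" + "/".join(parts) + "$")


COMPILED = [(m, template_to_regex(p), p, s) for m, p, s in INVENTORY]


def classify(method: str, path: str) -> tuple:
    """Return (matched template or None, status) for a logged request."""
    for m, rx, template, status in COMPILED:
        if m == method and rx.match(path):
            return template, status
    return None, "undocumented"


def find_zombie_candidates(lines) -> dict:
    """Map (method, template-or-raw-path) to hit counts for every route that
    is deprecated or missing from the inventory; current routes are skipped."""
    findings = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                                  # ignore unparseable lines
        _ts, method, path, _code, auth = m.groups()
        template, status = classify(method, path)
        if status == "current":
            continue
        key = (method, template or path)
        entry = findings.setdefault(
            key, {"status": status, "hits": 0, "unauthenticated": 0})
        entry["hits"] += 1
        if auth == "none":
            entry["unauthenticated"] += 1
    return findings


if __name__ == "__main__":
    for (method, route), info in sorted(find_zombie_candidates(LOG_LINES).items()):
        print(f"{info['status']:<12} {method} {route}: "
              f"{info['hits']} hits, {info['unauthenticated']} unauthenticated")
```

Undocumented routes with unauthenticated hits are the ones to retire or put behind the gateway's authentication first; deprecated routes still in use show which client builds have to be migrated before the route can be removed.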

Issues associated with API security are delaying the launch of business applications for two-thirds (64%) of Salt Security’s respondents. APIs are critical because they move data and run services in high volume, often for core business processes. Delaying the availability of applications, or shipping them with security issues, can mean financial loss, reputational damage, lost customers, or all of the above.

Lack of manpower is another challenge

In the RapidAPI survey, the shortage of software engineers and other professionals working with APIs is the top challenge predicted for 2022, with 56.8% of developers anticipating this problem.

“All companies are accelerating the transition to digital channels and investing in development to enable this change. On the other hand, developers are becoming scarce – we are seeing a huge gap between workforce availability and the supply of job openings, causing companies to turn to resources that make development more productive – in particular, APIs,” explains Iddo Gino, CEO and founder of RapidAPI.

But while APIs hold great promise for business, they also represent a major security risk and must be addressed accordingly. Gartner warns that by 2022, API attacks will become the most frequent attack vector, causing major data breaches in enterprise web applications.