Why API security needs to be top priority for business enterprises
Aug 4, 2022, 14:09 IST
- API adoption has skyrocketed in the last year, with about 92% of organisations seeing increased usage of APIs.
- Undocumented APIs prove to be the weakest links in the system
- Open source and microservices are often misleadingly considered more secure
APIs (application programming interfaces) are often referred to as the building blocks of digital transformation, and rightly so. In today’s app-driven economy, APIs fuel innovation, faster time-to-market and help drive revenue for organisations. A vast majority of enterprises have adopted APIs with the goal of creating a competitive differentiator in the market.
Emerging workplace scenarios and connected applications have further pushed the adoption of APIs. More than 96% of organisations are utilising APIs for communications between their workloads and systems, according to a recent study by Enterprise Management Associates (EMA), in association with Radware.
However, their huge popularity comes with serious security concerns, which organisations tend to overlook. If we analyse some of the more recent API-related breaches – Microsoft, Facebook, Venmo or JustDial – it is evident that API security must be taken more seriously.
Unfortunately, that does not seem to be the case at this stage. Even worse, organisations that are extensively leveraging APIs believe that they have the security aspect under control, a belief the EMA survey characterises as a ‘false sense’ of security born of overconfidence.
The reality of undocumented APIs
A large number of organisations (92%) have increased the usage of APIs in the previous year, with 59% already running most of their applications in the cloud – indicating how widespread the adoption of APIs will continue to be. At the same time, API security often becomes an afterthought in today’s highly distributed, cloud- and mobile-intensive technology environments, where a large percentage of applications appear to be poorly documented.
About 62% of organisations surveyed by EMA indicated that they have over 30% of their APIs undocumented. Undocumented or untracked APIs regularly act as the weakest link during cyber incidents.
A more intriguing finding from the survey is the general perception among organisations of their visibility into those APIs and their ability to protect them from attacks. Many of the standard solutions deployed by organisations – XDR, API gateways, web application firewalls and the like – are considered effective in identifying attacks by almost 98% of the organisations. At the same time, over 7% of those surveyed indicated that there were no attacks to identify, while about 3% reported that the tools deployed were not able to adequately identify API attacks.
“For many companies, there is unequivocally a false sense of security that they are adequately protected from cyberattacks. In reality, they have significant gaps in the protection around unknown and undocumented APIs,” said Gabi Malka, Radware’s chief operations officer and head of research and development. “API security is not a ‘trend’ that is going away. APIs are a fundamental component to most of the current technologies and securing them must be a priority for every organisation,” he added.
Open source API security
Many industries have witnessed increasing adoption of open APIs in recent years. The general perception is that open-source technologies are inherently secure – for example, about 65% of the respondents in the EMA survey believe that open-source code is more secure, and about 74% think that containers and microservices – which enable companies to design and deliver applications with speed – are secure by default. These perceptions add to the false sense of security.
“The belief that open source is more secure by design could explain why some organisations are lax when it comes to patch management. Yet, as we have seen with Log4j and Heartbleed, open source can have the same security flaws as proprietary code. Believing that open source is inherently more secure by default only further contributes to the false narrative that leaves organisations vulnerable to cyber-attacks,” says Malka.
Open-source APIs, microservices or containers thus offer no magic bullet for security.
The survey findings accentuate why API protection must become a top priority for tech and security leaders, especially in a world where app experience determines the success of a brand. But organisations in general seem to be getting API security wrong, with many demonstrating the inability to protect the unknown, overconfidence in their existing security tools, and a lack of skilled resources. This also brings to the fore the need to incorporate API auto-discovery and data classification capabilities in enterprise security solutions to ensure the security of APIs.
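The auto-discovery the article calls for starts with reconciling what is actually being served against what is documented. The following added example (not from the article or the EMA/Radware study) normalises endpoints seen in a constructed access-log sample, compares them with a constructed inventory of documented path templates, and reports the undocumented ones with their request counts, so that shadow endpoints surface before an incident does.

```python
import re
from collections import Counter

# Constructed inventory: (method, path template) pairs as they would appear in an OpenAPI document.
DOCUMENTED = {
    ("GET", "/api/v1/users/{id}"),
    ("POST", "/api/v1/orders"),
    ("GET", "/api/v1/orders/{id}"),
}

# Constructed access-log sample in common log format (fictitious hosts, paths and times).
SAMPLE_LOG = """\
10.0.0.5 - - [04/Aug/2022:14:09:01 +0530] "GET /api/v1/users/1042 HTTP/1.1" 200 512
10.0.0.5 - - [04/Aug/2022:14:09:02 +0530] "GET /api/v1/users/1042/export HTTP/1.1" 200 90211
10.0.0.9 - - [04/Aug/2022:14:09:03 +0530] "POST /api/v1/orders HTTP/1.1" 201 88
10.0.0.9 - - [04/Aug/2022:14:09:04 +0530] "GET /api/v2/orders/7f3a HTTP/1.1" 200 640
10.0.0.9 - - [04/Aug/2022:14:09:05 +0530] "GET /internal/debug/config HTTP/1.1" 200 2048
10.0.0.5 - - [04/Aug/2022:14:09:06 +0530] "GET /api/v1/users/1042/export?fmt=csv HTTP/1.1" 200 90211
"""

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')
# A segment counts as an identifier if it is all digits, or hex/dash of 4+ chars containing a digit.
ID_SEGMENT = re.compile(r"^(\d+|(?=.*\d)[0-9a-f-]{4,})$")


def normalise(path: str) -> str:
    """Drop the query string and collapse identifier-looking segments into {id}."""
    path = path.split("?", 1)[0]
    return "/".join("{id}" if ID_SEGMENT.match(seg) else seg for seg in path.split("/"))


def find_undocumented(log_text: str, documented: set) -> dict:
    """Return {(method, template): request_count} for observed endpoints absent from the inventory."""
    seen = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # skip lines that are not HTTP request records
        seen[(m["method"], normalise(m["path"]))] += 1
    return {endpoint: n for endpoint, n in seen.items() if endpoint not in documented}


if __name__ == "__main__":
    for (method, template), n in sorted(find_undocumented(SAMPLE_LOG, DOCUMENTED).items()):
        print(f"UNDOCUMENTED {method} {template} ({n} requests)")
```

The normalisation is deliberately simple; in practice the inventory would be loaded from the real OpenAPI files and the log from the gateway, but the reconciliation step is the same.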