Businesses have made steady improvements to their network perimeter security, and the result has been better protection against increasingly sophisticated cyberattacks. Normally, this would be welcome news.
After all, it means that attackers must look elsewhere for easier pickings, and that's a good thing, right? Well, not exactly. Attackers have simply moved on to third-party APIs, a wildly popular connectivity and development tool.
Internal and External Threats
Third-party API security threats are growing because API adoption rates are exploding. What makes these APIs so alluring to developers? They make it easier and less expensive to deliver new apps more quickly, extend application functionality, and communicate and collaborate with customers, suppliers, and partners.
With attractive capabilities like these, it’s no surprise that API adoption is accelerating across public and private sectors worldwide. The number of publicly available APIs worldwide exceeds 50,000, and the total is expected to quadruple by 2020.
But here's where things get complicated. There are at least as many privately managed APIs as there are of the third-party variety, and many of these "internal" APIs lack documentation or standard security practices.
That can make them invisible to standard security monitoring and troubleshooting methods: an API that nobody has inventoried is one that nobody is watching. This dual threat, exposed third-party APIs plus unmanaged internal ones, is one reason why Gartner forecasts APIs as the largest source of data breaches by 2022.
A Long List of Exploits and Impacts
So why are APIs such an attractive target to cyberattackers? They are used in many ways, not just on a website but throughout entire corporate networks. That makes it easier for cybercrooks to find weaknesses in a business's defenses.
And all those potential weaknesses add up to a formidable list of exploits: unencrypted data transport, exposure of authentication data, cross-site scripting, cross-site request forgery, denial-of-service attacks, injection of malicious code, and many more.
Just as there are many ways to be attacked, there are many ways for businesses to incur attack-related losses. Financial loss created by regulatory fines, direct costs of restoring employee productivity and network uptime, and the potential loss of a company’s investors, customer loyalty, and brand reputation add up to serious damage to businesses of all sizes.
Defending Against Insecure APIs
Perhaps the most disturbing aspect of these latest exploits is that API cyberattacks are becoming more sophisticated. This trend makes it more urgent than ever for API adopters to understand what it takes to defend their APIs.
- What makes APIs valuable to a business also makes them an attractive security target.
  APIs are connectivity and interoperability tools that simplify software development and deployment. Because they are present in so many parts of a business network, they provide express routes to many types of valuable data, information, and IT infrastructure.
- Signature-based solutions offer only partial protection.
  Traditional solutions such as web application firewalls, and newer ones such as runtime application self-protection, rely on identifying known attack vectors (signatures) collected from earlier attacks. They provide good protection against known attacks. Modern API exploits, however, target the unique logic of each API: the requests they send are syntactically legitimate and match no signature, so the design of a traditional solution often lacks what it needs to stop them. As a result, such attacks can go unnoticed by routine IT security operations.
- No single appliance or approach provides comprehensive API protection.
  Robust API security requires a multi-layered approach. The latest alternatives, which combine traditional and modern API security capabilities on a dedicated platform, have come to market. This comprehensive approach promises the most effective protection against the latest API exploits.
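To make the second point concrete, here is an added example (not code from the original article or from any vendor's product) that runs a handful of constructed API requests through a signature tier and then a logic-aware tier. The `/api/v1/accounts/{id}` endpoint, the ownership table and the sample requests are all hypothetical. The request from `bob` for account `1001` carries no attack signature at all; only a check that knows which caller owns which record can flag it.

```python
import re
from dataclasses import dataclass


@dataclass
class Request:
    """One API call as a protection layer sees it (constructed sample, not real traffic)."""
    method: str
    path: str
    caller: str   # identity established by the API's authentication layer
    body: str


# Signature tier: patterns harvested from earlier attacks, the way a WAF uses them.
SIGNATURES = {
    "xss": re.compile(r"<\s*script", re.IGNORECASE),
    "sqli": re.compile(r"(?:'|\")\s*or\s+\w+\s*=\s*\w+|union\s+select", re.IGNORECASE),
}


def signature_hits(req):
    """Return the names of the known attack patterns found in the request text."""
    text = f"{req.path} {req.body}"
    return [name for name, pattern in SIGNATURES.items() if pattern.search(text)]


# Logic tier: knowledge specific to THIS API, i.e. who owns which record (hypothetical data).
ACCOUNT_OWNER = {"1001": "alice", "1002": "bob"}
ACCOUNT_PATH = re.compile(r"^/api/v1/accounts/(\d+)$")


def logic_violation(req):
    """True when the caller touches an account record that belongs to someone else."""
    m = ACCOUNT_PATH.match(req.path)
    if m is None:
        return False                      # endpoint not modelled in this example
    owner = ACCOUNT_OWNER.get(m.group(1))
    return owner is not None and owner != req.caller


def classify(req):
    """Layered verdict: cheap signature match first, then the API-specific logic check."""
    hits = signature_hits(req)
    if hits:
        return "block:signature:" + ",".join(hits)
    if logic_violation(req):
        return "block:logic:cross-account-access"
    return "allow"


# Constructed traffic: one benign call, one logic abuse, two signature-matching probes.
SAMPLE_TRAFFIC = [
    Request("GET", "/api/v1/accounts/1001", "alice", ""),
    Request("GET", "/api/v1/accounts/1001", "bob", ""),          # valid syntax, wrong owner
    Request("POST", "/api/v1/search", "bob", "q=' OR 1=1 --"),
    Request("POST", "/api/v1/comments", "alice", "text=<script>alert(1)</script>"),
]


def run_sample():
    """Verdict for every sample request, as the layered stack would report it."""
    return [(r.caller, r.method, r.path, classify(r)) for r in SAMPLE_TRAFFIC]


def signature_only_misses():
    """Paths that a signature-only layer would allow but the logic layer blocks."""
    return [r.path for r in SAMPLE_TRAFFIC if not signature_hits(r) and logic_violation(r)]


if __name__ == "__main__":
    for row in run_sample():
        print(row)
    print("missed by signatures alone:", signature_only_misses())
```

The ownership table stands in for whatever source of truth the real API has (its database, its authorization service); the point is that the check has to be written per API, which is exactly the work a generic signature feed cannot do for you.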
Multiple Capabilities, Unified Operation
Now, companies of any size have an alternative to in-house API protection. By subscribing to third-party security services, organizations can take a full-stack approach to API protection. For example, an advanced service might combine a cloud WAF, a CDN, attack analytics, and multi-layer DDoS protection.
With these services, companies can protect access to their website, network, and valuable data and IT infrastructure. As their APIs change, the protections are updated automatically from a dedicated management platform. And the economy and convenience of cloud services apply to API security as well.