Why APIs Will Be This Year’s Most Targeted Service
Cybersecurity threats are front of mind for many organizations, and with good reason. Cybercrime is rising, and its global cost is expected to reach a staggering $10.5 trillion annually by 2025. API exploits are already an all-too-common attack path, and APIs will be the most targeted service in 2023.
The Rise of APIs
APIs are the unsung heroes in a digital-first world, facilitating many critical aspects of our personal and professional lives. Now more than ever, APIs are the backbone of business operations as organizations embrace cloud-based models and use apps for critical business functions.
No longer reserved for the development cycles of major tech platforms, APIs are now written into project scopes from the outset, developers report. That should mean better-designed, more functional, and more secure APIs.
A Growing Concern
As the affinity for and reliance on APIs grows, so does the risk. Bad actors have taken notice of the increasing presence of APIs and have turned their sights on exploiting weak points for their personal gain.
API vulnerabilities cost companies up to $75 billion annually, according to a 2022 report. While APIs serve as convenient messengers for organizations and end users, making life and workflows much more manageable, they also serve as doorways to valuable data, including backend databases and financial transactions.
Gartner predicts that by 2025, less than 50% of enterprise APIs will be managed, signaling a distressing reality for organizations, their data, and their end users. Unmanaged APIs are akin to leaving your wallet on the table in a cafe and walking away to use the bathroom, hoping no one takes it. Optimism without due diligence is risky in the cyber world.
Key Threats
According to a recent report on API security trends:
“Unfortunately, only 12% of respondents’ organizations have what they consider to be advanced API security strategies that include dedicated API testing and runtime protection. On the opposite side of the spectrum, 30% of respondents — all of whom have APIs running in production — admit they have no current API strategy.”
Of course, it’s exceedingly difficult to plan for and protect from threats you’re unaware of. Some critical API threats to look out for include the following:
Denial of Service (DoS and DDoS) Attacks
A denial-of-service (DoS) attack takes a system or network down by flooding it with bogus activity. Attackers overload a server with a barrage of requests that saturate its capacity and prevent legitimate requests from getting through. In a distributed denial-of-service (DDoS) attack the flood comes from many sources at once, so no single client looks unusual on its own.
Prevention best practice: implement rate limiting. Restricting the number of requests a single client (an API key, a user, or a source address) can make per window stops one abuser from exhausting the API's capacity. Rate limiting is necessary but not sufficient against a distributed attack, where each source stays under its limit; pair it with upstream filtering capacity (a CDN or scrubbing service) and with stricter quotas on expensive endpoints.
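The following is an added example (not code from the original article) of the per-client rate limiting described above: a token-bucket limiter keyed on the caller's identity, run over a small constructed burst of traffic. The request format, header names and client keys are assumptions for the illustration; the caveat about `X-Forwarded-For` is the one a practitioner should remember, since that header is attacker-controlled unless your own proxy set it.

```python
"""Per-client token-bucket rate limiting for an API (added example, not the page's code)."""


class TokenBucketLimiter:
    """Each client key owns a bucket of `capacity` tokens refilled at `refill_per_sec`.
    A request costs one token; a request against an empty bucket is rejected (HTTP 429)."""

    def __init__(self, capacity: int, refill_per_sec: float):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self._buckets: dict[str, tuple[float, float]] = {}  # key -> (tokens, last_seen)

    def allow(self, client_key: str, now: float) -> bool:
        tokens, last = self._buckets.get(client_key, (float(self.capacity), now))
        # Refill in proportion to the time elapsed since the last request, never above capacity.
        tokens = min(float(self.capacity), tokens + (now - last) * self.refill_per_sec)
        if tokens >= 1.0:
            self._buckets[client_key] = (tokens - 1.0, now)
            return True
        self._buckets[client_key] = (tokens, now)
        return False


def client_key(headers: dict, remote_addr: str, trusted_proxy: bool = False) -> str:
    """Choose the identity to throttle on (header names are assumptions).
    An authenticated API key is the best key because one abuser can rotate source IPs.
    X-Forwarded-For is client-controlled unless a proxy you trust appended to it; even then
    only the LAST entry (the one your proxy added) is trustworthy, so that is what we use."""
    api_key = headers.get("X-API-Key")
    if api_key:
        return "key:" + api_key
    if trusted_proxy and headers.get("X-Forwarded-For"):
        return "ip:" + headers["X-Forwarded-For"].split(",")[-1].strip()
    return "ip:" + remote_addr


def run_traffic(limiter: TokenBucketLimiter, requests):
    """requests: iterable of (timestamp, headers, remote_addr).
    Returns {client_key: (allowed, rejected)}."""
    stats: dict[str, tuple[int, int]] = {}
    for ts, headers, addr in requests:
        key = client_key(headers, addr)
        ok = limiter.allow(key, ts)
        allowed, rejected = stats.get(key, (0, 0))
        stats[key] = (allowed + 1, rejected) if ok else (allowed, rejected + 1)
    return stats


# Constructed traffic: one abuser bursting 10 requests at t=0 and 4 more at t=3,
# and one ordinary client making a single request. Addresses are documentation ranges.
SAMPLE_TRAFFIC = (
    [(0.0, {"X-API-Key": "abuser"}, "203.0.113.5")] * 10
    + [(0.0, {}, "198.51.100.7")]
    + [(3.0, {"X-API-Key": "abuser"}, "203.0.113.5")] * 4
)

if __name__ == "__main__":
    limiter = TokenBucketLimiter(capacity=5, refill_per_sec=1.0)
    for key, (allowed, rejected) in run_traffic(limiter, SAMPLE_TRAFFIC).items():
        print(f"{key}: {allowed} allowed, {rejected} rejected")
```

With a burst capacity of 5 and a refill of one token per second, the abuser gets 5 of its first 10 requests through, and only 3 of the 4 it sends three seconds later, while the ordinary client is untouched. Note what this does not do: an attacker controlling thousands of addresses, each sending under 5 requests, passes this limiter entirely, which is why the text above calls rate limiting necessary but not sufficient for DDoS.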
Broken Object Level Authorizations (BOLAs)
When a client uses an API to access an object, the API should validate the caller: the credentials are checked for authenticity, and the caller's permissions are checked for that specific object, before the request proceeds.
In a broken object-level authorization (BOLA) attack, the attacker simply substitutes another object's identifier in an otherwise legitimate request. Because the API checks who the caller is but not whether the caller may act on that particular object, it returns, changes, or deletes data belonging to someone else. Sequential identifiers make this trivial to enumerate at scale.
Prevention best practice: authentication establishes who is calling; authorization must then be checked on every object access, against the resolved object's owner or access list rather than inferred from the identifier the client supplied. A zero-trust model applies the same check to every request, including those from "internal" clients. Unpredictable identifiers raise the cost of enumeration but are not a substitute for the check.
Security Misconfiguration
Security misconfigurations are the low-hanging fruit among cyber risks. Usually the result of negligence, a misstep, or poor security practice, a misconfiguration all but rolls out the welcome mat for attackers. The risk is not limited to small operations with limited security resources: even the United States Army Intelligence and Security Command fell victim when its cloud resources were left improperly secured.
Prevention best practice: take the time to develop a robust security strategy and execute it at every layer of the organization: network, application, and everywhere in between. Patch flaws, protect files and directories, and ensure permissions are set correctly and consistently across all cloud services. For APIs in particular, that includes removing debug and test endpoints from production, turning off verbose error responses that leak stack traces or queries, and reviewing every default that was left in place.
Injection Attacks
Injection attacks are the most common type of API security threat and remain popular with cybercriminals. In this method, the attacker supplies input through the API that the backend then interprets as code rather than as data. Beware of:
- SQL Injection Attacks: a criminal places malicious SQL in an API parameter that the application concatenates into a database query, gaining access to data that was meant to remain private, or altering it.
- XSS Injection Attacks: similar in spirit to SQL injection, but the payload is malicious JavaScript that the API stores or returns without encoding, so that a browser client rendering the API's response executes it.
Prevention best practice: implement input validation against the expected format of each parameter, and treat it as one layer rather than the whole defense. Pass values to the database through parameterized queries, never by string concatenation, and encode API data for the context in which it is rendered.