Without APIs, it would be near impossible to see enterprises being able to digitally transform themselves. After all, APIs are the connective-tissue between applications and systems and they make the management, automation and consumption of technology possible at scale. APIs are what enable organizations to liberate data from their applications, improve integration, and standardize how claims and information is governed.
However, what about the associated API security risks? That’s the subject Gartner analyst Mark O’Neill tackled in his presentation, API Security: Enabling Innovation Without Enabling Attacks and Data Breaches at Qualys Security Conference 2018. O’Neill sees API vulnerabilities as a serious enterprise risk in the years ahead. In fact, by 2020, he predicts API abuses will be the most frequent attack vector that results in data breaches for enterprise web applications. “We see more and more APIs as a threat vector,” O’Neill said.
Attackers go after APIs, O’Neill said, because they’re a direct way to valuable data and enterprise resources. In addition to stealing data, APIs are also susceptible to other forms of attack, such a denial-of-service attacks, O’Neill said.
So what can organizations do to better secure their APIs and the resources and information they expose?
O’Neill broke down the approach to API security into three primary processes: discover, monitor, and secure. “The number one step is to discover APIs,” he said. “That’s easier said than done, I know.”
O’Neill shared a story that highlighted how many enterprises don’t realize the APIs that are in use within their organizations. One communication API vendor will approach CIOs at organizations where their API is already in use in places within the organization. “This contact is often the first time the CIO is made aware that they have this particular API in use in their organization,” he said.
There are tools enterprises can use to help automate API discovery, and organizations can survey developers and others in the organization to get a list of APIs in use. No matter how an organization goes about identifying the APIs in use, they should expect discovery to be an ongoing exercise.
Once APIs are identified as being in use, it’s essential to monitor them, O’Neill said. Organizations need to understand how their APIs are allocated, how much they are being used, and other attributes and activity such as if there is local caching of data and how many retries for access is permitted. “Before you attempt to secure any API, you want to understand how it is used,” he said.
When it comes to securing APIs, O’Neill advised developing different policies for different use case scenarios, such as for internal APIs, external APIs, and APIs developed in-house. “These APIs are all used differently, which is why it is not as simple as making a click box to secure your APIs,” he said.
There are also technologies that help when it comes to API security, such as web application firewalls and API gateways. While web application firewalls are stronger when it comes to protection, such as from SQL injection attacks, API gateways provide benefits when it comes to API orchestration and integration.
Finally, while there are many attributes to API security, such as API key management, tokenization, audit logging, and more, each organization has to look at API security as a sequence of things to do. “Everyone is different,” he said. The critical thing to understand is that APIs are a serious risk vector, and they need to be monitored and secured with adequate security policies and technologies.